THE Bangko Sentral ng Pilipinas (BSP) has approved a new risk-based supervisory framework that will strengthen oversight of banks and other financial institutions by focusing regulatory attention on those that pose the greatest potential harm to consumers.
The framework, called the Financial Consumer Protection Risk-and-Impact Supervisory Model (FCPRISM), aims to establish a structured approach to supervising consumer protection practices among BSP-supervised institutions (BSIs). It will guide all financial consumer protection supervisory assessments beginning Jan. 1, 2027.
The BSP said the model would support a “holistic and forward-looking supervisory assessment” of an institution’s ability to safeguard consumer rights and ensure that supervisory resources are directed toward institutions where consumer harm is more likely.
Supervisory attention will be proportionate to an institution’s potential consumer impact and consumer protection (CP) risk profile, enabling the BSP to concentrate oversight on firms that present greater risks to financial consumers.
“The FCPRISM explicitly links a BSI’s potential consumer impact and CP risk profile to the level of supervisory engagement,” the BSP stated in the draft framework.
This will ensure that supervisory attention “remains proportionately focused on institutions with greater potential to cause consumer harm” while allowing the central bank to undertake “prompt and calibrated supervisory actions” to reinforce compliance with consumer protection standards and promote fair consumer outcomes.
The framework was adopted pursuant to Republic Act 11765, or the Financial Products and Services Consumer Protection Act (FCPA), which strengthened the consumer protection mandates of financial regulators.
Initially, FCPRISM will apply to banks and non-bank electronic money issuers before being proportionately extended to all BSP-supervised institutions over time.
Three-pillar framework
The FCPRISM consists of three major components: consumer impact assessment (CIA), consumer protection risk evaluation and profiling and the corresponding level of supervisory engagement.
The CIA will measure the potential scale, reach and severity of consumer harm that could result from an institution’s misconduct, operational failures or weaknesses in consumer protection controls.
Aside from direct financial losses, the BSP said consumer harm could include unfair or discriminatory treatment, misleading disclosures, poor value for money, misuse of consumer data, ineffective complaint resolution, unjustified exclusion from financial services and other forms of consumer detriment arising from deficiencies in governance, operations or business practices.
Institutions will be classified according to four consumer impact ratings: low, moderate, above average and high. Those with greater potential to affect consumers or undermine confidence in the financial system will receive heightened supervisory attention.
The second pillar, meanwhile, involves evaluating each institution’s consumer protection risk profile by assessing both the inherent risks in its retail financial activities and the strength of its risk management framework.
The BSP said inherent risks would be assessed through two key dimensions: structural complexity and consumer profile.
Structural complexity examines whether product design, pricing structures, digital delivery channels, automation, outsourcing arrangements and other operating features increase the likelihood of consumer harm.
Consumer profile, meanwhile, considers whether customers’ characteristics, such as limited financial or digital capability, language barriers, accessibility constraints or dependence on financial services for essential needs.
The BSP will also evaluate the effectiveness of an institution’s consumer protection risk management based on compliance with the five standards of conduct under the FCPA and its implementing regulations.
The quality of consumer protection risk management will be rated as strong, acceptable, inadequate or weak.
The resulting net consumer protection risk profile will reflect the residual level of consumer harm that remains after taking into account the effectiveness of an institution’s policies, systems and controls.
The BSP will also examine governance, compliance and internal audit functions to determine whether consumer protection principles are effectively embedded throughout an institution.
The framework evaluates how boards of directors and senior management establish accountability for consumer protection, oversee business practices and ensure that consumer protection risks are identified, escalated and addressed.
Compliance units will be assessed based on their effectiveness in monitoring adherence to consumer protection requirements and driving timely remediation of issues, while internal audit functions will be evaluated on the quality of independent assurance they provide over governance, risk management and internal controls.
These assessments will determine an institution’s overall consumer protection stance, which will be classified into one of four categories: consumer-centric, consumer-attentive, consumer-risk exposed and consumer-harm evident.
The final component of the framework determines the level of supervisory engagement based on the combination of an institution’s consumer impact assessment and overall consumer protection stance.
Depending on the results, the BSP may require additional reports and consumer protection information, hold meetings with boards and senior management, conduct on-site examinations, perform periodic risk assessments and intensify complaints-based surveillance.
“Complaints-based surveillance involves the continuous monitoring and analysis of consumer complaints and redress data,” the BSP said.
“It serves as a key tool for validating whether corrective actions are resulting in measurable improvements in consumer outcomes,” it added.