The Bangko Sentral ng Pilipinas has formally overhauled the way it evaluates the technology and cybersecurity controls of banks and other financial institutions, replacing the traditional IT Rating System with a new Supervisory Assessment Framework (SAFr) under BSP Circular No. 1232. The move forms part of the regulator’s broader push to strengthen cyber resilience and operational risk management amid the rapid digitalization of the Philippine financial sector.
Under the circular, the BSP no longer relies solely on the traditional IT examination and rating process previously used during supervisory assessments. Instead, SAFr adopts a broader supervisory framework that evaluates the technology risk environment of a supervised institution together with the adequacy of its governance, controls, and risk management processes in addressing technology-related and cybersecurity risks.
The circular likewise introduces the Cybersecurity Maturity Framework (“CMF”) and the Cybersecurity Control Self-Assessment (“CCSA”), which are intended to assist BSP-supervised institutions in assessing the maturity and effectiveness of their cybersecurity controls and identifying areas requiring enhancement. Covered institutions are likewise expected to conduct periodic self-assessment exercises as part of the BSP’s enhanced supervisory process under the framework.
From a regulatory perspective, the issuance is significant because it indicates that the BSP is moving away from a purely checklist-oriented compliance review toward a supervisory model that places greater emphasis on the actual effectiveness of an institution’s risk management environment. In practice, this may result in supervisory assessments focusing not only on the existence of written policies and controls, but also on whether such controls are properly implemented, monitored, tested, and capable of addressing evolving cybersecurity and operational risks.
The circular may likewise have substantial implications for banks, electronic money issuers, payment service providers, virtual asset service providers, and other BSP-regulated entities that rely heavily on digital infrastructure and technology-driven operations. Institutions may need to revisit internal cybersecurity programs, technology risk management policies, outsourcing arrangements, incident response procedures, and governance structures to ensure alignment with the BSP’s revised supervisory expectations.
The issuance further reflects the BSP’s recognition that technology-related risks, cybersecurity incidents, operational disruptions, and third-party service vulnerabilities now form a critical component of prudential supervision within the Philippine financial system. BSP Circular No. 1232 therefore represents another step in strengthening regulatory oversight over digital financial operations and reinforcing institutional resilience within the banking and financial services sector.
This guide provides a general overview of the above transactions at the time of writing only and is not intended to be a comprehensive legal advice. This should also not be taken as an opinion on the topic. For more details and information, you may coordinate with any GVES Law Partner regarding the matter.
Atty. Ludanielle N. Legarde is a Partner at GVES Law.

