BSP KYC Requirements 2026: What Banks and Fintechs Must Know
Bangko Sentral ng Pilipinas (BSP) requires all BSP-supervised financial institutions (BSFIs) to implement risk-based Know Your Customer (KYC) programs under Circular 1170 and the Anti-Money Laundering Act (AMLA). BSP KYC requirements mandate customer due diligence before account opening, electronic identity verification using PhilSys, and enhanced scrutiny for high-risk clients. Non-compliance carries penalties of 7 to 14 years imprisonment and fines exceeding PHP 3 million.
What BSP KYC Requirements Cover in 2026
BSP KYC requirements apply to every financial institution supervised by the Bangko Sentral ng Pilipinas. This includes universal banks, commercial banks, thrift banks, rural banks, cooperative banks, digital banks, non-bank financial institutions, and e-money issuers. If the BSP regulates your institution, KYC in the Philippines compliance is not optional.
The scope of BSP KYC goes beyond simple identity checks. Institutions must verify customer identity before processing any transaction, maintain records for at least five years after account closure, monitor transactions for suspicious activity, and file reports with the Anti-Money Laundering Council (AMLC). The Philippines’ removal from the FATF grey list on February 21, 2025, raised the bar further, as regulators now work to maintain that clean status.
For compliance officers and risk managers, the practical challenge lies in calibrating onboarding processes to customer risk profiles while keeping friction low enough to compete with digital-first competitors. According to Verihubs’ regulatory compliance team, many Philippine rural banks still rely on manual ID checks, creating bottlenecks that delay onboarding by 3 to 5 business days per customer. For a comprehensive overview of what KYC means in the Philippine context, see our complete KYC Philippines guide.
Key BSP Circulars Every BSFI Must Know for KYC Compliance
Three regulatory frameworks form the foundation of eKYC in the Philippines. Each addresses different aspects of customer due diligence, and compliance officers must understand how they interact.
| Regulation | Scope | Key KYC Provisions | Covered Institutions |
|---|---|---|---|
| BSP Circular 1170 (2023) | Customer due diligence and electronic KYC for all BSFIs | Permits eKYC via video calls and biometric technology; accepts PhilID as sole proof of identity; mandates risk-based tiered onboarding | All BSP-supervised financial institutions including digital banks and e-money issuers |
| BSP Circular 1108 | Virtual Asset Service Providers (VASPs) | Full KYC, CDD, and EDD mandatory; requires cybersecurity measures; mandates regular compliance reporting to BSP | Crypto exchanges, VASP-licensed entities under BSP |
| AMLA (RA 9160, as amended) | Anti-money laundering across all covered persons | Prohibits anonymous accounts and fictitious names; requires suspicious transaction reports; penalties of 7-14 years imprisonment and PHP 3M+ fines | Banks, non-bank financial institutions, casinos, real estate developers, dealers in precious metals |
How BSP Circular 1170 Modernizes Customer Due Diligence
BSP Circular 1170 is the most significant regulatory update for digital onboarding. The circular explicitly permits remote customer onboarding through video calls and biometric verification technology. BSFIs can now verify identities electronically without requiring customers to appear in person at a branch.
For a step-by-step look at how eKYC works under these provisions, see our guide to eKYC in the Philippines.
AMLA Enforcement and the AMLC’s Role
The Anti-Money Laundering Council (AMLC) serves as the Philippines’ financial intelligence unit. Under the AMLA, every BSFI must report covered transactions (those exceeding PHP 500,000) and suspicious transactions regardless of amount. Failure to implement adequate KYC processes exposes institutions to both criminal penalties and regulatory sanctions from the BSP.
The 3 Pillars of BSP Customer Due Diligence
BSP guidelines establish three tiers of customer due diligence. Each tier corresponds to the assessed risk level of the customer, and institutions must apply the appropriate level before establishing a business relationship.
Simplified Due Diligence (SDD) for Low-Risk Customers
SDD applies to customers assessed as low-risk based on the institution’s risk framework. Under SDD, BSFIs may accept a reduced set of identification documents and apply lighter ongoing monitoring. However, SDD does not mean skipping identity verification entirely. Institutions must still confirm the customer’s identity against a reliable, independent source.
Standard Customer Due Diligence (CDD)
Standard CDD is the baseline requirement for most customer relationships. BSFIs must verify the customer’s full legal name, date of birth, address, and nationality using government-issued identification. Under Circular 1170, the Philippine Identification System (PhilSys) ID, whether physical PhilID, digital ePhilID, Philippine Common Reference Number (PCN), or PhilSys Number (PSN), is recognized as official and sufficient proof of identity. No additional document is required when a PhilID is presented.
Standard CDD also requires institutions to understand the nature and purpose of the business relationship and to conduct ongoing monitoring of transactions. This is where automated digital customer onboarding solutions become essential for scaling compliance without scaling headcount.
Enhanced Due Diligence (EDD) for High-Risk Profiles
EDD applies to politically exposed persons (PEPs), customers from high-risk jurisdictions, large or unusual transactions, and any relationship that the institution’s risk assessment flags as elevated. EDD requires deeper investigation into the source of funds, more frequent transaction monitoring, and senior management approval for establishing or continuing the relationship.
How PhilID Changes KYC Compliance
The Philippine Identification System (PhilSys) has fundamentally shifted how BSFIs approach identity verification. Under BSP Circular 1170, PhilID is recognized as the single accepted proof of identity for KYC purposes, eliminating the need for multiple supporting documents. For a detailed breakdown of each Philippine government ID format and how to verify them, see our guide on verifying Philippine IDs online.
For institutions investing in KYC onboarding process automation, PhilID integration is now a critical capability. Systems must be able to read, verify, and authenticate PhilID data in both physical and digital formats, ideally through API-based verification that confirms the ID’s authenticity in real time.
Common BSP KYC Compliance Gaps and How to Close Them
Even well-intentioned BSFIs frequently fall short on BSP KYC requirements. Based on common regulatory findings and industry observations, these are the most persistent compliance gaps.
Manual Verification Processes That Cannot Scale
BSP examinations consistently flag manual ID inspection as a compliance weakness, particularly among rural and cooperative banks. Inconsistent verification quality across branches remains one of the most common findings in regulatory audits.
Incomplete Risk Assessment Frameworks
BSP Circular 1170 requires risk-based KYC tiering, but some institutions apply a one-size-fits-all approach to customer onboarding. Without a documented risk assessment framework, BSFIs cannot demonstrate to examiners that they are calibrating due diligence appropriately.
Weak Ongoing Monitoring and Record-Keeping
BSP examiners frequently cite inadequate transaction monitoring and incomplete record retention as grounds for enforcement action. Institutions that pass initial onboarding audits but neglect ongoing monitoring face escalating regulatory risk at subsequent examinations.
Inadequate EDD Procedures for PEPs and High-Risk Clients
Some BSFIs lack clear escalation procedures for customers who qualify for enhanced due diligence. Without automated screening for PEPs and adverse media, high-risk individuals can slip through standard onboarding channels. Effective fraud prevention measures require systematic, technology-driven screening rather than ad-hoc manual checks.
How Verihubs Helps Philippine BSFIs Meet BSP KYC Standards
Verihubs Philippines provides AI-powered identity verification and KYC automation solutions designed for BSP-regulated institutions. The platform addresses the specific compliance challenges that Philippine banks and fintechs face under Circular 1170, Circular 1108, and the AMLA.
AI-Powered Document and Identity Verification
Verihubs’ AI-powered document verification system processes Philippine government IDs, including PhilSys, SSS, and UMID, with 99.4% accuracy, reducing manual review requirements by over 80%. The system uses optical character recognition (OCR) and machine learning to extract, validate, and cross-reference ID data in seconds rather than days.
For biometric verification, Verihubs’ liveness detection technology confirms that the person presenting the ID is physically present, preventing spoofing attacks that use photos or deepfakes. This capability directly supports the remote onboarding provisions of BSP Circular 1170.
Risk-Based CDD Automation
Verihubs enables BSFIs to implement the tiered due diligence framework that BSP regulations require. The platform automatically routes customers through SDD, standard CDD, or EDD workflows based on configurable risk parameters. This ensures consistent compliance across all channels, whether the customer onboards in-branch, via mobile app, or through a web portal.
Proven Results for BSP-Licensed Institutions
After integrating Verihubs’ automated CDD solution, a BSP-licensed digital bank cut its average KYC processing time from 48 hours to under 5 minutes while maintaining full Circular 1170 compliance. The reduction in processing time also improved customer conversion rates, as fewer applicants abandoned onboarding due to delays. Identity verification powered by AI delivers both compliance and competitive advantage.
Frequently Asked Questions About BSP KYC Requirements
What is BSP Circular 1170 and how does it affect KYC?
BSP Circular 1170, issued in 2023, governs customer due diligence and electronic KYC for all BSP-supervised financial institutions. The circular permits remote onboarding through video calls and biometric verification, recognizes PhilID as sufficient proof of identity, and mandates risk-based tiered KYC policies. All BSFIs, including digital banks and e-money issuers, must comply.
Is PhilID the only document needed for KYC under BSP rules?
Yes. Under BSP Circular 1170, the PhilID in any of its four formats (physical card, ePhilID, PCN, or PSN) is recognized as official and sufficient proof of identity. BSFIs are not required to request additional supporting documents when a customer presents a valid PhilID.
What are the penalties for non-compliance with BSP KYC requirements?
Under the AMLA (RA 9160), violations can result in 7 to 14 years of imprisonment and fines exceeding PHP 3 million. Beyond criminal penalties, the BSP can impose administrative sanctions including monetary penalties, cease-and-desist orders, and suspension or revocation of banking licenses.
Do BSP KYC requirements apply to crypto and virtual asset providers?
Yes. BSP Circular 1108 specifically governs Virtual Asset Service Providers (VASPs). Licensed VASPs must implement full KYC, CDD, and EDD programs, maintain cybersecurity measures, and submit regular compliance reports to the BSP. The requirements mirror those for traditional banking institutions.
How does the Philippines’ FATF grey list removal affect KYC compliance?
The Philippines was removed from the FATF grey list on February 21, 2025, signaling that the country met international AML/KYC standards. However, this removal increases pressure on BSFIs to maintain rigorous compliance. Regulators are expected to enforce existing KYC rules more strictly to preserve the Philippines’ improved standing.
BSP KYC Compliance Is a Competitive Advantage, Not Just a Regulatory Burden
The regulatory landscape for Philippine financial institutions has matured significantly. BSP Circular 1170 gave BSFIs the tools to digitize KYC. The FATF grey list removal in 2025 raised the compliance bar. And PhilSys created a national digital identity infrastructure that makes electronic verification practical at scale.
Institutions that treat BSP KYC requirements as a checkbox exercise will struggle with slow onboarding, inconsistent compliance, and regulatory risk. Those that invest in automated, AI-driven KYC solutions will process customers faster, reduce compliance costs, and build the trust that depositors and regulators both demand.
The gap between manual and automated KYC compliance will only widen in 2026 and beyond. The question for every BSFI is not whether to automate, but how quickly.
Contact Verihubs to learn how our BSP-compliant KYC solutions can streamline your institution’s customer due diligence process.
