KYC Requirements for Philippine Fintech Companies
Philippine fintechs face KYC requirements from two regulators: BSP (for digital banks, e-wallets, VASPs, and payment operators) and SEC (for online lending platforms and crypto-asset service providers). BSP Circular 1170 sets the foundation for customer due diligence and eKYC across all BSP-supervised institutions, while SEC rules mandate identity verification and suspicious transaction reporting for lending apps.
Tiered KYC allows simplified verification for low-risk accounts and enhanced due diligence for high-value transactions above PHP 500,000. With 300+ fintechs active in the Philippines and FATF grey list removal confirmed in February 2025, compliance is non-negotiable. This guide breaks down every KYC obligation by fintech category, regulator, and risk tier.
Why Philippine Fintechs Face Unique KYC Challenges
The Philippine fintech industry operates in a regulatory environment unlike any other in Southeast Asia. Two separate regulators govern different fintech categories, each with distinct KYC mandates. A digital bank answers to BSP. An online lending app answers to SEC. A crypto exchange may answer to both.
This dual-regulator structure creates compliance complexity that fintech founders and CTOs must navigate from day one. Building a product without understanding which regulator governs your specific fintech category can result in licensing delays, costly rearchitecting of onboarding flows, or outright rejection of your application.
According to Verihubs’ fintech partnerships team, Philippine startup founders frequently underestimate the KYC infrastructure needed for BSP licensing, often discovering compliance gaps only during the application review process.
The challenge intensifies when you consider scale. The Philippines has over 300 active fintech companies (per Fintech Alliance PH), 40+ BSP digital bank licenses issued, and a rapidly growing base of digitally banked consumers. The FATF grey list removal in February 2025 has raised the compliance bar further. Regulators now expect fintechs to demonstrate robust, auditable KYC systems before granting or renewing licenses.
Regulatory Bodies That Govern Fintech KYC in the Philippines
Understanding which regulator oversees your fintech is the first step toward building a compliant KYC process. BSP and SEC divide oversight based on the type of financial service your company provides.
| Dimension | BSP-Regulated Fintechs | SEC-Regulated Fintechs |
|---|---|---|
| Fintech Categories | Digital banks, e-money issuers (EMIs), VASPs, payment system operators | Online lending platforms (OLPs), crypto-asset service providers (CASPs) |
| Primary KYC Regulation | BSP Circular 1170 (CDD/eKYC), BSP Circular 1108 (VASPs), BSP Circular 1033 (digital financial services) | SEC Memorandum Circulars, Lending Company Regulation Act (RA 9474) |
| KYC Scope | Full CDD with tiered approach: simplified, standard, and enhanced due diligence | Customer identification, verification of borrower identity, beneficial ownership |
| Transaction Reporting | Covered Transaction Reports (CTRs) for transactions exceeding PHP 500,000; Suspicious Transaction Reports (STRs) to AMLC | CTRs for transactions exceeding PHP 500,000; STRs to AMLC |
| eKYC Acceptance | Explicitly authorized under Circular 1170; PhilSys/PhilID recognized | Permitted but less prescriptive; follows AMLA requirements |
| Ongoing Monitoring | Mandatory continuous transaction monitoring and periodic customer review | Required for AML compliance; frequency based on risk assessment |
| Penalties for Non-Compliance | License suspension or revocation, monetary sanctions, enforcement actions | SEC enforcement orders, fines, cease-and-desist orders, license revocation |
For fintechs that span both jurisdictions (for example, a lending platform that also operates an e-wallet), compliance teams must satisfy the requirements of both BSP and SEC simultaneously. This is common among Philippine super-apps and multi-product fintech platforms.
KYC Requirements by Fintech Category
KYC obligations vary significantly depending on your fintech’s license type. Here is what each category must implement.
Digital Banks
BSP-licensed digital banks must comply with the full scope of BSP Circular 1170. This includes collecting and verifying government-issued IDs (PhilSys, UMID, passport, SSS, or driver’s license), performing biometric matching through facial recognition and liveness detection, conducting risk-based CDD at account opening, filing CTRs for single transactions or series of transactions totaling more than PHP 500,000 within one banking day, and maintaining records for a minimum of five years after account closure.
Digital banks are expected to integrate PhilSys as a primary verification source. BSP has signaled that PhilSys integration will become mandatory for all BSP-supervised financial institutions as the national ID system reaches full coverage.
E-Money Issuers and E-Wallets
E-money issuers follow BSP Circular 1033, which established the framework for digital financial services and KYC requirements for e-wallet integrations. Tiered KYC is the standard approach. Basic e-wallet accounts with monthly limits of PHP 50,000 qualify for simplified due diligence, requiring only a mobile number and basic personal information. Fully verified accounts with higher transaction limits require standard CDD, including government ID verification and biometric matching.
This tiered model allows fintechs to onboard users quickly at the basic level and progressively upgrade accounts as users need higher functionality. Building this tiered customer onboarding flow correctly from the start saves significant development time.
Online Lending Platforms
SEC-regulated online lending platforms (OLPs) must verify borrower identities before disbursing any loan. Requirements include collection of at least one valid government-issued ID, verification of the borrower’s name, date of birth, and address, screening against AMLC watchlists and sanctions databases, and filing CTRs for loan disbursements or repayments exceeding PHP 500,000.
The SEC has intensified enforcement against fraud prevention failures among lending apps. Platforms that fail to verify borrower identity adequately face regulatory action and reputational damage from loan fraud and identity theft complaints.
Virtual Asset Service Providers (VASPs)
VASPs are regulated by BSP under Circular 1108. KYC requirements for crypto exchanges and virtual asset platforms include full CDD for all users (no anonymous accounts permitted), enhanced due diligence for transactions above defined thresholds, travel rule compliance for virtual asset transfers, and real-time transaction monitoring for suspicious activity patterns.
VASPs face some of the strictest KYC requirements in the Philippine fintech ecosystem due to the higher money laundering risk associated with virtual assets.
Payment System Operators
BSP-registered payment system operators must implement KYC processes proportionate to the risk level of their services. Operators handling high-value or cross-border payments face standard to enhanced CDD requirements, while those facilitating low-value domestic transfers may qualify for simplified verification under the tiered approach.
Step-by-Step: Building a BSP-Compliant KYC Process for Your Fintech
Whether you are applying for a BSP license or upgrading an existing system, these steps outline the standard path to a compliant KYC process.
Step 1: Determine Your Regulatory Category and Applicable Circulars
Identify whether BSP, SEC, or both regulators govern your fintech. Map every applicable circular to your product’s specific features. A digital bank with a built-in lending product, for example, must satisfy both BSP Circular 1170 and relevant SEC lending rules.
Step 2: Design a Tiered KYC Framework
Build your verification flow around the three CDD tiers mandated by BSP: simplified due diligence for low-risk, low-value accounts; standard CDD for regular accounts; and enhanced due diligence for high-risk customers, politically exposed persons (PEPs), and complex ownership structures. Define clear upgrade triggers so users can move between tiers seamlessly.
Step 3: Integrate Government ID Verification and Biometrics
Integrate automated ID verification that covers all BSP-accepted Philippine government IDs, including PhilSys, with biometric verification and liveness detection to prevent spoofing.
Step 4: Build AML Screening and Transaction Monitoring
Integrate real-time AML screening into your onboarding flow, including sanctions list checks and PEP screening. For a full understanding of how KYC and AML work together in the Philippines, see our KYC vs AML guide.
Step 5: Prepare for PhilSys Integration
PhilSys (the Philippine Identification System) integration is expected for all fintechs. Build your architecture to accept PhilID as a primary verification document and prepare API connections for direct PhilSys database validation when the system reaches full interoperability.
Step 6: Document Everything for Regulatory Review
BSP and SEC examiners will review your KYC policies, procedures, system architecture, and audit trails during licensing and examination. Maintain comprehensive documentation of your CDD framework, verification logs, exception handling procedures, and staff training records.
Common KYC Pitfalls for Philippine Fintech Startups
Compliance officers and CTOs at early-stage fintechs consistently encounter the same set of mistakes. Avoiding these pitfalls can save months of regulatory back-and-forth.
- Building KYC after product launch. Retrofitting compliance into a live product is far more expensive than building it into the architecture from the start. Regulators expect KYC infrastructure to be operational before you process your first customer.
- Treating KYC as a one-time check. Philippine regulations require ongoing monitoring, periodic customer review, and updated risk assessments. A KYC system that only verifies at onboarding will fail regulatory examination.
- Ignoring the dual-regulator structure. Fintechs that assume BSP rules cover everything miss SEC-specific requirements for lending and crypto-asset services. Map your obligations to both regulators early.
- Relying on manual verification at scale. Manual ID checks work for the first hundred customers. They collapse at ten thousand. Automated eKYC solutions are essential for fintechs planning to scale in the Philippine market.
- Underestimating document fraud. The Philippines has a high incidence of fraudulent government IDs in loan applications. Without AI-powered document verification and liveness detection, fintechs face significant fraud exposure.
- Neglecting record-keeping requirements. BSP requires fintechs to retain all KYC records for at least five years after the business relationship ends. Insufficient record-keeping is one of the most common findings in regulatory examinations.
How Verihubs Helps Philippine Fintechs Meet KYC Standards
Verihubs Philippines provides end-to-end identity verification infrastructure built specifically for the regulatory requirements that Philippine fintechs face. The platform’s API-first architecture integrates into existing fintech platforms within days, making it ideal for startups and scaling companies that need to move fast without compromising compliance.
Based on Verihubs deployment data, Philippine businesses using the Verihubs Identity Verification API have reduced customer onboarding time from an average of three to five business days to under five minutes, without sacrificing compliance or fraud controls. For lending platforms, faster onboarding directly reduces application abandonment at the point of identity verification.
For fintech founders preparing for BSP or SEC licensing, Verihubs provides compliance-ready KYC infrastructure that regulators recognize. Rather than building verification systems from scratch, fintechs can deploy proven, tested technology calibrated for Philippine document types, regulatory requirements, and fraud patterns. For a full feature comparison, see our guide to the best KYC solutions for Philippine banks and fintechs.
Frequently Asked Questions About KYC for Philippine Fintechs
What is the difference between BSP and SEC KYC requirements for fintechs?
BSP regulates digital banks, e-money issuers, VASPs, and payment system operators under circulars like BSP Circular 1170 and BSP Circular 1108. SEC regulates online lending platforms and crypto-asset service providers. Both require customer identification, document verification, and transaction reporting to the AMLC, but BSP provides more detailed guidance on tiered CDD and eKYC acceptance. Fintechs operating across both jurisdictions must comply with requirements from each regulator.
Is eKYC accepted for fintech licensing in the Philippines?
Yes. BSP Circular 1170 explicitly permits eKYC for all BSP-supervised institutions, including digital banks and e-money issuers. Learn the full details in our eKYC Philippines guide.
What are the penalties for KYC non-compliance for Philippine fintechs?
Penalties vary by regulator but are severe across the board. BSP can suspend or revoke licenses, impose monetary sanctions, and issue enforcement actions against non-compliant BSFIs. SEC can issue cease-and-desist orders, revoke lending or securities licenses, and impose fines. Under the Anti-Money Laundering Act, non-compliance can result in fines of up to PHP 3 million per violation and imprisonment. The AMLC can also freeze assets connected to non-compliant institutions.
When will PhilSys integration become mandatory for fintechs?
BSP has signaled that PhilSys integration is expected for all BSP-supervised financial institutions as the national ID system achieves full population coverage. While no firm deadline has been set, fintechs applying for new licenses should build their KYC architecture to support PhilSys verification from the start. Early adopters gain a competitive advantage in onboarding speed and verification accuracy.
What KYC records must Philippine fintechs retain, and for how long?
BSP requires all KYC records, including customer identification documents, verification logs, transaction records, and risk assessments, to be retained for at least five years after the business relationship ends. SEC-regulated fintechs must follow similar retention requirements under the Anti-Money Laundering Act. Fintechs should implement secure, searchable digital archives that can produce records on demand during regulatory examinations.
How does FATF grey list removal affect KYC compliance requirements for Philippine fintechs?
The FATF grey list removal in February 2025 confirmed that the Philippines has strengthened its AML and KYC frameworks to international standards. While removal does not introduce new regulatory requirements overnight, it signals that BSP and AMLC will sustain elevated enforcement standards. Philippine fintechs can expect more rigorous licensing examinations and reduced tolerance for KYC documentation gaps. For fintechs pursuing international partnerships, FATF compliance status also affects correspondent banking relationships and cross-border payment processing approvals.
Building a Compliant Fintech Starts with KYC Infrastructure
KYC compliance is the foundation on which every Philippine fintech is built. Whether you are launching a digital bank, scaling an online lending platform, or entering the virtual asset space, your ability to verify customer identities accurately, consistently, and in accordance with BSP and SEC regulations determines your ability to operate.
The Philippine fintech market is growing rapidly, with over 300 active companies and increasing regulatory scrutiny following FATF grey list removal. Fintechs that invest in robust, automated KYC infrastructure from the start will move faster through licensing, reduce fraud losses, and scale customer acquisition without compliance bottlenecks. Those that treat KYC as an afterthought will struggle with regulatory delays and operational risk.
For a comprehensive overview of Philippine KYC regulations across all industries, read our complete guide to KYC in the Philippines.
Ready to build a BSP-compliant KYC system? Contact Verihubs to get a compliance consultation and see how our identity verification API integrates with your fintech platform.
