Blog

AFASA Explained: What the Philippines’ New Anti-Scam Law Really Means for Banks, Fintechs, and Consumers

Site Logo
Tookitaki
12 December 2025
read
7 min

If there is one thing everyone in the financial industry felt in the last few years, it was the speed at which scams evolved. Fraudsters became smarter, attacks became faster, and stolen funds moved through dozens of accounts in seconds. Consumers were losing life savings. Banks and fintechs were overwhelmed. And regulators had to act.

This is the backdrop behind the Anti-Financial Account Scamming Act (AFASA), Republic Act No. 12010 — the Philippines’ most robust anti-scam law to date. AFASA reshapes how financial institutions detect fraud, protect accounts, coordinate with one another, and respond to disputes.

But while many have written about the law, most explanations feel overly legalistic or too high-level. What institutions really need is a practical, human-friendly breakdown of what AFASA truly means in day-to-day operations.

This blog does exactly that.

Talk to an Expert

What Is AFASA? A Simple Explanation

AFASA exists for a clear purpose: to protect consumers from rapidly evolving digital fraud. The law recognises that as more Filipinos use e-wallets, online banking, and instant payments, scammers have gained more opportunities to exploit vulnerabilities.

Under AFASA, the term financial account is broad. It includes:

  • Bank deposit accounts
  • Credit card and investment accounts
  • E-wallets
  • Any account used to access financial products and services

The law focuses on three main categories of offences:

1. Money Muling

This covers the buying, selling, renting, lending, recruiting, or using of financial accounts to receive or move illicit funds. Many young people and jobseekers were unknowingly lured into mule networks — something AFASA squarely targets.

2. Social Engineering Schemes

From phishing to impersonation, scammers have mastered psychological manipulation. AFASA penalises the use of deception to obtain sensitive information or access accounts.

3. Digital Fraud and Account Tampering

This includes unauthorised transfers, synthetic identities, hacking incidents, and scams executed through electronic communication channels.

In short: AFASA criminalises both the scammer and the infrastructure used for the scam — the accounts, the networks, and the people recruited into them.

Why AFASA Became Necessary

Scams in the Philippines reached a point where traditional fraud rules, old operational processes, and siloed detection systems were not enough.

Scam Trend 1: Social engineering became hyper-personal

Fraudsters learned to sound like bank agents, government officers, delivery riders, HR recruiters — even loved ones. OTP harvesting and remote access scams became common.

Scam Trend 2: Real-time payments made fraud instant

InstaPay and other instant channels made moving money convenient — but also made stolen funds disappear before anyone could react.

Scam Trend 3: Mule networks became organised

Criminal groups built structured pipelines of mule accounts, often recruiting vulnerable populations such as students, OFWs, and low-income households.

Scam Trend 4: E-wallet adoption outpaced awareness

A fast-growing digital economy meant millions of first-time digital users were exposed to sophisticated scams they were not prepared for.

AFASA was designed to break this cycle and create a safer digital financial environment.

New Responsibilities for Banks and Fintechs Under AFASA

AFASA introduces significant changes to how institutions must protect accounts. It is not just a compliance exercise — it demands real operational transformation.

These responsibilities are further detailed in new BSP circulars that accompany the law.

1. Stronger IT Risk Controls

Financial institutions must now implement advanced fraud and cybersecurity controls such as:

  • Device fingerprinting
  • Geolocation monitoring
  • Bot detection
  • Blacklist screening for devices, merchants, and IPs

These measures allow institutions to understand who is accessing accounts, how, and from where — giving them the tools to detect anomalies before fraud occurs.

2. Mandatory Fraud Management Systems (FMS)

Both financial institutions and clearing switch operators (including InstaPay and PESONet) must operate real-time systems that:

  • Flag suspicious activity
  • Block disputed or high-risk transactions
  • Detect behavioural anomalies

This ensures that fraud monitoring is consistent across the payment ecosystem — not just within individual institutions.

3. Prohibition on unsolicited clickable links

Institutions can no longer send clickable links or QR codes to customers unless explicitly initiated by the customer. This directly tackles phishing attacks that relied on spoofed messages.

4. Continuous customer awareness

Banks and fintechs must actively educate customers about:

  • Cyber hygiene
  • Secure account practices
  • Fraud patterns and red flags
  • How to report incidents quickly

Customer education is no longer optional — it is a formally recognised part of fraud prevention.

5. Shared accountability framework

AFASA moves away from the old “blame the victim” mentality. Fraud prevention is now a shared responsibility across:

  • Financial institutions
  • Account owners
  • Third-party service providers

This model recognises that no single party can combat fraud alone.

The Heart of AFASA: Temporary Holding of Funds & Coordinated Verification

Among all the changes introduced by AFASA, this is the one that represents a true paradigm shift.

Previously, once stolen funds were transferred out, recovery was almost impossible. Banks had little authority to stop or hold the movement of funds.

AFASA changes that.

Temporary Holding of Funds

Financial institutions now have the authority — and obligation — to temporarily hold disputed funds for up to 30 days. This includes both the initial hold and any permitted extension. The purpose is simple:
freeze the money before it disappears.

Triggers for Temporary Holding

A hold can be initiated through:

  • A victim’s complaint
  • A suspicious transaction flagged by the institution’s FMS
  • A request from another financial institution

This ensures that action can be taken proactively or reactively depending on the scenario.

Coordinated Verification Process

Once funds are held, institutions must immediately begin a coordinated process that involves:

  • The originating institution
  • Receiving institutions
  • Clearing entities
  • The account owners involved

This process validates whether the transaction was legitimate or fraudulent. It creates a formal, structured, and time-bound mechanism for investigation.

Detailed Transaction Logs Are Now Mandatory

Institutions must maintain comprehensive transaction logs — including device information, authentication events, IP addresses, timestamps, password changes, and more. Logs must be retained for at least five years.

This gives investigators the ability to reconstruct transactions and understand the full context of a disputed transfer.

An Industry-Wide Protocol Must Be Built

AFASA requires the entire industry to co-develop a unified protocol for handling disputed funds and verification. This ensures consistency, promotes collaboration, and reduces delays during investigations.

This is one of the most forward-thinking aspects of the law — and one that will significantly raise the standard of scam response in the country.

BSP’s Expanded Powers Through CAPO

AFASA also strengthens regulatory oversight.

BSP’s Consumer Account Protection Office (CAPO) now has the authority to:

  • Conduct inquiries into financial accounts suspected of involvement in fraud
  • Access financial account information required to investigate prohibited acts
  • Coordinate with law enforcement agencies

Crucially, during these inquiries, bank secrecy laws and the Data Privacy Act do not apply.

This is a major shift that reflects the urgency of combating digital fraud.

Crucially, during these inquiries, bank secrecy laws and the Data Privacy Act do not apply.

This is a major shift that reflects the urgency of combating digital fraud.

ChatGPT Image Dec 11, 2025, 04_47_15 PM

Penalties Under AFASA

AFASA imposes serious penalties to deter both scammers and enablers:

1. Criminal penalties for money muling

Anyone who knowingly participates in using, recruiting, or providing accounts for illicit transfers is liable to face imprisonment and fines.

2. Liability for failing to protect funds

Institutions may be held accountable if they fail to properly execute a temporary hold when a dispute is raised.

3. Penalties for improper holding

Institutions that hold funds without valid reason may also face sanctions.

4. Penalties for malicious reporting

Consumers or individuals who intentionally file false reports may also be punished.

5. Administrative sanctions

Financial institutions that fail to comply with AFASA requirements may be penalised by BSP.

The penalties underscore the seriousness with which the government views scam prevention.

What AFASA Means for Banks and Fintechs: The Practical Reality

Here’s what changes on the ground:

1. Fraud detection becomes real-time — not after-the-fact

Institutions need modern systems that can flag abnormal behaviour within seconds.

2. Dispute response becomes faster

Timeframes are tight, and institutions need streamlined internal workflows.

3. Collaboration is no longer optional

Banks, e-wallets, payment operators, and regulators must work as one system.

4. Operational pressure increases

Fraud teams must handle verification, logging, documentation, and communication under strict timelines.

5. Liability is higher

Institutions may be held responsible for lapses in protection, detection, or response.

6. Technology uplift becomes non-negotiable

Legacy systems will struggle to meet AFASA’s requirements — particularly around logging, behavioural analytics, and real-time detection.

How Tookitaki Helps Institutions Align With AFASA

AFASA sets a higher bar for fraud prevention. Tookitaki’s role as the Trust Layer to Fight Financial Crime helps institutions strengthen their AFASA readiness with intelligent, real-time, and collaborative capabilities.

1. Early detection of money mule networks

Through the AFC Ecosystem’s collective intelligence, institutions can detect mule-like patterns sooner and prevent illicit transactions before they spread across the system.

2. Real-time monitoring aligned with AFASA needs

FinCense’s advanced transaction monitoring engine flags suspicious activity instantly — helping institutions support temporary holding procedures and respond within required timelines.

3. Deep behavioural intelligence and comprehensive logs

Tookitaki provides the contextual understanding needed to trace disputed transfers, reconstruct transaction paths, and support investigative workflows.

4. Agentic AI to accelerate investigations

FinMate, the AI investigation copilot, streamlines case analysis, surfaces insights quickly, and reduces investigation workload — especially crucial when time-sensitive AFASA processes are triggered.

5. Federated learning for privacy-preserving model improvement

Institutions can enhance detection models without sharing raw data, aligning with AFASA’s broader emphasis on secure and responsible handling of financial information.

Together, these capabilities enable banks and fintechs to strengthen fraud defences, modernise their operations, and protect financial accounts with confidence.

Looking Ahead: AFASA’s Long-Term Impact

AFASA is not a one-time regulatory update — it is a structural shift in how the Philippine financial ecosystem handles scams.

Expect to see:

  • More real-time fraud rules and guidance
  • Industry-wide technical standards for dispute management
  • Higher expectations for digital onboarding and authentication
  • Increased coordination between banks, fintechs, and regulators
  • Greater focus on intelligence-sharing and network-level detection

Most importantly, AFASA lays the foundation for a safer, more trusted digital economy — one where consumers have confidence that institutions and regulators can protect them from fast-evolving threats.

Conclusion

AFASA represents a turning point in the Philippines’ fight against financial scams. It transforms how institutions detect fraud, protect accounts, collaborate with others, and support customers. For banks and fintechs, the message is clear: the era of passive fraud response is over.

The institutions that will thrive under AFASA are those that embrace real-time intelligence, strengthen operational resilience, and adopt technology that enables them to stay ahead of criminal innovation.

The Philippines has taken a bold step toward a safer financial system — and now, it’s time for the industry to match that ambition.

Talk to an Expert

Ready to Streamline Your Anti-Financial Crime Compliance?

Our Thought Leadership Guides

Blogs
01 Apr 2026
5 min
read

Inside the Scam Compound: What the Thai-Cambodian Border Case Reveals About Modern Financial Crime

Learn what the Cambodia-linked scam compound near the Thai border reveals about fraud networks, AML risks, and cross-border financial crime.

Inside the Scam Compound: What the Thai-Cambodian Border Case Reveals About Modern Financial Crime
Blogs
24 Mar 2026
5 min
read

Living Under the STR Clock: The Growing Pressure on AML Investigators

AML investigators face increasing pressure to make Suspicious Transaction Report decisions under tight timelines and growing alert volumes. Explore the challenges behind STR reporting and the shift toward intelligence-led investigations.

Living Under the STR Clock: The Growing Pressure on AML Investigators
Blogs
17 Mar 2026
5 min
read

Inside a S$920,000 Scam: How Fake Officials Turned Trust Into a Weapon

A closer look at Singapore’s S$920,000 official impersonation scam and what it reveals about evolving fraud, scam typologies, and AML risk.

Inside a S$920,000 Scam: How Fake Officials Turned Trust Into a Weapon