How fintech stays protected amidst BSP’s brand-new cyber durability push
To understand how AI is helping fintechs navigate this evolving landscape, I spoke with Ramprakash Ramamoorthy, director of AI research study at ManageEngine and Zoho. ManageEngine, a division of Zoho, offers more than 50 enterprise IT management tools. Ramamoorthy emphasized that education is important at every level: “Everybody, right from the consumer to the employees who are working in your IT department of your fintech, have to be consistently informed because this is not a one-time certificate.” Ramamoorthy pointed to one of the most common vulnerabilities among Philippine fintechs: “Overreliance on mobile OTP.” When it comes to day-to-day operations and internal security practices, Ramamoorthy highlighted three essential areas that fintechs should not neglect, including constant patch management, role-based access control, and secure development pipelines. Ramamoorthy said AI-powered tools can help fintechs strengthen authentication, manage access, and secure their networks.
Digital Payments and Fintech Growth in the Philippines
As digital payments become a part of everyday life in the Philippines, fintech is growing rapidly, and so are the associated risks. Cybersecurity is now central to trust, operations, and compliance. Financial institutions face not just growing cyber risks but also increased regulatory pressure from bodies like the Bangko Sentral ng Pilipinas (BSP), which recently introduced the Financial Cyber Resilience Governance Council (FCRGC). To understand how AI is helping fintechs navigate this evolving landscape, I spoke with Ramprakash Ramamoorthy, director of AI research study at ManageEngine and Zoho. ManageEngine, a division of Zoho, provides more than 50 enterprise IT management tools. These include endpoint identity, access and security management, and server monitoring. According to Ramamoorthy, what sets the company apart is its enduring design: “completely bootstrapped and profitable since 1996,” with all products built in-house instead of acquired. With a strong presence across Southeast Asia, including key clients in the Philippines, ManageEngine focuses on delivering what he described as “easy, scalable, and affordable” cybersecurity services. Ramamoorthy pointed to the Philippines’ digital payments boom. The BSP initially set a goal to make half of retail transactions digital by 2024, and the country not only met that target but exceeded it. By the end of the year, “nearly 65 percent of merchant payments,” “20 percent of peer-to-peer transfers,” and “6 percent of B2B payments” were digital. With this growth came new threats. Cybercrime rose “by 150 percent between 2022 and 2024,” resulting in losses of P5.82 billion. As fintech adoption expands into more rural areas, the risk landscape also becomes more complex. Common threats now include SIM swapping, credential deepfake, phishing, and stuffing scams. Ramamoorthy stressed that education is critical at every level: “Everyone, right from the consumer to the employees who are working in your IT department of your fintech, need to be regularly informed because this is not a one-time certificate.” The company has been investing in AI since 2011, well before the technology became mainstream. “Only now the technology has become very consumer-ish with the likes of ChatGPT,” Ramamoorthy noted. But for security, he said, companies need “specialized, bespoke models that are tailor-made for security events.” Their user and entity behavior analytics (UEBA) system uses behavior-based analytics to detect anomalies. Ramamoorthy explained it with a simple example: “Ramprakash typically logs in at 9 a.m. Suddenly there is a multiple login attempt at 3 a.m. from a new location. That’s not normal.” These tools help reduce false positives and identify threats, such as zero-day attacks, ransomware, and phishing. “The moment we detect ransomware, we restore the system to the latest backup.” Ramamoorthy pointed to one of the most common vulnerabilities among Philippine fintechs: “Overreliance on mobile OTP. This can be easily intercepted.” He recommends transitioning to app-based two-factor authentication secured with biometrics. His team uses Zoho’s OneAuth, which supports fingerprint and Face ID and “is much harder to intercept than SMS.” He also raised concerns about the growing threat of deepfakes. “With just a one-minute video and one-minute audio, and three to four images of yours, it’s very easy to create a deepfake. What was once meant for celebrities, politicians, and so on is now so easy to produce at scale.” When it comes to day-to-day operations and internal security practices, Ramamoorthy highlighted three crucial areas that fintechs must not overlook, including constant patch management, role-based access control, and secure development pipelines. Busy teams often overlook security to meet product deadlines. “Security must be built into the process from the beginning. The moment I change my department, my credentials have to be revoked.” As the BSP’s FCRGC raises the bar for compliance, Ramamoorthy said AI and automation can help companies keep pace. The FCRGC is a collaborative effort by the BSP and key financial industry players to build a robust and adaptive defense against the ever-evolving landscape of cyber threats, ensuring the stability and reliability of the Philippine financial system. Ramamoorthy said AI-powered tools can help fintechs strengthen authentication, manage access, and secure their networks. These tools also make it easier for companies to remain prepared for audits. He encouraged regulators to explore practical models, such as Australia’s Essential Eight, which focuses on fundamentals like regular patching, strong authentication, and clear access control policies. For smaller fintechs without the capacity for an entire security team, his message was clear: “Start with the basics. Keep systems patched, define your incident response plan, and educate your staff continuously.” For fintechs navigating an increasingly complex threat landscape, getting the basics right may be the most effective defense.
