Alongside the rapid growth of the financial and banking sector, regulatory frameworks across many Southeast Asian countries have been continuously updated and refined to enhance safety and security in financial operations.
In Vietnam, Singapore, the Philippines, and Malaysia, newly issued regulations go beyond technical compliance requirements and increasingly focus on protecting users and strengthening trust in digital financial systems. Safeguarding digital identities, personal data, and financial transactions is now widely recognized as a prerequisite for the sustainable development of the electronic financial ecosystem. In response to these increasingly stringent requirements, financial institutions are compelled to comprehensively upgrade their authentication capabilities, security controls, and risk-management frameworks.
Security Requirements for Open API Implementation
The rapid expansion of digital banking, e-wallets, Open Banking, and fintech partnership models has made fraud, cyberattacks, and data leakage common challenges across the region. Establishing strict security requirements for Open API implementation has therefore become a critical prerequisite for protecting financial systems and maintaining customer trust.
In Singapore, as early as 2016, the Monetary Authority of Singapore (MAS) issued Open Banking and API guidelines requiring financial institutions to implement strong authentication mechanisms, customer consent management, identity and access control, and strict authorization when sharing data with partners. From an early stage, Singapore mandated standards such as secure API gateways, OAuth/OIDC-based security, multi-factor authentication (MFA), and contextual access monitoring as foundational requirements for sustaining trust within the open financial ecosystem.

In 2021, the Philippines introduced the Open Finance Framework, which defines a phased roadmap for data sharing with clearly articulated technical, governance, and security standards aimed at building an open financial ecosystem.
One year later, in 2022, Bank Negara Malaysia (BNM) launched the Open API Framework, providing clear guidance on how banks and third-party fintech providers can securely share data. The framework emphasizes strict security controls, customer-consent-based access management, and technical reference guidelines to promote innovation and fair competition within the digital financial ecosystem.
In Vietnam, Circular 64/2024/TT-NHNN regulates the implementation of Open Application Programming Interfaces (Open APIs) in the banking sector, allowing credit institutions to connect and collaborate with third parties to deliver new financial services. However, ecosystem expansion must be accompanied by stringent requirements for authentication, access control, data protection, and customer consent management. The Circular also defines a clear roadmap for banks that have already deployed Open APIs, ensuring a controlled and secure transition process.
Data Protection and Financial Fraud Prevention Requirements
Singapore and the Philippines have long established comprehensive legal frameworks to protect customer data. Singapore is a regional pioneer in data-protection and digital-banking regulation. The Personal Data Protection Act (PDPA), enacted in 2012 and amended in 2020, provides detailed rules governing the collection, use, and storage of personal data, and requires organizations to notify authorities in the event of data breaches. In the banking sector, the Technology Risk Management Guidelines issued by MAS mandate multi-factor authentication (MFA), the use of OTPs or biometrics, and enhanced monitoring of high-risk transactions.

The Philippines adopted the Data Privacy Act in 2012, one of the earliest such frameworks in the region, granting users the right to access, correct, and delete personal data. Compliance is overseen by the National Privacy Commission (NPC). In banking, the Bangko Sentral ng Pilipinas (BSP) mandates MFA for electronic payment services, the implementation of eKYC, and device and transaction risk management.
Most recently, BSP Circulars 1213 and 1214 were issued in response to rising financial account fraud, to enforce the Anti-Financial Account Scamming Act (AFASA). These regulations emphasize enhanced technology risk management, the adoption of modern authentication methods, and the establishment of coordinated investigation and information-sharing mechanisms between banks and law-enforcement authorities. Specifically:
- BSP Circular 1213 revises IT risk-management requirements by mandating phishing-resistant MFA for all digital transactions, reducing reliance on SMS/email OTPs, and prioritizing modern approaches such as FIDO-based passkeys, device binding, and continuous session monitoring to combat fraud more effectively in compliance with AFASA.
- BSP Circular 1214 governs procedures for financial account investigations and information sharing to enforce AFASA. It authorizes the BSP to investigate suspected fraudulent accounts, obtain data-access warrants, and coordinate with law-enforcement agencies, with the overarching goal of strengthening cybercrime prevention, protecting customers, and reinforcing trust in digital financial systems.
In Vietnam, the Personal Data Protection Decrees (2023), together with the Cybersecurity Law (2018), impose strict requirements on customer consent, impact assessments for sensitive data, and data localization. More recently, Circular 50/2024/TT-NHNN establishes security requirements for online banking services, mandating that credit institutions and foreign bank branches implement customer-protection guidelines (PINs, OTPs, fraud awareness), encryption, access monitoring, and incident reporting to ensure confidentiality, integrity, and availability while protecting customer rights.
Overall, regulatory priorities in Singapore, Vietnam, the Philippines, and Malaysia converge around the adoption of advanced security measures to protect customers from technological risks, online fraud, and cyberattacks, alongside clearly defined Open API implementation roadmaps.
Strengthening Authentication and Security with Savyint’s Comprehensive Solutions
In response to increasingly stringent compliance requirements, Savyint delivers a comprehensive security ecosystem that enables banks and financial institutions to effectively comply with Circulars 64 and 50, as well as BSP Circulars 1213 and 1214, while strengthening long-term security capabilities and risk governance. Savyint’s solution portfolio is built around four core pillars: Secure Payments, Open Banking, Data Protection, and Digital Trust.
Under the Secure Payments pillar, Savyint deploys strong customer authentication (SCA), multi-factor authentication (MFA), Smart OTP, passkeys, FIDO2, biometrics, 3D Secure, tokenization, and fraud-management capabilities such as risk scoring and real-time monitoring. This security layer directly protects card payments, e-wallets, online transfers, and e-commerce transactions, reducing fraud risks for customers, financial institutions, and merchants while safeguarding wallet and card data.
To support controlled Open API connectivity under Circular 64 and Open Banking standards, Savyint provides a full Open Banking solution suite, including API Management, Open Banking Portal, Consent Management, CIAM/SCA-PSD2, TPP Management, and Tokenization. These solutions enable banks to securely deploy Open APIs with strict access control, robust customer consent management, and purpose-limited data sharing in line with security and compliance requirements.
For transaction and data protection, Savyint secures information throughout its lifecycle with solutions such as Sam Appliance, Sam Auth Server, Savyint PKI-in-a-Box, Enterprise Security Appliance, KMS, and DSS.
Notably, Sam Appliance is an all-in-one platform for data encryption, digital signatures, and mobile identity, featuring a FIPS 140-2 Level 3-certified server appliance integrated with Hardware Security Modules (HSMs), SAM software, key-management systems, and digital-signing software. This flexible security platform supports diverse deployment needs across banking, finance, healthcare, education, telecommunications, broadcasting, and media sectors.

Beyond digital signatures for invoices, contracts, documents, certificates, and payment records, Sam Appliance is built on a Cryptographic Security Platform (CSP) and integrates SCA and MFA, PKI-based passwordless authentication, tokenization, end-to-end encrypted transaction signing, advanced mobile security, and post-quantum cryptography (PQC) readiness. It also supports blockchain and cryptocurrency integration, mobile payments, digital wallets, timestamped digital signatures, and long-term electronic archiving for 5, 10, or 20 years.
Finally, Savyint’s Digital Trust solutions play a critical role in building trust through reliable identity, digital-signature, and trusted-archiving services, including Smart eKYC, Mobile Identity/SDK, Consent Management, Qualified Trust Services, Signing Server, e-Stamp, ePaperless, and eArchive. These solutions not only enable secure authentication and transaction approval but also meet legal requirements for data integrity, tamper resistance, and long-term retention – supporting fraud investigation and traceability in line with BSP Circulars 1213 and 1214.
All Savyint solutions comply with leading regional and international standards and regulations, including FIPS 140-2 Level 3, ISO 9001:2015, ISO 14001:2015, ISO 27001:2022, GDPR, SOC 2 Type II, HIPAA, and PCI DSS.
As fraud and cyber threats continue to escalate, compliance with Circulars 64 and 50 and BSP Circulars 1213 and 1214 is not merely a regulatory obligation but a foundational requirement for security, resilience, and trust in digital banking.
Connect with Savyint experts today to strengthen authentication and transaction security in the digital finance era.






