Philippines BSP Circular 1198 and the operational resilience framework
The Bangko Sentral ng Pilipinas issued its operational resilience framework in September 2024. It pulls the Philippine financial sector into the same supervisory direction as the wider region.

The Bangko Sentral ng Pilipinas issued Circular 1198 on the Operational Resilience Framework in September 2024, building on its longstanding operational risk and business continuity expectations and on Circular 1140 on the Information Technology Risk Management Framework, which had updated the IT risk regime in 2022. The circulars together set a comprehensive expectation on Philippine banks, quasi-banks and other BSP-supervised financial institutions to identify critical operations, manage disruption and demonstrate resilience to the supervisor.
The framework follows the international shape now familiar across the region. Institutions are expected to identify critical operations whose disruption would materially affect customers, the institution or the broader financial system. They are expected to set tolerances for disruption that the board can defend. They are expected to map the people, processes, technology, information and third parties that support each critical operation, and to test their ability to remain within tolerance under severe but plausible scenarios. Governance, third-party risk and lessons-learned processes wrap around the operating model.
The Philippine context shapes implementation in specific ways. The country is one of the most disaster-prone in the world, with regular exposure to typhoons, earthquakes, volcanic activity and flooding. Operational resilience planning that does not take this seriously, including for staff safety and for the availability of branch and contact centre operations during and after physical events, will not survive supervisory scrutiny. The regular cadence of regional disruption makes resilience a lived expectation rather than an abstract one.
Digital payments resilience is a parallel concern. The BSP's Digital Payments Transformation Roadmap has driven a rapid increase in the share of payments handled digitally, including through InstaPay and PESONet, and the supervisor has been clear that the resilience of the digital payments stack is a system-level priority. Recent incidents affecting payment availability across multiple institutions have reinforced the point that participants need to plan for events that affect shared infrastructure, not only events that affect their own systems.
Cyber expectations have been progressively tightened through a series of BSP circulars and memoranda, including specific guidance on social engineering, account takeover and the reimbursement of unauthorised transfers. The supervisory focus is moving beyond technical controls towards the customer experience during and after incidents, including the speed and consistency of customer communication, the availability of dispute channels and the institution's ability to absorb the operational load of a major fraud event.
Third-party risk is a maturing area. The Philippine market features both global service providers serving the major institutions and a dense network of domestic technology, processing and operations vendors supporting the broader sector. BSP expectations on third-party arrangements have been strengthened, and supervisory dialogue has focused on the visibility institutions have into critical vendors' own resilience posture, rather than only into the contractual provisions on paper.
For Philippine institutions building their 2026 plans, three points stand out. Anchor the critical operations list in the customer experience during a typhoon, a payments outage or a cyber event, because that is what the supervisor and the public will judge. Treat the digital payments stack as a shared resilience system in which the institution is one participant, not as a purely internal capability. And invest in third-party visibility rather than only in third-party contracts, because the next significant disruption will almost certainly involve a vendor.

