By Q4 2026, the Bangko Sentral ng Pilipinas (BSP) will require every supervised financial institution to submit an AI model risk inventory covering credit scoring, fraud detection, and onboarding. A 2025 BSP survey found that only 28% of lenders had a documented model governance framework, leaving roughly 72% of institutions exposed to enforcement action (Source: Bangko Sentral ng Pilipinas, 2025). For digital lenders, neo-banks, and rural banks piloting machine learning, the clock just started ticking.
The new Circular 1213 (draft for public consultation in late 2025) extends the existing Model Risk Management framework into the AI era. The intent is clear: financial AI in the Philippines will no longer run as a black box. The question is whether the industry is ready, and what the early movers are doing differently.
What BSP Circular 1213 Actually Demands
The circular's core requirement is a Model Risk Inventory (MRI) - a live registry of every AI/ML model in production, ranked by materiality. A model that declines a loan application is high-materiality. A model that picks the color of a button is not. Each entry must record training data lineage, performance metrics, bias testing, and a named human owner (Source: Bangko Sentral ng Pilipinas, 2025).
The second pillar is explainability. Lenders must produce, on request, a customer-facing reason code for any adverse AI decision. This is not a future requirement; BSP Memorandum M-2025-037 already requires this for digital banks using automated decisioning (Source: Bangko Sentral ng Pilipinas, 2025).
The third pillar is ongoing monitoring. Models drift. A credit model trained on 2023 cash-flow data decays quickly when inflation and OFW remittance patterns shift. The circular mandates quarterly performance reviews, with a kill switch for any model that breaches defined thresholds (Source: Bangko Sentral ng Pilipinas, 2025).
The State of Philippine Fintech AI
The Philippines processed an estimated 2.1 billion digital transactions in 2024, with e-wallets (GCash, Maya) accounting for over 60% of person-to-person transfers (Source: BSP, 2024). Behind every transfer sits a fraud model scanning thousands of variables in milliseconds.
The same infrastructure is increasingly used for credit decisions. Maya Bank disclosed that over 70% of its personal loan approvals in 2024 were issued without human review, an industry high (Source: Maya Bank Annual Report, 2024). Tonik, UnionDigital, and several rural banks have followed suit. The result: faster approvals, but a growing surface area for regulatory and reputational risk.
Where Lenders Are Failing Today
The 72% compliance gap is not because lenders are careless. It is because the work is genuinely hard. Most Philippine fintechs built their first models in 2022-2023, before governance was a board-level concern. The engineers who wrote the code are still there, but the documentation never was.
Common failure patterns include:
- Models retrained weekly by a notebook, with no version control
- Training data sourced from SQL extracts that no longer exist
- Bias tests run once, on a single demographic slice
- No formal model owner - the "AI person" also does DevOps
The Three Moves Smart Lenders Are Making Now
1. They are freezing production AI in place until it is inventoried. A full stop is painful, but a surprise BSP finding is fatal. Lenders that began MRI build-out in mid-2025 now have a defensible position.
2. They are buying, not building, model governance tooling. Solutions from FICO, SAS, and a growing set of Manila-based vendors (e.g., AI Pros, SQREEM) offer pre-built MRIs, fairness dashboards, and explainability reports. Build-vs-buy has tilted toward buy because the regulation is prescriptive enough to commoditize compliance.
3. They are appointing a Model Risk Officer (MRO) with real authority. A 2024 McKinsey survey found that financial institutions with a dedicated MRO completed AI audits 3.4x faster than those without (Source: McKinsey & Company, 2024). The MRO does not need to be a data scientist; they need to be a translator between the BSP, the board, and the engineering team.
What Happens If You Miss the Deadline
The BSP's enforcement track record is uneven but not toothless. In 2023, the regulator fined three digital lenders for privacy and credit-scoring violations, with penalties ranging from PHP 5 million to PHP 50 million (Source: BSP Enforcement Reports, 2023). AI-specific enforcement under Circular 1213 is expected to be graduated: first a remediation order, then a public warning, then monetary penalties tied to the percentage of in-scope models without proper documentation.
For smaller lenders, the practical risk is not the fine. It is the operational freeze that follows. If a model is declared "non-compliant" mid-quarter, the institution may have to revert to manual underwriting - a process most digital lenders have already dismantled.
A 90-Day Plan for Compliance
If your institution has not started, the path is shorter than it looks.
Days 1-30: Inventory. List every model in production. Use a spreadsheet if you must. The point is to know what exists before the BSP asks.
Days 31-60: Document. For each model, capture: data sources, training date, owner, last bias test, last performance review. If the data is missing, that is itself a finding you can address.
Days 61-90: Remediate. Pick the three highest-materiality models. Build the explainability and monitoring layer the circular demands. File the rest as "in remediation."
FAQ
Q: Does Circular 1213 apply to GCash and Maya, or only banks?
A: The circular applies to all BSP-supervised financial institutions, including digital banks and standalone e-money issuers above a defined transaction threshold. GCash (Globe Fintech Innovations) and Maya Bank are explicitly in scope.
Q: What is the penalty for missing the Q4 2026 deadline?
A: The BSP has not published a fixed penalty schedule. Expected consequences include a formal remediation order, a public advisory, and, for repeat offenders, monetary fines. Operational restrictions on affected models are also possible.
Q: Can a third-party vendor manage my Model Risk Inventory?
A: Yes. The circular allows outsourcing of model documentation, monitoring, and even bias testing, but accountability remains with the supervised institution. The BSP must approve material outsourcing arrangements.
Q: How is "AI" defined under the circular?
A: The draft definition covers any statistical or machine learning model used in a material business decision, including credit scoring, fraud detection, KYC, and customer segmentation. Rules-based engines are out of scope.
Key Takeaway
The 72% compliance gap is not a permanent state - it is a 90-day project for any institution willing to freeze, document, and remediate. Philippine fintech has spent the last five years building faster. The next twelve months will be about building defensibly. The lenders who treat AI governance as a strategic capability, not a checkbox, will be the ones still standing when the audit lands.
What is your institution's MRI completion rate today - and what is the single biggest blocker to getting it to 100%?

Top comments (0)