Lawzana Lawzana Logo
FIND A LAWYER
Lawzana Logo
For Lawyers
Pricing & Plans Websites for lawyers Marketing services Legal Jobs Blog
REGISTER FOR FREE

Existing user? Sign in

Guide to BSP Fintech Regulatory Compliance in the Philippines

Corporate Governance
Philippines
Updated Feb 23, 2026

  • Fintech companies in the Philippines are primarily regulated by the Bangko Sentral ng Pilipinas (BSP) under the Manual of Regulations for Non-Bank Financial Institutions.
  • Minimum capital requirements range from PHP 20 million to PHP 200 million, depending on the license type and business model.
  • All fintech startups must register with the Anti-Money Laundering Council (AMLC) and the National Privacy Commission (NPC) before beginning operations.
  • The BSP offers a "Test-and-Learn" framework (Regulatory Sandbox) that allows startups to test innovative products in a controlled environment for up to 12 months.

Fintech Compliance Checklist for Philippine Startups

To successfully launch a fintech venture in the Philippines, you must meet specific corporate and regulatory milestones. This checklist outlines the essential steps for international and local founders to ensure full legal alignment with the BSP and other governing bodies.

  • Corporate Incorporation: Register your entity with the Securities and Exchange Commission (SEC) with the appropriate primary purpose in your Articles of Incorporation.
  • Capitalization: Deposit the required minimum paid-up capital into a Philippine bank account based on your specific license category (EMI, VASP, or OPS).
  • BSP Registration/Licensing: Obtain either a Certificate of Registration (for Operators of Payment Systems) or a formal license (for EMIs and VASPs) from the BSP's Financial Supervision Sector.
  • AMLC Registration: Register as a "Covered Person" on the AMLC portal and appoint a Compliance Officer.
  • Data Privacy Compliance: Appoint a Data Privacy Officer (DPO) and register your Data Processing Systems with the National Privacy Commission (NPC).
  • Local Business Permits: Secure a Mayor's Permit and Business Permit from the Local Government Unit (LGU) where your office is located.
  • Tax Registration: Register with the Bureau of Internal Revenue (BIR) to obtain your Tax Identification Number (TIN) and Authority to Print (ATP) invoices.

Categories of EMI and VASP Licenses in the Philippines

Hierarchy diagram showing EMI, VASP, and OPS license categories in the Philippines
Hierarchy diagram showing EMI, VASP, and OPS license categories in the Philippines

The BSP categorizes fintech entities based on the nature of their digital asset handling and payment services. Electronic Money Issuers (EMI) focus on digital representations of fiat currency, while Virtual Asset Service Providers (VASP) facilitate the exchange or transfer of digital assets like cryptocurrencies.

Electronic Money Issuers (EMI)

EMIs are entities that provide money transfer or payment services where the value is stored electronically. Under BSP Circular No. 1166, EMIs are classified into two categories:

  • EMI-Banks: Banks offering e-money services.
  • EMI-Non-Bank Financial Institutions (EMI-NBFI): These are further divided into EMI-Others (Large), which have a 12-month average of aggregated inflow and outflow transactions equal to or greater than PHP 25 billion, and EMI-Others (Small) for those below that threshold.

Virtual Asset Service Providers (VASP)

A VASP license is required for businesses that facilitate the exchange between virtual assets (VAs) and fiat currencies, the exchange between one or more forms of VAs, or the transfer and custody of VAs. The BSP closely monitors VASPs to mitigate risks associated with price volatility and cybersecurity. If your platform allows users to buy Bitcoin using Philippine Pesos or store digital tokens in a custodial wallet, a VASP license is mandatory.

Minimum Capitalization Requirements for Digital Payment Providers

Minimum capitalization requirements for fintech startups in the Philippines vary significantly based on the license type and the scale of operations. These thresholds ensure that firms maintain sufficient liquidity to protect consumer interests and maintain systemic financial stability.

The following table summarizes the capital requirements for the most common fintech licenses:

License Type Category Minimum Capital Requirement
Electronic Money Issuer (EMI) EMI-Others (Large) PHP 200 Million
Electronic Money Issuer (EMI) EMI-Others (Small) PHP 100 Million
Virtual Asset Service Provider (VASP) With Custodial Services PHP 50 Million
Virtual Asset Service Provider (VASP) Without Custodial Services PHP 20 Million
Operator of Payment System (OPS) Local Branch/Entity PHP 10 Million (if handling funds)

Startups should note that the BSP may increase these requirements if the entity's risk profile or transaction volume grows rapidly. For international companies, these funds must be cleared and deposited within the Philippine banking system.

Compliance with Anti-Money Laundering (AML) Reporting Protocols

Fintech startups must register as "Covered Persons" with the Anti-Money Laundering Council (AMLC) to comply with Republic Act No. 9160. This involves establishing a rigorous Money Laundering and Terrorism Financing Prevention Program (MTPP) and conducting mandatory reporting of all covered and suspicious transactions.

Key AML requirements include:

  1. Customer Due Diligence (CDO/KYC): You must implement a tiered "Know Your Customer" process. For low-risk accounts, simplified KYC is allowed, but high-value transactions require enhanced due diligence, including face-to-face (or acceptable digital) verification and proof of income.
  2. Transaction Reporting: Covered Transaction Reports (CTRs) must be filed for transactions exceeding PHP 500,000 within a single banking day. Suspicious Transaction Reports (STRs) must be filed regardless of the amount if there is reason to believe the funds stem from unlawful activity.
  3. Record Keeping: All records of transactions and customer identification must be maintained for at least five years after the account is closed or the transaction occurs.

Data Privacy Standards for Processing Financial Transactions

Data privacy in the Philippine fintech sector is governed by the Data Privacy Act of 2012 (Republic Act No. 10173) and overseen by the National Privacy Commission (NPC). Because fintechs process sensitive personal information (financial history, government IDs), they are held to the highest standard of data protection and accountability.

To remain compliant, startups must implement the five pillars of data privacy:

  • Appoint a Data Protection Officer (DPO): An individual accountable for the company's compliance with the Data Privacy Act.
  • Conduct Privacy Impact Assessments (PIA): Evaluate the risks involved in your data processing activities, especially when using cloud storage or AI-driven credit scoring.
  • Privacy Management Program: Create a manual outlining how data is collected, used, stored, and disposed of.
  • Data Privacy Measures: Implement technical security (encryption, firewalls) and organizational measures (employee training).
  • Breach Management: In the event of a data breach, the NPC and affected data subjects must be notified within 72 hours of discovery.

Sandbox Environments for Testing Innovative Financial Services

A 4-step infographic illustrating the BSP Regulatory Sandbox testing process for fintechs
A 4-step infographic illustrating the BSP Regulatory Sandbox testing process for fintechs

The BSP provides a "Regulatory Sandbox" framework under Circular No. 1153 to encourage financial innovation while managing potential risks. This allows startups to test new technologies or business models-such as blockchain-based lending or decentralized finance (DeFi) tools-with real customers under relaxed regulatory requirements for a limited time.

The sandbox process follows a four-stage approach:

  1. Application: The startup submits a proposal detailing the product, the target market, and the "exit strategy."
  2. Evaluation: The BSP assesses whether the product is truly innovative and if the startup has sufficient safeguards to protect participants.
  3. Testing: The "Test-and-Learn" phase typically lasts 12 months. During this period, the BSP monitors the startup's performance and risk management.
  4. Graduation: If successful, the startup can apply for a formal license. If the test fails, the startup must execute its exit plan, ensuring all customer funds are returned and accounts are closed.

Common Misconceptions

"We only need an SEC registration to operate."

Many founders believe that registering with the Securities and Exchange Commission is enough to launch. In reality, any entity performing "quasi-banking" or payment services must obtain specific secondary licenses or certificates from the BSP. Operating without these can lead to cease-and-desist orders and heavy fines.

"Cryptocurrency businesses are unregulated in the Philippines."

The Philippines was one of the first countries in Asia to regulate virtual assets. If your startup handles digital tokens or provides exchange services, you are legally classified as a VASP and are subject to the same strict AML and capitalization rules as traditional remittance firms.

"The Sandbox is a shortcut to getting a license."

The Regulatory Sandbox is a testing environment, not a fast-track licensing system. Startups in the sandbox must still adhere to core consumer protection and AML rules. Graduation from the sandbox does not guarantee a license; it only provides the data needed for the BSP to make a final licensing decision.

FAQ

How long does it take to get a BSP license?

The timeline for an EMI or VASP license typically ranges from 6 to 12 months. This includes the preparation of the 3-year business plan, IT audit, and the "Presentation of the Business Model" to the BSP.

Can a foreign-owned startup apply for a fintech license?

Yes, foreign-owned entities can apply, but they must comply with the Foreign Investments Act. While many fintech activities allow 100% foreign ownership, certain retail trade or specialized financial activities may have specific equity restrictions or higher capital requirements for foreigners.

What is the difference between an OPS and an EMI?

An Operator of Payment System (OPS) provides the infrastructure or platform (like a payment gateway) but does not necessarily "issue" the electronic money. An EMI actually maintains the digital wallets and holds the underlying fiat currency in trust for the users.

Does the BSP regulate DeFi and DAOs?

Currently, the BSP regulates the activity rather than the technology. If a DAO or DeFi platform performs functions of a VASP or an EMI for Philippine residents, the BSP expects the entity (or its local representatives) to comply with Philippine regulations.

When to Hire a Lawyer

Navigating the Philippine fintech landscape requires more than just technical expertise; it requires a deep understanding of evolving administrative circulars. You should consult a specialized fintech lawyer if:

  • You are determining which license category (EMI, VASP, or OPS) fits your hybrid business model.
  • You are drafting your Money Laundering and Terrorism Financing Prevention Program (MTPP).
  • You are an international founder navigating foreign ownership restrictions and SEC incorporation.
  • You have been invited by the BSP to present your business model or enter the Regulatory Sandbox.

Next Steps

  1. Define Your Model: Determine if you will be holding customer funds (EMI) or simply facilitating transfers (OPS).
  2. Verify Capital: Ensure your investors are prepared to meet the PHP 20 million to PHP 200 million minimums before applying.
  3. Engage the Regulator: Consider requesting a "no-objection" letter or a preliminary meeting with the Bangko Sentral ng Pilipinas to discuss your roadmap.
  4. Register Your DPO: Visit the National Privacy Commission to begin your data privacy journey early in the development phase.

Similar Articles

South Africa Feb 05, 2026

South Africa POPIA Compliance Checklist for Global Firms

International firms must comply with POPIA if they process personal information within South Africa or use automated o...

Read Article
India Jan 24, 2026

India Startup Compliance Guide: Avoiding Common Pitfalls

Startups registered as Private Limited Companies must file annual financial statements (AOC-4) and annual returns (MGT...

Read Article
Philippines Jan 23, 2026

Set Up an IT-BPM Business in the Philippines: PEZA and BOI

Choosing between PEZA and BOI depends on your location strategy; PEZA requires operating within designated ecozones, w...

Read Article

Need Legal Guidance?

Connect with experienced lawyers in your area for personalized advice.

No obligation to hire. 100% free service.

Connect with Expert Lawyers

Get personalized legal advice from verified professionals in your area

ERLAW Logo
ERLAW
Makati City
Since 2000
10 lawyers
Free 1 hour
Banking & Finance Employment & Labor Family +1 more
Call Now
Atty. Rainier Mamangun Logo
Since 2004
20 lawyers
Family Business Corporate & Commercial +1 more
Call Now
Recososa Law Firm Logo
Recososa Law Firm
Lapu-Lapu City
Since 2020
11 lawyers
Free 15 minutes
Banking & Finance Business Accidents & Injuries +1 more
Call Now

All lawyers are verified, licensed professionals with proven track records

Find Lawyers

Corporate Governance in Philippines

Disclaimer:
The information provided on this page is for general informational purposes only and does not constitute legal advice. While we strive to ensure the accuracy and relevance of the content, legal information may change over time, and interpretations of the law can vary. You should always consult with a qualified legal professional for advice specific to your situation.

We disclaim all liability for actions taken or not taken based on the content of this page. If you believe any information is incorrect or outdated, please contact us, and we will review and update it where appropriate.