Why Philippine Banks Need Trust Infrastructure Before the Next BSP Standard Arrives

What BSP Circular 1122 didn't anticipate, and what your architecture needs to handle before it does.

BSP has been more proactive than most regulators in APAC. Open finance here is not a question of if; it's a question of when the next set of technical standards arrives and whether your architecture can absorb them without a rebuild. That answer depends almost entirely on decisions being made right now.

The banks that will absorb new requirements cleanly are the ones that built trust infrastructure first. Not because they anticipated every regulatory detail, but because a composable identity layer (one that handles both human and machine access under a unified policy engine) can be extended to meet new requirements without redesigning the API layer on top of it.

The banks that will struggle are the ones that built APIs against a compliance checklist and are now retrofitting identity infrastructure underneath a system that wasn't designed to receive it. In the Philippines, where GCash and Maya are already setting consumer expectations that legacy institutions can't match natively, that gap becomes a competitive problem before it becomes a regulatory one.

What changes when AI agents enter your open finance stack

The traditional open finance model assumes a human at one end and a bank at the other. A customer logs in, an app requests data, a person approves. That model is giving way to something different: AI agents acting on delegated authority, across multiple banking relationships, without a human in the loop at every step.

When that happens, three assumptions that underpin traditional open finance break down. Each one requires a specific architectural response.

Machine identity is not a variation of user authentication. An AI agent running a customer's financial workflow needs its own credentials, its own lifecycle, and its own audit trail, separate from the user who authorized it. Treating it as a service account is not enough. 

  • Solution: Treating AI agents as first-class identity citizens with OAuth 2.0-based credentials, mTLS certificates, and anomaly detection built in.

Delegated authorization has to be granular enough to hold in production. A customer who consents to "view my accounts" has not consented to "initiate a payment on my behalf." A consent architecture that cannot enforce that distinction at the API level (on every call, in real time) will not hold up in an agentic environment. 

  • Solution: FAPI 2.0-certified access management to enforce consent boundaries at the token level, not just at onboarding.

Consent-aware orchestration is the capability most banks haven't designed for. When an AI agent chains multiple banking operations (check balance, assess risk, initiate transfer, log outcome), each step crosses a consent boundary. The orchestration layer has to know which consents apply at each step, enforce them independently, and stop the chain if any boundary is breached.

  • Solution: Pre-built connectors without requiring a core banking replacement.
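
The per-step enforcement described above, sketched as an added example (not WSO2 code and not part of the original article). The step names follow the chain in the text; the scope strings, AgentGrant, check_step and run_chain are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass

# Constructed step-to-scope map; the scope names are illustrative assumptions.
REQUIRED_SCOPE = {
    "check_balance": "accounts:read",
    "assess_risk": "accounts:read",
    "initiate_transfer": "payments:initiate",
    "log_outcome": "audit:write",
}

@dataclass(frozen=True)
class AgentGrant:
    agent_id: str      # the agent's own identity, distinct from the user
    customer_id: str   # the customer who delegated authority
    scopes: frozenset  # what the customer actually consented to
    expires_at: int    # epoch seconds

def check_step(grant, step, now):
    """Return None if the step is allowed, else a denial reason (fail closed)."""
    required = REQUIRED_SCOPE.get(step)
    if required is None:
        return f"unknown step {step!r}"
    if now >= grant.expires_at:
        return "grant expired"
    if required not in grant.scopes:
        return f"scope {required!r} not consented"
    return None

def run_chain(grant, steps, now):
    """Evaluate consent before every step; stop the chain at the first breach."""
    audit = []
    for step in steps:
        reason = check_step(grant, step, now)
        audit.append({"agent": grant.agent_id, "customer": grant.customer_id,
                      "step": step, "allowed": reason is None, "reason": reason})
        if reason is not None:
            break  # later steps are never attempted
    return audit

if __name__ == "__main__":
    # Constructed grant: read and audit consent only, no payment consent.
    grant = AgentGrant("agent-7", "cust-123",
                       frozenset({"accounts:read", "audit:write"}), 2_000)
    for entry in run_chain(grant, list(REQUIRED_SCOPE), now=1_000):
        print(entry)
```

With a grant that covers "view my accounts" but not payment initiation, the chain records two allowed steps, one denial at the transfer, and never reaches the final step.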

Why the architecture order matters

The banks that get this right won't necessarily have anticipated every regulatory detail BSP eventually specifies. What they'll have is an identity layer that was built to be composable, one that handles human and machine access under the same policy engine, and can be extended as requirements evolve.

The banks that get it wrong will find themselves doing what is genuinely hard to do cleanly: retrofitting identity infrastructure underneath APIs that were never designed to receive it. That work is slower, riskier, and more expensive than building for it now.

WSO2 runs in production at 200+ financial institutions across 90 countries. BDO Unibank is among them in the Philippines. The WSO2 stack deploys on-premises, in private cloud, or hybrid, depending on your data residency requirements.

Next steps

The architecture decisions made in the next 12 months will determine which Philippine banks absorb the next wave of BSP standards without rework, and which spend the following two years catching up.

Two starting points:

  • Explore WSO2's Open Banking solution, including the executive brief and live demo environment: wso2.com/solutions/financial-services/open-banking 
  • Or book a 30-minute consultation with a WSO2 Solutions Architect. Bring your current architecture and your hardest question about where AI agents fit into your Open Finance roadmap.