What It Means
- The new BSP merchant account rules, issued through Memorandum M-2026-017 on May 8, confirm that banks cannot transfer AML liability to payment aggregators, regardless of how many intermediaries sit between them and the end merchant.
- Payment aggregators carry their own independent AML duties, but the bank holding the settlement account remains the primary liable party under Philippine law.
- BSP merchant account rules now require banks to maintain transaction-level visibility over sub-merchants, a data access requirement that smaller aggregators without enterprise-grade reporting infrastructure will struggle to meet.
- Merchants running business income through personal e-wallet or bank accounts are directly in scope. The memo explicitly requires institutions to enforce clear distinctions between personal and merchant accounts.
- The consolidation effect is structural: banks will tighten aggregator partnerships, smaller aggregators will face onboarding friction, and informal MSME payment arrangements will come under pressure.

The Bangko Sentral ng Pilipinas issued Memorandum M-2026-017 on May 8 and framed it as an anti-fraud directive. The press picked it up as a QR code story. Both readings miss the actual shift.
The memo’s operative language is not about fraud detection. It is about who owns the liability when something goes wrong. And the answer the BSP just formalized is: the bank does, always, no matter how many layers of aggregators and intermediaries sit between the bank’s settlement account and the merchant collecting payments.
That is a structural realignment of compliance responsibility across the entire digital payment chain.

The Aggregator Shield Is Gone
Philippine fintech scaled partly on a convenient ambiguity. Banks provided payment rails and settlement accounts. Payment aggregators handled merchant onboarding, KYB, and day-to-day transaction management. When AML obligations came up, the practical reality was that banks could point to their aggregator partners as the entities with direct merchant relationships.
M-2026-017 closes that gap explicitly. BSP Deputy Governor Bernadette Romulo-Puyat’s memorandum states that aggregator participation in the payment chain cannot “transfer, diminish, or substitute” the bank’s AML obligations. Banks acting as either the originating or receiving financial institution in merchant payment transactions retain primary AML responsibility, full stop.
Aggregators still carry independent duties: merchant due diligence, risk-based onboarding, suspicious transaction reporting. But the bank behind the settlement account cannot treat the aggregator’s compliance program as a substitute for its own. Under BSP merchant account rules, the bank’s liability is non-delegable.
This matters because it changes what banks are willing to accept from aggregator partners. A bank that previously relied on an aggregator’s self-reported KYB process now has direct legal exposure if that process fails. Banks will start demanding sub-merchant data, transaction-level records, and audit access that many smaller aggregators were never built to provide.

The Actors Absorbing the Cost
The most direct pressure falls on two actor classes.
The first is mid-tier and smaller payment aggregators. Companies in this space operate at scale by keeping merchant onboarding lean. A bank suddenly requiring sub-merchant visibility at the transaction level, the ability to access records on any merchant sitting behind an aggregator’s platform, is a significant infrastructure ask. Large aggregators with enterprise data pipelines can absorb it. Smaller operators may not be able to meet it without significant system investment, and some will not survive the onboarding friction that follows when bank partners tighten their requirements.
The second is MSMEs using personal accounts for business income. This is the informal end of the Philippine digital economy. Sari-sari stores, freelancers collecting via GCash personal wallets, market vendors using a family bank account for QR payments. The BSP merchant account rules explicitly require institutions to maintain clear distinctions between merchant and personal accounts based on transaction nature and purpose. That language is a mandate for banks and e-wallets to enforce account reclassification, which may mean restricting or terminating personal accounts that are visibly operating as merchant accounts.
For these operators, the path is either formal merchant account registration with the associated KYB requirements, or continued use of personal accounts with growing restriction risk.

The Banks That Benefit
Tier-1 banks with existing compliance infrastructure are structurally positioned to gain from this. BDO, BPI, Metrobank, and UnionBank already operate AML monitoring systems capable of handling sub-merchant visibility requirements. Their compliance costs rise marginally. Their competitive position improves significantly as smaller bank and non-bank competitors face proportionally higher compliance burdens.
Large aggregators with mature KYB pipelines are also net winners. PayMongo, Xendit, and Maya for Business have the data infrastructure to meet bank partner demands. The new BSP merchant account rules will accelerate the market’s movement toward established players with documented compliance stacks and away from informal or early-stage aggregators.
Regtech vendors providing AML monitoring, merchant due diligence, and suspicious transaction reporting tools are the clearest commercial beneficiaries. Every BSP-supervised institution that lacks a compliant monitoring setup is now a potential client.

The Operational Requirements
Beyond the liability assignment, M-2026-017 sets out operational expectations that banks and aggregators must now treat as minimum standards.
Banks must maintain transaction-level access to sub-merchant data, apply risk-based onboarding standards to aggregator relationships, and conduct periodic reviews with authority to restrict or exit high-risk merchant relationships.
BSP merchant account rules also target mule merchants: entities misusing QR codes registered under legitimate names to route transactions through the payment system. Institutions must implement risk-based measures to detect QR codes operated by anyone other than the registered merchant, across all channels including mobile apps and QR-enabled systems.

The Timeline Is Immediate
There is no phase-in window in M-2026-017. The memo restates obligations already on the books under AMLA and the National Payment Systems Act. Banks that assumed aggregator partnerships distributed their AML exposure are now on formal notice that the assumption was wrong. The enforcement risk is present now.
For aggregators, the immediate risk is not regulatory action. It is partnership termination. Banks now have explicit regulatory grounds to restrict or exit aggregator relationships that cannot meet sub-merchant visibility requirements.
The BSP merchant account rules issued in M-2026-017 are not a fraud crackdown. They are a compliance liability map. And the map draws a direct line from settlement account to bank, with no exits through an intermediary.




