The Bangko Sentral ng Pilipinas and AI: a clear, fact-based explanation for Philippine businesses, with osFoundry as the example and dgm as an independent partner.

dgm is an independent osFoundry implementation partner — not affiliated with osFoundry’s developer (the company OS LLC), and it has not yet completed any client integrations.

The Bangko Sentral ng Pilipinas (BSP) regulates banks, e-money and payments; for cloud and AI it supervises outsourcing and IT risk, open finance, and the licensing of digital banks and e-money issuers.

What the BSP regulates

The BSP supervises banking, e-money and payments. For cloud/IT it applies Circular 1137 (outsourcing and IT-risk management). It adopted the Open Finance Framework (Circular 1122, 2021) for consent-based data sharing, lifted the moratorium on new e-money (EMI-NBFI) licenses in December 2024, and managed digital-bank licensing — raising the cap to ten before the Monetary Board reinstated a moratorium on 18 September 2025, closing new applications from 1 December 2025.

What it means for a financial firm

When adopting AI, account for BSP outsourcing/IT-risk rules, customer confidentiality, anti-money-laundering duties and the Data Privacy Act. Plan for control over the processing location and an audit trail, and watch for the forthcoming BSP guidance on AI in the financial sector.

Keeping data in the Philippines

osFoundry pins the data region to the United States, the EU or Japan, runs models locally on your own hardware, and supports self-hosting (BYO Cloud) on a cloud account you control. There is no dedicated managed Philippines region inside osFoundry, and — importantly — no hyperscaler operates a generally available full cloud region inside the Philippines as of 2026: Amazon Web Services runs a Local Zone in Manila (an extension of its Singapore region, not a full region), while Microsoft Azure and Google Cloud serve the country from Singapore. The honest implication is straightforward. The Data Privacy Act of 2012 does not impose a general private-sector data-localization requirement; cross-border transfer runs on an accountability model, so a deployment in the nearest Singapore region can be compliant provided your business stays accountable for the data. Where you need strict in-country control, the honest path is self-hosting on infrastructure you run in the Philippines, or running open-weight models locally (local-first). One further point worth weighing: data held by a United States-headquartered provider can fall within the reach of the US CLOUD Act regardless of where it physically sits, so pinning to a US provider’s Singapore region does not by itself remove US legal jurisdiction — a reason some businesses prefer EU or self-hosted open-weight options. Always confirm the current position with the National Privacy Commission or qualified counsel.

Important note

This article is general information and is not legal, tax or grant advice. Tax incentives, grants, rules and rates change, and only the relevant authorities (among them the National Privacy Commission, the Bureau of Internal Revenue, PEZA, the Board of Investments, the Bangko Sentral ng Pilipinas and the SEC) decide eligibility and awards. dgm is not a registered business enterprise, accredited incentive provider or intermediary. Always confirm the current terms with the official source or a qualified tax or legal adviser.

How dgm helps

dgm is an independent implementation partner that helps businesses in the Philippines adopt osFoundry — from identifying the first practical use case, through building it, to connecting AI to the systems you already use. dgm works independently of osFoundry’s developer (the company OS LLC) and has not yet completed any client integrations; everything above is therefore a description of the service offered, not a delivered result. If you would like to look at a sensible first step, dgm is happy to think it through with you. Arrange a no-obligation conversation with dgm.