AI Regulation in the Philippines 2026: What DICT, NPC, and BSP Are Doing

Most Philippine organisations using AI tools in 2026 are not subject to a specific AI law — the Philippines has not yet enacted comprehensive AI legislation. But this does not mean AI is unregulated. Three existing regulatory frameworks apply immediately and significantly shape what AI deployments are permissible, what data can be used, and what disclosures are required.
DICT — National AI Strategy and Voluntary Framework
The Department of Information and Communications Technology released the Philippine AI Roadmap 2021–2025 and has updated its positioning with the National AI Strategy targeting 2030. DICT's current role is promotional and strategic — it does not issue binding AI regulations but sets the policy direction that informs future legislation.
Key DICT positions relevant to Philippine businesses:
Trustworthy AI principles — DICT endorses the following principles for Philippine AI deployments, aligned with ASEAN's Guide on AI Governance and Ethics:
- Transparency: AI systems must be explainable to affected parties
- Fairness: AI must not perpetuate unlawful discrimination
- Human oversight: high-stakes AI decisions must have human review mechanisms
- Security: AI systems must be protected against adversarial attacks and data poisoning
These are currently aspirational, not legally binding. However, they signal the direction of forthcoming legislation and are increasingly referenced in procurement requirements for government-linked contracts.
AI in government services — DICT is piloting AI across government agencies (Chatbot Rosie for government services, AI-assisted permit processing). Private sector organisations bidding on government contracts are increasingly expected to demonstrate responsible AI practices consistent with DICT guidelines.
NPC — Data Privacy Enforcement and AI
The National Privacy Commission is the most active AI-adjacent regulator in the Philippines. The Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations apply directly to AI systems that process personal data — which includes most enterprise AI deployments.
What NPC requires for AI systems processing personal data:
Lawful basis for processing: Under RA 10173, personal data may only be processed with: (a) consent of the data subject, (b) fulfillment of a contract, (c) compliance with a legal obligation, (d) protection of vital interests, (e) public task, or (f) legitimate interests. AI systems that use employee data, customer data, or any personal information must identify their lawful basis before processing begins.
Automated decision-making disclosure: NPC Circular 2023-04 specifically addresses automated processing. Data subjects must be informed when a significant decision affecting them is made solely by automated means — including AI. This applies to AI-powered hiring screening, credit scoring, performance evaluation, and customer risk assessment.
Data minimisation for AI training: Using personal data to fine-tune or train AI models requires the same lawful basis as the original collection. An organisation cannot use employee emails to fine-tune an internal AI model without a valid lawful basis and, typically, notification to employees.
Breach notification: AI systems that process personal data are subject to the 72-hour NPC breach notification requirement. If an AI system is compromised and personal data is exposed, the 72-hour clock starts from the moment the breach is discovered. See our AI data privacy guide for the full compliance framework.
NPC enforcement trend (2024–2026):
NPC has increasingly investigated complaints related to:
- AI-powered facial recognition without consent (retail, events)
- Automated credit scoring using social media data without disclosure
- AI chatbots collecting personal information without privacy notices
Philippine organisations using AI in customer-facing applications should ensure their privacy notices explicitly disclose AI processing and automated decision-making.
BSP — Technology Risk Management and AI in Financial Services
The Bangko Sentral ng Pilipinas is the most prescriptive Philippine regulator on AI, specifically for BSP-supervised financial institutions, or BSFIs (banks, e-money issuers, payment system operators, virtual asset service providers).
BSP Circular 1140 (Technology Risk Management Framework)
BSP Circular 1140 does not mention "AI" explicitly but its technology risk management requirements apply fully to AI systems:
Model risk management: AI systems used for credit decisions, fraud detection, AML/KYC screening, or other financial risk applications are subject to BSP's model risk management requirements — including model validation by an independent function, performance monitoring, and documentation of model assumptions and limitations.
Explainability requirement: BSP expects BSFIs to be able to explain automated decisions to regulators and to affected customers. Black-box AI models used for credit denial or transaction blocking face regulatory risk if the BSFI cannot explain the decision.
Third-party AI risk: BSFIs using third-party AI vendors (including Microsoft Copilot, Google Gemini, or AI-powered compliance tools) must conduct third-party risk assessments covering data security, service continuity, and the vendor's own AI model governance practices.
BSP's AI-specific guidance (Circular 1160 and related issuances):
BSP has issued supplemental guidance on:
- AI in fraud detection: Real-time AI fraud scoring is encouraged but must include human review for high-value transaction blocks
- AI in KYC/onboarding: eKYC using facial recognition is permitted but must comply with NPC consent requirements
- Generative AI in customer service: AI chatbots that provide financial advice must include clear disclosures that the response is AI-generated and not human financial advice
The AI Governance Act — What Is Coming
The Philippine Congress has had multiple versions of an AI Governance Bill in deliberation since 2023. As of June 2026, no comprehensive AI law has been enacted. Key provisions being discussed:
- Risk-based classification: High-risk AI (affecting safety, fundamental rights, financial inclusion) would face stricter requirements than low-risk AI
- Mandatory impact assessments: High-risk AI deployments would require an AI Impact Assessment before deployment
- NPC as lead AI regulator: Most versions propose expanding NPC's mandate to cover AI governance broadly, not just data privacy aspects
- Sectoral carve-outs: BSP, SEC, and HIA would retain authority over AI in their regulated sectors
Philippine businesses should prepare now by:
- Inventorying all AI tools in use (including SaaS tools with embedded AI features)
- Mapping which personal data each AI tool processes
- Confirming lawful basis and disclosure for each AI processing activity
- Establishing a model risk management process for AI used in business-critical decisions
See our AI acceptable use policy guide, AI vendor evaluation framework, and AI data privacy guide for the practical implementation path.
