Banks will have to reduce reliance on text-message one-time passwords (OTPs) as the Bangko Sentral ng Pilipinas (BSP) requires stronger authentication systems by June 30, 2026.
The move, outlined in a draft circular implementing Republic Act No. 12010, or the Anti-Financial Account Scamming Act (AFASA), directs BSP-supervised financial institutions to adopt stronger authentication methods for high-value online transactions and sensitive account changes.
Banks are expected to transition away from “interceptable” authentication mechanisms such as OTPs sent via SMS or email, which regulators say are vulnerable to phishing, SIM-swap attacks and other cyber fraud schemes.
Instead, the BSP is encouraging phishing-resistant multi-factor authentication, including biometric verification and device-bound credentials.
One approach promoted by the central bank is server-side biometric authentication, where fingerprint or facial recognition data are verified through a bank’s secure backend system using centrally stored templates.
“This enables the BSFI’s system to authenticate the customer’s identity against the records it maintains, regardless of changes on the device used, thereby reducing the risk of account takeover, device compromise, spoofing, and unauthorized credential changes,” the BSP said.
OTPs may still be used in limited cases, such as verifying ownership of a registered mobile number, but should no longer serve as the primary authentication method for high-risk activities.
The draft rules also require banks to deploy fraud management systems capable of detecting suspicious transactions in real time, using tools such as behavioral analytics, device-change detection and geolocation monitoring.
The requirements apply particularly to institutions offering complex electronic financial services or those processing at least ₱75 million in average monthly online transactions.
Under AFASA, banks that fail to maintain adequate fraud controls may be required to reimburse customers for losses arising from scams, while institutions found compliant may be shielded from liability.
The BSP also warned that centralized biometric databases could become targets for cyberattacks, requiring banks to encrypt biometric data, store them as protected templates rather than raw images, and implement liveness detection and anti-spoofing safeguards.
Follow Tan Briones & Associates on LinkedIn for more legal updates and law-related articles.
