Banks and e-wallets supervised by the Bangko Sentral ng Pilipinas (BSP) are now required to use stronger authentication methods, beyond SMS and email one-time passwords (OTPs), for transactions classified as high-risk, under a deadline that took effect on June 25, 2026.
Instead of a text or email OTP, you may now be asked to confirm a fund transfer using biometric verification, such as fingerprint scanning, facial recognition, or voice recognition; behavioral authentication that tracks patterns like typing speed or device movement; adaptive authentication that adjusts based on your location and device; or passwordless methods using hardware tokens or cryptographic keys.
The BSP last year required covered BSP-supervised financial institutions (BSFIs) to replace SMS- and email-based OTPs with this stronger technology under BSP Circular No. 1213, issued in May 2025. The circular covers banks and e-wallet operators that average more than ₱75 million in online transactions per month, including most universal and commercial banks, all digital banks, and some cooperative, thrift, and rural banks. Many of these institutions had already started implementing the changes ahead of the deadline.
“The BSP is equally dedicated to promoting innovation in financial services as to protecting customers from new forms of fraud, including technology-enabled fraud. We are pleased that banks and e-wallet operators are stepping up on both fronts,” said BSP Deputy Governor Lyn I. Javier.
Covered institutions must apply the stronger authentication specifically to transactions they assess as high-risk, based on factors such as the payee’s profile, the value of the transaction, customer behavior patterns, and the type of product or service involved. The BSP gave examples of what counts as high-risk: enrollment in digital banking, transfers to third parties, online remittances, card payments, account maintenance, and any change to a registered mobile number, email address, login credentials, or device.
For transactions assessed as lower risk, BSFIs may still use less stringent methods, such as OTPs sent via SMS. The BSP cited payments to pre-registered recipients and account inquiries as examples of lower-risk activities that can still rely on the older verification method.
Institutions not covered by the circular are not required to shift to the stronger verification tools within the same transition period, but they must regularly assess the risks tied to their products and services to determine the appropriate fraud-prevention measures.
The circular also requires covered BSFIs to strengthen their fraud management systems so they can better detect and prevent unauthorized transactions. These systems must be able to flag unusual or suspicious activity, including unusually rapid transactions and those involving new recipients or unrecognized devices.
The requirement stems from the Anti-Financial Account Scamming Act (AFASA), the law signed in July 2024 to combat online financial fraud in the Philippines. Under AFASA, institutions that fail to put adequate authentication and fraud controls in place are required to reimburse customers for losses tied to scams, while those that comply gain liability protection.
The BSP said it remains committed to promoting a safe, secure, and resilient digital payments ecosystem while supporting the continued growth of digital financial services.
















