Users of digital banking services are expected to receive stronger protection against fraud and unauthorized account access as banks and e-wallet operators implement enhanced authentication measures required by the Bangko Sentral ng Pilipinas (BSP).
Under BSP Circular No. 1213, issued in May 2025, covered BSP-supervised financial institutions (BSFIs) were given until June 25, 2026 to replace SMS- and email-based one-time passwords (OTPs) with stronger authentication technologies for high-risk transactions.
The circular applies to banks and e-wallet operators that process an average of more than P75 million in online transactions each month. These include most universal and commercial banks, all digital banks, and some cooperative, thrift, and rural banks.
The BSP said covered institutions should adopt stronger authentication methods such as biometric verification, behavioral authentication, adaptive authentication, or passwordless technologies for transactions they classify as high risk.
Risk assessments should consider factors including the payee’s profile, transaction amount, customer behavior, and the type of financial product or service involved.
For lower-risk transactions, BSP said institutions may continue using less stringent authentication methods, including OTPs sent through SMS.
“The BSP is equally dedicated to promoting innovation in financial services as to protecting customers from new forms of fraud, including technology-enabled fraud. We are pleased that banks and e-wallet operators are stepping up on both fronts,” said BSP deputy governor Lyn I. Javier.
The circular also requires covered financial institutions to strengthen their fraud management systems to better detect and prevent unauthorized transactions.
These systems should be capable of identifying suspicious activities such as unusually rapid transactions, transfers to new recipients, and access from unrecognized devices.
Financial institutions that are not covered by the circular are not required to implement the stronger authentication measures within the same transition period.
However, the BSP said they should continue assessing fraud risks associated with their products and services and adopt appropriate security controls.
