Bangko Sentral ng Pilipinas has set June 30, 2026 as the deadline for banks to strengthen authentication systems and reduce reliance on SMS one-time passwords (OTPs).
The reform is part of the implementation of the Anti-Financial Account Scamming Act (AFASA), which aims to combat phishing, SIM-swap attacks, and other forms of digital financial fraud.
Under the proposed regulations, banks will be required to adopt stronger authentication methods, particularly for high-value online transactions and sensitive account changes. These may include biometric authentication, device-based credentials, and other phishing-resistant multi-factor verification systems.
According to BSP Deputy Governor Elmore Capule, the June 2026 compliance deadline will remain in place.
“As of now we are not extending it,” Capule said, emphasizing that financial institutions must accelerate preparations for the new security requirements.
In addition to stronger authentication, banks must also deploy fraud management systems capable of detecting suspicious transactions in real time. These systems may include behavioral analytics, device-change detection, and geolocation monitoring.
The rules will apply particularly to financial institutions offering complex electronic financial services or those processing at least PHP 75 million in average monthly transaction value.
The BSP is encouraging banks to move toward server-side biometric verification, where identity checks using fingerprints or facial recognition are validated through secure bank servers rather than relying solely on a user’s device.
Meanwhile, BSP General Counsel Roberto L. Figueroa said broader reforms to bank secrecy laws could further strengthen efforts to combat financial scams.
While OTPs may still be used in certain cases such as verifying mobile number ownership, the central bank said banks must gradually shift toward stronger authentication methods before the June 30 compliance deadline.
0 Comments
Leave a Reply