The Bangko Sentral ng Pilipinas (BSP) has mandated the removal of SMS- and email-based one-time passwords (OTPs) for high-risk transactions handled by Philippine banks and e-wallet operators starting June 25, 2026.
Under BSP Circular No. 1213, issued in May 2025, covered BSP-supervised financial institutions (BSFIs) were required to replace these traditional OTPs with stronger, phishing-resistant technologies on or before 25 June 2026.
These secure alternatives include biometric, behavioral, adaptive, or passwordless authentication solutions.
The circular covers banks and e-wallet operators that average more than P75 million of online transactions per month. That includes most universal and commercial banks, all digital banks, and some cooperative, thrift, and rural banks. Many are already implementing the enhancements in the lead-up to the deadline.
“The BSP is equally dedicated to promoting innovation in financial services as to protecting customers from new forms of fraud, including technology-enabled fraud. We are pleased that banks and e-wallet operators are stepping up on both fronts,” BSP Deputy Governor Lyn I. Javier said.
These BSFIs are required to apply the stronger technology to transactions they consider high-risk. Risk is assessed based on factors such as payee profile, value of the transaction, customer behavior patterns, and nature of the product or service. For transactions assessed as lower risk, BSFIs may use less stringent authentication methods, such as OTPs sent via SMS.
Non-covered institutions are not required to shift to stronger verification tools within the same transition period but must regularly assess the risks associated with their products and services to determine the appropriate measures for fraud prevention.
The circular likewise requires covered BSFIs to strengthen their fraud management systems to better detect and prevent unauthorized transactions. These systems must be capable of flagging unusual or suspicious activities, including unusually rapid transactions and those involving new recipients or unrecognized devices.
The BSP said it is committed to promoting a safe, secure, and resilient digital payments ecosystem while supporting the continued growth of digital financial services.
