Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
BSP Circular 1213
Philippine banking
SMS OTP
Risk based authentication

BSP Circular 1213: Philippine banks must replace SMS OTPs by June 2026

Ashutosh Bhadauriya
⬤
March 17, 2026
Share
BSP Circular 1213: Philippine Banks Must Replace SMS OTPs by June 2026

The Bangko Sentral ng Pilipinas, the country's central bank, has set June 30, 2026, as the deadline for financial institutions to stop using SMS OTPs for high-risk banking transactions. Deputy Governor Elmore Capule has confirmed the central bank is holding the date firm: "As of now we are not extending it, so they have to catch up."

Under the Anti-Financial Account Scamming Act (AFASA), banks that fail to put adequate authentication controls in place are required to reimburse customers for funds lost to scams. Banks that comply get liability protection.

‍

Why the BSP is moving away from SMS OTPs

SMS OTPs travel over the telecom network, which the bank has no control over. SIM swap fraud lets attackers receive OTP messages intended for the account holder. Phishing pages harvest codes in real time. Smishing tricks users into reading the code aloud over the phone. Each of these attacks works because the authentication factor has to leave the bank's systems and pass through a channel anyone can potentially intercept.

BSP Circular 1213 requires institutions to "transition away from interceptable authentication mechanisms" for financial transactions and high-risk activities. The coverage extends beyond login. Adding a new payee, updating registered contact details, initiating large transfers - any high-risk transaction or critical account change falls under the mandate.

‍

What the BSP is actually requiring

The regulation goes beyond a mandate to adopt biometrics. The BSP has published specific guidelines on server-side biometric authentication, which it recognises as an acceptable control for covered transactions.

The difference between server-side and device-side biometrics matters here. Device-side biometrics, the fingerprint or face scan that unlocks a banking app, rely on whatever is happening on the user's phone. If the device is compromised, that check can be bypassed. Server-side biometrics validate the user's identity against templates stored in the bank's own backend, so the check happens independently of the device's state.

The guidelines also acknowledge the security tradeoff that comes with centralising biometric data. A database of biometric templates is a high-value target for attackers. Banks are required to store templates as encrypted mathematical representations rather than raw images, and to encrypt data both at rest and in transit. Liveness and deepfake detection are mandatory. Biometrics also has to be layered with other controls rather than used alone, and banks are required to monitor false acceptance rates, false rejection rates, and algorithmic bias across different user groups.

The BSP also requires banks to think about users who may struggle with biometric authentication: elderly customers with worn fingerprints, people with certain disabilities, users on lower-end devices. Solutions have to work for these cases while maintaining the security standard.

‍

The liability provision

Before AFASA(Anti-financial account scamming act), liability for digital banking fraud was often contested. The law changes that. Banks with adequate risk management systems and strong authentication are protected from liability when scams occur despite those controls. Banks without adequate controls are required to reimburse customers directly.

The BSP also clarified that OTPs retain one permitted use: confirming the existence or ownership of a registered mobile number. OTPs remain in the toolkit, just not as a way to authorise transactions.

‍

What compliance actually involves

Circular 1213 sets the fraud management baseline. Institutions handling complex electronic services, or with average monthly transaction volumes above PHP 75 million, are required to have real-time fraud detection covering behavioral anomalies, geolocation, blacklist screening, and device change events. This infrastructure has to be in place alongside the authentication changes, and the authentication side requires phishing-resistant mechanisms for anything classified as high-risk. Methods that can be socially engineered out of a user, including SMS codes, fall outside that definition.Biometrics alone does not satisfy the requirement either. The BSP is explicit that authentication has to be layered: biometrics combined with device binding, behavioral signals, and transaction risk scoring. Banks using third-party biometrics vendors also carry obligations under the circular. The circular requires due diligence on the vendor's security architecture, explicit data protection clauses in contracts, and independent audits on an ongoing basis.

‍

Where Authsignal fits

Authsignal's platform handles adaptive, risk-based authentication. Financial institutions can configure authentication to scale with transaction risk, so a balance check and a large transfer to a new payee go through different flows. The platform supports passkeys, biometric-backed authenticators, in-app push confirmations, and a no-code rules engine that can be tuned to each institution's risk profile. Given that the BSP mandate is risk-tiered by design, that configurability is where the compliance work actually happens.

Get in touch with if you're figuring out what the transition looks like for your stack, we've helped banks across the region move off SMS OTPs without rebuilding their identity layer.

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
BSP Circular 1213
Philippine banking
SMS OTP
Risk based authentication

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies