

Reliance on one-time passwords (OTPs) as the main security layer in Philippine digital banking is set to decline as regulators push financial institutions to adopt stronger authentication systems. The Bangko Sentral ng Pilipinas (BSP) is requiring banks to reduce reliance on interceptable authentication mechanisms such as SMS or email OTPs, which regulators say are increasingly vulnerable to phishing, SIM-swap attacks, and social engineering schemes.
The shift is part of the implementation of the Anti-Financial Account Scamming Act (AFASA), a law aimed at strengthening defenses against the growing number of digital financial scams.
Under the rules, banks must deploy stronger fraud management systems (FMS) capable of detecting suspicious transactions in real time. Institutions offering complex electronic financial services—or processing at least ₱75 million in average monthly network value—must adopt monitoring tools such as behavioral analytics, device-change detection, and geolocation tracking.
BSP Deputy Governor Elmore Capule said the central bank is maintaining the June 2026 compliance deadline.
“As of now we are not extending it,” Capule said, stressing that financial institutions are expected to accelerate preparations for the new requirements.
The BSP is encouraging banks to shift toward phishing-resistant multi-factor authentication, including biometric verification and device-bound credentials.
Meanwhile, BSP General Counsel Roberto L. Figueroa said broader reforms to bank secrecy laws could further strengthen AFASA enforcement.
“Access to financial information under reasonable suspicion will significantly strengthen our ability to go after financial criminals,” Figueroa said.
The compliance deadline for banks remains 30 June.