In the fight against fraud, the Philippines Central Bank leads the way.
Bangko Sentral ng Pilipinas (BSP) Circular 1213 takes effect in five weeks. For Philippine banks and licensed digital financial services providers, that means SMS OTP is no longer a compliant authentication mechanism for high-risk transactions. What replaces it requires more than a product swap; it's a comprehensive approach to authentication and fraud prevention, and the window to implement is short.
Over the past several months, I've been meeting with bank executives, fintech operators, and digital wallet teams across Southeast Asia. BSP Circular 1213 has emerged as an urgent topic in the Philippines. The June 30 deadline creates direct liability for banks that don't comply under the Anti-Financial Account Scamming Act (Republic Act No. 12010, AFASA). Meanwhile, many of the bank executives I've spoken with are already dissatisfied with their current identity verification providers, leaving many banks reluctant to deepen their dependence on vendors that have already let them down.
What the circular requires
Circular 1213 mandates stronger authentication methods across the board. For high-risk transactions, the minimum bar is in-app notifications, but the stronger and more defensible path, and the one the BSP explicitly endorses, is server-side biometric authentication: checks that run in the bank's backend against centrally stored encrypted templates, independently of what's happening on the user's device. Device-side biometrics - the face scans that unlock your phone - don't meet this standard. If the device is compromised, that check can be bypassed.
Banks without adequate authentication controls are required to reimburse customers directly for scam losses. This isn't just a BSP audit risk; it's a P&L exposure that lands on your balance sheet from July 1.
Who does this apply to?
The authentication mandate, phasing out SMS OTP, applies directly to all BSP-supervised financial institutions (BSFIs) - universal and commercial banks, digital banks, and BSP-licensed fintechs holding EMI, PSSP, or lending licences. Pure fintechs operating outside BSP licensing aren't directly covered, though most rely on BSFI infrastructure and inherit the compliance obligation indirectly.
Beyond the regulatory perimeter, however, the circular's effects will spread further. Consumers who bank with institutions that have moved to biometric authentication will quickly recalibrate their expectations. Once users are trained by their bank not to accept an SMS code as sufficient proof of identity, they will think twice before moving significant funds through a fintech app that hasn't adopted the same standard. The regulation sets a floor; consumer expectations will raise the ceiling for everyone.
The vendor question
Despite the number of identity vendors in the Philippines, the market hasn't been well-served. Fake IDs and synthetic faces have slipped through automated onboarding checks often enough that many banks have quietly reverted to manual review, which is workable for thousands of onboardings per day, but not for the millions of daily authentication events the circular now requires to be checked by machine.
In-app push notifications are one alternative to OTP, but they only confirm that the same device is present, not that the account is still in the hands of the original holder. For high-risk transactions, that's the critical gap. Ensuring that the person initiating a transaction is genuinely who they claim to be - not a fraudster with a stolen device or a cloned account - requires biometrics and liveness detection layered with additional fraud signals.
Philippine banks also serve a genuinely diverse user base: across device generations, connectivity, literacy levels, and channels ranging from app-native to agent-assisted. A biometric system has to perform equally well on a four-year-old entry-level Android on a provincial mobile network as on an iPhone in BGC - consistently, or customers abandon the flow. It also means fraud detection built on real-world attack patterns, not lab test sets. Vendors need experience stopping synthetic identities, deepfakes assembled from social media, and coordinated account takeover rings with AI-powered fraud infrastructure.
Smile ID is a leading biometric authentication provider, built in Silicon Valley and operating at scale across the world's most demanding environments. We've processed 400M+ identity verifications, hold ISO PAD Level 2 certification, and power authentication and fraud prevention for leading traditional and digital banks.
Institutions that get this right won't just be compliant, they'll have fraud infrastructure that reduces losses, maintains conversion, and scales without adding headcount.
If you're evaluating authentication providers now for BSP 1213 or working through how to comply without disrupting your existing authentication flows, reach out - our solutions engineers can help you get a compliant system in place ASAP.
ISO/IEC 30107-3:2023 Level 2 - Biometric Presentation Attack Detection
Smile ID is a leading biometric facial attack prevention software provider. Its trademarked Enhanced SmartSelfie™ technology secured a 0% attack breach rating during independent testing by a NIST-licensed laboratory. Smile ID has achieved ISO 30107-3:2023 Level 2, an advanced certification for biometric presentation attack detection (PAD) - it demonstrates our commitment to preventing fraudsters from using fake biometric samples to trick financial systems. Certification requires a less than 1% failure rate over 2–4 days of continuous attack testing. ISO/IEC 30107-3:2023 Explained →
