BSP follows through to go beyond OTPs

MANILA, Philippines — After signaling that financial institutions must move beyond one-time passwords (OTPs), the Bangko Sentral ng Pilipinas (BSP) has rolled out calibrated guidelines to promote more secure multi-factor authentication (MFA) methods to protect consumers from digital fraud.
BSP deputy director Maricris Salud said evolving cyberthreats have exposed the vulnerabilities of SMS-based OTPs, prompting the central bank to recommend that financial institutions adopt more advanced MFA solutions.
This follows the BSP’s earlier push to shift liability to banks that fail to implement adequate security under the Anti-Financial Account Scamming Act (AFASA), a move first reported by The STAR in May.
“Banks and financial institutions can still do OTPs, but they have to look for other authentication methods to supplement the vulnerabilities of OTPs,” Salud said in a press briefing.
Under Circular 1213, the BSP outlined a two-tiered set of fraud management system (FMS) requirements for supervised financial institutions offering electronic payment and financial services.
At the minimum, all institutions must adopt fraud detection and blocking systems that are comprehensive, real-time and commensurate to risk. These systems must also be constantly calibrated to adapt to emerging threats.
For institutions handling complex electronic products and services, or those with high aggregate digital transaction values (defined as having an average monthly transaction value of at least P75 million over the past six months), additional safeguards are required.
These include behavioral anomaly detection, blacklist screening, geolocation monitoring, tracking of mobile device and account information changes as well as checks on transaction velocity. These enhanced measures aim to catch unusual patterns, prevent unauthorized access and ensure early fraud detection for high-risk platforms.
The central bank’s Circular 1213 also officially recognized alternative authentication technologies such as biometrics, behavioral analytics and cryptographic keys like Fast Identity Online (FIDO).
“Sometimes a good system is only good until the scammers find a way to get around it,” BSP Deputy Governor Elmore Capule said. “There has to be additional safety measures.”
The BSP said the transition to more secure authentication would be calibrated, with requirements varying depending on the size and complexity of the institution.
While large banks and platforms with significant digital transaction volumes will be expected to adopt advanced MFA tools, smaller institutions like rural and thrift banks may implement simpler solutions based on a proportional risk-based approach.
Circular 1213, which takes effect on June 25, is one of three new regulations issued by the BSP to operationalize AFASA, a landmark law aimed at curbing digital financial scams through coordinated industry safeguards and accountability.
The BSP reminded financial institutions that failure to comply with the new fraud management standards, including updated authentication mechanisms, could expose them to both administrative penalties and civil liability under the law.
“If a bank fails to comply and a customer is defrauded, that bank may be held liable,” Capule said. “This gives institutions strong incentive to take these requirements seriously.”
The BSP also noted that while implementing these technologies may be costly, they are essential to keeping pace with increasingly sophisticated cybercriminal tactics.