Beyond OTPs: New BSP Rules To Reshape MSME Payments

MANILA, Philippines — As the Bangko Sentral ng Pilipinas (BSP) pushes the financial sector toward stronger authentication standards, the biggest adjustments may not be happening inside banks or e-wallets but at the checkout counters of millions of small businesses.

Under BSP Circular 1213, banks and other BSP-supervised financial institutions are moving away from vulnerable authentication methods such as text and email one-time passwords (OTPs) for higher-risk transactions.

The stronger authentication requirements took full effect on June 25, requiring covered banks and e-wallet operators to replace OTPs for high-risk transactions with more secure technologies such as biometric, behavioral, adaptive or passwordless authentication.

The rules apply to BSP-supervised financial institutions that process an average of more than P75 million in online transactions per month. These institutions are also required to strengthen their fraud management systems to better detect suspicious activities and prevent unauthorized transactions.

“The BSP is equally dedicated to promoting innovation in financial services as to protecting customers from new forms of fraud, including technology-enabled fraud. We are pleased that banks and e-wallet operators are stepping up on both fronts,” BSP Deputy Governor Lyn Javier said.

While the new rules primarily apply to financial institutions, payments company HitPay said their impact will inevitably ripple through the country’s merchant community, particularly micro, small and medium enterprises (MSMEs), which account for 99.63 percent of all registered businesses in the Philippines.

“The rules may apply primarily to banks, e-wallets and other BSP-supervised institutions, but their effects will reach merchants at checkout,” said HitPay co-founder and CEO Aditya Haripurkar.

“Even a modest change in payment completion or customer behavior can therefore have a broad commercial impact.”

For many small merchants, the challenge will not simply be adopting new technology. Rather, it will be ensuring that stronger security does not create unnecessary friction that discourages customers from completing purchases.

Security versus convenience

Digital payments have become deeply embedded in the Philippine economy.

According to BSP data, merchant payments now account for 66.4 percent of the country’s digital payment volume, while digital transactions comprise 57.4 percent of total retail payment volume.

As a result, even small disruptions during checkout can have outsized effects on businesses that rely heavily on cashless transactions.

Haripurkar said the biggest operational risks include abandoned purchases, uncertain payment statuses and additional administrative work.

“A clear decline is usually easier to manage than an uncertain transaction,” he said. “When a payment remains pending or the customer receives a different message from the merchant, customers may try again, leave the checkout or send a screenshot as proof.”

Such situations often force merchants to manually investigate transactions, determine whether duplicate charges occurred and decide whether goods or services should be released.

To reduce confusion, Haripurkar said payment providers should ensure both customers and merchants receive consistent transaction updates, including statuses such as successful, pending review, declined, refunded or settled. Shared transaction reference numbers should also be available to both parties to simplify reconciliation.

Moving beyond text OTPs is also expected to require an adjustment period for consumers. “Some initial friction is likely because consumers understand the familiar sequence of receiving and entering an OTP,” Haripurkar said.

To minimize disruptions, he said payment providers should encourage customers to register trusted devices, activate biometric authentication and complete passwordless enrollment before making time-sensitive purchases.

For many MSMEs operating with lean teams, real-time payment confirmation has become increasingly important as fraud detection grows more sophisticated.

Unlike larger corporations, many small businesses lack dedicated finance or fraud management teams and often depend on immediate confirmation before shipping goods or providing services.

Haripurkar said delays or ambiguous payment statuses can slow order fulfillment, complicate cash flow management and force merchants into manual reconciliation.

“In the Philippines, where a lot of SMEs rely on platforms like GCash, Maya, bank transfers and marketplaces, real-time visibility helps them confirm payments immediately before releasing goods or services, reduce dependency on manual checking or screenshots, catch failed or suspicious transactions faster and keep cash flow predictable,” he said.

He added that merchants should gradually stop treating screenshots as proof of payment and instead verify transactions directly through payment provider dashboards, applications or automated notifications.

Smarter fraud controls

Haripurkar acknowledged that stronger fraud controls could initially lead to more delayed or declined transactions while systems are being calibrated.

However, he stressed that legitimate customers should not be unnecessarily blocked. “A customer may have changed phones, travelled or made a larger purchase than normal,” he said.

Instead of relying on a single indicator, providers should combine multiple risk signals before declining payments and apply proportionate responses.

“A moderately unusual transaction might trigger an additional confirmation, while only clearly high-risk activity should be blocked outright,” he said.

He added that providers should closely monitor false-positive rates alongside fraud losses, noting that “a system that stops fraud but unnecessarily blocks good customers has solved only half the problem.”

Looking ahead, Haripurkar said the Philippine payments industry should move toward a layered authentication model that combines device recognition, biometrics and adaptive risk assessment rather than relying on any single security tool.

“Behavioral analysis will be particularly valuable when it operates quietly in the background, identifying unusual patterns without adding another screen to every transaction,” he said. At the same time, providers should retain secure alternatives for customers using older devices or those with accessibility or connectivity limitations.

Ultimately, Haripurkar said fraud prevention should become less visible to customers and merchants as payment providers take on more of the complexity behind the scenes.

“The central principle should be to shift security from customer effort to provider intelligence,” he said. “Stronger security and smoother payments are not competing objectives. Done properly, security is the infrastructure that allows convenience to scale.”