By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Smile IDPublished May 27, 2026

TL;DR: BSP Circular 1213 makes SMS OTP non-compliant for high-risk transactions in Philippine financial institutions and pushes banks toward in-app and server-side biometric authentication, with reimbursement liability for scam losses shifting directly onto institutions that fail to comply, according to Smile ID. The policy exposes a broader identity gap: device-side checks and one-time codes cannot prove the account holder’s presence or resist compromised-device fraud.


At a glance

What this is: This is a regulatory shift that removes SMS OTP as acceptable authentication for high-risk transactions and raises the bar toward server-side biometric verification.

Why it matters: It matters because IAM, fraud, and digital banking teams now have to align identity proofing, transaction authentication, and liability control across both human access and customer-facing financial workflows.

By the numbers:

👉 Read Smile ID's analysis of BSP Circular 1213 and high-risk authentication


Context

BSP Circular 1213 changes the authentication baseline for high-risk transactions in the Philippines by removing SMS OTP as a compliant mechanism for banks and licensed digital financial services providers. The issue is not just whether a second factor exists, but whether the factor actually binds the transaction to the real account holder under fraud pressure.

For identity and access teams, this is a customer IAM and fraud-control problem, not a simple channel change. The circular pushes institutions toward server-side authentication, stronger liveness checks, and evidence that the transaction approval is generated independently of a potentially compromised device.

Practical adoption will depend on whether banks can preserve conversion across varied devices, network conditions, and customer segments while still meeting regulatory expectations. That balance is typical of large-scale identity change in financial services: the control must be defensible, usable, and supportable at volume.


Key questions

Q: How should banks replace SMS OTP for high-risk transactions?

A: Banks should move high-risk actions to step-up authentication that is bound to the transaction, not the login. That usually means in-app approval, software tokens, device biometrics, or other stronger second factors, plus beneficiary confirmation for payment events. The goal is to make the approval decision harder to intercept, replay, or socially engineer.

Q: Why do one-time codes fail for high-risk financial approvals?

A: One-time codes fail because they prove possession of a message channel, not control of the account by the legitimate customer. In fraud scenarios, SIM swaps, malware, and social engineering can intercept or redirect the code. For high-risk approvals, that creates a weak assurance layer that cannot carry the full trust burden.

Q: What do security teams get wrong about biometric verification in mobility?

A: They often treat biometric matching as the end of identity assurance when it is only one control point. The bigger risk is unmanaged recovery, override, and re-verification logic. If those paths are weak, a strong biometric front end can still be undermined by inconsistent decisions behind it.

Q: Who is accountable when scam losses are not blocked by weak authentication?

A: The institution is accountable when its authentication controls are not adequate for the regulated transaction type. In this case, reimbursement obligations move the issue from security operations into financial and regulatory governance. Boards, IAM leads, and fraud teams should treat the control failure as a shared accountability problem.


Technical breakdown

Why SMS OTP no longer satisfies high-risk authentication

SMS OTP works as a possession check only when the phone number, device, and session remain trustworthy. In fraud-driven environments, those assumptions break quickly because SIM swap, malware, account recovery abuse, and social engineering can all redirect or intercept the code. OTP also proves little about the person initiating the transaction, which is why regulators increasingly treat it as too weak for high-risk actions. The control failure is not that OTP is obsolete in every context, but that it cannot carry the assurance burden for financially material transactions.

Practical implication: move high-risk transaction flows away from SMS OTP and map each remaining OTP use case to a documented residual-risk decision.

Server-side biometrics versus device-side biometrics

Server-side biometric authentication verifies the biometric against centrally stored encrypted templates in the bank’s backend, which makes the trust decision independent of the user device. Device-side biometrics only confirm that the local device can unlock a session, not that the account holder is present or that the device has not been compromised. That distinction matters when malware, overlay attacks, or cloned credentials can manipulate the device layer. For regulated financial transactions, the trust anchor must sit where the institution can govern it, audit it, and tie it to fraud decisioning.

Practical implication: design authentication so that biometric verification and policy enforcement occur in the bank-controlled stack, not just on the endpoint.

Why fraud signals must sit beside authentication

Authentication alone does not stop synthetic identities, deepfakes, stolen devices, or coordinated account takeover. A modern financial control stack needs liveness detection, transaction context, behavioural signals, and step-up logic that can distinguish normal activity from monetisation attempts. That is especially important where manual review cannot scale to millions of daily events. In practice, the architecture is less about a single factor and more about binding identity proof, device posture, and transaction intent into one decision path.

Practical implication: integrate fraud analytics into authentication policy so that step-up and denial decisions are based on the transaction risk, not only on login success.


NHI Mgmt Group analysis

SMS OTP is a liability exposure, not a compliance shortcut. The circular makes clear that possession-based codes no longer provide enough assurance for high-risk transactions. Once reimbursement for scam losses shifts onto the institution, weak authentication becomes a balance-sheet problem as well as an audit problem. Practitioners should treat the retirement of SMS OTP as a governance reset, not a channel preference change.

Server-side authentication is the real control boundary. Device-side checks inherit the device’s trust problem, while backend verification keeps the assurance decision inside the institution’s governed environment. That distinction matters because fraud teams need evidence, logs, and policy enforcement that survive compromised endpoints. The practitioner conclusion is that authentication assurance must be anchored where the bank can observe and control it.

Fraud-resistant customer identity needs more than one factor. Biometric checks alone are not enough if liveness, risk signals, and transaction context are absent. The circular effectively rewards institutions that connect authentication to fraud detection rather than treating them as separate programmes. Practitioners should align IAM, fraud, and digital banking operations around one transaction trust model.

Programme maturity will be measured by operational consistency, not feature adoption. A control that works in a lab but fails on older Android devices, weak networks, or high-volume flows will not survive real customer traffic. This is where identity governance meets service design. The practitioner takeaway is to test assurance controls across the full customer estate, not just the ideal path.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly identity failure compounds across environments.
  • For the lifecycle angle, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for how identity controls should be governed across provisioning, rotation, and offboarding.

What this signals

Credential trust debt: environments that still rely on inherited trust from a phone number, device, or static factor are accumulating identity risk that becomes visible only after fraud lands. The governance lesson is that assurance must move closer to the institution-controlled decision point, where fraud signals and authentication policy can be correlated in real time.

Banks that treat this as a fraud-only upgrade will miss the lifecycle implications for customer identity assurance and exception handling. The practical shift is toward governed, auditable approval paths that can survive regulator scrutiny and customer-device compromise without collapsing into manual review.

The stronger the authentication requirement becomes, the more important it is to map how access decisions are made, logged, and challenged across channels. That is where programmes aligned to the NIST Cybersecurity Framework 2.0 and NIST SP 800-63 Digital Identity Guidelines tend to separate policy from performance.


For practitioners

  • Inventory every SMS OTP use case Map where SMS OTP is still used for login, transaction approval, recovery, and exception handling. Classify each use case by risk, then retire SMS OTP first in high-risk flows where the circular creates direct liability.
  • Shift high-risk approvals to server-side verification Implement backend authentication that verifies the user against centrally governed biometric templates and policy checks. Keep the approval decision inside systems you can log, audit, and tune for fraud response.
  • Add fraud signals to every step-up decision Combine liveness detection, device trust, behavioural signals, and transaction context before granting approval. This reduces the chance that a compromised device or cloned account can satisfy the authentication flow alone.
  • Run usability testing on real customer devices Validate authentication across low-end Android devices, poor connectivity, and assisted channels before broad rollout. If the control breaks in the field, the organisation will absorb both friction and fraud risk.

Key takeaways

  • BSP Circular 1213 turns weak transaction authentication into a regulatory and financial liability for Philippine institutions.
  • SMS OTP and device-only biometrics do not provide enough assurance for high-risk financial approvals in compromised environments.
  • Banks need a server-side, fraud-aware identity model that can prove the account holder is present and keep that proof auditable at scale.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BSMS OTP deprecation and stronger auth map directly to digital identity assurance.
NIST CSF 2.0PR.AC-1The article is about access control decisions for customer transactions.
NIST SP 800-53 Rev 5IA-2Identity verification and authentication are central to regulated transaction approval.
ISO/IEC 27001:2022A.5.15Access control governance is directly implicated by the circular's authentication shift.

Align high-risk transaction authentication to PR.AC-1 and document the assurance level required by risk.


Key terms

  • Server-Side Biometrics: An authenticator pattern where the bank verifies biometric evidence against templates stored in its own backend. The control keeps the assurance decision inside the institution's trust boundary, which makes it stronger than device-only checks when the device itself may be compromised.
  • Transaction Authentication: Transaction authentication is the control layer that validates the trustworthiness of a digital interaction after identity has been established. It focuses on confidentiality, integrity, and availability of the exchange itself, which makes it especially relevant when sign-in alone does not protect the action.
  • Liveness Detection: Liveness detection is the mechanism that checks whether a biometric sample comes from a real, present person rather than a spoof such as a photo, screen, or mask. In identity programmes, it is a core defence against presentation attacks and should be tested under realistic operating conditions.
  • Assurance Level: An assurance level is the degree of confidence an organisation has that an identity proofing or authentication outcome is accurate. Higher assurance usually means stronger checks, more evidence, and more governance overhead. The key is matching assurance to the transaction risk, not applying one standard everywhere.

What's in the full article

Smile ID's full article covers the operational detail this post intentionally leaves for the source:

  • Detailed explanation of how BSP Circular 1213 changes authentication expectations for Philippine banks and licensed fintechs.
  • Implementation context for server-side biometric authentication, including where device-side checks fall short.
  • Operational discussion of fraud prevention, reimbursement exposure, and customer experience considerations.
  • Vendor-specific guidance on evaluating biometric authentication providers for regulated transaction flows.

👉 The full Smile ID article covers biometric authentication details, fraud implications, and compliance timing for Philippine institutions.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org