TL;DR: BSP Circular 1213 makes SMS OTP non-compliant for high-risk transactions in Philippine financial institutions and pushes banks toward in-app and server-side biometric authentication, with reimbursement liability for scam losses shifting directly onto institutions that fail to comply, according to Smile ID. The policy exposes a broader identity gap: device-side checks and one-time codes cannot prove the account holder’s presence or resist compromised-device fraud.
NHIMG editorial — based on content published by Smile ID: BSP Circular 1213 and the move beyond SMS OTP for high-risk transactions
By the numbers:
- Smile ID states that BSP Circular 1213 takes effect in five weeks for Philippine banks and licensed digital financial services providers.
- Smile ID states that the company has processed 400M+ identity verifications across its biometric authentication footprint.
Questions worth separating out
Q: How should banks replace SMS OTP for high-risk transactions?
A: Banks should move high-risk actions to step-up authentication that is bound to the transaction, not the login.
Q: Why do one-time codes fail for high-risk financial approvals?
A: One-time codes fail because they prove possession of a message channel, not control of the account by the legitimate customer.
Q: What do security teams get wrong about biometric verification in mobility?
A: They often treat biometric matching as the end of identity assurance when it is only one control point.
Practitioner guidance
- Inventory every SMS OTP use case Map where SMS OTP is still used for login, transaction approval, recovery, and exception handling.
- Shift high-risk approvals to server-side verification Implement backend authentication that verifies the user against centrally governed biometric templates and policy checks.
- Add fraud signals to every step-up decision Combine liveness detection, device trust, behavioural signals, and transaction context before granting approval.
What's in the full article
Smile ID's full article covers the operational detail this post intentionally leaves for the source:
- Detailed explanation of how BSP Circular 1213 changes authentication expectations for Philippine banks and licensed fintechs.
- Implementation context for server-side biometric authentication, including where device-side checks fall short.
- Operational discussion of fraud prevention, reimbursement exposure, and customer experience considerations.
- Vendor-specific guidance on evaluating biometric authentication providers for regulated transaction flows.
👉 Read Smile ID's analysis of BSP Circular 1213 and high-risk authentication →
SMS OTP is ending for high-risk transactions in the Philippines?
Explore further
SMS OTP is a liability exposure, not a compliance shortcut. The circular makes clear that possession-based codes no longer provide enough assurance for high-risk transactions. Once reimbursement for scam losses shifts onto the institution, weak authentication becomes a balance-sheet problem as well as an audit problem. Practitioners should treat the retirement of SMS OTP as a governance reset, not a channel preference change.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly identity failure compounds across environments.
A question worth separating out:
Q: Who is accountable when scam losses are not blocked by weak authentication?
A: The institution is accountable when its authentication controls are not adequate for the regulated transaction type. In this case, reimbursement obligations move the issue from security operations into financial and regulatory governance. Boards, IAM leads, and fraud teams should treat the control failure as a shared accountability problem.
👉 Read our full editorial: BSP Circular 1213 forces banks beyond SMS OTP for high-risk auth