TL;DR: The Bangko Sentral ng Pilipinas has set June 30, 2026, as the deadline for Philippine banks to stop using SMS OTPs for high-risk transactions, while AFASA ties adequate authentication controls to liability protection and requires real-time fraud detection for larger institutions, according to Authsignal. The real shift is that authentication must now be intercept-resistant, layered, and auditable rather than merely available.
NHIMG editorial — based on content published by Authsignal: BSP Circular 1213, Philippine banks must replace SMS OTPs by June 2026
By the numbers:
- Institutions handling complex electronic services, or with average monthly transaction volumes above PHP 75 million, are required to have real-time fraud detection covering behavioral anomalies, geolocation, blacklist screening, and device change events.
Questions worth separating out
Q: What breaks when banks keep using SMS OTP for high-risk transactions?
A: SMS OTP breaks down when the factor can be intercepted, redirected, or socially engineered out of the user.
Q: Why do interceptable authentication methods increase scam liability for banks?
A: Because liability now depends on whether the bank used adequate controls, not just whether the customer entered a code.
Q: How can security teams know if step-up authentication is actually working?
A: Look for reduced fraud on high-risk transactions, fewer successful account changes after suspicious device or location shifts, and clear evidence that server-side decisions are using multiple signals.
Practitioner guidance
- Replace SMS OTP for high-risk flows Move payment authorisation, new payee setup, and registered contact changes to phishing-resistant or server-side authenticated methods.
- Map transaction classes to step-up policies Classify banking actions by scam impact and require stronger controls for high-risk transactions, including device binding, biometric checks, and risk scoring before approval.
- Align fraud telemetry with authentication decisions Feed behavioural anomalies, geolocation shifts, blacklist screening, and device-change events into the authentication policy so suspicious activity changes the assurance level in real time.
What's in the full article
Authsignal's full blog post covers the operational detail this post intentionally leaves for the source:
- Specific guidance on how the circular treats high-risk transactions versus ordinary login activity.
- The distinction between server-side and device-side biometrics for regulated banking flows.
- Implementation notes on layered authentication, liveness checks, and biometric template storage.
- What third-party biometric vendors must provide in due diligence, contracts, and audits.
👉 Read Authsignal's analysis of BSP Circular 1213 and SMS OTP replacement →
SMS OTP replacement in Philippine banking: what IAM teams need to know?
Explore further
SMS OTP is now a governance liability, not an authentication preference. BSP Circular 1213 moves the discussion away from user convenience and into control ownership. If a bank does not control the channel carrying the factor, it does not fully control the authorisation event. The practitioner conclusion is straightforward: transaction authentication must be evaluated as a risk and liability control, not as an implementation detail.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when a bank authorises a scam transaction with weak authentication?
A: Under AFASA and the BSP circular, accountability shifts toward the institution when adequate authentication controls are missing. Banks that fail to put sufficient controls in place may have to reimburse customers directly, so authentication design is now a governance and financial risk issue, not only a security one.
👉 Read our full editorial: BSP Circular 1213 pushes banks beyond SMS OTP for high-risk access