No more SMS, email OTPs for high-risk financial transactions starting June 25

Philippine banks and e-wallet operators will be required to move away from SMS- and email-based one-time passwords (OTPs) for high-risk transactions starting Thursday, June 25, under a Bangko Sentral ng Pilipinas (BSP) directive aimed at strengthening protection against fraud.

Under BSP Circular No. 1213 issued in May 2025, the central bank required BSP-supervised financial institutions to replace SMS- and email-based OTPs with stronger authentication methods such as biometric, behavioral, or passwordless solutions on or before June 25, 2026.

The directive covers banks and e-wallet operators averaging more than P75 million in online transactions per month, including most universal and commercial banks, all digital banks, and select cooperative, thrift, and rural banks.

“The BSP is equally dedicated to promoting innovation in financial services as to protecting customers from new forms of fraud, including technology-enabled fraud," BSP Deputy Governor Lyn Javier said in an emailed statement.

"We are pleased that banks and e-wallet operators are stepping up on both fronts,” she added.

Institutions are also required to apply stronger authentication measures for “high-risk” transactions, based on factors such as payee profile, transaction value, customer behavior, transaction patterns, and the nature of the products or services. Lower-risk transactions may still use OTPs sent via SMS.

Covered entities are likewise required to strengthen their fraud management systems, with the capacity to flag unusual or suspicious activities such as rapid transactions and those involving new recipients or unrecognized devices, to better detect and prevent unauthorized transactions.

For institutions not covered by the circular, the BSP said that while they are not required to shift to stronger verification tools, they must still regularly assess the risks associated with their products and services to determine appropriate fraud prevention measures.

“The BSP is committed to promoting a safe, secure, and resilient digital payments ecosystem while supporting the continued growth of digital financial services,” the BSP said.

The central bank said last year that the shift from OTPs to more advanced authentication methods forms part of its broader efforts to combat fraud and financial crime, noting that several other countries have already adopted similar measures.— MCG, GMA News