
EXPLAINER: Why are OTPs being replaced?



Starting Thursday, June 25, most banks and e-wallets are expected to have already shifted away from SMS- and email-based one-time passwords (OTPs) for riskier transactions, as the Bangko Sentral ng Pilipinas (BSP) pushes for stronger defenses against fraud.

“The BSP is committed to promoting a safe, secure, and resilient digital payments ecosystem while supporting the continued growth of digital financial services,” it said.

What is an OTP?


An OTP is a temporary code used to confirm that the individual making a transaction is really the account owner. Unlike passwords, OTPs can only be used once, expire after a specific time period, and are usually sent through SMS or email.

Financial institutions have used OTPs as a security layer before allowing individuals to log in or make money transfers.

Why are SMS- and email-based OTPs being removed?

The BSP earlier said it wants banks to develop a “higher level” of protection, as OTPs may be stolen through phishing activities, malware, SIM-swap attacks, and social engineering where fraudsters convince victims to share the code.

With the advancement of technology, criminals have become better at obtaining such codes.

What will replace OTPs?

Instead of OTPs sent via SMS or email, the BSP has urged banks to implement stronger authentication methods:

Biometric authentication where users verify their identity through physical characteristics such as fingerprint scanning, facial recognition, and voice recognition.

Behavioral authentication where the system checks whether the individual is using a device the way they normally do by analyzing typing speed, mouse, or device movements.

Adaptive authentication where security is adjusted based on the circumstances such as the location, device, and behavior.

Will OTPs disappear completely?

The BSP says stronger authentication is required mainly for high-risk transactions, while OTPs may still be used for lower-risk activities, if considered appropriate.

High-risk transactions may include enrollment in digital banking, transfers to third parties, online remittances, card payments, account maintenance, and changes to mobile numbers, email, login credentials, or devices.

Which financial institutions are covered?



The BSP rule applies to supervised financial institutions that process over P75-million worth of online transactions each month.

This includes most universal and commercial banks, all digital banks, and some thrift, rural, and cooperative banks.

The regulations align with the Anti-Financial Account Scamming Act (AFASA), which seeks to protect the public from cybercriminals and criminal syndicates by penalizing financial cybercrimes and imposing harsher penalties for illegal acts.

Under the law, the BSP is authorized to investigate cases, apply for cybercrime warrants and orders, and request assistance from law enforcers during investigations. It is also exempted from existing laws on bank secrecy and data privacy to gather sufficient information regarding the commission of prohibited acts. —VAL, GMA News
