
BSP Circular 1213: SMS OTP Ban for Philippine Banks

BSP Circular 1213 phases out SMS OTPs for high-risk banking by June 2026. Learn the Philippine MFA requirements and how passkeys support compliance.

Alex (Alexander Petrovski)

Created: July 23, 2025

Updated: June 3, 2026

Key Facts
  • BSP Circular No. 1213 limits interceptable authentication mechanisms such as SMS and email OTPs for Philippine financial accounts.
  • The Philippines' digital fraud rate reached 13.4 percent, nearly triple the global average, with Filipinos losing an average of PHP 44,700 per fraud incident.
  • Covered institutions must comply within one year from the circular's effectivity, making June 2026 the practical deadline for Philippine banks and other BSP-supervised financial institutions.
  • Strong MFA under the circular includes biometric authentication, behavioral biometrics, FIDO-based passwordless authentication and adaptive authentication.
  • Passkeys fit the regulation because they use domain-bound cryptographic keys instead of shareable OTP codes.

1. BSP Circular 1213 and SMS OTP Deadline#

BSP Circular No. 1213 is the central Philippine banking regulation behind the current shift away from SMS OTP and email OTP in digital banking. The Bangko Sentral ng Pilipinas (BSP) does not frame the issue as a UX preference, but as a fraud risk: authentication codes that customers can read, forward or enter on phishing sites are interceptable authentication mechanisms.

BSP Circular No. 1213 Series of 2025 was published as an official BSP PDF in June 2025 to implement the IT risk management part of the Anti-Financial Account Scamming Act (AFASA). It gives covered BSP-supervised financial institutions one year from effectivity to comply. In practice, that makes June 2026 the deadline Philippine banks, fintechs, e-money issuers and payment providers should plan around.

This article explains what the circular means for Philippine banks' MFA, why SMS OTPs are being limited, which controls the BSP expects and why passkeys are one of the strongest ways to replace OTP-based authentication.

2. AFASA: The Legal Basis for the Circular#

Before looking at BSP Circular No. 1213, banks need to understand the broader legal base: the Anti-Financial Account Scamming Act (AFASA).

AFASA, officially Republic Act No. 12010, was signed on July 20, 2024 to fight online financial scams involving digital accounts. Covered entities include financial institutions such as:

  • Commercial banks, thrift banks, savings and mortgage banks
  • Trust companies, investment firms
  • Lending companies, pawnshops and similar financial institutions
  • Payment providers, financial service providers and fintechs

AFASA focuses on three main prohibited activities:

  1. Money-mulling activities such as using accounts to move illicit proceeds, opening accounts in fake names or stolen identities and buying/selling financial accounts for criminal gains
  2. Social-engineering activities such as pretending to be a bank or stealing account credentials by deceiving consumers
  3. Related activities that support online financial scams against consumers or institutions

For financial institutions, the law also creates operational expectations:

  • Using robust fraud management systems (FMS) including real-time monitoring
  • Using multi-factor authentication (MFA) as a countermeasure for phishing
  • Freezing or holding disputed funds so that consumers can be reimbursed after investigation
  • Sharing information with BSP and law enforcement swiftly when fraud is suspected

3. BSP Circular 1213 Summary: MFA Requirements for Banks#

BSP Circular No. 1213 amends IT risk management rules for banks, non-bank financial institutions and payment systems. For authentication teams, the most important message is clear: financial accounts must be protected with stronger controls than passwords and interceptable OTPs.

3.1 SMS and Email OTP Limits for High-Risk Activity#

The circular specifically calls out the limitation of interceptable authentication mechanisms, including One-Time Pins (OTPs) via SMS and email. The reason is simple: if an authentication factor can be shared with or intercepted by third parties, it is weak against modern social engineering.

SMS OTP is risky in banking because:

  • SIM swapping: Attackers manipulate telecom providers into transferring a target's phone number to a new SIM card, allowing them to capture OTPs sent via SMS
  • SS7 protocol vulnerabilities: Attackers exploit flaws in the Signaling System No. 7 (SS7) used by mobile networks to secretly intercept or reroute text messages
  • Phishing and spear-phishing: Fraudsters trick users into disclosing their OTPs through deceptive messages or targeted scams, facilitating unauthorized access to accounts and financial fraud

The Philippines is part of a wider regulatory move away from SMS OTP in banking. Similar patterns can be seen in the UAE OTP phase-out and Singapore banking passkey guidance.


3.2 Strong MFA: Biometrics, FIDO and Adaptive Authentication#

For covered institutions with complex electronic products and services or high aggregate online transaction values, the circular lists strong authentication mechanisms, including:

  • Biometric authentication, such as fingerprint, facial or voice recognition
  • Behavioral biometrics, such as typing speed, mouse movement or device movement
  • Passwordless authentication, including FIDO passkeys and hardware-backed cryptographic keys
  • Adaptive authentication, which adjusts verification based on location, device, behavior and risk context

This is why a narrow "replace SMS with app OTP" project is usually not enough. The more strategic move is a layered MFA architecture that combines phishing-resistant login, device signals and transaction risk controls.

3.3 Fraud Management Controls around MFA#

BSP Circular 1213 is not only an authentication rule. It also requires robust fraud management systems for covered BSFIs. These systems should detect, prevent and block disputed, suspicious or fraudulent transactions in real time.

The circular names several core fraud controls:

  • Transaction velocity checks to detect unusual frequency, value or pattern of transfers
  • Mobile device and account information change monitoring, especially after mobile number, email or authenticated device changes
  • Geolocation monitoring to detect transactions from unexpected locations
  • Blacklist screening for risky merchants, devices, IP addresses and account activity
  • Behavioral anomaly detection for deviations from normal spending, login or transfer behavior

This matters for MFA design because authentication should become risk-based. A low-risk balance check, a new device login and a large transfer to a new payee should not receive the same authentication flow.
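To make the risk-based idea concrete, here is an added example (not code from the circular or from Corbado) that turns the fraud signals named above into a step-up decision. Thresholds, weights, the blacklisted IP and the three outcome labels are assumptions chosen for the demo; a balance check on a known device stays frictionless, a new-device login or a large transfer to a new payee requires passkey confirmation, and stacked signals hold the transaction for review.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions for this example, not figures from the circular).
VELOCITY_MAX_PER_HOUR = 5
LARGE_TRANSFER_PHP = 50_000
CHANGE_COOLDOWN_HOURS = 24
BLACKLISTED_IPS = {"203.0.113.7"}  # constructed entry from a documentation IP range

# Weights for the fraud signals the circular names; values are arbitrary for the demo.
WEIGHTS = {"new_device": 2, "geolocation_mismatch": 2, "blacklisted_ip": 5,
           "recent_account_change": 2, "velocity": 2, "new_payee": 1, "large_amount": 1}

@dataclass
class Session:
    device_known: bool
    country: str
    home_country: str
    ip: str
    hours_since_contact_change: float  # last mobile number, email or device change

@dataclass
class Transfer:
    amount_php: float
    new_payee: bool
    transfers_last_hour: int

def risk_signals(session, transfer=None):
    # Collect the named fraud signals that fire for this request.
    s = []
    if not session.device_known:
        s.append("new_device")
    if session.country != session.home_country:
        s.append("geolocation_mismatch")
    if session.ip in BLACKLISTED_IPS:
        s.append("blacklisted_ip")
    if session.hours_since_contact_change < CHANGE_COOLDOWN_HOURS:
        s.append("recent_account_change")
    if transfer is not None:
        if transfer.transfers_last_hour >= VELOCITY_MAX_PER_HOUR:
            s.append("velocity")
        if transfer.new_payee:
            s.append("new_payee")
        if transfer.amount_php >= LARGE_TRANSFER_PHP:
            s.append("large_amount")
    return s

def decide(session, transfer=None):
    # Map the summed risk score to the authentication the flow must demand.
    score = sum(WEIGHTS[sig] for sig in risk_signals(session, transfer))
    if score >= 4:
        return "hold_for_review"       # hold funds and route to the fraud team
    if score > 0:
        return "passkey_confirmation"  # phishing-resistant step-up
    return "session_only"              # low-risk read, e.g. a balance check
```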

4. Passkeys for BSP Circular 1213#

4.1 Passkeys are phishing-resistant by design#

The circular points institutions away from authentication mechanisms that can be shared or intercepted. Passkeys meet this intent because:

  • They don’t rely on user-entered credentials (like passwords or OTPs) that can be captured on fake websites
  • Instead, authentication uses cryptographic key pairs: the private key is stored securely on the user's device (for device-bound passkeys) or synced encrypted across trusted devices (for synced passkeys), while the public key is held by the service provider
  • Even if a user is tricked into visiting a fake site, the cryptographic challenge won't complete unless the domain matches, making passkeys highly phishing-resistant, though not immune to all forms of social engineering or account compromise
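The domain binding described above is enforced twice: the browser only lets an authenticator answer for a relying party ID that matches the page's domain, and the bank's server re-checks the result. The following added example (not from the page or from Corbado) shows the server-side half for a WebAuthn login assertion: it rejects a response whose origin or rpIdHash points at a look-alike domain, or whose challenge was not issued for this session. RP_ID, ALLOWED_ORIGINS and the sample inputs are constructed for the demo, and the signature check over authenticatorData plus the clientDataJSON hash is a separate step not shown here.

```python
import base64
import hashlib
import json

# Relying party identity for this example (assumed values, not a real bank).
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example", "https://app.bank.example"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    # Returns (ok, reason). Verifies ceremony type, challenge, origin, rpIdHash and flags.
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party"
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our rpId"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    if not flags & 0x04:
        return False, "user verification flag not set (biometric or PIN required)"
    return True, "origin and rpId bound to the bank"

def make_client_data(origin, challenge):
    # Constructs the clientDataJSON a browser would produce for the given origin.
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()

def make_auth_data(rp_id, flags=0x05, counter=1):
    # Constructs minimal authenticatorData: SHA-256(rpId) || flags || signCount.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
```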

4.2 Passkeys are device-bound or securely synced#

Passkeys are built for device-bound or securely synced authentication:

  • The private key is stored in a secure enclave on the user’s phone, tablet, or computer
  • Accessing the passkey typically requires biometric or device-level authentication, such as a fingerprint or Face ID

4.3 Passkeys support seamless and secure UX at scale#

The BSP recognizes that security must coexist with usability, especially given how many Filipinos now rely on mobile financial services. Passkeys are not only more secure than OTPs, they are also easier to use:

  • No passwords or codes to remember or type
  • Login becomes a single biometric confirmation on a trusted device
  • Ideal for mobile-first environments, which dominate in the Philippines

4.4 Passkeys align with BSP intent and global standards#

BSP Circular 1213 explicitly names FIDO as an example of passwordless authentication that uses biological features or a FIDO security key to log in to online accounts. Passkeys are built on FIDO2 and WebAuthn, the same global standard also reflected in NIST passkey guidance and European PSD2 authentication.

By adopting passkeys, institutions can meet both the technical requirements and the regulatory intent of the circular, demonstrating strong customer protection, regulatory compliance and forward-thinking security.

5. Compliance Checklist for Philippine Banks#

For Philippine banks, the practical BSP Circular 1213 workstream should look like this:

  • Map all login, device registration, payee setup, profile update and high-risk transaction flows that still rely on SMS or email OTP
  • Classify which products qualify as complex electronic products and services and whether monthly online transaction value crosses the PHP 75 million threshold
  • Replace interceptable OTP flows with phishing-resistant MFA, ideally FIDO passkeys for login and transaction confirmation
  • Add adaptive authentication based on device, location, behavior and transaction risk
  • Implement fraud management rules for velocity, device changes, blacklist screening, geolocation and behavioral anomalies
  • Store transaction logs, authentication method details, device fingerprints and relevant network data for audit and investigation
  • Prepare customer communication for the move away from SMS OTP and toward biometric or passkey-based confirmation

5.1 Technology and Infrastructure Upgrades#

The circular compels financial institutions to upgrade authentication and fraud infrastructure. Systems that rely on easily intercepted factors like SMS or email OTPs should move toward phishing-resistant and device-bound methods such as passkeys, biometrics or hardware security keys.

5.2 Compliance and Auditing Pressure#

Banks and fintechs need to show that the circular's provisions are implemented by the June 2026 compliance window. Evidence may include risk assessments, FMS rules, authentication flow documentation, transaction logs, vendor due diligence and internal audit material.

5.3 Customer Education and Transition Challenges#

Transitioning away from OTPs also creates customer experience challenges. Institutions need clear communication that explains why OTPs are less secure, what replaces them and how customers can use passkeys or biometric confirmation safely.

6. What Consumers Should Expect#

Consumers will also notice the shift. The result should be safer digital banking, but the transition needs careful UX design.

6.1 Better Security and Less Fraud Risk#

For consumers, the shift will ultimately lead to a safer digital banking environment. By using stronger forms of authentication such as fingerprint or face recognition, they’ll be better protected from common fraud tactics like SIM swapping, phishing scams and account takeovers.

6.2 Change in Login Habits#

Instead of receiving OTPs by SMS or email, users will increasingly be asked to confirm login or transaction activity through passkey-based flows, in-app biometric confirmation or other strong authentication. While more secure, these methods may feel unfamiliar at first, especially for users with limited digital literacy.

6.3 Improved User Experience#

Despite the initial adjustment, the long-term experience for users is likely to be smoother. Passwordless logins and biometric authentication remove the need to remember passwords or wait for OTPs, making access to digital financial services faster and more convenient. Once users get used to the system, many may find it easier than what they had before.


7. Conclusion#

BSP Circular No. 1213 turns SMS OTP migration into a near-term compliance priority for Philippine banks. The circular does not only ask institutions to replace one login factor; it asks them to strengthen the whole fraud and authentication model around financial accounts.

For most banks, the strongest path is to combine passkeys, device intelligence, adaptive authentication and real-time fraud monitoring. This reduces exposure to phishing, SIM-swapping and OTP interception while giving customers a faster login and transaction confirmation experience.


Frequently Asked Questions#

What is the BSP circular on OTP?#

BSP Circular No. 1213 is a 2025 Bangko Sentral ng Pilipinas circular that limits interceptable authentication mechanisms such as SMS and email OTPs for covered financial institutions. It requires stronger authentication and fraud controls for financial accounts, especially high-risk transactions and complex electronic financial services.

Are Philippine banks required to replace SMS OTPs by June 2026?#

BSP Circular No. 1213 gives covered institutions one year from effectivity to comply, which puts the practical deadline in June 2026. The rule does not simply ban every OTP message, but it tells BSP-supervised financial institutions to limit SMS and email OTPs because they can be shared with or intercepted by third parties.

What will replace SMS OTP for Philippine banks?#

The circular points banks toward strong authentication mechanisms such as biometric authentication, behavioral biometrics, passwordless authentication using FIDO cryptographic keys and adaptive authentication. Passkeys are a strong fit because they are phishing-resistant, domain-bound and easier for customers than typing OTP codes.

Why are SMS OTPs risky for Philippine banking MFA?#

SMS OTPs are vulnerable to SIM-swapping, SS7 protocol exploits and phishing attacks that trick users into disclosing codes on fake sites. The Philippines' digital fraud rate stands at 13.4 percent, nearly triple the global average, making these interceptable methods a significant liability under BSP Circular No. 1213.

What does a Philippine bank need to do for BSP Circular 1213 compliance?#

A Philippine bank should reduce reliance on SMS and email OTP, implement strong MFA for high-risk activity, add real-time fraud management controls, track device and account changes, monitor geolocation and behavioral anomalies, keep transaction logs and prepare audit evidence for BSP review.

How does AFASA relate to BSP Circular 1213?#

AFASA (Republic Act No. 12010), passed July 20, 2024, is the primary Philippine law against financial account scamming, requiring multi-factor authentication and fraud management systems from covered institutions. BSP Circular No. 1213, issued June 2025, operationalizes AFASA by specifying which authentication methods are acceptable and limiting the use of SMS OTPs.

What are the new banking rules in the Philippines in 2026?#

For authentication and fraud prevention, Philippine banks must comply with BSP Circular No. 1213 by the June 2026 compliance window. The key rules limit SMS and email OTPs, require stronger MFA for high-risk activity, mandate real-time fraud monitoring and expect controls such as device fingerprinting, transaction velocity checks, geolocation monitoring and customer notification.

Which Philippine financial institutions must comply with BSP Circular No. 1213?#

BSP Circular No. 1213 applies to all BSP-supervised entities: universal banks, commercial banks, thrift and rural banks, fintechs and e-money issuers. Named examples include BDO Unibank, BPI, Metrobank, Maya and SeaBank. Lending companies, pawnshops and payment providers are also covered under the overarching AFASA framework.
