How to stay compliant with Filipino BSP Circular No. 1213 by using Passkeys?

Cybercrime is rising fast in the Philippines, creating serious risks for individuals, businesses, and public institutions. In the first quarter of 2024, reported cases jumped by 21.8 percent compared to the previous quarter, with an average of 49 incidents per day, up from 40 daily in 2023. Common threats include phishing, online selling scams, investment fraud, identity theft, and hacking. More than 80 percent of organizations experienced around three security breaches each this year. The digital fraud rate reached 13.4 percent, nearly triple the global average, placing the country second worldwide. Over 315,000 credentials were exposed in just six months, and Filipinos who fell victim to fraud lost an average of more than PHP 44,700 per incident. Phishing remains the most reported threat, while malware infections and tactics like smishing are becoming more widespread. With cyber risks growing more complex and frequent, the need for clear, enforceable cybersecurity compliance in the Philippines has never been greater.

Recently the Anti‑Financial Account Scamming Act (AFASA) also known as Republic Act No. 12010 (which is the primary compliance framework for protecting financial institutions from cyber fraud) got an update with the BSP Circular No. 1213 (June 2025) to strengthen the Philippines’ defenses against online financial scams. In this blog, we aim to clarify the recent compliance change and address the key questions it raises:

• What is the Bangko Sentral ng Pilipinas Circular No. 1213 (June 2025)?

• What problems does this new regulation aim to solve and what are the contents of the new regulation?

• Which institutions are impacted by the proposed compliance of the central bank of the Philippines?

Before getting into details about the BSP Circular No. 1213 which was released in June 2025 we must first get an overview of the overarching regulatory framework which is the AntiFinancial Account Scamming Act (AFASA).

The AntiFinancial Account Scamming Act (AFASA) (officially Republic Act No. 12010) is a landmark Philippine law passed July 20, 2024, aimed at combating online financial scams and frauds involving digital accounts. As the name already suggests the covered entities under this act include mostly financial institutions like:

• Commercial banks, thrift banks, savings and mortgage banks

• Trust companies, investment firms

• Lending companies, pawnshops, etc.

• Payment providers, financial service providers and fintechs

The AFASA has three main prohibited acts that should protect financial institutions and their consumers:

1. Money-mulling activities such as using accounts to move illicit proceeds, opening accounts in fake names or stolen identities and buying/selling financial accounts for criminal gains

2. Social-engineering activities such as pretending to be a bank or stealing account credentials by deceiving consumers

3. Related activities to the described scams which attempt to harm financial institutions

For a smooth cooperation with the government trying to combat scams financial institutions also have duties advised to follow under AFASA:

• Using robust fraud management systems (FMS) including real-time monitoring

• Using multi-factor authentication (MFA) as a countermeasure for phishing

• Freezing or holding disputed funds to reimburse consumers later after investigations

• Sharing information with BSP and law enforcement swiftly when fraud is suspected

Now that we covered the overarching Scamming Act under which the Circular No. 1213 is formed, we can go deeper into detail on what changes the new Circular has brought and what impact these changes will have on authentication policies of financial institutions in the Philippines:

Circular No. 1213 emphasizes that traditional OTP mechanisms, especially those sent via SMS or email, present increasing security risks and are therefore not a good authentication method which should be avoided. This aligns with global trends recognizing that OTPs via insecure channels are vulnerable to phishing, SIM swap fraud, and other social engineering tactics

The Philippines are only one of many countries (read more on United Arab Emirates, Singapore etc. phasing out SMS OTP) who are taking the right step to phase out SMS and Email OTPs and replace them with more secure authentication methods having a few critical reasons:

• SIM-swapping: Cybercriminals manipulate telecom providers to transfer a target’s phone number to a new SIM card, allowing them to capture OTPs sent via SMS.

• SS7 protocol vulnerabilities: Attackers exploit flaws in the Signaling System No. 7 (SS7) used by mobile networks to secretly intercept or reroute text messages.

• Phishing and spear-phishing: Fraudsters trick users into disclosing their OTPs through deceptive messages or targeted scams, facilitating unauthorized access to accounts and financial fraud.

FIDO Passkeys are considered perfectly aligned with BSP Circular No. 1213 because they directly address the circular’s core security objectives: preventing phishing, eliminating interceptable authentication, and binding user access to a secure device.

The circular explicitly encourages the use of authentication methods that cannot be phished or intercepted. Passkeys meet this criterion because:

• They don’t rely on user-entered credentials (like passwords or OTPs) that can be captured on fake websites.

• Instead, authentication uses cryptographic key pairs: the private key is stored securely on the user’s device and never leaves it, while the public key is held by the service provider.

• Even if a user is tricked into visiting a fake site, the cryptographic challenge won't complete unless the domain matches, making phishing technically impossible.

The circular requires that authentication factors be tied to the individual user and their trusted device or synchronized in a secure manner. Passkeys do exactly that:

• The private key is stored in a secure enclave on the user’s phone, tablet, or computer.

• Accessing the passkey typically requires biometric or device-level authentication, such as a fingerprint or Face ID.

The BSP recognizes that security must coexist with usability, especially given how many Filipinos now rely on mobile financial services. Passkeys are not only more secure than OTPs, they are also easier to use:

• No passwords or codes to remember or type.

• Login becomes a single biometric confirmation on a trusted device.

• Ideal for mobile-first environments, which dominate in the Philippines.

BSP Circular 1213 endorses “phishing-resistant, cryptographically bound authentication”, mirroring the direction taken by the FIDO Alliance, NIST, and EU PSD2. Passkeys are built on the FIDO2/WebAuthn standard, which is the global benchmark for passwordless security.

By adopting passkeys, institutions can meet both the technical requirements and the regulatory intent of the circular, demonstrating strong customer protection, regulatory compliance, and forward-thinking security.

Apart from passwordless multi-factor authentication with FIDO passkeys (which is currently the gold standard from a UX and security perspective) there were also other authentication methods mentioned in the Circular that also count as strong authentication but bring some difficulties:

• On-device Biometrics (fingerprint, face, voice): compromised biometric (e.g., a stolen fingerprint template) data is non-revocable

• Hardware Security Keys (e.g., YubiKeys, smartcards): Risk of loss or damage as well as an interruption of the consumer during login process

Authentication with TOTP apps and push-based authentication are more secure than SMS/email OTPs, but the circular implies they are not considered phishing-resistant by default and therefore does not consider them.

BSP Circular No. 1213 (June 2025) has significant implications for both financial institutions and consumers, especially in how authentication is handled.

The main financial institutions beeing:

• Universal Banks (e.g., BDO Unibank, BPI, Metrobank, Landbank, etc.)

• Commercial Banks (e.g., RCBC, Security Bank)

• Thrift & Rural Banks (e.g., Overseas Filipino Bank, Partner Rural Bank etc.)

• Fintech & E-Money Issuers (e.g., Maya, SeaBank, Pomelo etc.)

The circular compels financial institutions to upgrade their technology and infrastructure, particularly around authentication. Systems that rely on easily intercepted factors like SMS or email OTPs must be phased out in favor of phishing-resistant and device-bound methods such as biometrics, passkeys, or hardware security keys. This may require major technical integration efforts and collaboration with third-party security vendors.

There is also an increased regulatory burden. Banks and fintechs will be required to show that they are in compliance with the circular’s provisions by the June 2026 deadline. This may involve providing audit trails, risk assessments, or technical documentation to BSP. Non-compliance could lead to supervisory action, reputational damage, or even fines.

Transitioning away from OTPs also introduces customer experience challenges. Institutions will have to re-educate users who are accustomed to traditional login methods. Explaining why older methods are no longer secure and how to use newer ones, like biometric login or push approvals, will require clear, consumer-friendly communication campaigns.

Not only institutions but also consumers will have to adjust to the regulations imposed by the central bank of the Philippines even when these changes are in favor of consumers and lead to measurable improvements in safety and usability.

For consumers, the shift will ultimately lead to a safer digital banking environment. By using stronger forms of authentication such as fingerprint or face recognition, they’ll be better protected from common fraud tactics like SIM swapping, phishing scams, and account takeovers. This should result in fewer incidents of unauthorized transactions or lost funds.

However, this security comes with changes to familiar login behaviors. Instead of receiving OTPs by SMS or email, users will increasingly be prompted to authenticate through passkey-based flows or other authentication. While more secure, these new methods may feel unfamiliar or intimidating at first, especially for users with limited digital literacy.

Despite the initial adjustment, the long-term experience for users is likely to be smoother. Passwordless logins and biometric authentication remove the need to remember passwords or wait for OTPs, making access to digital financial services faster and more convenient. Once users get used to the system, many may find it easier than what they had before.

As cyber threats continue to surge in the Philippines, the updated Anti-Financial Account Scamming Act and BSP Circular No. 1213 represent a strong step toward a safer digital financial landscape. By phasing out outdated authentication methods like SMS and email OTPs and adopting secure technologies like passkeys and biometrics, institutions can better protect consumers from fraud.

Though the transition will involve technical upgrades and user education, the result is a stronger, more resilient system that offers both improved security and a smoother user experience. These changes position the Philippines as a forward-thinking leader in financial cybersecurity.

Regarding the BSP Circular No. 1213 we could answer the following questions in todays blog:

• What is the Bangko Sentral ng Pilipinas Circular No. 1213 (June 2025)?
  BSP Circular No. 1213 is a regulatory directive that mandates the use of phishing-resistant, device-bound authentication methods for financial institutions in the Philippines.

• What problems does this new regulation aim to solve and what are the contents of the new regulation?
  The regulation addresses the rising threat of digital fraud by discouraging insecure methods like SMS/email OTPs and promoting stronger authentication tools such as passkeys and biometrics.

• Which institutions are impacted by the proposed compliance of the Philippine central bank?
  The compliance requirements apply to all financial institutions operating under BSP oversight, including banks, fintechs, payment providers, lending firms, and similar entities.