---
url: 'https://www.corbado.com/blog/philippines-compliance'
title: 'How to stay compliant with Filipino BSP Circular No. 1213 by using Passkeys?'
description: 'Learn how the Philippines'' AFASA law and BSP Circular No. 1213 combat online financial scams with stronger, phishing-resistant authentication.'
lang: 'en'
author: 'Alex'
date: '2025-07-23T11:09:58.664Z'
lastModified: '2026-04-26T06:01:00.694Z'
keywords: 'cybersecurity compliance Philippines, Anti Financial Account Scamming Act, Republic Act No. 12010, BSP Circular No. 1213, online financial scams Philippines, FIDO passkeys Philippines, BSP compliance 2025, secure digital banking Philippines, digital fraud'
category: 'Authentication'
---

# How to stay compliant with Filipino BSP Circular No. 1213 by using Passkeys?

## Key Facts

- **BSP Circular No. 1213** (June 2025) mandates phishing-resistant, device-bound
  authentication for Philippine financial institutions, discouraging SMS/email OTPs, with
  a June 2026 compliance deadline.
- The Philippines' **digital fraud rate** reached 13.4 percent, nearly triple the global
  average, with Filipinos losing an average of PHP 44,700 per fraud incident.
- Passkeys satisfy the circular's requirements because **device-bound cryptographic key
  pairs** cannot be phished or intercepted, and authentication fails if the domain does
  not match.
- All BSP-supervised entities including universal banks, fintechs and e-money issuers must
  demonstrate compliance by the **June 2026 deadline** or face supervisory action and
  fines.

## 1. Introduction

Cybercrime is rising fast in the Philippines, creating serious risks for individuals,
businesses, and public institutions. In the first quarter of 2024, reported cases jumped
by 21.8 percent compared to the previous quarter, with an average of 49 incidents per day,
up from 40 daily in 2023. Common threats include [phishing](https://www.corbado.com/glossary/phishing), online
selling scams, investment fraud, identity theft, and hacking. More than 80 percent of
organizations experienced around three security breaches each this year. The digital fraud
rate reached 13.4 percent, nearly triple the global average, placing the country second
worldwide. Over 315,000 credentials were exposed in just six months, and Filipinos who
fell victim to fraud lost an average of more than PHP 44,700 per incident.
[Phishing](https://www.corbado.com/glossary/phishing) remains the most reported threat, while
[malware](https://www.corbado.com/glossary/malware) infections and tactics like smishing are becoming more
widespread. With cyber risks growing more complex and frequent, the need for clear,
enforceable [cybersecurity compliance](https://www.corbado.com/blog/cyber-security-compliance) in the Philippines
has never been greater.

The
[**Anti-Financial Account Scamming Act (AFASA), also known as Republic Act No. 12010**](https://elibrary.judiciary.gov.ph/thebookshelf/showdocs/2/97690),
which is the primary compliance framework for protecting financial institutions from
cyber fraud, was recently updated by
[**BSP Circular No. 1213 (June 2025)**](https://www.bsp.gov.ph/Regulations/Published%20Issuances/Images/Circular_1213.pdf)
to strengthen the Philippines' defenses against online financial scams. In this blog, we
aim to clarify the recent compliance change and address the key questions it raises:

- What is the Bangko Sentral ng Pilipinas Circular No. 1213 (June 2025)?

- What problems does this new regulation aim to solve and what are the contents of the new
  regulation?

- Which institutions are impacted by the proposed compliance of the central bank of the
  Philippines?

## 2. What is the Anti-Financial Account Scamming Act (AFASA)?

Before getting into the details of BSP Circular No. 1213, which was released in June
2025, we must first get an overview of the overarching regulatory framework, the
Anti-Financial Account Scamming Act (AFASA).

The **Anti-Financial Account Scamming Act (AFASA)** (officially Republic Act No. 12010) is
a landmark Philippine law passed on **July 20, 2024**, aimed at combating online financial
scams and frauds involving digital accounts. As the name suggests, the covered entities
under this act are mostly financial institutions, such as:

- Commercial banks, thrift banks, savings and mortgage banks

- Trust companies, investment firms

- Lending companies, pawnshops, etc.

- [Payment](https://www.corbado.com/passkeys-for-payment) providers, financial service providers and fintechs

The AFASA has three main prohibited acts that should protect financial institutions and
their consumers:

1. **Money-mulling activities** such as using accounts to move illicit proceeds, opening
   accounts in fake names or stolen identities and buying/selling financial accounts for
   criminal gains

2. **Social-engineering activities** such as pretending to be a bank or stealing account
   credentials by deceiving consumers

3. **Related activities** to the described scams which attempt to harm financial
   institutions

To cooperate smoothly with the [government](https://www.corbado.com/passkeys-for-public-sector) in
combating scams, financial institutions also have duties they are advised to follow under AFASA:

- Using **robust fraud management systems (FMS)** including real-time monitoring

- Using **multi-factor authentication (MFA)** as a countermeasure for
  [phishing](https://www.corbado.com/glossary/phishing)

- Freezing or **holding disputed funds** to reimburse consumers later after investigations

- **Sharing information with BSP** and law enforcement swiftly when fraud is suspected

## 3. What is the Bangko Sentral ng Pilipinas (BSP) Circular No. 1213?

Now that we have covered the overarching Scamming Act under which Circular No. 1213 was
issued, we can go into more detail on what changes the new Circular has brought and what
impact these changes will have on the authentication policies of financial institutions in
the Philippines:

### 3.1 Discouraged Use of SMS and Email OTP

Circular No. 1213 emphasizes that **traditional OTP mechanisms**, especially those sent
via SMS or email, present increasing **security risks** and should therefore be avoided as
an authentication method. This aligns with global trends recognizing that OTPs sent over
insecure channels are vulnerable to phishing, [SIM swap](https://www.corbado.com/glossary/sim-swap)
fraud, and other social engineering tactics.

The Philippines is only one of many countries (_read more on the_
[_United Arab Emirates_](https://www.corbado.com/blog/uae-banking-otp-phase-out#1-introduction-why-is-the-uae-banning-sms-and-email-otps-in-banking)_,_
[_Singapore_](https://www.corbado.com/blog/singapore-passkeys-banks) _etc. phasing out SMS
OTP_) taking the right step of phasing out SMS and email OTPs and replacing them with
more secure authentication methods, for a few critical reasons:

- **SIM-swapping**: Cybercriminals manipulate [telecom](https://www.corbado.com/passkeys-for-telecom) providers to
  transfer a target’s phone number to a new SIM card, allowing them to capture OTPs sent
  via SMS.

- **SS7 protocol vulnerabilities**: Attackers [exploit](https://www.corbado.com/glossary/exploit) flaws in the
  Signaling System No. 7 (SS7) used by mobile networks to secretly intercept or reroute
  text messages.

- [Phishing and spear-phishing](https://www.corbado.com/blog/psd2-passkeys): Fraudsters trick users into
  disclosing their OTPs through deceptive messages or targeted scams, facilitating
  unauthorized access to accounts and financial fraud.

### 3.2 Focus on multi-factor Authentication Standards like Passkeys based on FIDO

[FIDO Passkeys](https://fidoalliance.org/passkeys/) are considered perfectly aligned with
BSP Circular No. 1213 because they directly address the circular’s core security
objectives: preventing phishing, eliminating interceptable authentication, and binding
user access to a secure device.

#### 3.2.1 Passkeys are phishing-resistant by Design

The circular explicitly encourages the use of authentication methods that cannot be
phished or intercepted. Passkeys meet this criterion because:

- They don’t rely on user-entered credentials (like passwords or OTPs) that can be
  captured on fake websites.

- Instead, authentication uses cryptographic key pairs: the private key is stored securely
  on the user's device (for
  [device-bound passkeys](https://www.corbado.com/blog/fbi-operation-winter-shield-passkeys)) or synced encrypted
  across trusted devices (for
  [synced passkeys](https://fidoalliance.org/white-paper-passkeys-the-journey-to-prevent-phishing-attacks/)),
  while the public key is held by the service provider.

- Even if a user is tricked into visiting a fake site, the
  [cryptographic challenge](https://www.corbado.com/glossary/cryptographic-challenge) won't complete unless the
  domain matches, making passkeys
  [highly phishing-resistant](https://fidoalliance.org/passkeys-are-not-broken-the-conversation-about-them-often-is/)
  (though not immune to all forms of social engineering or account compromise).

#### 3.2.2 Passkeys are bound to the User’s Device or synced securely

The circular requires that authentication factors be **tied to the individual user and
their trusted device** or synchronized in a secure manner. Passkeys do exactly that:

- The private key is stored in a **secure enclave** on the user’s phone, tablet, or
  computer.

- Accessing the passkey typically requires **biometric or device-level authentication**,
  such as a fingerprint or [Face ID](https://www.corbado.com/faq/is-face-id-passkey).

#### 3.2.3 Passkeys support seamless and secure UX at Scale

The BSP recognizes that **security must coexist with usability**, especially given how
many Filipinos now rely on mobile [financial services](https://www.corbado.com/passkeys-for-banking). Passkeys
are not only more secure than OTPs, they are also **easier to use**:

- No passwords or codes to remember or type.

- Login becomes a single biometric confirmation on a trusted device.

- Ideal for mobile-first environments, which dominate in the Philippines.

#### 3.2.4 Passkeys are explicitly in line with BSP’s Intent and global Standards

BSP Circular 1213 endorses **“phishing-resistant, cryptographically bound
authentication”**, mirroring the direction taken by the
[FIDO Alliance](https://www.corbado.com/glossary/fido-alliance), [NIST](https://www.corbado.com/blog/nist-passkeys), and EU
[PSD2](https://www.corbado.com/blog/psd2-passkeys). Passkeys are built on the [FIDO2](https://www.corbado.com/glossary/fido2)/WebAuthn
standard, which is the global benchmark for passwordless security.

By adopting passkeys, institutions can meet both the technical requirements and the
regulatory intent of the circular, demonstrating strong customer protection,
[regulatory compliance](https://www.corbado.com/blog/cybersecurity-frameworks), and forward-thinking security.

![passkeys circular screenshot](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/passkeys_circular_screenshot_4e84d8c436.png)

### 3.3 Other strong Authentication Methods mentioned in the BSP Circular No. 1213

Apart from passwordless multi-factor authentication with FIDO passkeys (which is currently
the gold standard from a UX and security perspective) there were also other authentication
methods mentioned in the Circular that also count as strong authentication but bring some
difficulties:

- [**On-device Biometrics (fingerprint, face, voice):**](https://www.corbado.com/blog/passkeys-local-biometrics)
  compromised biometric data (e.g., a stolen fingerprint template) cannot be revoked

- **Hardware Security Keys (e.g., YubiKeys, smartcards):** risk of loss or damage, as well
  as interrupting the consumer during the login process

Authentication with TOTP apps and push-based authentication is more secure than SMS/email
OTPs, but the circular implies that these methods are not considered phishing-resistant by
default and therefore does not list them as accepted methods.

## 4. Consequences of the new Additions to the Anti-Financial Account Scamming Act on Institutions

BSP Circular No. 1213 (June 2025) has significant implications for both financial
institutions and consumers, especially in how authentication is handled.

The main affected financial institutions are:

- **Universal Banks** (e.g., BDO Unibank, BPI, Metrobank, Landbank, etc.)

- **Commercial Banks** (e.g., RCBC, Security Bank)

- **Thrift & Rural Banks** (e.g., Overseas Filipino Bank, Partner Rural Bank etc.)

- **Fintech & E-Money Issuers** (e.g., Maya, SeaBank, Pomelo etc.)

### 4.1 Technology and Infrastructure Upgrades

The circular compels financial institutions to upgrade their technology and
infrastructure, particularly around authentication. Systems that rely on easily
intercepted factors like SMS or email OTPs must be phased out in favor of
phishing-resistant and device-bound methods such as biometrics, passkeys, or
[hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys). This may require major
technical integration efforts and collaboration with third-party security vendors.

### 4.2 Compliance and Auditing Pressure

There is also an increased regulatory burden. Banks and fintechs will be required to show
that they are in compliance with the circular’s provisions by the June 2026 deadline. This
may involve providing audit trails, risk assessments, or technical documentation to BSP.
Non-compliance could lead to supervisory action, reputational damage, or even fines.

### 4.3 Customer Education and Transition Challenges

Transitioning away from OTPs also introduces customer experience challenges. Institutions
will have to re-educate users who are accustomed to traditional login methods. Explaining
why older methods are no longer secure and how to use newer ones, like biometric login or
push approvals, will require clear, consumer-friendly communication campaigns.

## 5. Consequences of the new Additions to the Anti-Financial Account Scamming Act on Consumers

Not only institutions but also consumers will have to adjust to the regulations imposed by
the central bank of the Philippines, even though these changes are in favor of consumers and
lead to measurable improvements in safety and usability.

### 5.1 Better Security and less Fraud Risk

For consumers, the shift will ultimately lead to a safer digital
[banking](https://www.corbado.com/passkeys-for-banking) environment. By using stronger forms of authentication
such as fingerprint or face recognition, they’ll be better protected from common fraud
tactics like [SIM swapping](https://www.corbado.com/faq/sim-swapping-sms-authentication-risk), phishing scams,
and account takeovers. This should result in fewer incidents of unauthorized transactions
or lost funds.

### 5.2 Change in Login Habits

However, this security comes with changes to familiar login behaviors. Instead of
receiving OTPs by SMS or email, users will increasingly be prompted to authenticate
through passkey-based flows or other authentication. While more secure, these new methods
may feel unfamiliar or intimidating at first, especially for users with limited digital
literacy.

### 5.3 Improved User Experience

Despite the initial adjustment, the long-term experience for users is likely to be
smoother. Passwordless logins and
[biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) remove the need to
remember passwords or wait for OTPs, making access to digital
[financial services](https://www.corbado.com/passkeys-for-banking) faster and more convenient. Once users get
used to the system, many may find it easier than what they had before.

## 6. Conclusion

As cyber threats continue to surge in the Philippines, the updated Anti-Financial Account
Scamming Act and BSP Circular No. 1213 represent a strong step toward a safer digital
financial landscape. By phasing out outdated authentication methods like SMS and email
OTPs and adopting secure technologies like passkeys and biometrics, institutions can
better protect consumers from fraud.

Though the transition will involve technical upgrades and user education, the result is a
stronger, more resilient system that offers both improved security and a smoother user
experience. These changes position the Philippines as a forward-thinking leader in
financial cybersecurity.

In today's blog we were able to answer the following questions regarding BSP Circular
No. 1213:

- **What is the Bangko Sentral ng Pilipinas Circular No. 1213 (June 2025)?**\
  BSP Circular No. 1213 is a regulatory directive that mandates the use of
  phishing-resistant, device-bound authentication methods for financial institutions in
  the Philippines.

- **What problems does this new regulation aim to solve and what are the contents of the
  new regulation?**\
  The regulation addresses the rising threat of digital fraud by discouraging insecure
  methods like SMS/email OTPs and promoting stronger authentication tools such as passkeys
  and biometrics.

- **Which institutions are impacted by the proposed compliance of the Philippine central
  bank?**\
  The compliance requirements apply to all financial institutions operating under BSP
  oversight, including banks, fintechs, [payment](https://www.corbado.com/passkeys-for-payment) providers,
  lending firms, and similar entities.

## Frequently Asked Questions

### What authentication methods does BSP Circular No. 1213 accept as compliant replacements for SMS OTPs?

BSP Circular No. 1213 accepts passkeys built on FIDO2/WebAuthn, on-device biometrics and
hardware security keys such as YubiKeys as compliant alternatives. TOTP apps and
push-based authentication are excluded because the circular does not consider them
phishing-resistant by default, making them insufficient to meet the regulation's full
intent.

### Why are SMS OTPs being phased out under Philippine banking regulations?

SMS OTPs are vulnerable to SIM-swapping, SS7 protocol exploits and phishing attacks that
trick users into disclosing codes on fake sites. The Philippines' digital fraud rate
stands at 13.4 percent, nearly triple the global average, making these interceptable
methods a significant liability under BSP Circular No. 1213.

### What does a Philippine financial institution need to do to prove compliance with BSP Circular No. 1213?

Institutions must phase out SMS/email OTPs, adopt phishing-resistant authentication such
as passkeys or biometrics and demonstrate compliance by June 2026. Evidence may include
audit trails, risk assessments and technical documentation submitted to the BSP.
Non-compliance can result in supervisory action, reputational damage or fines.

### How does AFASA (Republic Act No. 12010) relate to BSP Circular No. 1213?

AFASA (Republic Act No. 12010), passed July 20, 2024, is the primary Philippine law
against financial account scamming, requiring multi-factor authentication and fraud
management systems from covered institutions. BSP Circular No. 1213, issued June 2025,
operationalizes AFASA by specifying which authentication methods are acceptable and
mandating the phase-out of SMS OTPs.

### Which Philippine financial institutions are required to comply with BSP Circular No. 1213?

BSP Circular No. 1213 applies to all BSP-supervised entities: universal banks, commercial
banks, thrift and rural banks, fintechs and e-money issuers. Named examples include BDO
Unibank, BPI, Metrobank, Maya and SeaBank. Lending companies, pawnshops and payment
providers are also covered under the overarching AFASA framework.
