Digital banking users in the Philippines will get additional security checks as banks and e-wallet providers move away from relying mainly on SMS- and email-based one-time passwords (OTPs) for risky transactions.

The Bangko Sentral ng Pilipinas (BSP) required covered BSP-supervised financial institutions (BSFIs) to adopt stronger ways of verifying users by June 25, 2026.

Banks and e-wallet operators must use more secure methods, including fingerprint or facial recognition, analysis of user behavior, risk-based security checks, or password-free login methods for transactions considered high risk.

“The BSP is equally dedicated to promoting innovation in financial services as to protecting customers from new forms of fraud, including technology-enabled fraud. We are pleased that banks and e-wallet operators are stepping up on both fronts,” said BSP Deputy Governor Lyn Javier.

The change comes as more Filipinos use digital banking and online payments, giving fraudsters more opportunities to target accounts through scams such as fake websites, stolen mobile numbers, and social engineering.

The rules cover banks and e-wallet operators that process more than ₱75 million in online transactions per month. This includes most universal and commercial banks, all digital banks, and some cooperative, thrift, and rural banks.

The new security measures will not apply the same way to every transaction. Banks and e-wallet providers will assess the risk based on factors such as the amount being transferred, the recipient, a customer’s usual transaction patterns, and the service being used.

For instance, sending a large amount of money to a new recipient or logging in from an unfamiliar device may require additional verification. Smaller or familiar transactions may still use simpler methods, including SMS OTPs, depending on the institution’s assessment.

Aside from stronger user verification, the BSP also requires covered institutions to improve their fraud detection systems. These systems should be able to flag anomalies such as unusually fast transactions, payments to new recipients, or activity from unknown devices.

The new rules shift digital banking security from simply checking if a user has the correct password or OTP to checking whether the transaction matches the customer’s normal behavior.

Financial institutions not covered by the rules are not required to follow the same transition timeline but must continue reviewing fraud risks and applying appropriate security measures.
