From Ideem: device-bound passkeys and A2A payment authentication for banks, fintechs, and payment platforms.
TL;DR: The Bangko Sentral ng Pilipinas has confirmed that the June 2026 deadline for Circular 1213 stands. Philippine banks, e-money issuers, and payment operators have a tight window to phase out SMS and email OTPs for high-risk transactions, deploy real-time fraud management systems, and bring their authentication architecture into line with phishing-resistant standards. The BSP has been clear that institutions falling short face liability for customer losses under the Anti-Financial Account Scamming Act. Here is what the circular requires, why the BSP is holding firm, and a practical playbook for the months ahead.
BSP Circular 1213 was issued in June 2025 as the central pillar of the regulatory implementation of the Anti-Financial Account Scamming Act (AFASA), Republic Act No. 12010, signed by President Marcos in July 2024. The circular amends the BSP's IT Risk Management Regulations and applies universally to BSP-supervised financial institutions: commercial banks, digital banks, e-money issuers, payment system operators including InstaPay and PESONet participants, credit card issuers, and remittance companies.
The circular establishes two parallel obligations. First, BSP-supervised institutions must limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction. That language directly captures SMS and email OTP. Second, institutions handling complex electronic products and services, or those with average monthly transaction volumes above PHP 75 million, must deploy real-time fraud management systems covering behavioral anomalies, geolocation monitoring, blacklist screening, mobile device change events, and transaction velocity checks.
Compliance is required within one year of the circular's effective date, putting the practical deadline in late June 2026.
In January 2026, BSP Deputy Governor Elmore Capule confirmed publicly that the central bank is not extending the June 2026 deadline, telling reporters in Manila that as of now they are not extending it and institutions have to catch up. BSP General Counsel Roberto Figueroa has acknowledged that some banks have requested an extension, but the BSP's public posture has remained firm.
The reasoning is straightforward. The BSP received approximately 70,000 consumer complaints in 2024, with around 13 percent tied to unauthorized transactions including phishing and vishing. The Philippines has one of the highest digital fraud rates in the region, and the central bank has connected that directly to interceptable authentication. Capule's framing has been blunt: institutions still using outdated technology when fraud occurs are presumed negligent, and the burden of proof under AFASA falls on the institution, not the customer.
For institutions reading Circular 1213 and concluding that SMS OTP can stay as a primary factor with biometrics layered on top, the language of the circular argues otherwise. The BSP has clarified that OTP retains one permitted use: confirming the existence or ownership of a registered mobile number at enrollment. It is no longer an acceptable factor for authorizing high-risk transactions.
What counts as high-risk under Circular 1213 is broad. It includes login to digital banking, but it extends to adding a new payee, updating registered contact details, initiating large transfers, and initiating any account change that could be exploited downstream. The coverage matches the modern fraud playbook, in which attackers do not always need to drain an account on day one. They need to gain a foothold that permits draining on day fifteen.
The circular also names the alternatives explicitly. Biometric authentication, behavioral biometrics, passwordless authentication using FIDO standards, hardware tokens, and cryptographic keys are all listed as acceptable. The phishing-resistant, device-bound flavor of those mechanisms is what regulators globally have converged on.
Authentication is only half of Circular 1213. The other half is a real-time fraud management system that operates alongside the stronger authentication. The circular is explicit that batch processing or end-of-day reconciliation does not meet the standard. Detection has to be real-time, the rules engine has to be calibrated, and the system has to be able to block transactions, not just flag them.
Clearing Switch Operators running InstaPay and PESONet must implement equivalent standards. Fraud monitoring is a chain obligation across the payment network, which means an institution's compliance posture is partly dependent on the posture of the rails it connects to.
For institutions that have outsourced fraud analytics or biometrics to third-party vendors, the circular adds explicit due diligence requirements: vendor security architecture review, data protection clauses in contracts, and ongoing independent audits. The BSP is pushing the ownership of the security perimeter back into the regulated entity even when the technology is bought, not built.
The most consequential change AFASA introduced is the shift in liability for fraud losses. Before AFASA, liability for digital banking fraud was contested. Banks would point to customer behavior, customers would point to bank controls, and the resolution depended on the specifics. AFASA changed that.
Banks with adequate risk management systems and strong authentication are protected from liability when scams occur despite those controls. Banks without adequate controls are required to reimburse customers directly. Capule's framing of the consequence has been direct: if there is a loss, the institution pays, and BSP adjudication is fast.
That reverses the historic incentive structure. The cheapest path used to be to maintain status quo authentication and absorb the occasional dispute. The cheapest path now is to comply with Circular 1213 and earn the liability protection.
For Philippine institutions still running OTP as a default at this stage of 2026, the path to the deadline is short but tractable. A workable sequence:
Inventory the authentication touchpoints first. Identify every flow that currently relies on SMS or email OTP: login, transaction signing, payee adds, contact updates, account recovery, password reset. The list is usually longer than the security team initially estimates because fraud-relevant flows accumulate over years.
Move high-risk transactions to phishing-resistant authentication first. Wire initiation, beneficiary additions, large transfers, and account change operations matter more than session-level login. Customers tolerate a stronger factor on a high-value action; they resist friction on routine balance checks.
Stand up the fraud management layer in parallel. Real-time behavioral analytics, device fingerprinting, geolocation checks, and velocity monitoring are not a substitute for stronger authentication, but they are required alongside it. The circular treats authentication and fraud monitoring as the two-sided defense, not as alternatives.
Document everything. The BSP expects audit trails showing authentication methods used for high-risk transactions, technical documentation of the fraud management system architecture, and evidence of vendor due diligence. The institutions that pass through compliance smoothly are the ones with the documentation already assembled, not the ones building it the week of the audit.
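To make the two-sided defense concrete, here is an added example (not code from Ideem or from the circular) of a minimal real-time decision layer that applies the controls the circular names: OTP rejected as a factor for the high-risk actions listed above, plus blacklist, device-change, geolocation and velocity rules that return a block decision rather than a flag. The action names, factor labels, thresholds and transaction records are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Actions the circular treats as high-risk (constructed labels for the page's list).
HIGH_RISK = {"login", "add_payee", "update_contact", "large_transfer", "account_change"}
# Factors the circular lists as acceptable; SMS/email OTP is deliberately absent.
PHISHING_RESISTANT = {"fido_passkey", "hardware_token", "biometric", "crypto_key"}

@dataclass
class Txn:
    user: str
    action: str
    amount: float
    factor: str      # authentication factor presented for this action
    device_id: str   # registered mobile device identifier
    country: str     # geolocation of the session
    payee: str
    ts: datetime

@dataclass
class RiskEngine:
    """Per-transaction rules, evaluated synchronously so the result can block the payment."""
    blacklist: set
    max_per_window: int = 5                      # assumed velocity threshold
    window: timedelta = timedelta(minutes=10)    # assumed velocity window
    history: dict = field(default_factory=dict)  # user -> recent transactions

    def decide(self, t: Txn) -> tuple[str, list[str]]:
        reasons = []
        if t.action in HIGH_RISK and t.factor not in PHISHING_RESISTANT:
            reasons.append(f"{t.factor} not acceptable for high-risk action {t.action}")
        if t.payee in self.blacklist:
            reasons.append("payee on blacklist")
        # Only transactions inside the window count for device, geo and velocity checks.
        prior = [p for p in self.history.get(t.user, []) if t.ts - p.ts <= self.window]
        if prior:
            last = prior[-1]
            if t.device_id != last.device_id:
                reasons.append("mobile device change since last transaction")
            if t.country != last.country:
                reasons.append("geolocation differs from recent activity")
        if len(prior) + 1 > self.max_per_window:
            reasons.append("transaction velocity exceeded")
        self.history.setdefault(t.user, []).append(t)
        return ("BLOCK" if reasons else "ALLOW"), reasons
```

Every decision carries its reasons so the audit trail the BSP expects for high-risk transactions is produced at the moment of the decision.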
For institutions weighing synced passkeys against the device-bound variant, the assurance question is the one that matters at the regulator's table. Synced passkeys are a meaningful improvement over OTP, but they sync across the user's iCloud Keychain or Google Password Manager, which leaves a gap on the device-binding side that Circular 1213's language pushes against. Device-bound passkeys close that gap by binding the credential to a specific, attested device. That is what the regulator means when it talks about authentication that cannot be shared or intercepted.
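A relying party can tell the two variants apart at registration: the WebAuthn authenticator-data flags byte carries a backup-eligible (BE) bit that synced passkeys set and device-bound credentials leave clear. The following added example (not Ideem's SDK or the circular's text) parses that byte and applies an assumed high-risk policy of user verification plus no backup eligibility; the authenticator data is a constructed sample with a zeroed rpIdHash.

```python
# Bits of the WebAuthn authenticator data "flags" byte, which sits at offset 32
# right after the 32-byte rpIdHash and before the 4-byte signature counter.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_flags(auth_data: bytes) -> dict:
    """Return the flag bits a relying party inspects at registration."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short: rpIdHash(32) + flags(1) + counter(4)")
    f = auth_data[32]
    return {
        "user_present": bool(f & FLAG_UP),
        "user_verified": bool(f & FLAG_UV),     # biometric or PIN was checked
        "backup_eligible": bool(f & FLAG_BE),   # set by synced (multi-device) passkeys
        "backed_up": bool(f & FLAG_BS),         # currently backed up to a sync service
        "attested_cred": bool(f & FLAG_AT),     # attested credential data follows
    }

def accept_for_high_risk(auth_data: bytes) -> tuple[bool, str]:
    """Assumed policy for high-risk flows: user verification performed and the credential
    not backup-eligible, so it stays bound to the one device that created it."""
    flags = parse_flags(auth_data)
    if not flags["user_verified"]:
        return False, "user verification (biometric/PIN) not performed"
    if flags["backup_eligible"]:
        return False, "credential is backup-eligible: synced passkey, not device-bound"
    return True, "device-bound, user-verified credential"

def sample_auth_data(flags: int) -> bytes:
    """Constructed sample: zeroed rpIdHash placeholder + flags byte + counter of 1."""
    return b"\x00" * 32 + bytes([flags]) + (1).to_bytes(4, "big")
```

The BE bit is reported by the authenticator itself, so for the attested-device assurance the paragraph describes it is paired with verification of the registration's attestation statement, not relied on alone.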
BSP Circular 1213 is a compliance deadline. It is also an opening. The institutions that meet it cleanly will reduce fraud losses, reduce SMS delivery costs, reduce password-reset support volume, and earn the AFASA liability protection. The institutions that bring better authentication forward will also bring a better customer experience: a faster login, fewer code-typing moments, and fewer support calls when the OTP does not arrive.
The BSP has been consistent that the goal is consumer protection, not regulatory friction. The institutions that lean into that framing will find the next year easier than the institutions that treat 1213 as a checkbox. The deadline is firm, the regulator is engaged, and the path forward is well marked. The work is operational now, not strategic.
Bangko Sentral ng Pilipinas: Circular No. 1213 (June 2025)
BSP Regulations and Issuances Index
GMA News: BSP keeps June 2026 deadline for PH banks to upgrade fraud management systems
GMA News: Financial institutions given until June 2026 to boost fraud management systems
Rappler: BSP - Financial institutions must upgrade fraud management systems by 2026