The Deputy Governor of Bangko Sentral ng Pilipinas (BSP), the country’s central bank, has warned that financial institutions need to ‘catch up’ in order to meet the deadline of June 30, 2026, for ending the use of SMS one-time passwords (OTPs) for banking transactions and implementing various other anti-fraud controls. The requirement to phase out SMS OTPs comes from BSP Circular 1213.
With the increasing prevalence of social engineering attacks aimed at obtaining login credentials, BSFIs [BSP-supervised financial institutions] should limit the use of authentication mechanisms that can be shared to, or intercepted by, third parties unrelated to the transaction… Moreover, BSFIs engaged in complex electronic products and services and handling high aggregate values of online transactions must adopt strong authentication mechanisms to ensure the integrity of customer-initiated transactions. These include any of the following:
aa. Biometric authentication — provides customer convenience and enhanced security as biometrics can be difficult to replicate or steal. Examples include fingerprint scanning, facial recognition, and voice recognition, among others;
bb. Behavioral biometrics — can track behavioral patterns, such as typing speed, mouse, or device movements. This can be implemented as part of continuous authentication and linked to anomaly/fraud detection;
cc. Passwordless authentication — eliminates traditional passwords but uses factors like biometrics, hardware tokens and cryptographic keys. An example is the use of Fast Identity Online (FIDO), a technical specification for online user identity authentication, allowing biological features or a FIDO security key to log in to online accounts; or
dd. Adaptive authentication — dynamically adjusts authentication process based on user’s context, to cover factors such as location, device, and behavior. Upon detection of unusual activity, it can prompt additional verification steps or other actions, depending on risk appetite.
BSP recently published a draft of potential rules for server-side biometric authentication of transactions as part of the intended transition from OTPs sent by SMS or email. However, banks will still be permitted to send SMS OTPs to confirm that a phone number belongs to a customer.
The Philippines is following an increasingly popular international trend where banks will be liable for scam losses unless they have successfully executed prescribed controls to protect customers. Other requirements included in BSP Circular 1213 that will also affect comms traffic and comms businesses include the following:
- Monitoring changes to the phone number associated with a bank account and limiting the transactions that can be performed for 24 hours after it has been changed;
- Preventing mobile banking apps from being installed on devices which are not secure, such as handsets that have been jailbroken or which are running outdated versions of operating systems;
- Gathering data about the ‘fingerprint’ of the devices used by customers and implementing controls to prevent hardware spoofing;
- Instantly notifying customers about activity on their account, potentially via messages sent to their banking app, through an OTT messaging platform or by SMS; and
- A general prohibition of clickable hyperlinks or QR codes sent by the bank to its customer via SMS or instant messaging except where a specific exemption applies.
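Two of the controls in that list are concrete enough to show as code: the 24-hour restriction after a phone-number change, and the rule that the bank's own outbound messages carry no clickable links. The following is an added illustration written for this page, not code from BSP or from any bank; the 24-hour window and the link prohibition come from the circular as summarised above, while the peso limits, the account fields and all function names are assumptions chosen for the example.

```python
"""Illustration of two BSP Circular 1213 controls (added example, not the
regulator's or any bank's code). Assumed values are marked as such."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

COOLDOWN = timedelta(hours=24)   # from the article: restrict for 24 h after a number change
COOLDOWN_LIMIT = 5_000           # assumed reduced per-transaction ceiling (PHP) during the window
NORMAL_LIMIT = 200_000           # assumed normal per-transaction ceiling (PHP)


@dataclass
class Account:
    phone: str
    phone_changed_at: Optional[datetime] = None   # None: never changed since enrolment


def change_phone(account: Account, new_phone: str, now: datetime) -> None:
    """Record a phone-number change. Every change restarts the 24-hour window,
    so an attacker cannot shorten it by changing the number twice."""
    if new_phone != account.phone:
        account.phone = new_phone
        account.phone_changed_at = now


def in_cooldown(account: Account, now: datetime) -> bool:
    """True while the account is within 24 hours of its last number change."""
    return account.phone_changed_at is not None and (now - account.phone_changed_at) < COOLDOWN


def authorize_transfer(account: Account, amount: int, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). The reduced limit applies during the window,
    which is exactly when someone who has just re-pointed the OTP channel at
    their own handset would try to cash out."""
    if amount <= 0:
        return False, "invalid amount"
    if in_cooldown(account, now):
        if amount > COOLDOWN_LIMIT:
            return False, "phone number changed within the last 24 hours"
        return True, "allowed (reduced limit in force)"
    if amount > NORMAL_LIMIT:
        return False, "exceeds per-transaction limit"
    return True, "allowed"


# Outbound-message rule: the bank never sends a clickable link by SMS.
# Matches scheme URLs, www. prefixes and bare domains with a few common TLDs
# (the TLD list is an assumption; extend it for production use).
_LINK = re.compile(r"(https?://|www\.|\b[a-z0-9-]+\.(?:com|ph|net|org|io|app)\b)", re.IGNORECASE)


def sms_has_link(text: str) -> bool:
    """True if the text contains anything a handset would render as a tappable link."""
    return _LINK.search(text) is not None


def build_notification(amount: int, now: datetime) -> str:
    """Instant transaction alert; refused at build time if it carries a link,
    so a template change cannot silently reintroduce one."""
    msg = (f"PHP {amount:,} sent from your account at {now:%Y-%m-%d %H:%M} UTC. "
           f"Not you? Call the number printed on your card.")
    if sms_has_link(msg):
        raise ValueError("outbound SMS must not contain hyperlinks")
    return msg


if __name__ == "__main__":
    # Constructed walk-through: number changed, attacker tries a large transfer within the window.
    t0 = datetime(2026, 7, 1, 9, 0, tzinfo=timezone.utc)
    acct = Account(phone="+639170000001")
    change_phone(acct, "+639170000002", t0)
    print(authorize_transfer(acct, 50_000, t0 + timedelta(hours=1)))   # refused
    print(authorize_transfer(acct, 50_000, t0 + timedelta(hours=24)))  # allowed again
    print(build_notification(5_000, t0))
```

The window is measured from the most recent change rather than the first, and the alert text is linted at the point it is built rather than at the SMS gateway, so the same rule holds whichever channel (app push, OTT messaging or SMS) finally carries it.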
The extent to which modern retail banking relies on electronic communications means central bankers are right to set expectations for the controls surrounding those communications. There is a lot of common sense in these requirements from the Philippine central bank. Financial institutions should not be allowed to absolve themselves of responsibility when they give customers risky ways of transacting via their phones. BSP is right to stick with its original deadline for implementing enhanced security around online and mobile banking.