Central Bank of the Philippines requires stronger authentication for high risk digital transactions by banks and large e wallet operators by 25 June 2026

The Central Bank of the Philippines said covered BSP-supervised financial institutions must replace SMS- and email-based one-time passwords with stronger authentication tools for high-risk digital banking and payment transactions by 25 June 2026. The requirement, set out in Circular No. 1213, applies to banks and e-wallet operators that average more than P75 million in online transactions per month and is aimed at reducing fraud and unauthorized account access. Covered institutions must use stronger methods such as biometric, behavioral, adaptive or passwordless authentication where their risk assessment identifies higher-risk activity. Risk is to be assessed based on factors including the payee profile, transaction value, customer behavior patterns, and the nature of the product or service. Lower-risk transactions may still use less stringent methods such as SMS OTPs. The circular also requires stronger fraud management systems that can flag unusual or suspicious activity, including unusually rapid transactions and activity involving new recipients or unrecognized devices. Institutions outside the threshold are not subject to the same transition period but must regularly assess fraud risks in their products and services and determine appropriate preventive measures. Many covered firms are already implementing the changes ahead of the deadline.