The Bangko Sentral ng Pilipinas (BSP) urges banks and electronic wallets to move beyond one-time passwords (OTPs) and adopt stronger authentication methods to combat the growing threat of cybercrime.
During the 2025 Media Information Session in Baguio City last February, BSP Deputy Governor Elmore Capule warned that relying solely on OTPs is no longer enough to future-proof the financial system.
“What we have now may be efficient, but next week or next year, it may no longer be,” Capule said.
He emphasized the need for ‘continuous upgrading’ among financial institutions, especially digital banks, which are expected to have more advanced security frameworks.
Meanwhile, BSP Deputy Governor Mamerto Tangonan noted that global regulators like the Monetary Authority of Singapore and the Bank for International Settlements have already discouraged OTP reliance.
OTPs at risk
OTPs have long been the go-to second layer of authentication in online banking. However, with social engineering and phishing attacks becoming more sophisticated, OTPs have become increasingly vulnerable.
“Even the OTPs now are quite vulnerable. So we’re recommending that financial institutions adopt stronger, more advanced forms of multi-factor authentication,” BSP Technology Risk and Innovation Supervision Deputy Director Maricris Salud said.
Data from the Cybercrime Investigation and Coordinating Center showed that cybercrime complaints in the Philippines tripled from 3,317 cases in 2023 to 10,004 in 2024.
Total financial losses reached nearly ₱198 million, with GCash users accounting for ₱76.49 million in losses due to fraud, scams, and phishing.
Because of these developments, BSP issued Circular No. 1213 in June 2025, mandating that supervised financial institutions limit the use of OTPs and begin deploying more secure mechanisms.
These include biometric authentication, behavioral biometrics, cryptographic keys, and passwordless systems.
Fraud management mandatory
In compliance with the Anti-Financial Account Scamming Act (RA 12010), BSP is giving banks and e-wallets, especially those offering electronic payment and financial services, one year to implement robust fraud management systems (FMS).
Minimum requirements include automated, real-time fraud monitoring, the ability to detect device and account changes, transaction velocity checks, and geolocation tracking.
Capule explained that institutions engaged in complex digital operations with at least ₱75 million in monthly transaction value must also implement machine learning systems capable of identifying suspicious behaviors and blocking transactions tied to flagged individuals.
“If they fail to come up with these systems, the consequence is that the financial institution that fails to abide will be the one scam-responsible,” Capule said, referring to the shift in civil liability once the rules take effect on June 25.
Calibrated shift
Despite the push, Capule acknowledged the high cost of these upgrades.
“All of these things are very, very expensive. That’s the reality. So we are giving them sufficient time,” he said.
He emphasized that inaction would only fuel more scams and fraud, and that the shift must happen gradually.
The BSP’s move echoes its earlier efforts to replace magnetic stripe cards with EMV chip technology in 2017, which also required a phased implementation.
As the country moves toward more complex digital finance ecosystems, the BSP remains firm: OTPs are no longer enough. Financial institutions must evolve or be held accountable.