From AFASA to BSP Circulars 1213 – 1215: SAVYINT Partners with Philippine Banks to Strengthen Security and Fight Digital Fraud 

The rapid growth of digital banking, e-wallets, and online payments in the Philippines has had a serious consequence: financial fraud is becoming increasingly sophisticated and more organized. Following the enactment of AFASA, the Bangko Sentral ng Pilipinas (BSP) went on to issue BSP Circulars 1213, 1214, and 1215, tightening the responsibilities of financial institutions and imposing stricter requirements for user authentication, fraud management, and data protection.

About AFASA and BSP Circulars 1213, 1214, and 1215 

    Officially taking effect on June 25, 2025, the Anti-Financial Account Scamming Act (Republic Act No. 12010) was enacted by the Philippine government with the following core objectives: 

    • Protect consumers against scams such as phishing, social engineering, account takeover, and mule accounts. 
    • Require banks, fintech companies, and payment institutions to implement proactive fraud prevention systems instead of merely responding after damage has occurred. 
    • Increase legal accountability for institutions that fail to prevent or respond promptly to fraudulent activities. 

    One of the most important requirements under AFASA is the mandatory transition of authentication methods before June 2026. OTPs sent via SMS and email will no longer be accepted for high-risk transactions. Instead, more secure methods must be implemented, such as biometric authentication, passwordless authentication, and adaptive multi-factor authentication (MFA) based on risk levels. 

    AFASA marks a major shift in risk management thinking: account security is no longer just a technology choice – it is now a legal obligation. 

    BSP Circular 1213 – Focus on Fraud Management and Strong Authentication 

    Among the three circulars, BSP Circular 1213 is considered the technical backbone that brings AFASA into real operational practice. 

    This circular requires banks and financial institutions to: 

    • Deploy a real-time Fraud Management System (FMS) to detect abnormal activities. 
    • Gradually reduce dependence on SMS/email OTPs, which are vulnerable to theft and interception. 
    • Implement strong multi-factor authentication (MFA) and anti-phishing methods such as biometrics, behavioral analysis, and FIDO2/Passkeys. 
    • Monitor abnormal transaction behavior, device location, transaction speed, and blacklists/watchlists. 

    BSP Circular 1213 clearly states that traditional authentication methods are no longer sufficient. Systems must understand user behavior patterns and detect fraud at the earliest stages – during login or even before a transaction is completed. 

    BSP Circular 1214 – Enabling Data Sharing for Faster Fraud Response 

    BSP Circular 1214 addresses a major legal bottleneck related to accessing account data during fraud investigations. Its main goal is to create a fast-response mechanism to prevent funds from being completely withdrawn before authorities can intervene. 

    Under this regulation: 

    • BSP and the Consumer Account Protection Office (CAPO) are authorized to request access to suspicious account data. 
    • Restrictions under banking secrecy and personal data privacy laws may be relaxed within the scope of fraud investigations. 
    • Financial institutions are allowed to coordinate with law enforcement agencies, the Anti-Money Laundering Council (AMLC), and judicial authorities. 

    BSP Circular 1215 – Protecting Funds During Disputes 

    While Circular 1213 focuses on prevention and 1214 focuses on investigation, BSP Circular 1215 addresses what happens after an incident occurs. It allows financial institutions to protect customer funds during the investigation period, preventing money from “disappearing” within minutes. 

    Specifically, this circular: 

    • Allows financial institutions to temporarily hold funds related to suspicious transactions for up to 30 days. 
    • Establishes a coordinated verification process among involved parties. 
    • Increases legal liability if institutions fail to properly follow customer protection procedures. 

    Together, AFASA and BSP Circulars 1213, 1214, and 1215 are reshaping the digital financial security standards in the Philippines. Financial institutions now need not only compliance documentation but also a strong technology foundation capable of detecting, preventing, and responding to fraud in real time. 

    AFASA & BSP 1213, 1214, 1215 – Compliant Security Solutions from SAVYINT

    Savyint is a leading trusted service provider, ready to deliver authentication and payment security solutions that strictly comply with security standards and regulatory requirements under AFASA, BSP Circulars 1213, 1214, and 1215 issued by the Bangko Sentral ng Pilipinas (BSP), as well as the Philippine Open Banking framework and international regulations. 

    Savyint’s solution ecosystem is built around four key pillars: Risk Management & Compliance, Cybersecurity & Application Protection, SCA/MFA Identity, and the FMS AI Fraud Engine. Together, these components protect the entire customer journey – from registration, login, authentication, and transaction execution to post-transaction monitoring. 

    SAM Auth Server 

    SAM Auth Server is an all-in-one strong authentication solution designed for mobile payments and digital banking. 

    Built on a Zero Trust architecture, integrated with a FIPS 140-3 Level 3 certified Hardware Security Module (HSM), and ready for Post-Quantum Cryptography, SAM Auth Server supports a wide range of modern authentication methods, including biometric authentication, Smart OTP, push authentication, FIDO2/Passkeys, and context-based authentication.

    It enables step-up authentication when risk levels increase, ensuring maximum protection for electronic transactions. 

    SAM FIDO2 Identity Server 

    SAM FIDO2 Identity Server is a passwordless identity and authentication platform based on FIDO2/WebAuthn standards. It eliminates password storage by replacing passwords with asymmetric key-based authentication, with the keys securely stored on the user’s device. As a result, the system effectively protects against common attacks such as phishing, man-in-the-middle attacks, and credential stuffing.

    SAM FIDO2 Identity Server fully meets Strong Customer Authentication (SCA) requirements under PSD2/PSD3 and complies with international standards for identity and data security. 

    SAVYINT Fraud Prevention & Risk Management 

    SAVYINT Fraud Prevention & Risk Management leverages AI and Machine Learning (ML) to help banks and financial institutions detect, assess, and prevent fraud across the entire user journey – from login behavior, device characteristics, and access context to transaction data. Key capabilities include: 

    • AI-based transaction risk assessment with detection speed as fast as 50 milliseconds 
    • An Adaptive Risk Engine combined with Explainable AI 
    • Data analysis and correlation from watchlists, device intelligence, user behavior, and transaction context.

    This enables fast, accurate, and transparent fraud decision-making in real time.

    RASP+ 

    RASP+ protects mobile applications directly within the runtime environment, detecting and blocking attacks while the application is running. It can detect rooted or jailbroken devices, debugging attempts, code tampering, hooking techniques, memory manipulation and emulator-based attacks.  

    RASP+ integrates directly into mobile applications without affecting performance, ensuring strong protection without compromising user experience. 

    TrustShield 

    TrustShield is a mobile fraud prevention platform powered by device fingerprinting, behavioral analytics, and AI. It can identify devices without relying on cookies or advertising IDs; detect emulators and rooted or jailbroken devices; identify multi-device fraud patterns; analyze in-app user behavior; generate real-time risk scores; and trigger adaptive authentication directly on mobile devices.

    With a multi-layered architecture and seamless integration capabilities, Savyint’s security ecosystem delivers a comprehensive fraud prevention model – protecting devices, behavior, identity, and transactions simultaneously. 

    All solutions comply with AFASA, BSP Circulars 1213, 1214, 1215, and international standards such as FIDO2, PSD2/PSD3, eIDAS, GDPR, and PCI DSS. This allows fast deployment on existing infrastructure while achieving the highest level of security. 

    Connect with Savyint’s experts today to implement and optimize your security solutions – and be fully prepared to meet AFASA and BSP requirements within just 3 months! 
