To strengthen fraud prevention, the Bangko Sentral ng Pilipinas (BSP), under Circular No. 1213, requires institutions to adopt enhanced authentication methods in place of SMS and email OTPs, while also strengthening automated fraud management systems.
According to BSP Circular No. 1213, issued in May 2025, the central bank requires BSP-supervised financial institutions to replace SMS- and email-based OTPs with stronger authentication methods such as biometrics, behavioural authentication, adaptive authentication, or passwordless authentication by 25 June 2026. In addition, the circular sets out specific requirements for strengthening automated fraud monitoring. This directive applies to banks and e-wallet operators with average online transaction revenues of more than PHP 75 million per month, including most commercial banks, digital banks, cooperative banks, and rural banks.
Banks that fail to comply must reimburse customers for funds lost due to fraud.
1. Authentication and Compliance Requirements
Circular 1213 requires institutions to move away from authentication mechanisms that can be shared with or intercepted by third parties. SMS and email OTPs fall under this definition. By 30 June 2026, high-risk transactions and critical account changes must use phishing-resistant, device-bound alternatives, such as server-side biometrics authenticated against templates stored by the bank, or FIDO2/WebAuthn passkeys with device authentication. OTPs may only be used to confirm ownership of a registered mobile phone number.
Biometrics
BSP requires financial institutions to adopt server-side biometric authentication, where customer identity is verified within the bank’s secure backend system based on biometric templates stored on the bank’s server. The use of biometrics is expected to reduce the risks of account takeover, device compromise, spoofing, and unauthorized changes to authentication credentials.
FIDO2 Passkey
FIDO2/WebAuthn is a passwordless authentication standard that BSP designates as a mandatory solution for high-risk transactions and critical account changes, both of which must use phishing-resistant, device-bound alternatives.
Smart OTP
As mentioned above, Smart OTP is used for one purpose only: confirming ownership of a registered mobile phone number. It must not be used for transaction authentication. This is an important distinction that banks should note to avoid confusion with traditional OTPs.
2. Fraud Prevention and Management Requirements
In addition to strong authentication methods, Circular 1213 also requires financial and banking institutions to strengthen their proactive fraud monitoring and detection capabilities by identifying suspicious transactions, unfamiliar devices, and abnormal customer behaviour before financial losses occur. Accordingly, fraud management systems must operate in real time and be capable of:
- Transaction velocity checks
- Geolocation monitoring
- Device change event monitoring
- Blacklist screening
- Behavioural anomaly detection
BSP emphasizes that batch processing or end-of-day reconciliation does not meet this standard.
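The sketch below is an added example, not taken from the circular or from any vendor product. It shows what per-event evaluation looks like for four of the listed checks (velocity, geolocation, device change, blacklist); behavioural anomaly detection is not covered. The thresholds, event field names, and sample data are assumptions constructed for illustration.

```python
import math
from collections import defaultdict, deque
# Thresholds and event field names are illustrative assumptions, not values from Circular 1213.
VELOCITY_MAX, VELOCITY_WINDOW_S = 3, 60   # max transactions per account per window
MAX_SPEED_KMH = 900                       # anything faster is "impossible travel"

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

class RealTimeMonitor:
    """Scores each event on arrival, before authorisation, using per-account state."""
    def __init__(self, blacklist):
        self.blacklist = set(blacklist)
        self.times = defaultdict(deque)   # recent timestamps per account
        self.devices = defaultdict(set)   # devices already seen per account
        self.last_seen = {}               # account -> (ts, (lat, lon))

    def evaluate(self, ev):
        acct, ts, flags = ev["account"], ev["ts"], []
        window = self.times[acct]
        while window and ts - window[0] > VELOCITY_WINDOW_S:
            window.popleft()              # expire timestamps outside the window
        window.append(ts)
        if len(window) > VELOCITY_MAX:
            flags.append("velocity")
        if acct in self.last_seen:
            prev_ts, prev_loc = self.last_seen[acct]
            hours = max(ts - prev_ts, 1) / 3600
            if km_between(prev_loc, ev["loc"]) / hours > MAX_SPEED_KMH:
                flags.append("geolocation")
        if self.devices[acct] and ev["device"] not in self.devices[acct]:
            flags.append("device_change")
        if ev["payee"] in self.blacklist:
            flags.append("blacklist")
        # Update state only after scoring so an event is never compared with itself.
        self.last_seen[acct] = (ts, ev["loc"])
        self.devices[acct].add(ev["device"])
        return flags

# Constructed sample stream for one account: (ts seconds, device, (lat, lon), payee).
MANILA, SINGAPORE = (14.60, 120.98), (1.35, 103.82)
SAMPLE = [(0, "dev-A", MANILA, "p1"), (10, "dev-A", MANILA, "p2"),
          (20, "dev-A", MANILA, "p3"), (30, "dev-B", SINGAPORE, "mule-01")]
def run_sample():
    mon = RealTimeMonitor(blacklist={"mule-01"})
    return [mon.evaluate({"account": "acct-1", "ts": t, "device": d, "loc": l, "payee": p})
            for t, d, l, p in SAMPLE]
```

Because the flags are returned synchronously for each event, the caller can hold the transaction or step up authentication before funds move, which a batch or end-of-day job cannot do.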
3. AI-Powered Strong Authentication and Fraud Prevention Solutions from Savyint
With extensive experience working with and supporting financial institutions, SAVYINT provides a security and fraud prevention solution suite that supports compliance with AFASA and BSP Circulars 1213, 1214, and 1215.
The solution suite is built around four pillars: strong and passwordless authentication; AI-powered fraud management; security, data encryption, and application protection; and risk management and compliance with local and international regulatory requirements. It ensures end-to-end protection across the entire customer journey, from registration, login, and transaction authentication to post-transaction monitoring.
Key differentiators of the SAVYINT solution suite include:
- Built on a Zero Trust architecture, continuously verifying every user and device based on real-time risk signals.
- API-first design, with API security aligned with FAPI and mTLS standards.
- A wide range of advanced authentication methods, including FIDO2 Passkey, biometrics, multi-factor authentication, Smart OTP, and more.
- An AI-powered fraud management system that enables real-time monitoring and analysis of abnormal signals, risk scoring, and automated fraud prevention decision-making. The system can automatically trigger adaptive authentication and additional risk-based authentication.
- Integration with 3D Secure to secure online card payment transactions in compliance with PSD2/PSD3, verifying the cardholder’s identity before a transaction is approved
- Device and application protection using RASP, Device Intelligence, and device fingerprinting
- Fast deployment and easy integration with existing systems
- Long-term operational cost optimization
In particular, Savyint’s solution suite supports compliance with regulatory requirements in multiple countries: the Philippines (AFASA and BSP Circulars 1213-1215), Vietnam (Circulars 50, 64, and 77 of the State Bank of Vietnam), and Singapore (MAS requirements). It also aligns with international security standards including FIDO2, PSD2/PSD3, eIDAS, GDPR, PCI DSS,…
Connect with our experts today to quickly achieve compliance with AFASA and BSP Circulars 1213-1215.






