Philippines BSP Circular No. 1213 and Compliance Solutions for Financial Institutions

In June 2025, BSP Circular No. 1213 was issued as a regulatory instrument amending the IT Risk Management Regulations to implement Section 6 of the Anti-Financial Account Scamming Act (AFASA) in the Philippines. This Circular provides a detailed set of mandatory compliance actions for financial institutions to safeguard users’ financial transactions and accounts.

The Philippine government has demonstrated that it is taking bold action to ensure the safety and protection of online financial transactions. Cybercrime in the Philippines is rising at a staggering rate. Cybercrime complaints surged by 71.9% in the first quarter of 2025 compared with the same period the previous year, increasing from 1,891 to 3,251 cases, according to the Cybercrime Investigation and Coordinating Center (CICC). This sharp rise underscores how cybercriminals are evolving faster than conventional security models can keep up.

Financial institutions are a popular target. According to the Bangko Sentral ng Pilipinas (BSP), supervised institutions reported losses of P5.82 billion due to cyber incidents in 2024, up from P5.67 billion in 2023. Most of these were due to phishing, card-not-present fraud, and account takeovers (ATOs). In addition to financial repercussions, these cyber incidents also undermine consumer trust and confidence in digital systems.

1. About the Anti-Financial Account Scamming Act (AFASA)

Before delving into the specifics of BSP Circular No. 1213, issued in June 2025, it’s important to first understand the broader regulatory framework it falls under — the Anti-Financial Account Scamming Act (AFASA).

The AFASA is a landmark Philippine law, passed on July 20, 2024, that aims to prevent the misuse of financial accounts in fraud and scams such as phishing and vishing. It also defines and penalizes social engineering schemes, money muling activities, and related offenses. These include offenses committed using advances in technology, which were previously not covered by existing cybercrime laws in the Philippines.

The BSP has issued three circulars to implement AFASA:

BSP Cir. No. 1213, series of 2025: https://www.bsp.gov.ph/Regulations/Issuances/2025/1213.pdf

BSP Cir. No. 1214, series of 2025: https://www.bsp.gov.ph/Regulations/Issuances/2025/1214.pdf

BSP Cir. No. 1215, series of 2025: https://www.bsp.gov.ph/Regulations/Issuances/2025/1215.pdf

2. About the Bangko Sentral ng Pilipinas (BSP) Circular No. 1213

Bangko Sentral ng Pilipinas (BSP) Circular No. 1213, issued in June 2025, is a regulation mandating stricter, phishing-resistant, device-bound authentication for financial institutions in the Philippines to combat digital fraud. The circular aims to enhance security in digital customer onboarding, transactions, and session management.

Below we look at the specific changes introduced by the new Circular and how they will affect the authentication policies of financial institutions in the Philippines.

a. Broader Scope: The requirements apply to all BSP-supervised financial entities, including banks, fintech companies, payment providers, and lending firms.

b. Focus Areas: The enhanced authentication requirements cover critical areas such as:

  • Digital onboarding and customer login processes
  • Authorization of transactions
  • Device and session management
  • Ongoing identity proofing

3. Limitation on the use of interceptable authentication mechanism

The Circular limits the use of interceptable authentication mechanisms (e.g. One-Time Pins [OTPs] sent via SMS and email). With the increasing prevalence of social engineering attacks aimed at obtaining login credentials, BSP-supervised financial institutions (BSFIs) should limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction.

The Philippines is one of many countries, such as the United Arab Emirates and Singapore, that are making the move to retire SMS and email OTPs and adopt more secure forms of authentication.

4. Focus on other strong authentication methods
  • Biometric authentication – provides customer convenience and enhanced security, as biometrics can be difficult to replicate or steal. Examples include fingerprint scanning, facial recognition, and voice recognition, among others;
  • Behavioral biometrics – tracks behavioral patterns such as typing speed, mouse movements, or device movements. This can be implemented as part of continuous authentication and linked to anomaly/fraud detection;
  • Passwordless authentication – eliminates traditional passwords and instead uses factors such as biometrics, hardware tokens, and cryptographic keys. An example is Fast Identity Online (FIDO2), a technical specification for online user authentication that allows biometrics or a FIDO security key to be used to log in to online accounts;
  • Adaptive authentication – dynamically adjusts the authentication process based on the user’s context, covering factors such as location, device, and behavior. Upon detection of unusual activity, it can prompt additional verification steps or take other actions, depending on risk appetite.
5. Comparison with Regulations in other countries

Fundamentally, the provisions of BSP Circular No. 1213 adopt a similar approach to those of other countries around the world, as cyberattacks are a global issue. To gain a broader perspective, let’s compare BSP Circular No. 1213 with regulatory frameworks from a few other jurisdictions.

5.1 PSD3/PSR (EU, proposed 2023–2025)

| Aspect | BSP Circular No. 1213 (Philippines, 2025) | PSD3/PSR (EU, proposed 2023–2025) |
|---|---|---|
| Objectives / new focus | Strengthen technology security, combat digital account scamming; require BSFIs to implement a Fraud Management System (FMS), strong authentication, and account protection. | Upgrade of PSD2: enhance security, expand user rights, impose PSP liability for impersonation fraud, improve SCA, refunds, and fraud data sharing. |
| Fraud requirements / fraud detection | Mandatory implementation of a real-time FMS: velocity checks, blacklists, geo-location, bot, and anomaly detection. | Proposed transaction monitoring before execution (pre-execution monitoring); push for real-time anti-fraud. |
| Authentication & SCA | Move away from SMS/email OTP; require phishing-resistant MFA (passkeys, FIDO2). | Tighten and expand SCA: clarify mandatory cases, support new methods (biometrics, device binding). |
| Liability & compensation | Mainly technical requirements; no clear rules on liability/compensation for customers in case of fraud. | Introduces a liability shift: PSPs must refund when customers suffer impersonation fraud (except in cases of gross negligence). |
| Data sharing & cooperation | No emphasis on fraud data sharing among institutions. | Opens a path for PSPs to share fraud intelligence within the GDPR framework. |
| Account & device protection | 24h pause after account info changes, kill switch, restrictions on root/jailbreak, monitoring of device/geo anomalies. | Adds confirmation of payee, protection against impersonation, clearer liability rules. |
| Timeline & entry into force | Effective June 2025; BSFIs have 1 year to comply. | Still in proposal stage; expected adoption 2025–2026 after EU approval. |
| Limitations / unclear points | Focused on large BSFIs, not yet extended to smaller fintechs; lacks a clear compensation mechanism; weak on data sharing. | Details still evolving due to the EU legislative process; challenges in defining impersonation and compliance costs for smaller PSPs. |

5.2 Circular 50/2024/TT-NHNN (Vietnam)

| Aspect | BSP Circular No. 1213 (Philippines, 2025) | Circular 50/2024/TT-NHNN (Vietnam) |
|---|---|---|
| Basis & objectives | Adds IT Risk Management requirements under Section 6 of AFASA (RA 12010) to combat scamming/digital account attacks. | Regulations on safety and security for online services, replacing Circulars 35/2016 + 2018; aligned with the Law on Cyberinformation Security and the E-Transactions Law. |
| Scope of application | All BSP-supervised financial entities, including banks, fintech companies, payment providers, and lending firms. | Credit institutions, foreign bank branches, payment intermediaries, and credit information companies providing online services. |
| Fraud / FMS / fraud detection | Requires high-transaction BSFIs to implement a real-time Fraud Management System: velocity checks, blacklist, geo, device, bot, and anomaly detection. | No requirement for a real-time FMS; focus on IT security, encryption, access control, periodic testing. |
| Authentication & transaction protection | Push for stronger authentication, reducing SMS/email OTP; encourages passkeys, FIDO, phishing-resistant MFA. | Requires electronic transaction confirmation via PIN, OTP, or secret key; mandatory re-authentication when identity information changes. |
| Account protection & security measures | 24h pause after account changes, kill switch, restrictions on rooted/emulated devices, geo/device anomaly monitoring. | End-to-end encryption, session control, masking of sensitive data, auto log-off on inactivity, notification upon login from a new device. |
| Logging & reporting | Requires transaction log retention and data for investigations; aligned with Circulars 1214 and 1215 to hold/dispute funds. | Requires data storage and protection, a security event management system (SIEM), periodic testing, incident reporting to the SBV. |
| Liability & supervision | BSP supervises; BSFIs are accountable for compliance; coordination in investigations under AFASA. | SBV inspects and supervises; institutions must report and are liable for violations. |
| Entry into force & roadmap | Effective June 2025; BSFIs have 1 year to comply; linked with Circulars 1214 and 1215 (dispute/hold funds). | Effective 01/01/2025; some provisions effective 01/07/2025 or 01/01/2026. |
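As an added illustration (not code from the Circular, the BSP, or any vendor named on this page), the following Python sketch shows how the fraud-management controls listed in the comparison tables (velocity checks, blacklists, geo and device anomalies, rooted-device restrictions, the 24-hour pause after account-information changes, the kill switch) and the adaptive authentication described in section 4 can combine into one transfer decision: allow, step up to phishing-resistant MFA, or block. All thresholds, identifiers and field names are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example: a minimal real-time fraud-management decision for a transfer.
# Thresholds and the blocklist entry are constructed for illustration, not
# values prescribed by BSP Circular No. 1213.
VELOCITY_LIMIT = 5                 # max transfers per account in the window
VELOCITY_WINDOW = timedelta(minutes=10)
COOLING_OFF = timedelta(hours=24)  # pause after account-information changes
BLACKLIST = {"acct-mule-001"}      # constructed sample blocklist entry

@dataclass
class Account:
    account_id: str
    home_country: str
    known_devices: set                        # device ids bound to this account
    kill_switch_on: bool = False              # customer-triggered freeze
    last_info_change: datetime | None = None  # e.g. new phone, email or device
    recent_transfers: list = field(default_factory=list)  # timestamps

@dataclass
class Transfer:
    account: Account
    beneficiary_id: str
    device_id: str
    country: str
    device_rooted: bool
    at: datetime

def decide(t: Transfer) -> tuple[str, list[str]]:
    """Return ("ALLOW" | "STEP_UP" | "BLOCK", reasons). STEP_UP means the
    client must complete phishing-resistant MFA (e.g. FIDO2), never SMS OTP."""
    a, reasons = t.account, []
    # Hard stops: these are never downgraded to a step-up prompt.
    if a.kill_switch_on:
        return "BLOCK", ["kill switch active"]
    if t.beneficiary_id in BLACKLIST:
        return "BLOCK", ["beneficiary blacklisted"]
    if t.device_rooted:
        return "BLOCK", ["rooted or jailbroken device"]
    if a.last_info_change and t.at - a.last_info_change < COOLING_OFF:
        return "BLOCK", ["24h cooling-off after account info change"]
    # Soft signals: any one of them escalates to phishing-resistant MFA.
    recent = [x for x in a.recent_transfers if t.at - x < VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        reasons.append("velocity limit exceeded")
    if t.device_id not in a.known_devices:
        reasons.append("unrecognised device")
    if t.country != a.home_country:
        reasons.append("geo-location anomaly")
    return ("STEP_UP" if reasons else "ALLOW"), reasons
```

In a production FMS the reasons list would be written to the transaction log the Circular requires retained, so that a later hold or dispute under Circulars 1214 and 1215 can be traced to the signals that fired.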

6. Compliance Solution for BSP Circular No. 1213

With its wide scope, BSP Circular No. 1213 requires financial institutions in the Philippines to prepare and upgrade their technology solutions comprehensively to ensure strict compliance with the Circular, while safeguarding both their own assets and those of their customers.

Savyint, a trusted service provider specializing in digital transformation platforms, services and solutions, cybersecurity, and fintech, is ready to deliver authentication and payment security solutions that strictly comply with local regulations (BSP Circular No. 1213 and BSP Circular No. 1122, the Philippine Open Banking Framework) and with international regulatory and security standards.

Focusing on strong customer authentication (SCA) with passwordless methods (Passwordless FIDO2, PKI Passwordless, SmartOTP Passwordless), Savyint builds a comprehensive, easy-to-integrate solution ecosystem that enables financial institutions, fintech companies, and service providers to optimize user experience, fully comply with international standards, and develop an open banking, open finance, and financial inclusion ecosystem:

  • SAM Auth Server: Strong authentication platform for mobile payments, digital banking, and MFA
  • SAM Appliance: An all-in-one solution for data encryption, digital signature authentication, and mobile identification
  • Savyint PKI in a Box: All-in-one Public Key Infrastructure (PKI) solution
  • Mobile Identity based on PKI
  • Savyint CIAM/SCA: Customer Identity & Access Management / Strong Customer Authentication
  • Smart eKYC: Remote digital identity verification solution
  • Open Banking Tech Stack: End-to-end solutions for identity, authentication, data encryption, and digital transactions, including Customer Identity & Access Management (CIAM/SCA), Tokenization

All solutions are designed in strict compliance with international standards such as FIDO2, PSD2, eIDAS, GDPR, PCI DSS, ensuring rapid deployment, compatibility with existing infrastructure, and the highest level of security.

Contact us today for expert consultation.
