April 16, 2026

Get Ahead of The BSP Circulars: Why Introduce Beneficiary Verification Today

Adriena Lim
Author
Growth and Brand Director
iPiD

The Philippines has the second-highest digital fraud rate in the world. It has also set one of the most operationally specific authentication deadlines in the region. By June 30, 2026, every bank, e-money issuer, and payment operator supervised by the Bangko Sentral ng Pilipinas (BSP) — the Philippines' central bank — must have phased out SMS and email One Time Passwords (OTPs) for high-risk transactions. BSP Circular 1213 is the instrument that makes that deadline binding.

But buried in the compliance work is a gap: the payer is authenticated, but the payee is not verified.

Circular 1213 will tell you exactly how to confirm a customer’s identity before they initiate a payment. It says nothing about confirming that the account on the other end belongs to who the customer thinks it does. That gap between a compliant authentication layer and an unverified beneficiary is where authorised push payment (APP) fraud lives, and it is where Philippine institutions need to act before the next circular forces them to.

Where Circular 1213 Sits

BSP Circular 1213, issued in June 2025, implements Section 6 of the Anti-Financial Account Scamming Act (AFASA), the Philippines' landmark anti-fraud legislation enacted in July 2024. AFASA created the mandate; Circular 1213 translates it into operational requirements. It sits alongside Circulars 1214 and 1215, which together form AFASA's three-part implementation framework. All three carry the same consequence for non-compliance: under AFASA, institutions that fail to implement adequate controls must reimburse customers for fraud losses. Institutions that comply get liability protection.

Fraud Management System Requirements

BSP Circular 1213 mandates automated, real-time fraud monitoring across all BSP-supervised financial institutions. Enhanced requirements apply to institutions handling complex electronic services or with average monthly transaction volumes above PHP 75 million, covering the majority of active digital banking participants in the Philippines.

The fraud management system must cover in real time: transaction velocity checks to detect unusually rapid or bot-driven activity; geolocation monitoring to flag transactions from locations inconsistent with a customer's pattern; device change event monitoring to catch account takeover signals; blacklist screening against known fraud indicators; and behavioural anomaly detection. The BSP is explicit that batch processing or end-of-day reconciliation does not meet this standard. Clearing Switch Operators running InstaPay and PESONet must also implement equivalent standards. Fraud monitoring is a chain obligation across the payment network.

Authentication Requirements and Compliance — The OTP Phase-Out

The most immediate compliance challenge is the authentication requirement. Circular 1213 requires institutions to move away from authentication mechanisms that can be shared with or intercepted by third parties. SMS and email OTPs fall squarely within that definition.

The phase-out applies to high-risk transactions and critical account changes: adding a new payee, updating contact details, initiating large transfers, and changing authentication credentials. For these actions, acceptable replacements must be phishing-resistant and device-bound.

The BSP recognises server-side biometrics, validated against templates stored in the bank's backend, not just a device-level face or fingerprint unlock, as compliant. Device-side biometrics alone do not meet the standard. FIDO2/WebAuthn-standard passkeys also satisfy the requirement, provided device attestation is in place. The BSP's intent is layered authentication: biometrics combined with device binding, behavioural signals, and transaction risk scoring. App-based authenticators without cryptographic device binding do not fully satisfy the circular.

OTPs retain one permitted use: confirming the existence or ownership of a registered mobile number. They cannot be used to authorise transactions.

Who Is Covered and What You Need to Show

Circular 1213 applies universally to BSP-supervised institutions — commercial banks, digital banks, e-money issuers, payment system operators including InstaPay and PESONet participants, credit card issuers, and remittance companies. There is no carve-out for smaller institutions on the authentication requirements.  

By the June 2026 deadline, institutions must be prepared to provide:

  • Audit trails showing authentication methods used for high-risk transactions
  • Technical documentation of their fraud management system architecture
  • Risk assessments covering the OTP transition
  • Evidence of real-time monitoring capability

Institutions using third-party vendors for authentication or biometrics carry additional due diligence obligations on vendor security practices.

What Circular 1213 Does Not Cover

Circular 1213 strengthens the authentication layer, confirming that the payer is who they say they are. It does not address the payee layer, confirming that the account receiving funds belongs to the entity the payer believes they are sending to. These are two distinct controls.

An institution can achieve full Circular 1213 compliance (real-time fraud monitoring in place, SMS OTPs phased out, biometric authentication deployed) and still process a payment to a fraudulent account. The payer was authenticated. The payee was not verified.

Circular 1215 addresses what happens after a payment moves, establishing a 30-day fund hold and coordinated tracing process across every institution in the payment chain. It is a recovery mechanism, not a prevention one. Together, 1213 and 1215 cover the payer and the aftermath. What neither mandates is the check in between: confirming, before funds leave, that the account receiving them belongs to the named beneficiary.
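The two controls separated above, as an added example (not code from iPiD, the BSP, or the original article): a pre-authorisation gate that first applies the article's summary of the authentication rules and then checks the payee name against the account. The action labels, the name-normalisation rule (a simplified exact comparison), the directory lookup and all account data are hypothetical.

```python
import unicodedata
from dataclasses import dataclass

# Actions the article lists as in scope for the OTP phase-out (labels are hypothetical).
HIGH_RISK = {"add_payee", "update_contact_details", "large_transfer", "change_credentials"}

@dataclass
class Auth:
    method: str                # e.g. "sms_otp", "email_otp", "passkey", "biometric"
    attested: bool = False     # passkey presented with device attestation
    server_side: bool = False  # biometric validated against a backend template

def payer_auth_ok(action: str, auth: Auth) -> bool:
    """Control 1 (Circular 1213 as summarised in the article): is the payer's method acceptable?"""
    if action not in HIGH_RISK:
        return True                  # e.g. OTP used only to confirm ownership of a mobile number
    if auth.method == "passkey":
        return auth.attested
    if auth.method == "biometric":
        return auth.server_side      # device-side unlock alone is not enough
    return False                     # SMS/email OTP and anything unlisted: deny (assumption)

def normalise(name: str) -> str:
    """Simplified name canonicalisation (assumption): fold accents, case, punctuation, word order."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for ch in ".,-":
        ascii_name = ascii_name.replace(ch, " ")
    return " ".join(sorted(ascii_name.lower().split()))

def payee_ok(account_no: str, entered_name: str, directory: dict) -> bool:
    """Control 2 (not mandated by 1213 or 1215): does the account belong to the named payee?"""
    registered = directory.get(account_no)
    return registered is not None and normalise(registered) == normalise(entered_name)

def authorise(action, auth, account_no, entered_name, directory) -> dict:
    """Run both controls before funds leave; the returned dict doubles as an audit record."""
    if not payer_auth_ok(action, auth):
        decision = "DENY_PAYER_AUTH"
    elif not payee_ok(account_no, entered_name, directory):
        decision = "HOLD_PAYEE_MISMATCH"
    else:
        decision = "ALLOW"
    return {"action": action, "auth_method": auth.method, "account": account_no, "decision": decision}

# Constructed sample data: account numbers and names are invented for illustration.
DIRECTORY = {"0012345678": "María Santos", "0099887766": "J. Dela Cruz"}
GOOD_AUTH = Auth("passkey", attested=True)

if __name__ == "__main__":
    print(authorise("large_transfer", Auth("sms_otp"), "0012345678", "Maria Santos", DIRECTORY))
    print(authorise("large_transfer", GOOD_AUTH, "0012345678", "SANTOS, Maria", DIRECTORY))
    print(authorise("large_transfer", GOOD_AUTH, "0099887766", "Maria Santos", DIRECTORY))
```

The third call is the case the article describes: the payer passes the authentication control, and only the payee check stops the payment.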

What This Means for Your Institution

The deadline is firm and the lead time for deploying server-side biometrics, integrating passkey infrastructure, and updating customer-facing flows is measured in months. Institutions that have not begun are already behind.

Beyond June 2026, AFASA's trajectory in the Philippines points in one direction: pre-payment payee verification. The liability shift, the authentication mandate, and Circular 1215's recovery framework are all moving toward a single logical conclusion. Institutions that build pre-payment verification capability now will be positioned ahead of that mandate rather than waiting for the next circular.

iPiD's Know Your Payee (KYP) platform provides that pre-payment verification layer, confirming that the beneficiary account name matches the account number before funds are authorised, across global payment corridors. It bridges the gap between Circular 1213 and Circular 1215, addressing the check that happens before a payment clears, not after it fails.

For a full analysis of AFASA's broader framework, read Part 2 of iPiD's State of Fraud in Asia series: The Law is Catching Up with Criminals: The Philippines’ New Anti-Scam Law

Find out more
  • Bangko Sentral ng Pilipinas - BSP Circular 1213 - Amendments to IT Risk Management Regulations (June 2025)
  • Bangko Sentral ng Pilipinas - BSP Circular 1215 - Temporary Holding of Funds and Coordinated Verification Process (June 2025)
  • Bangko Sentral ng Pilipinas - Anti-Financial Account Scamming Act and Implementing Circulars Booklet (2025)
  • GMA News Online - BSP keeps June 2026 deadline for PH banks to upgrade fraud management systems (January 2026)
  • TransUnion Philippines - H1 2025 Update to the State of Omnichannel Fraud Report