The Philippines has the second-highest digital fraud rate in the world. It has also set one of the most operationally specific authentication deadlines in the region. By June 30, 2026, every bank, e-money issuer, and payment operator supervised by the Bangko Sentral ng Pilipinas (BSP) — the Philippines' central bank — must have phased out SMS and email One Time Passwords (OTPs) for high-risk transactions. BSP Circular 1213 is the instrument that makes that deadline binding.
Buried in the compliance is the gap it reveals. The payer was authenticated but the payee was not verified.
Circular 1213 will tell you exactly how to confirm a customer’s identity before they initiate a payment. It requires that the account on the other end be verified but stops short of defining what a compliant verification mechanism looks like in practice. That gap between a compliant authentication layer and an unverified beneficiary is where authorised push payment (APP) fraud lives and it is where Philippine institutions need to act before the next circular forces them to.
Where Circular 1213 Sits
BSP Circular 1213, issued in June 2025, implements Section 6 of the Anti-Financial Account Scamming Act (AFASA) , the Philippines' landmark anti-fraud legislation enacted in July 2024. AFASA created the mandate; Circular 1213 translates it into operational requirements. It sits alongside Circulars 1214 and 1215, which together form AFASA's three-part implementation framework. All three carry the same consequence for non-compliance: under AFASA, institutions that fail to implement adequate controls must reimburse customers for fraud losses. Institutions that comply get liability protection.
Fraud Management System Requirements
BSP Circular 1213 mandates automated, real-time fraud monitoring across all BSP-supervised financial institutions. Enhanced requirements apply to institutions handling complex electronic services or with average monthly transaction volumes above PHP 75 million, covering the majority of active digital banking participants in the Philippines.
The fraud management system must cover in real time: transaction velocity checks to detect unusually rapid or bot-driven activity; geolocation monitoring to flag transactions from locations inconsistent with a customer's pattern; device change event monitoring to catch account takeover signals; blacklist screening against known fraud indicators; and behavioural anomaly detection. The BSP is explicit that batch processing or end-of-day reconciliation does not meet this standard. Clearing Switch Operators running InstaPay and PESONet must also implement equivalent standards. Fraud monitoring is a chain obligation across the payment network.
Authentication Requirements and Compliance
Circular 1213 requires institutions to move away from authentication mechanisms that can be shared with or intercepted by third parties, SMS and email OTPs fall squarely within that definition. By June 30, 2026, high-risk transactions and critical account changes must use phishing-resistant, device-bound alternatives: server-side biometrics validated against bank-held templates, or FIDO2/WebAuthn-standard passkeys with device attestation in place. OTPs retain one permitted use: confirming ownership of a registered mobile number. They cannot be used to authorise transactions.
Authentication is only one of two verification obligations in Circular 1213. BSP Circular 1213, Section 1, subsection (e)(g) explicitly requires that mechanisms be established to enable account holders to verify the identity of the recipient of fund transfers, ensuring transactions reach the intended payee. For off-us transactions, BSFIs must adhere to an industry-wide, standardised approach for exchanging the information necessary for payee verification.
Who Is Covered and What You Need to Show
Circular 1213 applies universally to BSP-supervised institutions like commercial banks, digital banks, e-money issuers, payment system operators including InstaPay and PESONet participants, credit card issuers, and remittance companies. There is no carve-out for smaller institutions on the authentication requirements.
By the June 2026 deadline, institutions must be prepared to provide:
- Audit trails showing authentication methods used for high-risk transactions
- Technical documentation of their fraud management system architecture
- Risk assessments covering the OTP transition
- Evidence of real-time monitoring capability
Institutions using third-party vendors for authentication or biometrics carry additional due diligence obligations on vendor security practices.
What Circular 1213 Says About Payee Verification
Circular 1213 does not ignore payee verification. BSP Circular 1213, Section 1, subsection (e)(g) states that "mechanisms should be established to enable account holders to verify the identity of the recipient of fund transfers, ensuring that transactions are directed to the intended payee." It goes further: BSFIs "should ensure that off-us transactions adhere to an industry-wide, standardized approach that facilitates the secure and reliable method to exchange information necessary for payee verification."
The obligation is real. What the circular does not define is what a compliant verification mechanism looks like in practice, leaving institutions to determine for themselves whether what they have in place meets the standard. That ambiguity is the gap and it is where authorised push payment fraud continues to move.
What This Means for Your Institution
The deadline is firm and the lead time for deploying server-side biometrics, integrating passkey infrastructure, and updating customer-facing flows is measured in months. Institutions that have not begun are already behind.
Payee verification is already in the framework. What June 2026 forces is the question of how institutions implement it and whether what they have in place is sufficient. The liability shift, the authentication mandate, and Circular 1215's recovery framework are all moving toward a single logical conclusion. Institutions that build pre-payment verification capability now will be positioned ahead of that mandate rather than waiting for the next circular.
iPiD's Know Your Payee (KYP) platform provides that pre-payment verification layer confirming the beneficiary account name matches the account number before funds are authorised, across global payment corridors. It bridges the gap between Circular 1213 and Circular 1215, addressing the check that happens before a payment clears, not after it fails.
For a full analysis of AFASA's broader framework, read Part 2 of iPiD's State of Fraud in Asia series: The Law is Catching Up with Criminals: The Philippines’ New Anti-Scam Law
- Bangko Sentral ng Pilipinas - BSP Circular 1213 - Amendments to IT Risk Management Regulations (June 2025)
- Bangko Sentral ng Pilipinas - BSP Circular 1215 - Temporary Holding of Funds and Coordinated Verification Process (June 2025)
- Bangko Sentral ng Pilipinas - Anti-Financial Account Scamming Act and Implementing Circulars Booklet (2025)
- GMA News Online - BSP keeps June 2026 deadline for PH banks to upgrade fraud management systems (January 2026)
- TransUnion Philippines - H1 2025 Update to the State of Omnichannel Fraud Report
