The Law is Catching Up with Criminals: The Philippines’ New Anti-Scam Law

The Philippines has a fraud problem that refuses to stand still. In 2024, 13.4% of all digital transactions were flagged as potentially fraudulent, more than double the global average and the second-highest rate of any country on earth, according to TransUnion. By the first half of 2025, that figure had fallen to 4.4%, still above the global average of 3.8%, and still the product of the same structural vulnerabilities. Economy-wide losses remain estimated at USD 8.29 billion annually, equivalent to 1.9% of GDP.

If your institution operates in the Philippines, the clock is already running. The Anti-Financial Account Scamming Act (AFASA), enacted in July 2024 and operationalised through three circulars issued by the Bangko Sentral ng Pilipinas (BSP), the Philippines' central bank, in 2025, sets a hard deadline of June 30, 2026 for institutions. AFASA Philippines is the region's most operationally specific fraud statute. AFASA is the Philippines’ primary anti-scam law for digital finance, designed to stop scams earlier by enabling the tracing and freezing of funds. It also targets facilitators, especially money mules, while placing greater responsibility on banks and fintechs to prevent fraud. Understanding what it actually mandates, and what it deliberately does not yet do, is what this article examines.

The Consumer Education Default and why the Philippines Broke from It

Part 1 of this series argued that the dominant regional response to fraud has been addressed to the wrong problem: teaching consumers to spot fraud, rather than building payment systems that catch it before it moves. The Philippines is where that argument is most clearly tested.

For years, the BSP's response followed the same regional playbook, public awareness campaigns, One Time Password (OTP) hygiene messaging, consumer hotlines. Then the losses kept climbing. In 2022, phishing and its variants generated PHP 623 million in losses. Account takeover fraud added PHP 409 million. The consumer-facing response was not moving the numbers.

AFASA represented a deliberate break. It moved the burden from the consumer to the institution criminalising the enablers of fraud and mandating that financial institutions build systems capable of catching fraud before it completes, not just reporting it after.

What AFASA Actually Mandates

AFASA Philippines criminalises the infrastructure of fraud: money muling, social engineering schemes including phishing, vishing, and smishing, and economic sabotage, defined as coordinated fraud involving three or more perpetrators, mass mailers, or human trafficking. It codifies these in the context of financial accounts, with penalties ranging from fines to imprisonment, and removes the bank secrecy protections that previously slowed investigation.

BSP Circular 1213, issued in June 2025, mandates real-time automated fraud monitoring and detection systems across all BSP-supervised financial institutions, transaction velocity checks, geolocation monitoring, device change events, and blacklist screening. It requires institutions to move away from SMS and email OTPs for high-risk transactions. By June 30, 2026, biometric authentication, passkeys, or hardware security keys must replace interceptable authentication methods for adding a new payee, updating contact details, or initiating large transfers.

BSP Circular 1214 grants the BSP's Consumer Account Protection Office, a dedicated investigative unit established under AFASA with the authority to bypass bank secrecy law, powers to investigate financial accounts and share information with law enforcement. Regulators can now move at investigation speed rather than litigation speed.

BSP Circular 1215 establishes a coordinated verification process for disputed transactions, requiring every institution in a payment chain to trace and temporarily hold funds linked to a dispute. Importantly, BSP 1215 asks institutions to perform enhanced verification for payee creation and account changes, including confirmation-of-payee style checks and out-of-pattern verification. Informal Channels, Unverified Gaps.

One of the driving forces of fraud is thin verification across large, informal economies. It is acutely visible in the Philippines. Much of the country's commercial activity runs through peer-to-peer transfers, social commerce, and messaging apps. For individual consumers, the risk is misdirected payments and social engineering. For businesses, particularly those managing supplier or remittance payments across the region, the risk is invoice fraud and payment redirection, an instruction to update bank details arrives by Messenger or Viber, with no mechanism to confirm it is legitimate.

The Philippines has 74% of its population active on social media. The highest digital fraud rate by industry is in online communities like social media, dating platforms, forums, at 19.2%, against a global average of 11.6%. The informal channel is the primary attack surface for cyber criminals.

The Gap AFASA Does Not Close

AFASA Philippines and its implementing circulars are designed to detect fraud in transit, investigate it after the fact, hold disputed funds before they disappear, and prosecute those who enabled it. What they do not mandate is a pre-payment check: confirming, before a transaction is authorised, that the account receiving funds belongs to the entity named as the beneficiary.

This is the Confirmation of Payee (CoP) gap. In the UK, Australia, and under the EU's Verification of Payee (VoP) scheme, a payer is shown whether the account name matches the beneficiary's name on record before they confirm a transfer. If it does not match, the payment is flagged or blocked. The check happens at payment origination, before funds move, and it is the single most effective structural control against both misdirected payments and authorised push payment fraud.

In the Philippines, that check does not exist as a mandated scheme. Institutions may display an account holder's name to the sender but it is not name-matching. Display shows what the account holder is called; matching confirms whether the name entered by the payer corresponds to the name on record at the receiving institution. Display without matching leaves the door open to the most common fraud vector in the region: the payer believes they are sending to a legitimate payee, because a name is shown, but that name has not been verified against the account.

AFASA's trajectory points toward this gap. The liability shift, the authentication mandates, the institutional verification processes of Circular 1215 — they are all moving in the direction of pre-payment control, but the final step has not yet been taken.

The Regulatory Trajectory

The Philippines exited the Financial Action Task Force (FATF) grey list in February 2025, a significant institutional milestone signalling that the country's AML/CFT framework has reached a threshold of credibility the FATF recognises. It is not a fraud outcome. Fraud losses have not fallen materially. Compliance and outcomes are not the same thing.

What the FATF exit does signal is that The Philippines has the institutional architecture to move faster than most ASEAN markets. The BSP has demonstrated willingness to mandate rather than recommend. The liability framework is in place. The June 2026 authentication deadline is enforceable.

The logical next step in AFASA's trajectory is a mandated pre-payment verification requirement, a formal name-matching scheme that sits upstream of the payment, rather than downstream of the dispute. That would make the Philippines the first country in ASEAN state to operate a framework comparable to CoP or VoP. Given the scale of the fraud problem and the pace of the regulatory response, it is a question of when, not whether.

What This Means for Financial Institutions Operating in the Philippines

The June 2026 deadline is the immediate pressure point but the more consequential shift is structural: liability for fraud is moving toward institutions, not consumers. The era of treating fraud losses as primarily a customer problem, addressed through awareness campaigns and OTP warnings, is ending in the Philippines faster than anywhere else in ASEAN.

AFASA's framework gets institutions to the point of detection, investigation, and recovery.  The Philippines is moving toward CoP-like outcomes (pre-payment payee verification), but has not implemented a formal, standardised Confirmation of Payee system. Instead, it is embedding verification within a wider fraud detection, tracing, and recovery architecture.

iPiD's Know Your Payee (KYP) verification platform operates across ASEAN payment corridors, enabling financial institutions to confirm beneficiary account details before funds are authorised, the upstream control that AFASA's framework is moving toward.