Before June 30, you can expect to access your account more securely using methods like facial recognition and behavioral biometrics.
Let’s be real, we all have a friend, relative, partner, or parent who has fallen victim to a money scam, all because, well, they shared their one-time passwords (OTPs). It’s hard to blame them—phishing scams aren’t always easy to spot. Even with banks constantly reminding customers not to share OTPs, cybercriminals are always finding new ways to strike.
That is why the Bangko Sentral ng Pilipinas (BSP) is requiring financial institutions to ditch traditional text-message passwords for more secure authentication systems that will better protect users from phishing, SIM-swap attacks, and “emerging cyber fraud schemes.”
The move is part of the implementation of the Anti-Financial Account Scamming Act (AFASA), which was first signed into law by President Ferdinand Marcos, Jr. in July 2024. In the draft memorandum issued in February 2026, BSP said that the change aims to “reduce the risk of account takeover, device compromise, spoofing, and unauthorized credential changes.”
With the new mandate, banks and financial apps are expected to start rolling out new verification systems ahead of the June 30, 2026 deadline.



What’s behind the shift?
These six-digit codes that are usually sent to you via short message service (SMS) or e-mail are considered “interceptable authentication methods” for online scams, according to BSP. In other words, if your smartphone is lost or stolen, anyone who gets hold of it could access your codes and make transactions using your accounts.
There are also attackers who use automated proxy tools, such as fake websites, emails, or text messages, that mimic the websites of financial institutions. When account holders enter their credentials and OTPs, a bot instantly forwards the data to the attacker’s website to hijack the session.



The same goes for scammers who call victims, pretend to be bank officials, and pressure them to provide their OTPs to “secure” their accounts. Then there’s the scheme called “SIM Swap Fraud,” where an attacker convinces a mobile carrier to transfer a victim’s phone number to a new SIM card under the attacker’s control. The result? All incoming calls and SMS messages, including OTPs, are delivered directly to the attacker.
Another, more complicated tactic is called Technical Network Exploits. Here, hackers exploit weaknesses in mobile networks to redirect SMS messages to themselves without the users noticing.
With so many risks at play, BSP calls on banks to beef up their fraud management systems and enforce stronger customer authentication processes.
What will replace OTPs?



Rather than depending solely on a user’s mobile device, the BSP is urging financial institutions to use authentication systems where the verification happens on the bank’s secure records. The regulator is also requiring banks to use “liveness and deepfake detection mechanisms” to verify genuine users and block digital impersonation.
So, before June 30, you can expect to access your account more securely using various methods, including fingerprint scans or facial recognition directly on your device. Another method is in-app OTPs or push notifications, where verification codes are encrypted and delivered securely within your bank’s app.
A more advanced and convenient method is Silent Network Authentication (SNA), which telecommunication networks PLDT and DITO introduced previously. Here, SNA verifies your identity automatically through your mobile network, removing the need to type codes or scan faces and fingerprints.



Behavioral biometrics is another method that banks may use to verify your identity. It begins with the system recording your typical behavior patterns on the app. Whenever you need to make a bank transaction, the system will then compare your real-time behavior to the touch, type, or navigation patterns that were previously recorded. If your behavior matches the baseline, access is granted.
BSP’s guidelines also ask banks to make sure their biometric systems are inclusive and accessible, taking into account persons with disabilities or “elderly individuals with worn or damaged fingerprint characteristics.”
At the end of the day, the first line of defense for your accounts is you. Avoid sharing personal details online or with strangers, and keep your devices secure with the latest software updates. Avoid using public Wi-Fi for bank transactions and monitor your accounts frequently for unauthorized transactions. Lastly, don’t click on links or open attachments from unknown or suspicious senders. When in doubt, contact your bank directly.





