BSP Mandates Server-Side Biometrics for Bank Authentication
The Bangko Sentral ng Pilipinas has ordered all supervised financial institutions to phase out SMS and email one-time passwords for high-risk transactions under the Anti-Financial Account Scamming Act, requiring a switch to server-side biometrics authentication that validates customer identity against centrally stored templates.
Key Takeaway
Philippine banks must now bear scam losses unless they upgrade authentication systems beyond SMS OTPs.
The Bangko Sentral ng Pilipinas directed all supervised financial institutions to phase out interceptable authentication methods, including SMS and email one-time passwords, for high-risk transactions.
The mandate requires banks to move to server-side biometrics authentication, which validates customer identity against centrally stored templates rather than relying on device-based verification. BSP said this approach reduces vulnerabilities such as account takeovers and device compromises that plague traditional OTP systems.
The central bank's directive under the Anti-Financial Account Scamming Act sets strict data handling requirements. Institutions must encrypt biometric templates rather than storing raw images, and implement continuous liveness and deepfake detection to prevent spoofing attacks. BSP emphasized that biometrics should not be the sole line of defense against fraudulent activity.
Banks that fail to maintain adequate risk management systems must reimburse customers for funds lost to scams under the new framework. Compliant institutions receive liability protection for specific cybercrime offenses, creating a clear incentive structure for rapid adoption.
Several Philippine banks had already deployed biometric authentication ahead of the mandate. UnionBank introduced speech recognition for fraud mitigation in 2023, while Philippine National Bank reached over one million users on its Digital App using fingerprint and face biometrics that same year.
BSP acknowledged that centralizing biometric data creates a high-value target for cyber threats, despite the security upgrade over SMS-based authentication.
🇵🇭 Filipino Impact
PDAX and Coins.ph, as BSP-licensed Virtual Asset Service Providers under Circular 1108, will likely face similar biometrics requirements in future directives. Filipino crypto users on these platforms may see fingerprint or facial recognition replace SMS codes for withdrawals and high-value trades. The liability shift means exchanges that stick with SMS OTPs could be forced to reimburse users for account takeover losses.
This article was written based on reporting from Fintechnews.