BSP orders banks to ditch OTPs for fingerprints, facial recognition
The Bangko Sentral ng Pilipinas (BSP) is ordering financial institutions to ditch traditional text-message one-time passwords in favor of fingerprints and facial recognition as it moves to harden the country’s defenses against the relentless surge in digital heists.
In a draft memorandum it released, the central bank outlined a transition away from traditional, interceptable methods such as short message service (SMS) or email-based one-time passwords (OTPs) toward more robust, centralized verification systems.
The BSP noted the proposed memorandum aligns with Republic Act No. 12010, or the Anti-Financial Account Scamming Act (AFASA), which “establishes a sector-wide framework to combat financial account-related scams and emerging cyber fraud schemes.”
Under the new guidelines, BSP-supervised financial institutions (BSFIs) that handle “high aggregate values of online transactions”—defined as an average monthly network value of at least ₱75 million—must implement advanced fraud management systems and strong customer authentication.
Server-side biometric authentication allows a customer’s identity to be verified within a bank’s “secure backend system” using centrally stored templates, rather than relying solely on the security of an individual’s mobile device.
The BSP noted that this approach “reduces the risk of account takeover, device compromise, spoofing, and unauthorized credential changes.” While the regulator expects BSFIs to “transition away from interceptable authentication methods” for high-risk activities, OTPs may still be utilized for verifying the “existence or ownership of a registered mobile number.”
The central bank emphasized that the adoption of these controls will directly impact a bank’s legal standing.
Under AFASA, institutions that fail to “employ adequate risk management systems and controls, or failure to exercise the highest degree of diligence” will be held liable for the “restitution of funds to the account owners.” Conversely, those determined by the BSP to be compliant “shall not be liable for any loss or damage arising from the offenses” under the Act.
Despite the security benefits, the BSP warned that centralized biometric databases create a “high-value target for threat actors.”
To mitigate this, the draft requires banks to “store biometric data in the form of encrypted biometric templates” and avoid the “retention of raw biometric images.” The regulator also mandated the use of “liveness and deepfake detection mechanisms” to distinguish genuine users from digital spoofs.
Furthermore, the guidelines demand that banks ensure their biometric solutions “support inclusivity and accessibility,” specifically considering “elderly individuals with worn or damaged fingerprint characteristics” or persons with disabilities.
As the industry moves toward these new standards, the BSP expects institutions to remain responsible for ensuring their authentication frameworks are “commensurate with their risk profile” while maintaining compliance with national data protection laws.