Philippine financial technology firms are racing to meet the midyear deadline to overhaul their security protocols, as the Bangko Sentral ng Pilipinas (BSP) prepares to phase out one-time passwords to curb a surge in digital fraud.

Lito Villanueva, FinTech Alliance.ph, founding chairman, told reporters that while the transition to advanced fraud management systems requires significant capital outlays, the industry is moving to comply with the central bank.

The mandatory shift is part of a broader regulatory push under the Anti-Financial Account Scamming Act (AFASA), which aims to address the rising tide of account takeovers and unauthorized transactions.

“Of course, we need to comply,” Villanueva told reporters, noting that adherence is mandatory regardless of individual firm readiness.

While some industry participants have appealed to the BSP for an extension of the implementation timeline, Villanueva said any decision to move the target remains entirely at the BSP’s discretion.

The move marked the shift in how millions of Filipinos interact with mobile banking. One-time passwords, or OTPs, have long been the standard for transaction verification, but their susceptibility to phishing and social engineering has made them a primary vulnerability.

The BSP has been aggressive in pushing for their removal, citing the fact that the vast majority of fraud-linked complaints involve the compromise of these credentials.

Under the new regulatory framework, financial institutions must pivot toward more sophisticated defenses. These include device binding—which links a banking profile to a specific physical handset—and behavioral device intelligence, which uses pattern recognition to detect suspicious activity.

Villanueva noted that these requirements are driving a spike in compliance and cybersecurity spending across the sector as firms build out platforms that integrate anti-money laundering and fraud detection.

The cost of compliance has created a divide within the industry. While large commercial banks are generally on track to meet the deadline, smaller institutions and rural banks have expressed concern over the “transitory provision,” citing the high investment costs. T

o bridge this gap, the industry has launched the Fraud Intelligence Data Sharing Network, a consortium led by credit bureau CIBI. The network allows smaller players to access shared industry data, helping them maintain security parity with larger institutions.

The stakes for non-compliance are high. The BSP has signaled it may exercise its authority to suspend banking licenses or hold lenders liable for client losses resulting from fraud if they fail to establish the required fraud management systems.