The BSP OTP Ban Is a Liability Shift

What It Means

  • The BSP OTP ban, grounded in AFASA, formally moves fraud liability onto banks by tying authentication adequacy to institutional responsibility for fraud losses.
  • Banks that cannot demonstrate compliant authentication systems by June 2026 lose their primary legal defense in fraud cases filed by customers.
  • Draft Circular 1213 identifies server-side biometric authentication as the acceptable replacement for OTPs on high-risk transactions and critical account changes.
  • The June 2026 deadline is confirmed firm. Multiple banks have already requested extensions and been refused.
  • MSME operators running payroll and supplier payments through digital banking channels need to know which institutions are behind on compliance and what that means for their accounts.

The OTP Was Never the Problem. The Liability Was.

Philippine banks have known for years that SMS-based OTPs are insecure. SIM swap fraud, phishing pages that harvest codes in real time, and SS7 protocol vulnerabilities are not new threats. The BSP OTP ban did not arrive because the technology suddenly became dangerous. It arrived because AFASA, Republic Act 12010, changed who pays when that danger materializes.

Before AFASA, a bank facing a fraud claim had a workable defense. The SIM was swapped by a criminal. The customer clicked a phishing link. The telco’s infrastructure was exploited. The authentication system did what it was designed to do. None of that is the bank’s fault. Courts and regulators largely accepted versions of this argument, and fraud losses stayed with customers far more often than with institutions.

AFASA changed that architecture. The law ties authentication adequacy directly to institutional liability. If a bank’s authentication system is deemed inadequate, the institution absorbs the liability. The BSP OTP ban, through Draft Circular 1213, is the mechanism that defines what adequacy now means. Server-side biometric authentication is in. Interceptable OTPs via SMS and email are out, at least for high-risk transactions and critical account changes.

The distinction matters. Banks are not being told to upgrade their security because the BSP decided biometrics are better. Banks are being told to upgrade because the legal cost of not upgrading just became real and specific.

What Draft Circular 1213 Actually Does

The BSP OTP ban circular does two things that are easy to conflate but structurally different.

First, it sets the technical standard. Server-side biometric authentication, where a customer’s biometric data is verified against templates stored in the bank’s backend system, is recognized as a strong and acceptable authentication mechanism for high-risk transactions. OTPs can still be used for one narrow purpose: verifying the existence or ownership of a registered mobile number. That is it.

Second, and more consequentially, it connects compliance with that technical standard to the BSP’s evaluation of whether a bank maintained adequate risk management systems. That evaluation directly affects liability outcomes under AFASA Sections 4 and 5. A bank that cannot demonstrate compliant authentication does not just face a regulatory penalty. It faces a weakened legal position in every fraud case where a customer argues the institution failed to protect them.

This is not an automatic liability trigger. The circular makes authentication adequacy a factor in liability determination, not a binary switch that assigns blame the moment an OTP is used. But the direction is clear. Banks that arrive at a fraud dispute in July 2026 still running SMS OTPs on high-risk transactions are walking in with a structural disadvantage they chose not to address when they had the time.

The Deadline Is Not Moving

Several banks have already requested extensions on the June 2026 deadline. The BSP has confirmed the deadline stands. That exchange is itself a signal worth reading carefully. The institutions asking for more time are telling you they are not ready. The BSP refusing to move the date is telling you the liability clock is running regardless.

For larger universal and commercial banks with dedicated technology teams and existing digital infrastructure, the transition is expensive but manageable. The compliance gap is concentrated in smaller institutions, rural banks, thrift banks, and cooperative banks that depend on vendor-supplied core banking systems and have limited in-house technical capacity. These are not peripheral players. They are the institutions serving provincial depositors, agricultural communities, and segments of the population that have no practical alternative.

What This Means for Operators

If you run a business with payroll, supplier payments, or collections running through a digital banking channel, the June 2026 deadline is relevant to you in a way that goes beyond consumer inconvenience.

An institution that misses the deadline is not just non-compliant. It is operating with a weakened fraud liability position at exactly the moment fraud attempts are likely to spike. Authentication transitions are high-value windows for account takeover attempts. Fraudsters know when banks are mid-migration. The compliance gap and the fraud risk are not separate problems. They arrive together.

Check where your business accounts sit. Ask your bank directly about their authentication transition timeline. If the answer is vague, that is information.

The BSP OTP ban is not the story. The liability framework it enforces is. Banks that treat this as a technology upgrade project are misreading what AFASA actually changed.
