Philippines moves toward stronger biometric security as OTP risks mount

The Philippines central bank wants to widen financial access even as the country and wider region tackles surging online crime and scams.

The Bangko Sentral ng Pilipinas (BSP) is pledging to widen access to financial services as new data shows more Filipinos are entering the formal financial system. However, cybersecurity experts warn that AI‑driven attacks are rapidly escalating risks across the country’s digital infrastructure.

A first‑quarter Social Weather Stations (SWS) survey found that 58 percent of Filipino adults now own a financial account, up from 51 percent in the BSP’s 2025 Consumer Finance and Inclusion Survey. The rise spans all regions, income brackets and education levels. E-money wallets continue to drive adoption with 43 percent of adults now holding an e‑money account, compared with 21 percent who have a bank account.

The Philippines has seen various initiatives in driving national ID and mobile wallet uptake, with the likes of GCash partnering with the Philippine Statistics Authority (PSA). GCash has long used biometrics from Ant Digital Technologies subsidiary Zoloz for performing KYC checks on new users.

BSP Governor Eli Remolona Jr. said the central bank will “continue to broaden access to financial services,” arguing that account ownership is essential for savings, expense management and long‑term financial health. But the expansion of digital finance is unfolding alongside a surge in cyberthreats that increasingly target individuals, small businesses and financial platforms.

Cybersecurity firm Fortinet warned that artificial intelligence is being used to automate attacks, scan for vulnerabilities at scale and bypass traditional defences, reports the Philippine News Agency. Fortinet Philippines country head Bambi Escalante said AI‑driven threats no longer focus solely on high‑value sectors such as banking and telecommunications but are now hitting ordinary users through e‑commerce fraud, payment scams and identity‑based attacks.

Southeast Asian governments are intensifying cooperation against cybercrime and online scams. ASEAN member‑states have endorsed a series of new frameworks. The ASEAN Cybersecurity Cooperation Strategy 2026–2030 and the operationalization of the ASEAN Regional Computer Emergency Response Team (CERT) look to strengthen cross‑border threat intelligence, harmonize digital security standards and protect victims of online fraud.

The regional bloc is also advancing work on anti‑scam policies, digital infrastructure resilience and the governance of emerging technologies. Leaders highlighted the need for evidence‑based policymaking and better data systems. Digitalization is reshaping human security risks across the region, from the digital divide to the rise of scam farms and identity‑based exploitation.

It’s a trend that enterprising businesses are looking to target. Regula and V-Key, for example, partnered to connect their respective layers for a mobile identity stack. The partnership comes as mobile platforms dominate as the primary channel for digital identity in the Asia‑Pacific region, even as it struggles with a plague of fraud. Organizations are facing pressure to strengthen onboarding security, liveness detection, fraud prevention and mobile authentication as digital services scale.

Lessons from Vietnam

Vietnam’s biometric banking overhaul offers a cautionary tale for the Philippines as it strengthens digital banking security, reports The Manila Times.

Trusting Social, which operates in both markets, said Vietnam’s reforms exposed how weak identity checks had enabled millions of fraudulent accounts to persist. When biometric re‑verification became mandatory in 2024, banks discovered 86 million of 200 million accounts could not be tied to a real person and shut them down by late 2025.

Vietnam would go on to report a 59 percent drop in individual fraud cases and a 52 percent decline in mule accounts. Trusting Social said its systems across eight Vietnamese banks blocked $4.3 billion in attempted mule‑account transactions in a year.

“The institutions that built properly protected their customers and ones that didn’t become the new target,” said Nguyen Nguyen, founder and CEO of Trusting Social. “That is the lesson we saw play out in Vietnam, and the one the Philippines needs to take seriously.”

The company warned that fraudsters simply migrate to the weakest institutions, an issue it sees emerging in the Philippines where digital fraud complaints continue to rise. The Bangko Sentral ng Pilipinas logged 70,000 fraud complaints in 2024, while the CICC recorded 10,004 cybercrime cases, triple the previous year, with losses nearing $11.4 million.

New BSP rules will phase out SMS and email OTPs for high‑risk transactions by June 30, 2026, and the Anti-Financial Account Scamming Act (AFASA) may hold institutions liable for customer losses if safeguards are inadequate. A draft circular also encourages server‑side biometric authentication, aligning with Vietnam’s approach.

Trusting Social said Vietnam’s experience shows that strong biometric systems reduce fraud but require continuous upgrades as criminal techniques evolve.

BSP considers server-side biometrics

The BSP has proposed adopting server-side biometric authentication, reports Philstar. The proposal for server-side biometric authentication comes under AFASA, which drafts in other stronger controls for high-risk financial transactions and critical account changes. The proposals are designed to tackle online fraud and improve consumer protection.

“Server-side biometric authentication is considered a strong and acceptable authentication mechanism for high-risk transactions and critical account changes in electronic financial applications, provided that the risks associated with its implementation are adequately addressed and sound practices or minimum control requirements are adopted,” the BSP says in the draft document.

It builds on Circular 1213, which already requires BSP-supervised financial institutions (BSFIs) handling complex digital services to deploy robust fraud detection tools.

Under the draft rules, the BSP may consider the use of server‑side biometrics when assessing whether institutions have adequate risk controls. This would be an evaluation that could influence AFASA liability in fraud cases.

The central bank also wants BSFIs to phase out interceptable OTPs for high‑risk transactions due to rising SIM‑swap and phishing attacks, though OTPs may still verify mobile‑number ownership.

Server‑side biometrics allow authentication against centrally stored templates, reducing risks of account takeover, device compromise and spoofing. But the BSP warns that centralized biometric databases introduce privacy, cybersecurity and operational risks.

To mitigate these, the draft sets minimum safeguards: encrypting biometric templates, avoiding storage of raw images, restricting access, enforcing strong monitoring and ensuring secure retention and disposal. Additional layered controls — device binding, session revalidation, human review, liveness and deepfake detection, and multimodal checks — are encouraged.

The BSP also stresses governance and third‑party oversight, requiring due diligence on biometric providers and monitoring of accuracy metrics. Institutions are expected to add further protections based on their service complexity and risk profile.

Article Topics

banking  |  biometric authentication  |  biometrics  |  fraud prevention  |  identity verification  |  Philippines