Draft order pushes banks to drop OTPs for biometrics

5 Mar 2026 • 12:20 AM MYT
The Manila Times

The Bangko Sentral ng Pilipinas wants banks to move away from one-time passwords (OTPs) sent via SMS or email and adopt server-side biometric authentication to combat online financial scams.

Under a draft memorandum, BSP-supervised financial institutions (BSFIs) offering complex electronic services or handling large online transaction volumes are expected to implement stronger authentication controls as part of broader fraud management requirements under the Anti-Financial Account Scamming Act.

The central bank said that server-side biometric authentication — where a customer’s biometric data, such as fingerprints or facial recognition, is verified through secure backend systems — would be treated as an acceptable and strong authentication method for sensitive transactions and critical account changes.

The shift reflects growing concern over cyber fraud schemes that exploit weaknesses in traditional verification tools, particularly OTPs delivered through SMS or email.

“BSFIs are expected to transition away from the use of interceptable authentication mechanisms ... given the elevated risks of SIM swap fraud, phishing and related attacks,” the central bank said.

“OTPs may, however, be used for verifying the existence or ownership of a registered mobile number,” it added.

Under the proposal, the adoption of server-side biometrics and related controls will form part of the BSP’s assessment of whether banks and financial institutions maintain adequate risk management systems.

Compliance with these standards may also affect whether institutions can be held liable for losses tied to fraudulent transactions, while failure to implement sufficient safeguards could expose them to restitution claims from affected customers.

Server-side biometric authentication works by matching a customer’s biometric credentials against encrypted templates stored in centralized systems, allowing institutions to verify identities even if a user changes devices.

“This enables the BSFI’s system to authenticate the customer’s identity against the records it maintains, regardless of changes on the device used, thereby reducing the risk of account takeover, device compromise, spoofing, and unauthorized credential changes, among other threats,” the central bank said.

However, it also warned that centralized biometric systems would create new risks, including the possibility of large-scale data breaches and unauthorized access if databases or encryption keys are compromised.

Financial institutions adopting the technology will be required to implement safeguards such as encrypting biometric data, limiting access to authorized personnel and ensuring proper data disposal practices.

The draft guidelines also emphasize the need for layered security controls alongside biometrics, including liveness detection to prevent spoofing and deepfake attacks, monitoring for suspicious activity and additional verification steps for high-risk transactions such as credential resets or device changes.
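The server-side flow the draft describes, as an added example in Go (not code from the article, the BSP or any bank): templates are encrypted at rest with AES-256-GCM and matched on the server, so a customer who changes devices still authenticates against the record the institution holds; liveness is a precondition; and high-risk actions such as credential resets, or an unenrolled device, trigger a step-up check. The 256-bit template format, the Hamming-distance matcher with a 40-bit threshold and every identifier are assumptions constructed for illustration, and the all-zero key stands in for one an HSM would hold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math/bits"
)

// Constructed 256-bit (32-byte) iris-code style templates; a real system takes
// the format and a calibrated threshold from the vendor's matcher.
const matchThreshold = 40 // accept if at most this many bits differ (assumed)

// Store models the centralized template database with AES-256-GCM at rest. The
// key is a placeholder; in production it belongs in an HSM, since compromising it
// exposes every enrolled template, which is the risk the draft warns about.
type Store struct {
	aead      cipher.AEAD
	templates map[string][]byte // customer ID -> nonce || ciphertext || tag
	devices   map[string]string // customer ID -> enrolled device ID
}

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead, map[string][]byte{}, map[string]string{}}, err
}

// Enroll seals the template with the customer ID as additional authenticated
// data, so a ciphertext cannot be swapped into another customer's record.
func (s *Store) Enroll(customerID, deviceID string, tpl []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.templates[customerID] = s.aead.Seal(nonce, nonce, tpl, []byte(customerID))
	s.devices[customerID] = deviceID
	return nil
}

// hamming counts differing bits: matching is a distance test, not an equality
// test, so templates cannot be stored as salted hashes the way passwords are.
func hamming(a, b []byte) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

type Capture struct {
	CustomerID string
	Sample     []byte // fresh biometric sample from the client
	DeviceID   string
	Live       bool // verdict of the liveness check
}

// Verify layers the controls: liveness, then a fuzzy match against the decrypted
// server-held template (a changed device still authenticates), then step-up for
// high-risk actions such as credential resets or for an unenrolled device.
func (s *Store) Verify(c Capture, highRisk, stepUpPassed bool) (bool, string) {
	if !c.Live {
		return false, "liveness check failed"
	}
	rec, ok := s.templates[c.CustomerID]
	if !ok {
		return false, "unknown customer"
	}
	n := s.aead.NonceSize()
	tpl, err := s.aead.Open(nil, rec[:n], rec[n:], []byte(c.CustomerID))
	if err != nil {
		return false, "template decryption failed"
	}
	if len(c.Sample) != len(tpl) || hamming(tpl, c.Sample) > matchThreshold {
		return false, "biometric mismatch"
	}
	if (highRisk || c.DeviceID != s.devices[c.CustomerID]) && !stepUpPassed {
		return false, "step-up verification required"
	}
	return true, "authenticated"
}

// flipBits constructs a noisy re-capture that differs from tpl in exactly n bits.
func flipBits(tpl []byte, n int) []byte {
	out := append([]byte(nil), tpl...)
	for i := 0; i < n; i++ {
		out[i/8] ^= 1 << uint(i%8)
	}
	return out
}

func main() {
	s, _ := NewStore(make([]byte, 32)) // all-zero key stands in for an HSM-held key
	tpl := []byte("constructed-template-of-32-bytes") // stands in for a real template
	_ = s.Enroll("C-1001", "phone-A", tpl)
	fmt.Println(s.Verify(Capture{"C-1001", flipBits(tpl, 12), "phone-B", true}, false, false))
}
```

The matcher shows why the draft's warning about centralized storage bites: a fresh capture never reproduces the enrolled template bit for bit, so the template cannot be salted and hashed like a password, and the encryption key becomes the asset whose compromise exposes every enrolled customer. The device-change branch in Verify is where the "regardless of changes on the device used" property and the "additional verification steps" for device changes meet.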

Institutions using third-party biometric service providers must also conduct due diligence and maintain oversight to manage outsourcing risks.

The BSP said financial institutions would remain responsible for ensuring that their authentication systems matched their risk profiles and complied with security standards.

“These controls are intended to safeguard biometric data, mitigate fraud and account takeover risks, preserve customer trust, and ensure alignment with applicable authentication, cybersecurity, and data protection standards,” it said.

“BSFIs, however, should implement additional controls, as warranted, to effectively address the risks and concerns identified above, commensurate with the complexity and risk profile of their digital financial services.”