MORE than a quarter of digital finance technology firms in the country have stopped sending one-time passwords (OTPs) to customers during transactions, an industry official told reporters on Tuesday.
The Bangko Sentral ng Pilipinas (BSP) has set June 30 as the deadline for banks, e-wallets, and other financial institutions to phase out SMS-based one-time passwords (OTPs) for high-risk transactions.
This is part of the implementation of the Anti-Financial Account Scamming Act (Afasa) to control rising digital fraud, including phishing, SIM-swapping, and account takeovers.
Around 30 percent have complied, said FinTech Alliance.Ph founding chairman Lito Villanueva.
The group currently has 136 corporate members that manage more than 95 percent of the country‘s digital retail financial transactions.
Among its prominent members is GCash, which announced it has replaced OTPs with in-app push notifications.
In a draft memorandum, BSP-supervised financial institutions (BSFIs) offering complex electronic services or handling large online transaction volumes are mandated to implement stronger authentication controls as part of broader fraud management requirements under the Afasa.
An acceptable process for sensitive transactions and critical account changes, the BSP said, is server-side biometric authentication — in which a customer’s biometric data, such as fingerprints or facial recognition, is verified through secure backend systems.
The order is a result of growing concern over cyber fraud schemes that exploit weaknesses in traditional verification tools, particularly OTPs sent through SMS or email.
While adopting a new system could be costly, particularly for small fintech firms, “there’s no choice but to comply,” Villanueva said. “If you’re not compliant, the liability now shifts to the bank or to the fintech player.”
The aim is to protect the interests of consumers, and there is a law on this, Villanueva pointed out, referring to the Afasa, or Republic Act 12010, which contains a provision for financial institutions to implement robust Fraud Management Systems (FMS) to protect clients.
More fintech firms, including digital bank Maya, are expected to comply with the BSP order in the coming months, Villanueva said.
