Philippines Moves Toward Stronger Biometric Security as OTP Risks Mount

Financial inclusion in the Philippines is accelerating, with 58 percent of adults now holding a formal account—up from 51 percent a year earlier. Mobile wallets such as GCash dominate, but the rapid digitization has attracted AI‑powered scams that target everyday users, from e‑commerce fraud to SIM‑swap attacks. The rise in cybercrime has pressured regulators to rethink legacy security models, prompting the BSP to scrutinize one‑time passwords that can be intercepted or spoofed.

In response, the BSP’s draft circular under the Anti‑Financial Account Scamming Act (AFASA) proposes server‑side biometric authentication for high‑risk transactions. Unlike device‑bound biometrics, server‑side solutions store encrypted templates centrally, enabling robust liveness checks and deep‑fake detection while reducing reliance on vulnerable OTP channels. The regulator also mandates strict safeguards—no raw image storage, limited access, continuous monitoring, and third‑party provider due diligence—to address privacy and cybersecurity concerns. By making biometric compliance a factor in AFASA liability assessments, the BSP signals that institutions must adopt layered defenses or face regulatory penalties.

Regional experience offers a roadmap. Vietnam’s mandatory biometric re‑verification in 2024 eliminated 86 million phantom accounts and drove a 59 percent drop in individual fraud cases, blocking roughly $4.3 billion in mule‑account attempts. Philippine fintechs and banks are now partnering with firms like Regula and V‑Key to build a unified mobile identity stack that incorporates multimodal checks and server‑side verification. As Southeast Asian governments tighten cross‑border cyber cooperation, the Philippines’ biometric push could become a benchmark for balancing financial inclusion with resilient digital security.