The Philippines’ push to retire SMS-based one-time passwords (OTPs) by June 2026 is more than just a regulatory update. It is a structural reset in how trust and security will be built across the country’s digital financial ecosystem.
In an exclusive interview with FintechNewsPH, Michelle Anne Chan, Country Manager of ADVANCE.AI and ADVANCE.CBP Philippines, said the Bangko Sentral ng Pilipinas (BSP)’s move reflects a growing recognition that legacy authentication methods are no longer enough to defend against modern fraud.
“The BSP’s move is a direct response to how fraud itself has evolved,” Chan said.
“What used to be opportunistic scams are now highly organized, syndicated operations. These groups operate like enterprises, complete with dedicated tools, playbooks, and clearly defined roles across SIM registration fraud, phishing, social engineering, and account monetization.”
For years, SMS OTPs have been the default layer of security for banks, e-wallets, and digital lenders in the Philippines.
But according to Chan, that model has become increasingly vulnerable as fraud syndicates shift their focus from attacking systems directly to exploiting identity verification gaps.
“At ADVANCE.AI, we’re seeing coordinated attacks where fraudsters don’t hack systems in the traditional sense,” she said. “Instead, they compromise the identity layer. Once they control the mobile number, the OTP becomes a formality.”
That, she said, is exactly why the Philippine banking industry is now being pushed toward identity-centric security — moving beyond authentication based on what a user possesses, such as a SIM card, and toward systems that verify who the user actually is.
A deadline forcing long-overdue change
The June 2026 deadline, set under the implementation framework of the Anti-Financial Account Scamming Act (AFASA), gives financial institutions time to adapt.
But Chan views the deadline as intentionally firm.
“The BSP is setting a non-negotiable direction,” she said. “The Philippines cannot build a modern financial system on outdated authentication methods.”
The timing is particularly significant as digital banking adoption continues to accelerate.
Michelle Anne Chan, Country Manager of ADVANCE.AI and ADVANCE.CBP Philippines, delivering her speech at an event
With more Filipinos relying on app-based financial services, the security stakes have become higher than ever.
“If security does not evolve at the same pace as inclusion, fraud scales faster than trust,” Chan said.
“And once trust erodes, adoption slows.”
Why banks are still holding on to OTPs
Despite the looming phaseout, many institutions remain deeply reliant on SMS-based authentication.
Chan said the hesitation is rarely about awareness. It is about execution.
“Most institutions understand the risks. The challenge is implementation at scale,” she said.
Legacy infrastructure remains one of the biggest obstacles, particularly for traditional banks operating on fragmented systems that were never designed for biometric integration.
“There’s also the coordination challenge,” Chan explained. “Authentication touches onboarding, login, transactions, compliance, customer experience — it cuts across multiple departments.”
The skills gap is another pressure point.
Biometric and AI-driven authentication systems require expertise in fraud detection, behavioral modeling, and risk governance — capabilities that many institutions are still building internally.
Some institutions, Chan noted, also continue to approach the shift as a compliance exercise rather than a long-term resilience strategy.
“That mindset needs to change,” she said.
Beyond OTP: What comes next
At ADVANCE.AI, Chan believes the replacement for OTPs will not come in the form of a single technology, but through a layered authentication framework combining facial biometrics, liveness detection, behavioral signals, device intelligence, and in-app verification.
“These methods work because they verify the person, not just the credential,” she said.
A fraudster may intercept a code or compromise a SIM. Replicating a live biometric check or mimicking behavioral patterns at scale is significantly harder.
Chan also pushed back against concerns that stronger authentication necessarily creates more friction for users.
“In practice, many customers find biometrics easier than waiting for an OTP that expires or never arrives,” she said.
For Chan, the broader opportunity extends beyond fraud prevention.
Stronger authentication, she argued, could become a key enabler of financial inclusion.
“When customers trust the system, they transact more confidently and engage more deeply with digital financial services,” she said.
“That directly translates to digital economy growth.”
As the countdown to June 2026 continues, Chan’s message to banks and fintechs is straightforward: move now.
“The transition does not have to be disruptive,” she said. “But it has to start.”
This version reads a touch sharper and more publication-ready.
