BSP to require banks to adopt strong biometrics authentication
The Bangko Sentral ng Pilipinas (BSP) wants banks to adopt robust biometric authentication for high-value online transactions and sensitive account changes, steering the industry away from text-message and email security codes that scammers have learned to intercept.
Under a draft circular now circulating for industry comment, the central bank would weigh a lender’s use of “server-side” biometric safeguards when determining potential liability in fraud cases.
In effect, a bank that fails to deploy what the BSP considers a “strong” and “acceptable” authentication mechanism could be held responsible for reimbursing customers for stolen funds.
The proposal is meant to implement the Anti-Financial Account Scamming Act (Afasa), which criminalized the use of financial accounts as a vehicle to move or hide criminal proceeds. Afasa also seeks to raise accountability standards across regulated institutions by compelling stronger defenses against fraud and cybercrime.
Server-side biometric authentication refers to a system in which a customer’s fingerprint, facial scan or other biometric credential is verified within the secure back-end infrastructure of a bank or its authorized third-party provider, using centrally stored reference templates.
Preventing scammers
Because validation occurs on the bank’s servers rather than solely on a customer’s device, this approach allows banks to confirm identity against their own records even if a phone is replaced or compromised.
The BSP said server-side biometric authentication should eventually replace authentication mechanisms that criminals can intercept, such as one-time pins (OTPs) sent via SMS and email.
OTPs may, however, be used for verifying the existence or ownership of a registered mobile number.
Even so, the central bank acknowledged the security, operational and privacy risks of biometric authentication, warning that centralized biometric databases could become high-value targets for cybercriminals.
The BSP also cautioned that biometric systems could be fooled by spoofing, replay attacks and increasingly sophisticated deepfakes if they lack strong liveness detection and antispoofing safeguards.
To mitigate these dangers, the BSP said banks must encrypt biometric data and restrict access to those data to authorized personnel.
Banks must also layer biometrics with additional defenses—behavioral checks, human review and secure fallback options—and monitor error rates and bias.
“These requirements establish the BSP’s baseline expectations,” the central bank said.
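The server-side flow described above, as an added Python sketch (not from the BSP circular or any bank's system): reference templates are held and matched in the bank's back end rather than on the phone, a liveness failure is routed to a secure fallback before any matching, only an authorised service role may read templates, OTPs are kept solely for number-ownership checks, and accept/reject counts are recorded for error-rate monitoring. The peso threshold, similarity threshold, role names and feature vectors are assumptions.

```python
import math
from dataclasses import dataclass, field

# Constructed values: the circular sets no numbers; these are assumptions.
HIGH_VALUE_PHP = 50_000.0
SENSITIVE_CHANGES = {"change_mobile_number", "change_email", "change_password"}
MATCH_THRESHOLD = 0.92  # assumed cosine-similarity threshold for a genuine match


def needs_biometric_step_up(action: str, amount_php: float = 0.0) -> bool:
    """High-value transfers and sensitive account changes need strong auth."""
    return (action == "transfer" and amount_php >= HIGH_VALUE_PHP) or action in SENSITIVE_CHANGES


def otp_allowed_for(action: str) -> bool:
    """An SMS/email OTP remains acceptable only to prove a registered number."""
    return action == "verify_mobile_number"


def cosine_similarity(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


@dataclass
class BiometricServer:
    """Server-side verifier: templates live here, so a replaced or
    compromised device cannot substitute its own reference."""
    templates: dict = field(default_factory=dict)  # customer_id -> feature vector
    authorised_roles: frozenset = frozenset({"auth-service"})  # assumed role name
    stats: dict = field(default_factory=lambda: {"accepted": 0, "rejected": 0, "no_liveness": 0})

    def _check_role(self, role: str) -> None:
        if role not in self.authorised_roles:
            raise PermissionError(f"role {role!r} may not access biometric templates")

    def enrol(self, role: str, customer_id: str, template) -> None:
        self._check_role(role)
        self.templates[customer_id] = list(template)

    def verify(self, role: str, customer_id: str, probe, liveness_passed: bool) -> str:
        self._check_role(role)
        if not liveness_passed:  # spoof, replay or deepfake presentation: never matched
            self.stats["no_liveness"] += 1
            return "fallback"  # hand off to the secure fallback path (e.g. human review)
        ref = self.templates.get(customer_id)
        if ref is None:
            return "fallback"
        ok = cosine_similarity(ref, probe) >= MATCH_THRESHOLD
        self.stats["accepted" if ok else "rejected"] += 1
        return "accepted" if ok else "rejected"
```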