Keisha Ta-Asan - The Philippine Star
March 5, 2026 | 12:00am
MANILA, Philippines — The Bangko Sentral ng Pilipinas (BSP) is proposing the adoption of server-side biometric authentication and other stronger controls for high-risk financial transactions and critical account changes, as part of efforts to curb online fraud and strengthen consumer protection under the Anti-Financial Account Scamming Act (AFASA).
In a draft memorandum issued by the central bank’s Financial Supervision Sector, the BSP said server-side biometric authentication would be recognized as a strong authentication mechanism for digital financial services.
“Server-side biometric authentication is considered a strong and acceptable authentication mechanism for high-risk transactions and critical account changes in electronic financial applications, provided that the risks associated with its implementation are adequately addressed and sound practices or minimum control requirements are adopted,” the BSP said in the draft document.
The BSP earlier issued Circular 1213 to implement a section of AFASA, requiring BSP-supervised financial institutions (BSFIs) engaged in complex electronic services and large online transaction volumes to deploy robust fraud management systems capable of detecting and blocking suspicious or fraudulent transactions.
The draft memorandum builds on this requirement by encouraging the use of server-side biometric authentication as part of strong customer verification mechanisms.
Under the proposal, the use of server-side biometrics will also be considered by the BSP when evaluating whether financial institutions have maintained adequate risk management systems and controls. This assessment may affect potential liability under AFASA in cases involving financial account fraud.
The central bank is also urging financial institutions to gradually move away from interceptable authentication methods such as one-time passwords (OTPs) sent through text or email, which an attacker can capture through SIM swap fraud, phishing and similar attacks.
“BSFIs are expected to transition away from the use of interceptable authentication mechanisms, such as OTPs, as an authentication mechanism for financial transactions or other high-risk activities, given the elevated risks of SIM swap fraud, phishing and related attacks,” the BSP said.
However, OTPs may still be used for verifying the existence or ownership of a registered mobile number.
The proposed framework defines server-side biometric authentication as a system in which a customer’s biometric credential, such as a fingerprint, facial image or voice sample, is validated within the secure backend systems of a financial institution or its authorized provider using centrally stored biometric templates.
Because the match is performed in the institution's backend rather than on the customer's handset, this approach allows institutions to authenticate customers against records maintained in their own systems regardless of device changes, helping reduce the risks of account takeover, device compromise, spoofing and unauthorized credential changes.
Despite its benefits, the BSP noted that the use of biometrics also introduces operational, privacy and cybersecurity risks.
The draft guidelines highlight several concerns, including the possibility that centralized biometric databases could become high-value targets for cybercriminals, exposing sensitive identity data if compromised. Improper collection or handling of biometric information may also lead to regulatory violations and reputational damage.
To address these risks, the BSP outlined minimum control requirements for financial institutions adopting the technology.
These include encrypting biometric templates, avoiding the storage of raw biometric images, limiting access to authorized personnel, implementing strong logging and monitoring systems as well as establishing clear procedures for the secure retention and disposal of biometric data.
Financial institutions are also advised to adopt layered security measures such as device binding, session revalidation, human review of suspicious transactions, liveness detection and deepfake detection mechanisms as well as multimodal authentication checks combining biometric and behavioral indicators.
The BSP also emphasized the importance of governance and third-party oversight, particularly for institutions that outsource biometric services.
Institutions must conduct rigorous due diligence on service providers, ensure compliance with data protection regulations, and regularly monitor performance metrics such as false acceptance and false rejection rates to prevent unauthorized access or customer disruption.
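The false acceptance and false rejection rates mentioned above are a threshold trade-off: a server-side matcher returns a similarity score for each comparison, and the backend accepts the comparison when the score reaches a configured threshold. The following is an added example, not code from the BSP, the draft memorandum or any provider; it assumes a hypothetical matcher that scores in the range 0 to 1 and uses constructed sample scores to show how FAR and FRR are measured at a threshold, how a threshold is chosen for a FAR limit, where the equal error rate sits, and how a deployed threshold is flagged when the measured rates leave their agreed limits.

```python
"""Measure a biometric matcher's false acceptance / false rejection rates.

Added example for the FAR/FRR monitoring point; it is not BSP's or any
vendor's code. Assumption: a hypothetical server-side matcher returns a
similarity score in [0, 1] per comparison, and the backend accepts the
comparison when score >= threshold.
"""

# Constructed sample scores (not real measurements).
# genuine: a customer's live sample compared with that customer's stored template
# impostor: another person's sample compared with the customer's stored template
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.84, 0.93, 0.72, 0.89, 0.97, 0.86]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.58, 0.22, 0.63, 0.30, 0.75, 0.18, 0.47]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) at a decision threshold.

    FAR: fraction of impostor comparisons wrongly accepted (score >= threshold).
    FRR: fraction of genuine comparisons wrongly rejected (score < threshold).
    """
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def threshold_for_far(genuine, impostor, max_far):
    """Lowest observed score usable as a threshold whose FAR is <= max_far.

    Returns (threshold, far, frr). The FRR in the result is the usability
    cost of holding the security limit; lowering the threshold further
    would push FAR above max_far.
    """
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    # No observed score satisfies the limit: go just above the highest
    # impostor score, where FAR is zero by construction.
    t = max(impostor) + 1e-9
    far, frr = far_frr(genuine, impostor, t)
    return t, far, frr


def equal_error_rate(genuine, impostor):
    """Threshold at which FAR and FRR are closest, and the rate there.

    A single figure for comparing matchers or tracking drift over time.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def out_of_tolerance(genuine, impostor, threshold, far_limit, frr_limit):
    """True when a deployed threshold's measured rates exceed agreed limits.

    Run periodically over recent labelled comparisons (e.g. confirmed
    fraud cases and confirmed genuine customers) to catch matcher drift.
    """
    far, frr = far_frr(genuine, impostor, threshold)
    return far > far_limit or frr > frr_limit


if __name__ == "__main__":
    for t in (0.70, 0.80):
        print(f"threshold {t:.2f}: FAR/FRR =", far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t))
    print("threshold for FAR <= 0:", threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    print("equal error rate:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("0.80 outside (FAR 0, FRR 0.1)?",
          out_of_tolerance(GENUINE_SCORES, IMPOSTOR_SCORES, 0.80, 0.0, 0.1))
```

On the constructed data a threshold of 0.80 admits no impostor but rejects a fifth of genuine attempts, while 0.70 lets one impostor in; the equal error rate sits at 0.75. In production the labelled score sets come from the provider's reported metrics or from the institution's own confirmed-fraud and confirmed-genuine cases, and the limits passed to `out_of_tolerance` are the figures agreed with the provider.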
While the proposed guidelines set baseline expectations, the BSP said institutions should implement additional safeguards depending on the complexity and risk profile of their digital financial services.