Banks across Southeast Asia have spent years making SMS one-time passwords (OTPs) feel like a mark of safety, the Philippines included.

Customers learned to treat the code arriving on their phone as the final signal that a transaction was safe to complete, but that familiar routine is now reaching its expiry date.

From 30 June 2026, Philippine financial institutions are expected to limit the use of SMS OTPs for high-risk transactions and adopt stronger, less interceptable forms of authentication.

The shift is likely to bring wider use of biometric checks inside banking apps, push-based approvals and liveness verification, giving banks a firmer way to confirm that the person behind a sensitive transaction is genuine and present.

The deadline arrives as scam tactics in the Philippines have grown more fluent in the language of digital banking itself.

Fraudsters no longer need to break into every account when they can persuade customers to surrender access willingly, often by wrapping the request in the familiar rituals of bank verification.

An SMS OTP that once reassured customers can now sit inside a phishing flow, making the code feel legitimate at the very moment it is being misused.

AFASA, short for the Anti-Financial Account Scamming Act, raises the consequences for banks that cannot show reasonable safeguards were in place when customers are targeted.

The phase-out of SMS OTPs now forms part of a wider readiness test, where banks must show that stronger authentication is backed by fraud controls capable of reacting quickly once suspicious activity begins.

Moises Ycot, Growth Lead for the Philippines at Sumsub, says readiness across the market remains uneven.

“There are some banks who are in the final stages of implementation. But the majority of the banks are only starting to look at and evaluating solutions now,” he says.

Once the new baseline takes effect, banks will need to prove that their fraud controls support stronger authentication well beyond the login screen.

AFASA Changes the ROI of Fraud Prevention

The shift changes how banks justify fraud prevention spending. AFASA makes it harder for institutions to defend controls that are slow, fragmented or difficult to prove after a scam has occurred.

Scam-related losses now bring sharper scrutiny over the safeguards an institution had in place and the evidence it can produce after the fact.

“For a CEO, the biggest risk isn’t just the fine; it’s the inability to prove due diligence across the entire lifecycle,” Moises says.

Leadership teams are therefore looking at fraud prevention technology through a different lens. A fraud system now has to do more than block suspicious transactions.

It must leave a clear record of what the bank saw, when it acted and how decisions were made.

“You can’t defend a 48-hour manual review process in a world where a mule can drain an account in 48 seconds,” he adds.

Manual review still has a role when cases require judgement, but slow review cycles are becoming increasingly difficult to justify as the first line of defence against fast-moving scams.

Authentication Has to Follow the Customer Journey

The same pressure now extends into the customer journey.

Banks built traditional digital security around fixed checkpoints. They verified identity during onboarding, then often relied on OTPs to protect later transactions.

That approach weakens when risk can emerge long after the account is opened. A clean onboarding result does not guarantee that the account will remain low-risk, especially once behaviour begins to move away from the profile the bank first approved.

Moises says institutions need to move from “static, point-in-time checks to a risk-based, real-time authentication framework.”

Step-up verification becomes more targeted when banks can see whether the activity still fits the customer’s usual profile.

A familiar login with normal behaviour should not carry the same treatment as a high-value transfer from a newly registered device, especially when location or behavioural signals appear unusual.

Authentication has to become more responsive without turning every customer interaction into a heavier security process. Ordinary activity should move with minimal interruption, while riskier behaviour receives scrutiny before it turns into loss.

The Growth Lead for the Philippines at Sumsub describes the wider shift as a move from one-time verification to “continuous trust.”

The first identity check gives banks a starting point, but the harder work is knowing when the account begins to behave differently.

What Could the Philippines Use To Replace SMS OTPs for High-Risk Transactions?

As Philippines banks move away from SMS OTPs for high-risk activity, they need authentication methods that are harder to steal.

Liveness checks and biometric authentication help shift the question from whether a customer can enter a code to whether the person behind a high-risk action is real and matches to the identity already on file.

Sumsub uses face and biometric authentication to help financial institutions confirm that a user is physically present during sensitive actions, while giving banks a faster alternative to SMS OTPs in the Philippines.

But speed still matters.

Banks cannot replace one friction point with another process that feels slow or punitive for ordinary customers.

Stronger authentication needs to work quietly for most users, while still challenging activity that carries higher risk.

“The shift is from ‘more steps’ to ‘smarter steps’,” Moises says.

A known customer completing a routine transaction should not face the same level of friction as someone attempting a large transfer from a newly registered device.

The security layer becomes more dynamic, shaped by risk rather than applied evenly to every action.

Remote user verification now has to account for manipulated media and presentation attacks, especially as deepfakes and synthetic identities become harder to spot.

Moises identifies these as among the primary risks banks need to mitigate.

He also points to PhilID as a foundational identity layer that can help banks streamline onboarding.

His point, however, is that national identity validation cannot carry the whole fraud burden on its own.

Identity verification still needs to sit within a wider fraud control layer that can assess risk after onboarding.

Ongoing Monitoring Becomes Central to AFASA Readiness

Fraud and compliance teams can no longer rely only on periodic reviews or large manual alert queues.

They need systems that monitor behaviour continuously and escalate cases when risk crosses a defined threshold.

“The system monitors behavior 24/7 and only alerts your team when a threshold is crossed. It’s the difference between a static snapshot and a continuous security feed,” Moises says.

The immediate regulatory focus may be the move away from SMS OTPs in the Philippines, but AFASA also pushes institutions to strengthen fraud controls around the wider customer relationship.

Authentication sits within that system rather than apart from it.

Sumsub’s full-cycle verification approach brings identity verification, liveness, device intelligence, transaction monitoring and risk decisioning all into one single platform, allowing banks to connect signals that would otherwise sit across separate systems.

With that wider account context, banks may read the same transaction differently.

Sumsub’s transaction monitoring can detect unusual payment patterns as they happen, while its device intelligence layer can flag anomalies such as new device usage, spoofing attempts or location inconsistencies linked to account compromise.

As these signals come together, banks gain a clearer view of customer risk and a faster way to act.

Fragmented Fraud Stacks Create Operational Drag

Many banks have built their fraud controls gradually, adding tools as new risks emerged.

Over time, fraud teams can end up working across systems that do not share a common view of risk.

“When you have one vendor for liveness, another for screening, and a third for transaction monitoring, your staff spends 70% of their time just moving data between windows,” Moises pointed out.

Fragmentation also makes decisions harder to explain.

Under AFASA and BSP’s heightened expectations, banks need to show how they assessed risk, what actions they took and how they handled suspicious activity.

A single-platform approach can reduce that burden by helping fraud teams handle clear-cut cases faster and reserve more attention for complex risks.

Compliance teams can gain better visibility, while leadership can get stronger evidence that controls are working across the customer lifecycle.

Moises says the goal should not be to keep expanding manual review teams.

“The goal shouldn’t be to hire 200 more reviewers; it should be Automated Decisioning,” he explains.

Automation helps fraud teams preserve human judgement for cases that genuinely need closer review.

What Safer Banking Should Feel Like After 2026

The end of SMS OTPs for high-risk banking transactions in the Philippines should lead to a more precise security experience, rather than a heavier one.

Moises says the ideal secure banking experience should feel “almost invisible” to the user.

Banks should authenticate routine activity quietly and reserve customer challenges for moments when behaviour begins to look unusual.

Liveness checks and biometric authentication will still appear, but only when risk justifies the interruption.

The SMS OTPs phase-out gives banks in the Philippines a chance to modernise digital trust around stronger authentication, ongoing monitoring and faster fraud response.

Customers, meanwhile, should get safer digital banking without feeling that every transaction has become slower.

Featured image: Edited by Fintech News Philippines based on an image by tete_escape via Magnific.