How the Philippines is reducing fraud and scams with AFASA

Key takeaways
Escalating scams in the Philippines
What is AFASA?
Why the change?
Fraud prevention in the Philippines from 2026
What recent BSP Circulars mean for fraud teams
Ready to rethink fraud prevention?

Key takeaways

AFASA combats escalating consumer fraud and scams:
The Anti-Financial Account Scamming Act (AFASA) was enacted in the Philippines in 2024 as a response to the rise in digital financial scams, aiming to restore public trust and provide a legal framework against cybercriminals.
AFASA provides comprehensive and granular regulatory requirements:
AFASA and related BSP Circulars mandate financial institutions to implement advanced fraud prevention measures.
Criminalization of fraud tactics and strengthened enforcement:
AFASA specifically criminalizes money muling, social engineering, and economic sabotage, while giving BSP greater investigative powers and facilitating information sharing with law enforcement, both locally and across borders.
Mandatory shift to advanced authentication by 2026:
By June 2026, SMS and email OTPs must be phased out for high-risk transactions in favor of secure methods such as biometric authentication, passwordless logins, and risk-based adaptive multi-factor authentication.
Strategic opportunity for financial institutions:
Banks and financial services can rebuild customer trust, reduce losses from fraud, and stay ahead of global regulatory trends by adopting proactive and collaborative fraud prevention strategies.

The Philippines Anti-Financial Account Scamming Act (AFASA) brings granular detail to expectations on the industry to reduce consumer fraud and scam losses

In 2024, AFASA was introduced in response to the escalating prevalence of financial account scams in the Philippines. An incredible 42.3% of those within the country have been subject to scams. The rapid adoption of digital technologies, particularly in the financial services sector, has enabled cybercriminals to exploit vulnerabilities and target individuals and institutions alike. This trend has led to significant financial losses, eroding public trust in digital financial systems, and creating a need for robust legal frameworks to combat these criminal activities.

What is AFASA?

In 2022, Bangko Central ng Pilipinas (BSP) Circular 1140 [1] linked requirements for information technology risk management and fraud monitoring. This was a set of aggressive security measures to maintain consumer trust in digital financial channels. It includes the adoption of real-time monitoring, analysis of customer behavior, and the ability to block transactions.

In 2024, the AFASA and its associated implementing rules and regulations (IRRs) extended these requirements to safeguard the public from cybercriminals and syndicates exploiting financial accounts. AFASA also criminalized money muling, social engineering schemes, and economic sabotage. BSP also received additional powers to investigate scams and share information with law enforcement.

Under AFASA, financial services (bank and non-bank) businesses must have adequate risk management systems in place. This includes real-time detection for velocity transactions, geolocation monitoring, behavioral anomaly detection, and blacklist screening. Multi-factor authentication must also evolve from one-time-passwords (OTPs). Such improvements include biometrics, behavioral biometrics, adaptive authentication, and password-less methods. For customers, they must be able to have control of their digital finances through access to a kill switch, managing transaction limits, and receiving notifications about account activities.

While some of these features have become the standard in other parts of the Association of Southeast Asian Nations (ASEAN), not all countries have adopted the granular approach of the Philippines in mandating specific fraud monitoring capability as part of formal regulatory frameworks. The Philippines has also specified the time period to hold funds (30 days) and provided a liability framework for safe harbor and restitution. The country has also designated a central unit at BSP that can share information locally and seek cross-border enforcement for the proceeds of scams.

Why the change?

In addition to record consumer losses and diminished trust in the digital economy, criminals have also overcome traditional fraud controls, like OTPs.

With scams growing at exponential rates [2][3], any fraud control that seeks the customer’s agreement to a transaction renders these types of authentication near useless. This is because in the context of scams, customers generally do not recognize they will lose money at the time of the transaction.

Couple that with criminals’ ability to port numbers, swap SIMS, or engage in phishing attacks to intercept OTPs. It is clear that these SMS-generated authentication methods have become an outdated control.

Financial services businesses now need to use the digital channels data available to them about unusual access or changes in customer behavior. This equips financial services teams to better protect customers and reduce the impacts of fraud.

Fraud prevention in the Philippines from 2026

By June 2026, all BSP-supervised financial institutions must phase out SMS and email OTPs for high-risk transactions. This is part of BSP Circular 1213[4], 1214[5], and 1215[6]. In their place, banks must implement more secure and phishing-resistant authentication methods.

These include:

Biometric authentication – fingerprint authentication, facial recognition, etc.

Passwordless logins – asking a user to tap a link on an app within sixty seconds

Risk-based, adaptive multi-factor authentication – a security framework that assesses the risk level of a login attempt or transaction based on multiple contextual factors

They will also need to extend real-time monitoring to go beyond the basic rules to detect fraud, and be able to:

Identify velocity transactions

Monitor the geolocation of devices

Detect anomalies in customer behaviour

Screen against blacklists of known bad actors and associated details, like accounts

The BSP’s request is not a suggestion but a regulatory requirement. It acts as a clear signal that the era of outdated security is over. Sooner rather than later, other jurisdictions will follow suit in enhancing their security guidelines.

What BSP Circulars 1213, 1214, and 1215 mean for fraud teams

Moving away from SMS OTP is a technical shift, but it’s also a strategic one. And getting to a next-generation real-time monitoring that extends beyond transactions and analyzes other digital footprints allows fraud prevention teams to evolve from being reactive to providing proactive intelligence.

To stay effective, they must design flexible, risk-based authentication journeys and break down silos by fostering greater collaboration between fraud, identity, and digital experience teams. If done correctly, fraud prevention can be an organization’s first and strongest line of defense.

While some institutions in the Philippines may view BSP Circular 1213, 1214, and 1215 as more regulatory hurdles, they also offer opportunity. Banks can rebuild customer trust through seamless, secure experiences, reduce fraud losses from account takeovers and social engineering, and get ahead of global regulatory trends. Now is the time to redesign processes for a safer and more user-friendly future.

Ready to rethink fraud prevention?

Who still uses candles for everyday lighting when there are more efficient, safer methods of lighting available? As such, it’s time to move on from outdated technology like SMS OTPs. Yes, they might still work currently, but it will put your customers and your reputation at risk.

The Philippines is drawing a line in the sand. Now it’s up to fraud leaders globally to do the same.

We’d love to show you what smarter, adaptive fraud prevention looks like – and how bringing these risk signals into your central view of customers will support more efficient and risk-oriented workflows to protect customers and prevent financial crime

Get in touch to learn more about NetReveal Payment Fraud and our full financial crime prevention suite of products, including AI agents, AI overlays, and the award-winning Sensa Investigation Hub case management system.

Citations

[1] https://www.bsp.gov.ph/Regulations/Issuances/2022/1140.pdf

[2] https://www.gasa.org/post/2024-asia-scam-report-688-billion-lost

[3] https://www.unodc.org/roseap/uploads/documents/Publications/2025/Inflection_Point_2025.pdf

[4] https://www.bsp.gov.ph/Regulations/Published%20Issuances/Images/Circular_1213.pdf

[5] https://www.bsp.gov.ph/Regulations/Issuances/2025/1214.pdf

[6] https://www.bsp.gov.ph/Regulations/Issuances/2025/1215.pdf