BSP wants banks to use server-side biometrics to combat financial fraud

THE Bangko Sentral ng Pilipinas (BSP) wants to require banks to enforce server-side biometric authentication to verify users and secure customer-initiated transactions amid rising financial fraud risks.

In a draft circular, the central bank said the system would cover high-risk transactions and major account changes in digital financial applications.

The move aligns with a circular issued last year under the Anti-Financial Account Scamming Act, which requires BSP-supervised institutions to deploy robust fraud management and customer authentication systems.

These measures include automated real-time monitoring, transaction velocity checks, geolocation tracking and blacklist screening to flag disputed, suspicious or fraudulent transactions.

“Server-side biometric authentication is considered a strong and acceptable authentication mechanism for high-risk transactions and critical account changes in electronic financial applications, provided that the risks associated with its implementation are adequately addressed and sound practices or minimum control requirements are adopted,” according to a copy of the draft circular.

The BSP added that adopting biometric authentication would factor into evaluations of whether banks maintain adequate risk management systems and could influence liability under the law.

Once implemented, institutions are expected to phase out interceptable methods like one-time pins (OTP) via text or e-mail, though OTPs may still verify a registered mobile number linked to transactions.

The draft also orders banks to secure all collected, stored and processed data, implement robust authentication controls, and ensure human oversight of flagged cases to strengthen audit and compliance.

The central bank noted that while server-side biometrics enhance verification, they introduce heightened security, operational and privacy risks.

“BSP-supervised financial institutions remain responsible for ensuring that their authentication frameworks are commensurate with their risk profile,” it said.

It added that they could still use stronger or equivalent authentication methods and follow existing security rules to protect customers from scams and digital fraud.

Under previous guidance, lenders were given until June 25 to upgrade fraud management systems and six months to revise risk management frameworks.

The regulation targets banks with complex electronic products handling high transaction volumes, specifically those averaging at least P75 million in monthly online transactions over six months.

Central bank officials confirmed earlier this year that the deadline remains firm despite requests from several banks for extensions. — Katherine K. Chan