Executive Summary

Driven by the need to enhance the security of digital transactions and to help protect customers’ interests, the Bangko Sentral ng Pilipinas (BSP) has released Circular No. 1213, establishing updated guidelines for adopting a robust Fraud Management System (FMS) capable of rapidly detecting, preventing, and blocking disputed, suspicious, or otherwise fraudulent transactions, including new and evolving fraud schemes.

In this circular, the BSP strongly encourages financial institutions to move away from SMS-based one-time passwords (OTPs) in favor of more secure, modern authentication methods. Although not explicitly banned, SMS OTPs are now considered insufficient on their own due to vulnerabilities such as interception and social engineering attacks. This aligns with long-standing concerns from global standards bodies, including the National Institute of Standards and Technology (NIST), which deprecated SMS-based OTPs as early as 2016.

According to 1Kosmos, this regulatory shift opens the door for stronger identity-proofing and access-control solutions such as biometric authentication, multi-factor authentication (MFA), and passwordless login methods. These technologies represent a forward-looking approach designed to strengthen security while enhancing the overall customer experience. The BSP’s updated framework is intended to not only reinforce trust in digital banking, but also ensure regulatory compliance and foster innovation without compromising risk management.

1Kosmos is well-positioned to help financial institutions meet these evolving requirements. With its privacy-by-design platform, 1Kosmos delivers verified identity assurance, enables users to control their personally identifiable information (PII), and supports seamless, secure, and passwordless access to digital services. It also acts as a universal authenticator for legacy applications and provides built-in multi-factor authentication, used millions of times daily across enterprises, financial institutions, and government entities worldwide.

Notably, the BSP’s new guidelines apply in full to institutions handling over ₱75 million in monthly digital transactions or those offering more complex digital services.

These entities are now expected to adopt real-time, risk-based fraud detection systems, including:

  • Behavioral anomaly detection and transaction monitoring
  • Geolocation and device fingerprinting
  • Real-time validation of account and device changes
  • Blacklist screening and transaction velocity checks

For smaller or less complex institutions such as thrift and rural banks, the BSP allows a tiered approach to implementation, proportionate to their operational scale and risk exposure.

In addition to regulatory expectations, these measures align with the broader provisions of the Anti-Financial Account Scamming Act (AFASA), which holds financial institutions accountable for safeguarding customer accounts. Failing to adopt appropriate authentication and fraud controls could result in administrative or civil penalties, especially in cases of avoidable customer loss.

By implementing secure, user-centric technologies like those provided by 1Kosmos, institutions can not only comply with BSP Circular No. 1213 but also significantly reduce fraud, increase customer satisfaction, and strengthen their digital trust posture.

BSP’s Framework

The BSP’s updated framework, as detailed in Appendix 79/Q-66, outlines specific guidance on the adoption of multi-factor authentication (MFA) across digital financial services. Institutions offering complex digital products or processing high volumes of online transactions are now expected to implement robust authentication protocols to maintain the integrity of customer-initiated activities. The framework highlights the following mechanisms:

  • Biometric authentication, which enhances both convenience and security by using unique, hard-to-replicate physical traits such as fingerprints, facial recognition, or voice patterns.
  • Behavioral biometrics, which monitor unique user behaviors like typing rhythm, screen interaction, and device usage patterns to detect anomalies. This approach supports continuous authentication and integrates well with fraud detection systems.
  • Passwordless authentication, which removes the reliance on traditional passwords by using secure alternatives such as biometric identifiers, physical tokens, or cryptographic credentials. One widely accepted standard is FIDO (Fast Identity Online), which enables login through passkeys, secure hardware keys or biometric input.
  • Adaptive authentication, which dynamically evaluates contextual factors such as user location, device characteristics, and usage behavior. Based on perceived risk, it can escalate verification requirements or trigger preemptive security measures.

These mechanisms reflect the BSP’s risk-based approach to digital security, prioritizing solutions that are both user-centric and resilient against fraud. Institutions adopting such technologies will not only enhance customer protection but also future-proof their digital platforms in compliance with the latest regulatory standards.

The 1Kosmos Platform

The 1Kosmos platform is well-positioned to address the BSP’s guidelines on alternative authentication mechanisms for digital payment transactions. Below is a detailed summary.

BSP Requirement: Implement automated and real-time fraud monitoring and detection systems
1Kosmos Capability: Continuous risk evaluation via deterministic policy engine with real-time behavioral analysis, session metadata monitoring, and integration with third-party risk engines for advanced fraud detection

BSP Requirement: Mobile device and account information changes
1Kosmos Capability: Enhanced SDK-driven detection with real-time monitoring of SIM swap, device replacement, profile updates, and account changes that trigger immediate access restriction policies and admin notifications

BSP Requirement: Geolocation monitoring
1Kosmos Capability: Advanced geo-fencing with configurable radius-based restrictions, IP geolocation validation, and out-of-pattern location alerts during login or transaction flows

BSP Requirement: Blacklist screening
1Kosmos Capability: Real-time integration with global threat intelligence feeds to block known malicious IPs, compromised devices, and fraudulent identifiers at authentication time with automatic updates

BSP Requirement: Behavioural anomaly detection
1Kosmos Capability: Enhanced session metadata analysis including keystroke dynamics, navigation patterns, and device behaviour

BSP Requirement: 24-hour Transaction Pause Period (TPP) after key account changes
1Kosmos Capability: Configurable cooldown periods enforced by policy engine for transactions following profile changes, device updates, or credential modifications with customizable duration settings

BSP Requirement: Restriction on unsecured devices (rooted, jailbroken, emulators)
1Kosmos Capability: Comprehensive mobile SDK with enhanced device integrity assessment, jailbreak/root detection, emulator identification, and prevention of installation or use on compromised environments

BSP Requirement: Prohibition of unauthorized scripts or automation tools
1Kosmos Capability: Advanced session fingerprinting with bot detection, headless browser identification, automated script blocking, and rate limiting to prevent unauthorized automation tools

BSP Requirement: Proper authentication and integrity checks
1Kosmos Capability: FIDO2 certified public-key cryptography with hardware security module integration ensuring end-to-end transaction integrity, non-repudiation, and tamper-evident authentication

BSP Requirement: Adoption of strong device fingerprinting
1Kosmos Capability: Multi-dimensional device profiling collecting hardware signatures, OS fingerprints, browser attributes, network characteristics, and behavioral patterns to build tamper-resistant device profiles

BSP Requirement: Limitation on interceptable OTPs (SMS/email)
1Kosmos Capability: Complete elimination of OTP dependency through FIDO2 passkeys, hardware-backed biometric authentication, liveness facial authentication and cryptographic proof of possession, eliminating SMS/email vulnerabilities

BSP Requirement: Multi-factor authentication (MFA) including biometric, passwordless, adaptive
1Kosmos Capability: Comprehensive passwordless MFA supporting Face ID, Touch ID, LiveID biometric authentication, FIDO2 tokens, adaptive step-up policies, and contextual authentication based on risk assessment

BSP Requirement: Descriptive real-time customer notifications
1Kosmos Capability: Real-time secure notifications via in-app push, email, and SMS channels with detailed transaction metadata including payee information, amounts, timestamps, device details, and location data

BSP Requirement: Recipient identity verification for fund transfers
1Kosmos Capability: Pre-transaction identity verification via eKYC workflows, government document validation, biometric binding, liveness detection, and credential verification against issuing authorities

BSP Requirement: Revocation of access for devices, merchants, third parties
1Kosmos Capability: Centralized management console with comprehensive device registry, API token management, third-party authorization tracking, and granular revocation capabilities for all connected services

BSP Requirement: Secure onboarding and digital account linking
1Kosmos Capability: Enhanced eKYC document verification, selfie-to-ID matching, advanced liveness detection, and multi-country document support (190+ countries)

BSP Requirement: Collection and protection of transaction logs against unauthorized manipulation
1Kosmos Capability: Immutable blockchain-backed audit trail with cryptographic integrity capturing comprehensive device metadata, session details, transaction logs, and user activities, making it tamper-proof

BSP Requirement: Restriction on unsolicited links or QR codes
1Kosmos Capability: Secure actionable link generation requiring authenticated user consent, contextual QR code implementation within app environment, and protection against unsolicited external links

The 1Kosmos platform is flexible, allowing service providers and their users to choose the authentication method that best suits their needs, thereby increasing the adoption of digital payments while maintaining high security standards with minimal friction to the user experience.

The platform is attested at Authentication Assurance Levels 1, 2, and 3 as per the NIST 800-63 standards. This allows 1Kosmos to enforce multiple factors of authentication via various authentication methods in a single platform.

It also leverages adaptive authentication to adjust the required factors based on risk signals, ensures secure transmission and storage of authentication data, and provides convenient user management and recovery options. This approach helps to protect against unauthorized access while maintaining a user-friendly experience.

1Kosmos customers leverage this flexibility in multiple ways; a global banking customer’s deployment is one example.

Risk-Based Authentication Privacy

The BSP circular recommends a risk-based approach to determine the appropriate AFA for a transaction. The 1Kosmos platform continuously assesses risk levels associated with each transaction or login attempt based on several factors such as user behavior, device, location, and time.

This dynamic assessment allows the system to adjust authentication requirements in real-time. The system collects and analyzes risk signals, which might include unusual login locations, changes in user behavior, high-value transactions, or access attempts from unfamiliar devices.

Based on the risk assessment, 1Kosmos adapts the authentication process. For elevated-risk or high-value activities, it might require additional verification steps, such as biometric authentication, multi-factor authentication (MFA), or additional identity proofs. For low-risk activities, it may streamline the process with fewer steps.
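As an added illustration (not 1Kosmos code), the Python policy engine below combines the risk signals described above with the 24-hour Transaction Pause Period and velocity checks from the BSP requirements table into an allow / step-up / block decision for a fund transfer; the thresholds, signal names and the constructed scenarios in `demo()` are assumptions, not values from the circular.

```python
"""Risk-based step-up policy for a digital payment, using the controls this
whitepaper lists: velocity, geolocation, unfamiliar device, high value and the
24-hour Transaction Pause Period (TPP). Thresholds and names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

TPP = timedelta(hours=24)                # BSP Transaction Pause Period
HIGH_VALUE_PHP = 50_000                  # assumed step-up threshold
VELOCITY_WINDOW = timedelta(minutes=10)  # assumed velocity window
VELOCITY_MAX = 3                         # assumed transfers allowed per window

@dataclass
class Account:
    home_country: str
    known_devices: Set[str]                      # fingerprints bound at enrolment
    last_key_change: Optional[datetime] = None   # profile/device/credential change
    recent_transfers: List[datetime] = field(default_factory=list)

@dataclass
class Transfer:
    amount_php: int
    country: str      # from IP geolocation or device GPS
    device_id: str    # device fingerprint presented with the request
    at: datetime

def risk_signals(acct: Account, tx: Transfer) -> List[str]:
    """Collect every risk signal the transfer triggers, in a fixed order."""
    signals = []
    if acct.last_key_change and tx.at - acct.last_key_change < TPP:
        signals.append("within_tpp")
    if tx.device_id not in acct.known_devices:
        signals.append("unfamiliar_device")
    if tx.country != acct.home_country:
        signals.append("out_of_pattern_location")
    if tx.amount_php >= HIGH_VALUE_PHP:
        signals.append("high_value")
    if sum(tx.at - t <= VELOCITY_WINDOW for t in acct.recent_transfers) >= VELOCITY_MAX:
        signals.append("velocity_exceeded")
    return signals

def decide(acct: Account, tx: Transfer) -> Tuple[str, List[str]]:
    """block: hard policy (TPP, velocity); step_up: re-verify with a stronger
    factor such as liveness biometrics; allow: no signal fired."""
    signals = risk_signals(acct, tx)
    if "within_tpp" in signals or "velocity_exceeded" in signals:
        return "block", signals
    return ("step_up" if signals else "allow"), signals

def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed scenarios (not customer data) exercising each decision path."""
    now = datetime(2025, 1, 15, 10, 0)
    acct = Account("PH", {"dev-A"})
    paused = Account("PH", {"dev-A"}, last_key_change=now - timedelta(hours=2))
    burst = Account("PH", {"dev-A"},
                    recent_transfers=[now - timedelta(minutes=m) for m in (1, 4, 8)])
    return {
        "routine": decide(acct, Transfer(2_000, "PH", "dev-A", now)),
        "new_device": decide(acct, Transfer(80_000, "PH", "dev-B", now)),
        "tpp": decide(paused, Transfer(2_000, "PH", "dev-A", now)),
        "velocity": decide(burst, Transfer(2_000, "PH", "dev-A", now)),
    }
```

The signal list returned alongside each decision is what a real engine would write to the audit trail and surface in the customer notification, so the reason for a step-up or block is reviewable later.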

As an example, a 1Kosmos banking customer leverages facial liveness authentication to authenticate digital payments, proving that the user is a live, real person.

Customer Consent and Deregistration

The BSP circular requires explicit customer consent before implementing any new authentication method and provides the option for customers to deregister from any method.

The 1Kosmos platform ensures compliance with this requirement by:

  • Ensuring that users provide explicit consent before any identity-related data is collected or used. This is typically managed through user interfaces where consent is obtained through affirmative actions, such as checking a box or clicking a consent button.
  • Giving users control over the specific information they are sharing and with whom. The system allows for detailed permission settings, giving users the ability to grant or revoke access to their personal data as needed.
  • One of the most unique differentiators that 1Kosmos offers to its customers is its privacy-by-design architecture, which utilizes a private, permissioned ledger (also known as a private blockchain) to create immutable audit trails of all consent actions. This means that once consent is given or revoked, the record of this action is permanently stored and cannot be altered, providing a clear and verifiable history of user permissions.

Real-Time Transaction Alerts

The BSP guidelines mandate near real-time alerts for all eligible digital payment transactions. The 1Kosmos platform supports this requirement by:

  • Providing real-time notifications for all transactions, ensuring that customers are immediately aware of any activity on their accounts.
  • Offering customizable alert settings, allowing users to choose how they receive notifications (e.g., SMS, email, push notifications).

1Kosmos Platform Helps Meet Privacy Standards

Additionally, the 1Kosmos platform architecture has privacy by design built in, which emphasizes the protection of personal data, ensuring data privacy and security and minimizing data breaches. The 1Kosmos solution can significantly aid in compliance with the Data Privacy Act of 2012 by offering more secure and user-friendly ways to verify identity without traditional passwords, which are a common point of vulnerability. Specifically, the following benefits accrue on its implementation:

Enhanced Security: Passwords are susceptible to breaches, phishing, and other attacks. The diverse and flexible methods (e.g., biometrics, device-based authentication, and one-time codes) offered by 1Kosmos reduce the risk of unauthorized access, aligning with local privacy requirements for strong data protection.

Data Minimization: The Data Privacy Act of 2012 encourages minimizing data collected, used, and retained. Passwordless systems often reduce or eliminate the need to store password data, which reduces the volume of sensitive information the organization must protect.

Compliance: 1Kosmos adheres to industry standards and certifications such as NIST 800-63-3 for identity proofing and access management, FIDO2 for passwordless authentication, and iBeta for biometric authentication.

Privacy by Design: The state-of-the-art approach of the 1Kosmos solution aligns with the compliance requirement for “privacy by design.” This approach inherently reduces the data footprint and enhances user security, because privacy is built into the authentication mechanism from the start.

Improved User Control and Transparency: The reliable mechanisms, particularly those that use biometrics or device-based factors, help comply with the Data Privacy Act of 2012’s emphasis on user rights by giving individuals more control over their data (e.g., biometric data stored locally on their device rather than on a central server).

Reduced Risk of Data Breaches: With fewer stored passwords, the organization’s risk of exposure from data breaches decreases, which helps in meeting the Data Privacy Act of 2012 requirements for data security and breach reporting standards.

Conclusion

The 1Kosmos platform is well-equipped to address the BSP’s guidelines on alternative authentication mechanisms for digital payment transactions. By offering robust, dynamic, and diverse authentication methods, 1Kosmos enhances security while maintaining user convenience. The platform’s risk-based approach, customer consent mechanisms, and real-time transaction alerts further align with the BSP’s requirements. Additionally, 1Kosmos’ commitment to compliance and standardization ensures that its solutions are secure, interoperable, and reliable, making it an ideal choice for issuers looking to meet the BSP’s guidelines.