The Bangko Sentral ng Pilipinas (BSP) has issued new rules under the Anti-Financial Account Scamming Act (AFASA), requiring banks and financial institutions to overhaul their fraud management and authentication systems by June 2026.
Banks in the Philippines have traditionally relied on legacy means of authentication, and the organic adoption of modern methods, such as passkeys or mobile authentication, was slow despite the rising fraud rate.
The financial damage has become substantial and, if left unchecked, might even pose an existential threat to a bank and a systemic problem for the Philippine financial market. This is why market leaders with large customer bases will be motivated to go beyond compliance and become truly secure.
This latest development allows banks to use regulation as a driver to modernise authentication and leap directly into the post-quantum era.
Meeting BSP Circular No. 1213 Requirements
Wultra's product portfolio has been designed to meet the security challenges, authentication needs, and regulatory requirements for European and Asian financial institutions. It complies with the highest security standards and allows smooth integration into the banking environment.
We help banks align the regulatory requirements with a user-friendly experience by providing:
1. Strong Customer Authentication (SCA)
The mobile-first authentication platform provides fast and secure access with passwordless multi-factor authentication based on future-proof, post-quantum cryptography (PQC). Users authenticate via biometry or a secure financial-grade PIN code. In addition, we secure high-value transactions or transactions flagged by Fraud Detection Systems with advanced facial biometry. As an alternative, our authentication platform includes FIDO2 HW Authenticator and Passkeys.
Our solution ensures every notification and approval is tied to the exact transaction details: payee, amount, currency, date, type, and reference. Customers see this information clearly on the mobile device before confirming with PIN or biometrics, which aligns with the “what you see is what you sign” principle. Unlike generic OTPs, which can be intercepted or misused, our approach delivers personalised, real-time notifications that empower users to verify legitimacy and stop fraud.
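The binding of an approval to the exact transaction details can be illustrated with a short sketch. This is an added example, not Wultra's code: the function names are hypothetical, the sample transaction is constructed, and HMAC-SHA256 with a key shared at activation stands in for the platform's actual cryptography.

```python
import hashlib
import hmac
import json
import secrets

# Fields the text says every approval is tied to.
SIGNED_FIELDS = ("payee", "amount", "currency", "date", "type", "reference")


def canonical_bytes(tx: dict, challenge: str) -> bytes:
    """Serialize exactly the signed fields in a fixed form, plus a server challenge."""
    missing = [f for f in SIGNED_FIELDS if f not in tx]
    if missing:
        raise ValueError(f"transaction is missing signed fields: {missing}")
    payload = {f: str(tx[f]) for f in SIGNED_FIELDS}
    payload["challenge"] = challenge  # one-time value, so an old approval cannot be replayed
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def approve_on_device(device_key: bytes, displayed_tx: dict, challenge: str) -> str:
    """Device side: sign what was shown to the user (HMAC is an assumed stand-in)."""
    msg = canonical_bytes(displayed_tx, challenge)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_on_server(device_key: bytes, executed_tx: dict, challenge: str, approval: str) -> bool:
    """Server side: accept only if the approval covers the transaction about to execute."""
    msg = canonical_bytes(executed_tx, challenge)
    expected = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval)


def demo() -> dict:
    device_key = secrets.token_bytes(32)  # constructed key for this sketch
    challenge = secrets.token_hex(16)
    shown = {"payee": "ACME Utilities", "amount": "1500.00", "currency": "PHP",
             "date": "2026-01-15", "type": "transfer", "reference": "INV-0001"}  # constructed
    approval = approve_on_device(device_key, shown, challenge)
    altered = dict(shown, payee="Unknown Recipient", amount="150000.00")
    return {
        "same_transaction": verify_on_server(device_key, shown, challenge, approval),
        "altered_transaction": verify_on_server(device_key, altered, challenge, approval),
        "new_challenge": verify_on_server(device_key, shown, secrets.token_hex(16), approval),
    }


if __name__ == "__main__":
    print(demo())
```

A generic OTP would pass all three checks, because it carries no information about the payee, amount, or session it was issued for.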
2. Cryptographic Device Binding
During the activation process, the mobile device is cryptographically bound to the customer’s identity, ensuring that only trusted devices can be used for authentication and transactions. This prevents spoofing or device identity cloning and enables seamless management of registered devices. The bank and the user can instantly deactivate a device through a kill switch, blocking unauthorised access and preventing fraudulent device changes or activation attempts.
3. Secure Customer Notifications
Our platform can deliver customer notifications for account activities and financial transactions through real-time push notifications to the mobile app on the registered device to meet the regulatory requirements on properly informing the user about legitimate or suspicious activity.
4. Real-Time Fraud Detection and Behaviour Monitoring
Many financial organisations worldwide use fraud detection systems to consume data feeds from the mobile in-app protection solution and then use the inputs during real-time transaction monitoring. The in-app protection proactively identifies potential threats and provides robust runtime application self-protection (RASP) to ensure mobile devices remain secure against various malicious attacks.
5. Malware and Tampering Detection
The built-in anti-malware feature guards mobile banking against tampering, code injection, screen readers, keyloggers, and malware, and detects root/jailbreak, emulators, or VPN connections. Identified threats can be propagated to the bank fraud detection or SIEM systems and analysed on the dashboards in the management servers. All features are listed on our developer portal for Android and iOS.
6. Auditability and Compliance
Wultra ensures that every authentication and transaction event is captured in a tamper-resistant audit log, providing a trustworthy record of customer activity. Logs include all critical details such as sender and recipient accounts, transaction amounts and currency, timestamps, authentication method used, device and network information, and non-financial events like account or device changes. This comprehensive record enables banks to perform thorough investigations, coordinated verification, and analysis of fraudulent patterns.
Post-Quantum Authentication: From Optional to Inevitable
The coming quantum threat may sound distant, but the countdown has already begun. In mid-2024, NIST published the first post-quantum cryptography (PQC) standards to replace RSA and ECC, algorithms that will be broken once quantum computing matures, with forecasts pointing to as early as 2029.
For the first time, Gartner® has included postquantum authentication (PQA) in its "Hype Cycle for Digital Identity, 2025", rating its benefit as High but noting that market penetration is still under 1%. The analysts warn:
“By 2029, advances in quantum computing will weaken and break the conventional asymmetric cryptography that underpins many authentication methods.”
Banks in the Philippines can now skip “short-term fixes” and move directly into an authentication solution built with PQC and crypto-agility, proving to customers, partners, and regulators that security is not just compliance but a strategic advantage.
Comparing Legacy MFA with PQA

Wultra’s Role in Securing the Future
Wultra enables Philippine banks to move directly into Post-Quantum Authentication (PQA), which addresses today’s BSP compliance requirements while preparing for tomorrow’s quantum threats. Built on NIST-approved PQC algorithms, our platform protects logins, transactions, and approvals not only from current cyberattacks but also from the quantum breakthroughs expected later this decade.
Already trusted by banks and fintechs in over 20 countries, Wultra delivers:

Leaping Beyond Just Compliance
While the BSP regulation primarily presents additional compliance requirements, the banks that approach the new challenge proactively may benefit from an unexpected technology windfall. By leaping forward directly to future-proof PQA for authentication, the banks will also:
- Avoid unnecessary investment in obsolete solutions.
- Win customer trust by visibly leading in security.
- Stay ahead of global standards already shaping up in APEC, the US, and the EU.
The banks that act now and embrace the opportunity will win over the market by building resilience, fortifying customer trust, and gaining a competitive edge in post-quantum readiness.