Fintech

BSP Is Quietly Rewriting the Rules for Every Digital Bank and E-Wallet in the Philippines

3 min read

The Bangko Sentral ng Pilipinas has set a hard deadline of June 30, 2026 for every bank, e-money issuer, and payment operator it supervises to phase out SMS and email one-time passwords for high-risk transactions, part of a broader push to close fraud gaps that have plagued account-takeover and phishing schemes built specifically around intercepting text-message codes.

The same push extends to how money actually moves between institutions. New BSP rules are steering digital banks and e-wallets toward standardized payment rails, InstaPay and PESONet, rather than the proprietary shortcut integrations some institutions had built between themselves. Standardizing the rails makes fraud monitoring and transaction tracing more consistent across the system, even if it means some players lose whatever speed or cost advantage their custom integrations previously offered.

The licensed digital banking landscape is now six institutions deep: Tonik, Maya Bank, GoTyme Bank, UNO Digital Bank, UnionDigital Bank, and OFBank, the state-linked bank for overseas Filipino workers. Each must hold at least 1 billion pesos in minimum capital, and deposits are insured by the Philippine Deposit Insurance Corporation up to between 500,000 and 1,000,000 pesos per depositor. BSP reopened the digital bank license application window in 2025 after a three-year moratorium, opening four new slots for prospective entrants.

A separate, still-draft circular takes aim at rural banks rather than digital banks directly. It proposes capping the share of customers a rural bank can serve outside its designated physical service area at 30 percent; cross that threshold and BSP can reclassify the institution as a digital bank outright, which immediately triggers the same 1 billion peso capital requirement on a one-year deadline. For small rural lenders that simply want to offer mobile banking to their existing customer base without becoming a full digital bank, industry groups have pushed back on the rule as disproportionately blunt.

Taken together, the OTP phase-out, the rails standardization, and the rural bank reclassification threat point to a central bank trying to close structural security and classification gaps before they harden into systemic risk. The cost of that tightening, inevitably, falls hardest on smaller players that can’t absorb compliance spending as easily as GCash or Maya can.

The OTP phase-out in particular targets a well-understood fraud pattern. SMS and email-based one-time passwords have long been vulnerable to SIM-swap fraud and phishing schemes that intercept the code before the legitimate account holder can use it, a weakness fraud investigators across the region have flagged for years as digital banking adoption climbed. Not everyone in the industry is comfortable with how BSP is sequencing the broader reform push, however; some industry voices have publicly urged the central bank to recalibrate elements of its digital banking rules, arguing that compressed compliance timelines risk penalizing smaller, well-intentioned institutions more than the fraud rings the rules are meant to stop.

How BSP balances that tension, moving fast enough to close real security gaps without pricing smaller rural lenders out of digital banking altogether, will likely shape how quickly financial inclusion spreads beyond the metro areas that already have it.

BSP digital banking fintech regulation Philippines

Share this article

Share on X Share on LinkedIn Share on Facebook

Related Articles

Newsletter

By subscribing, you agree to our Privacy Policy.