regulation
Multi-factor authentication
Banking
SMS one-time-password

June 2025 SMS OTP regulatory updates: Banking's global shift to secure authentication

Ashutosh Bhadauriya
July 4, 2025

Central banks across multiple countries are cracking down on SMS one-time passwords. What banks have relied on for years is now being actively banned or restricted by regulators who recognize the security flaws that make these codes vulnerable to fraud.

In just the past few months, we've seen binding directives from the Philippines, new deadlines from the UAE, and evolving guidance from the EU. SMS OTPs are becoming a compliance liability rather than a security asset.

Here are the latest regulatory updates that every financial institution should be aware of:

The Philippines: BSP issues binding circular

The most recent regulatory development comes from the Philippines, where the Bangko Sentral ng Pilipinas (BSP) issued Circular No. 1213 in June 2025. This is no longer guidance; it is a binding order that requires banks to fundamentally change their authentication practices.

The circular orders banks to "limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction." This directly targets SMS and email OTPs, which the BSP now considers inherently vulnerable to social engineering attacks.

BSP Deputy Governor Elmore Capule has been clear about the central bank's position: "You know how technology is. If you say that what we have right now is efficient, then by next week or next year, it may no longer be."

The regulation is particularly strict for digital banks, requiring them to implement "stronger authentication processes" including:

  • Biometric authentication
  • Behavioral biometrics
  • Passwordless auth systems
  • Hardware tokens and cryptographic keys

While smaller rural and thrift banks may still use OTPs temporarily, the BSP is pushing the entire industry toward more secure alternatives. The central bank acknowledges the costs involved and is "giving them sufficient time," but the direction is clear.

UAE: Central Bank sets March 2026 deadline

The Central Bank of the UAE issued its directive in June 2025, giving financial institutions until March 2026 to eliminate SMS and email OTPs. This is one of the most aggressive timelines for SMS OTP elimination anywhere.

The directive requires banks to adopt:

  • Emirates face recognition technology
  • Soft tokens and biometric verification
  • Real-time fraud monitoring systems
  • Secure app-based authentication

The urgency is driven by alarming fraud statistics. Scams and fraud in the UAE have grown by 43% year-over-year, with over 40,000 people falling victim to scams in 2023 alone, losing an average of $2,194 each.

The challenge for UAE banks is significant. Many still rely on legacy systems built around OTP infrastructure. Upgrading to support cryptographic tokens, biometric authentication, and secure digital verification requires substantial investment. Leading institutions like Emirates NBD, ADIB, and FAB have already made the transition, but industry-wide compliance by March 2026 will test the sector's adaptability.

EU: PSD2 framework evolution

The European Union's approach under PSD2 (Payment Services Directive 2) continues to evolve. While SMS OTPs aren't completely banned, the regulatory environment is increasingly restrictive and discouraging their use.

The European Banking Authority (EBA) has made clear that SMS OTPs face significant limitations:

  • An SMS OTP counts only as evidence of possession (of the SIM card); it cannot serve as a knowledge or inherence element, so a second, different factor is always required alongside it
  • For payments, the RTS on strong customer authentication requires dynamic linking: the authentication code must be specific to the amount and payee the payer was shown, and the confidentiality and integrity of those details must be protected throughout authentication, which a plaintext SMS carried over the mobile network cannot guarantee
  • The inherent weaknesses of SMS infrastructure fall short of what strong customer authentication is meant to deliver

The EU is actively promoting stronger authentication methods. The European Commission now supports passkeys for EU Login, demonstrating institutional commitment to phishing-resistant authentication. Additionally, ENISA's NIS2 technical guidance emphasizes the importance of robust authentication mechanisms for critical infrastructure.

Most EU financial institutions are proactively moving toward:

  • FIDO2-based passkeys
  • Biometric authentication within mobile apps
  • Hardware security keys
  • Behavioral analytics

While technically compliant in limited scenarios, SMS OTPs are becoming a liability rather than an asset for EU banks focused on regulatory adherence and customer security.
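
The dynamic-linking requirement above is easier to see in code. The following is an added example, not Authsignal's product or any bank's or regulator's scheme: a code computed as an HMAC over the amount and payee the payer was shown (plus a per-transaction challenge) is accepted only for that exact transaction, whereas a plain SMS OTP is a random number that authorises whatever transaction is queued behind it. The key storage, code length and serialisation format are assumptions made for illustration; the IBANs are constructed sample data.

```python
"""Dynamic linking versus a plain OTP (added illustration, not vendor code)."""
import hashlib
import hmac
import json
import secrets
from decimal import Decimal

DIGITS = 8  # assumed code length for this example


def canonical_transaction(amount: str, currency: str, payee_iban: str) -> bytes:
    """Serialise exactly what the payer was shown, in one fixed form.

    Normalising the amount and IBAN means "10.5" and "10.50", or an IBAN with
    and without spaces, yield the same code, while any real change does not.
    """
    amt = str(Decimal(amount).quantize(Decimal("0.01")))
    payload = {"amount": amt, "currency": currency,
               "payee": payee_iban.replace(" ", "").upper()}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def dynamic_code(device_key: bytes, challenge: bytes, amount: str,
                 currency: str, payee_iban: str) -> str:
    """Code specific to this amount and payee.

    device_key is assumed to live on the user's enrolled device (secure
    element or keystore); the server holds its own copy or a verifying key.
    """
    msg = challenge + canonical_transaction(amount, currency, payee_iban)
    tag = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


def verify_dynamic(device_key: bytes, challenge: bytes, amount: str,
                   currency: str, payee_iban: str, code: str) -> bool:
    """Recompute the code for the transaction actually being executed."""
    expected = dynamic_code(device_key, challenge, amount, currency, payee_iban)
    return hmac.compare_digest(expected, code)


def plain_sms_otp() -> str:
    """What a typical SMS OTP is: a random number bound to no transaction."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_plain(issued: str, submitted: str, amount: str, currency: str,
                 payee_iban: str) -> bool:
    """The transaction fields are accepted only to make the point: a plain
    OTP check has no way to use them, so any queued transaction passes."""
    return hmac.compare_digest(issued, submitted)


def demo() -> dict:
    """Run both schemes against a transaction the payer saw and a tampered one."""
    key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(16)
    shown = ("10.50", "EUR", "DE89 3704 0044 0532 0130 00")      # constructed
    tampered = ("9500.00", "EUR", "DE89370400440532013099")      # constructed

    code = dynamic_code(key, challenge, *shown)
    plain = plain_sms_otp()
    return {
        "dynamic_ok_for_shown": verify_dynamic(key, challenge, *shown, code),
        "dynamic_ok_for_tampered": verify_dynamic(key, challenge, *tampered, code),
        "plain_ok_for_tampered": verify_plain(plain, plain, *tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `canonical_transaction` is that the bytes under the MAC must be exactly the amount and payee displayed to the user; if the server MACs its internal representation while the app displays something else, the "linking" is to a value the payer never approved.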

Why SMS OTPs are failing

The reasons for this global shift are clear and compelling:

Security vulnerabilities: SMS codes can be captured without the user's knowledge. SIM swapping moves the victim's number to an attacker's SIM, malware on the handset reads incoming messages, and social engineering simply persuades the victim to read the code out over the phone. Scammers have built tooling and playbooks around all three.

Phishing attacks: Criminals build fake banking sites that closely resemble legitimate ones and trick users into entering their OTPs. Because the OTP is just a number the user types, the phishing site can relay it to the real bank within its validity window; nothing binds the code to the site the user is actually on. These attacks have become increasingly sophisticated and successful.

Technical limitations: The SMS infrastructure relies on older protocols that weren't designed with modern security threats in mind. The SS7 signalling protocol, for instance, has well-known flaws that let anyone with access to the signalling network reroute a subscriber's messages.

Cost inefficiency: SMS OTPs are expensive and unreliable. Banks pay for each SMS sent, with costs ranging from $0.01 to $0.10 per message depending on the region. Worse, delivery rates are often poor: reported figures put 10-15% of SMS OTPs as never reaching users because of network congestion, carrier filtering, or device issues. Banks pay for the failed deliveries, and customers are left stuck at the authentication step. One partner reported that 12% of their OTPs never reached users, which gives a sense of the scale of this inefficiency.

The alternatives taking over

Banks worldwide are adopting several alternative authentication methods:

Biometric authentication: Fingerprint, facial recognition, and voice authentication provide strong security tied to individual users. On modern phones the biometric unlocks a key held in the device's secure hardware; the biometric template itself never leaves the device.

App-based digital tokens: Secure codes generated within banking apps, typically time-based (TOTP, RFC 6238) from a secret provisioned at enrolment, provide better security than SMS because nothing crosses the carrier network.

WhatsApp and messaging app OTPs: Some institutions are exploring the WhatsApp Business API and other messaging platforms for OTP delivery. These alternatives offer better delivery rates and lower costs (often 50-70% cheaper than SMS), and end-to-end encryption protects the code in transit, which closes off SS7-style interception. The code is still a shared secret, though: it can be phished or talked out of the user exactly like an SMS code, and takeover of the messaging account itself remains a risk.

Push notifications: Instead of sending codes, banks send push notifications that users can approve or deny directly in their banking apps. The prompt should show the transaction details or require number matching; a bare approve/deny button invites "push fatigue" attacks where the user is bombarded until one prompt is approved.

Behavioral analytics: Systems that analyze user behavior patterns, such as typing speed and device handling, provide a risk signal throughout the session rather than a single check at login.

FIDO2/WebAuthn standards: Passkeys and hardware security keys offer phishing-resistant authentication that's both secure and user-friendly, because the signed response is bound to the origin the browser actually visited.
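
To show what an app-based token actually computes, here is a TOTP generator and verifier written for this article; it is an added example, not Authsignal's or any bank's implementation. The secret is the RFC 6238 Appendix B test vector, not a real key, and the replay and drift handling in `verify_totp` is the practitioner's usual approach rather than anything mandated by the RFC.

```python
"""Time-based one-time password per RFC 6238 (added example, not vendor code)."""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret for HMAC-SHA1 (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1,
                last_used_step: int = -1):
    """Check a submitted code against the current step and +/- `window`
    neighbours to tolerate clock drift, but never accept a step at or before
    the one already consumed, so a captured code cannot be replayed.

    Returns (ok, last_used_step_to_store).
    """
    current = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        step = current + delta
        if step <= last_used_step:
            continue
        candidate = totp(secret, step * STEP_SECONDS, len(submitted))
        if hmac.compare_digest(candidate, submitted):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    print("current code:", totp(TEST_SECRET, int(time.time())))
```

Two things to verify in any real deployment: the server's clock is disciplined (drift beyond `window` steps locks every user out), and the last accepted step is stored per user so that a code observed over the victim's shoulder cannot be submitted a second time within its 30-second life.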
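
The phishing resistance claimed above, and the contrast with the relayable OTP described under "Phishing attacks", comes down to a few relying-party checks. The following is an added example written for this article, not Authsignal's or any WebAuthn library's code. The browser fills in `clientDataJSON.origin` with the site the user actually visited, and the authenticator prefixes its output with SHA-256 of the RP ID; the server checks both before looking at the signature, so an assertion collected on a look-alike domain is rejected outright. `RP_ID`, `EXPECTED_ORIGIN` and the sample data are assumptions; the final signature check over `authenticatorData || SHA-256(clientDataJSON)` needs the stored public key and an ECDSA library and is left out, so this code only produces the bytes that signature must cover.

```python
"""Relying-party checks behind WebAuthn phishing resistance (added example)."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                    # assumption for this example
EXPECTED_ORIGIN = "https://bank.example"  # assumption for this example

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN/biometric)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_authenticator_data(rp_id: str, flags: int, counter: int) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON; in reality the browser sets `origin`,
    and page script cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, require_uv: bool = True):
    """Return (ok, reason, signed_bytes); signed_bytes is what the
    authenticator's signature must cover if every check passes."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON", None
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    # Compare the raw challenge bytes in constant time; a stale or reused
    # challenge means a replayed assertion.
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed)", None
    # The origin check is the phishing-resistance step.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}", None
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", None
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch", None
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted", None
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not asserted", None
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed


def demo():
    """Same challenge, same authenticator output, two origins."""
    challenge = secrets.token_bytes(32)
    auth_data = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    legit = check_assertion(make_client_data(challenge, EXPECTED_ORIGIN), auth_data, challenge)
    phished = check_assertion(make_client_data(challenge, "https://bank-example.com"),
                              auth_data, challenge)
    return legit[0], phished[0], phished[1]


if __name__ == "__main__":
    print(demo())
```

The contrast with an OTP is in `demo()`: the phishing site relays everything it received unchanged, and the assertion still fails, because the origin it was created on is part of what the server checks and what the authenticator signed.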

What this means for users

For banking customers, these changes might initially seem inconvenient. However, the benefits are substantial:

  • Better security: Reduced risk of account takeovers and fraudulent transactions
  • Improved user experience: Once set up, biometric and app-based authentication is often faster than typing in SMS codes
  • Future-proofing: These new methods are designed to evolve with emerging threats

The transition period might require some patience as banks upgrade their systems and customers adapt to new authentication methods. But the long-term result will be a more secure banking environment for everyone.

Looking forward

The global movement away from SMS OTPs represents a crucial evolution in financial security. As digital banking continues to grow and cyber threats become more sophisticated, the industry's proactive approach to authentication security is both necessary and encouraging.

Banks that haven't yet started this transition should begin planning now. The regulatory trend is clear, and customer security demands it. The question isn't whether SMS OTPs will be phased out, but how quickly financial institutions can implement better alternatives.
