AI Regulation Tracker / Guidance
Philippine Central Bank Tells Supervised Banks to Retire Passwords and SMS Codes for Privileged Access
Regulatory summary: Bangko Sentral ng Pilipinas (BSP) Memorandum No. M-2026-034, "Recommendations for Managing Emerging Risks Arising from Frontier Artificial Intelligence Systems," was signed by Deputy Governor Lyn I.
Bangko Sentral ng Pilipinas Memorandum M-2026-034 sets six cybersecurity recommendations for managing frontier AI threats, including a directive to discontinue passwords and SMS or push authentication for privileged access and move to FIDO2 hardware keys. It is anchored to the enforceable IT and cyber risk framework already binding on supervised institutions.
Key takeaways
- BSP issued a dedicated memorandum on frontier AI cyber risk that names concrete controls. Most consequentially, it directs supervised institutions to discontinue passwords and SMS or push authentication for administrative and privileged access and to adopt hardware security keys (FIDO2 or WebAuthn), Smart Cards, or hardware-backed certificate-based authentication instead. It also folds AI cyber defense, attack surface reduction, zero trust and micro-segmentation, and business continuity readiness into existing IT risk expectations, and recommends each institution build a proportionate AI Governance Framework per M-2026-031.
- Chief information security officers, heads of technology risk, and IT examiners at Philippine banks and non-bank financial institutions; identity and access management teams running privileged access; third-party and cloud service providers to BSIs; and compliance and internal audit functions that will be asked to evidence alignment with the risk-based IT framework.
- Status: Issued and signed 6 July 2026 by Deputy Governor Lyn I.
- Pull a list of all administrative and privileged accounts, identify which still rely on passwords or SMS or push one-time codes, and scope a migration to FIDO2 or WebAuthn hardware keys or hardware-backed certificate-based authentication, while opening a workstream to draft the AI Governance Framework required under M-2026-031.
| Date | Jurisdiction | Rule | Affected professionals | Status or effective date |
|---|---|---|---|---|
| 2026-07-09 | Philippines | BSP issued a dedicated memorandum on frontier AI cyber risk that names concrete controls. Most consequentially, it directs supervised institutions to discontinue passwords and SMS or push authentication for administrative and privileged access and to adopt hardware security keys (FIDO2 or WebAuthn), Smart Cards, or hardware-backed certificate-based authentication instead. It also folds AI cyber defense, attack surface reduction, zero trust and micro-segmentation, and business continuity readiness into existing IT risk expectations, and recommends each institution build a proportionate AI Governance Framework per M-2026-031. | Chief information security officers, heads of technology risk, and IT examiners at Philippine banks and non-bank financial institutions; identity and access management teams running privileged access; third-party and cloud service providers to BSIs; and compliance and internal audit functions that will be asked to evidence alignment with the risk-based IT framework. | Issued and signed 6 July 2026 by Deputy Governor Lyn I. Javier. In effect as a supervisory issuance from the date of signing. It does not set a separate transition deadline for the authentication change. |
Frequently Asked Questions
Is BSP Memorandum M-2026-034 legally binding?
The memorandum is worded as recommendations, not a new standalone rule, but it is expressly tied to the risk-based IT and cybersecurity framework under Section 148 of the MORB and the parallel MORNBFI sections, which are binding on supervised institutions. In supervisory practice, expectations issued this way become the benchmark examiners apply, so supervised institutions should treat the measures as expected.
Does it really tell banks to stop using passwords and SMS codes?
Yes, for administrative and privileged access. The memorandum directs supervised institutions to discontinue knowledge-based (passwords) and communication-based (SMS or push) authentication for all administrative and privileged access, and to adopt hardware security keys such as FIDO2 or WebAuthn, Smart Cards, or hardware-backed certificate-based authentication instead.
Who does the memorandum apply to?
All Bangko Sentral-supervised institutions, meaning banks and BSP-supervised non-bank financial institutions in the Philippines, along with their technology risk management, cyber hygiene practices, and third-party service providers.
How is this different from BSP Memorandum M-2026-031?
M-2026-031, dated 24 June 2026, is the broader AI governance issuance whose principles institutions are asked to follow when building an AI Governance Framework. M-2026-034, dated 6 July 2026, is the frontier-AI cybersecurity memorandum that sets the six cyber measures. They are separate documents that work together.
Is there a deadline to comply?
The memorandum does not set a separate transition date. It takes effect as supervisory guidance from its 6 July 2026 signing and complements the standing Section 148 framework, so institutions should begin aligning without waiting for a fixed cutoff.
Internal links
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.