eKYC Philippines Guide: BSP Regulations, PhilSys, and How It Works
eKYC (electronic Know Your Customer) lets Philippine businesses verify customer identities digitally, with no branch visits required. BSP Circular 1170 (2023) is the primary regulation governing eKYC for all BSP-supervised financial institutions, mandating risk-based digital onboarding with PhilSys as the sole sufficient proof of identity.
Industries from digital banking to crypto and insurance must comply. Non-compliance carries fines up to PHP 5 million per violation and criminal liability under the AMLA. Verihubs provides a BSP-compliant eKYC API for the Philippines with 99.95% face verification accuracy and OCR support for PhilSys, Passport, Driver’s License, UMID, and more.
What Is eKYC in the Philippines?
eKYC stands for electronic Know Your Customer. It is the process of verifying a customer’s identity entirely through digital means capturing an ID document, extracting data via OCR, matching a live selfie against the document photo, and confirming liveness without requiring the customer to appear in person.
The Bangko Sentral ng Pilipinas formally defines e-KYC as “the process of electronically verifying the credentials of a customer” under Section 921(g) of the Manual of Regulations for Banks (MORB). This definition positions eKYC as a legally recognized equivalent to traditional face-to-face onboarding, provided the digital process meets the same verification standards.
For Philippine businesses, eKYC is no longer optional. With digital payments reaching 57.4% of all retail transactions in 2024 (BSP, 2025) and six licensed digital banks collectively serving more than 8.7 million depositors, the demand for fast, accurate, and compliant remote onboarding has never been higher. At the same time, the Philippines’ suspected digital fraud rate stands at 13.4%, nearly 2.5 times the global average of 5.4% (TransUnion, 2024), making robust identity verification a business-critical necessity, not just a regulatory checkbox.
eKYC vs. KYC: What Is the Difference?
Traditional KYC requires customers to physically appear at a branch, present original documents, and undergo manual verification by staff. eKYC replaces all of that with a digital workflow: the customer uploads or photographs their ID, the system automatically extracts and validates data, and biometric verification confirms that the person submitting the document is its legitimate holder. The outcome, a verified customer identity, is the same. The process is faster, cheaper, and scalable.
| Dimension | Traditional KYC | eKYC |
|---|---|---|
| Verification channel | Physical branch / in-person | Mobile app / web browser |
| Document handling | Manual review of originals | OCR extraction + authenticity check |
| Identity confirmation | Staff comparison | Facial recognition + liveness detection |
| Onboarding time | Days to weeks | Seconds to minutes |
| Scalability | Limited by branch capacity | Unlimited (API-driven) |
| Fraud resistance | Dependent on staff vigilance | AI-powered deepfake and spoofing detection |
BSP eKYC Regulatory Framework: What Philippine Businesses Need to Know
Many businesses incorrectly cite BSP Circular 1108 as the eKYC regulation. This is a critical misconception. Circular 1108 (Series of 2021) governs Virtual Asset Service Providers (VASPs) crypto exchanges and custodians requiring them to obtain a Certificate of Authority and comply with AML/CFT obligations. It is sector-specific, not a general eKYC mandate.
The primary eKYC regulation for all BSP-supervised financial institutions is BSP Circular 1170 (Series of 2023), approved by Monetary Board Resolution No. 402 on March 23, 2023. Circular 1170 amends Sections 921 (MORB) and 921Q (MORNBFI), embedding eKYC guidelines directly into the Customer Due Diligence (CDD) framework.
Key Provisions of BSP Circular 1170
PhilSys as the universal ID: Under Circular 1170, the PhilID whether physical, digital (ePhilID), or represented by a PhilSys Card Number (PCN) or PhilSys Number (PSN) is designated as the official and sufficient proof of identity. No additional document shall be required when a PhilID is presented. Only the front portion of the PhilID needs to be scanned; the PSN on the reverse remains confidential.
Video KYC explicitly permitted: Section 921(d) of the Manual of Regulations for Banks (MORB) authorizes the use of information and communications technology for face-to-face contact and interviews, provided the covered person has risk mitigation measures in place and maintains adequate documentation and audit trails.
Tiered, risk-based approach mandated: Covered entities must implement tiered or risk-based eKYC policies, calibrating onboarding requirements and authentication assurance levels to the customer’s risk profile. Basic tiers apply minimum assurance; higher-value services require stronger verification.
Technology-neutral standards: BSP does not prescribe specific biometric modalities, OCR tools, or software vendors. The regulation focuses on outcomes: systems must be “supported by robust technology,” produce “accurate results,” and be “protected against cyber-attacks, internal malfeasance, and external manipulation.” This gives businesses flexibility to choose vendors that meet their specific needs.
Equivalency standard: eKYC must achieve the same verification standards as face-to-face onboarding. The digital process cannot be treated as a lower bar.
The BSP eKYC Regulatory Stack
| Regulation | Year | eKYC Relevance |
|---|---|---|
| BSP Circular 1022 (AMLA / MORB Section 921) | 2018 | Established tiered CDD framework; permits video ID with liveness as digital equivalent to face-to-face |
| BSP Circular 1105 | 2020 | Digital bank framework; requires eKYC as primary onboarding channel for digital-only banks |
| BSP Circular 1108 | 2021 | VASP/crypto-specific AML/KYC obligations; travel rule for transfers above PHP 50,000 |
| BSP Circular 1170 | 2023 | Primary eKYC regulation; PhilSys as sole sufficient ID; video KYC; tiered risk approach |
| Republic Act 10173 (Data Privacy Act) | 2012 | Biometric data = sensitive personal information; requires consent, DPO, NPC registration, breach notification |
| Republic Act 11055 (PhilSys Act) | 2018 | Establishes PhilSys as national ID system; mandates private sector acceptance of PhilID |
| Republic Act 11934 (SIM Registration Act) | 2022 | Requires ID-backed SIM registration; major telco eKYC obligation |
Businesses should note that the Philippines was removed from the FATF grey list on February 21, 2025, after successfully addressing all 18 action items a significant milestone that reflects the maturity of the country’s AML/CFT framework and raises the compliance bar for all covered entities.
How eKYC Works in the Philippines: Step-by-Step
A standard BSP-compliant eKYC flow for a Philippine financial institution consists of five sequential stages:
- Document capture: The customer photographs or uploads their government-issued ID using a mobile device or webcam. The system automatically detects the document type PhilSys ID, Passport, Driver’s License, UMID, SSS ID, or others and prompts for correct framing, lighting, and focus.
- OCR extraction and validation: Optical Character Recognition (OCR) extracts the customer’s name, date of birth, ID number, address, and photo from the document. A forgery detection layer screens for photocopies, screen captures, and manipulated images. For machine-readable IDs (PhilSys QR, ePassport MRZ/NFC, UMID chip), cryptographic verification provides a higher assurance level.
- Biometric face matching: The customer takes a live selfie. The facial recognition system compares the selfie against the photo extracted from the ID document, calculating a match score. Verihubs Face Recognition achieves a False Non-Match Rate (FNMR) below 1% on NIST FRVT benchmarks, ensuring that legitimate customers are not incorrectly rejected.
- Liveness detection: Anti-spoofing AI confirms that the selfie is taken from a live, physically present person not a printed photo, a screen replay, or a deepfake. This step is critical in the Philippine context, where digital fraud losses reached PHP 5.82 billion in BSP-supervised institutions in 2024 alone.
- Risk scoring and decision: The system compiles the extracted data, match scores, and liveness result into a verification decision approved, flagged for manual review, or rejected. The decision and supporting evidence are logged to create the audit trail required under BSP Circular 1170.
For PhilSys ID holders, businesses registered with the Philippine Statistics Authority (PSA) as relying parties can perform an additional step: verifying the QR code or PCN/PSN against the PSA’s eVerify system for real-time biometric or demographic authentication against the national registry. Under BSP Circular 1170, PhilSys verification satisfies the full CDD requirement with no additional document needed.
eKYC Methods: Face Liveness, OCR, and Document Verification Compared
BSP Circular 1170 is technology-neutral it defines outcomes, not tools. Philippine businesses typically combine multiple methods based on their risk tier and the customer population they serve.
| Method | How It Works | Fraud Resistance | UX Impact | Best For |
|---|---|---|---|---|
| Document OCR | AI reads text and photo from ID image; forgery detection flags photocopies and screen captures | Medium | Low friction (1 photo) | First-step data extraction for all tiers |
| Passive Liveness Detection | Single selfie; AI determines liveness algorithmically without user action | High | Minimal (1 photo) | High-volume consumer onboarding |
| Active Liveness Detection | Prompted actions (blink, turn head); motion analysis confirms presence | Very high | Moderate (30–60 sec) | Higher-risk tiers, EDD scenarios |
| Facial Recognition Match | Selfie matched to ID photo via biometric AI | High | Low friction | Identity confirmation in all eKYC flows |
| Deepfake Detection | AI detects AI-generated face manipulation distinct from liveness detection | Very high (AI threats) | Invisible to user | Financial services with high fraud exposure |
| PhilSys QR / eVerify | PSA-backed authentication via QR scan or PCN/PSN query against national registry | Highest | Requires ID card present | BSP Tier 3 / highest assurance onboarding |
| Video KYC | Live agent or AI-assisted video interview with document display | Very high | High friction (5–15 min) | Premium accounts, EDD, PEP onboarding |
The most common production configuration for Philippine digital banks and EMIs combines document OCR + passive liveness + facial recognition for standard-tier onboarding. Higher-risk profiles trigger active liveness or video KYC. Businesses with significant exposure to AI-driven fraud add deepfake detection as an invisible layer on top of liveness.
Industry Applications: Who Needs eKYC in the Philippines?
Banking (BSP-Supervised Institutions)
All universal, commercial, thrift, rural, cooperative, and digital banks are covered under MORB Section 921 and Circular 1170. Required CDD data includes full name, PCN or PSN, date of birth, address, contact details, citizenship, and a biometric or specimen signature. Digital banks must rely on eKYC as their primary onboarding channel; branch-based verification is not an option when you have no branches. The six licensed digital banks (Tonik, GoTyme, Maya Bank, UNObank, UnionDigital, OFBank) collectively grew their depositor base from 3.6 million to 8.7 million between June 2023 and June 2024, entirely through eKYC.
Fintech and E-Money Issuers (EMIs)
BSP licenses 42 EMI-NBFIs and 28 EMI-banks as of July 2025. All operate tiered e-wallet accounts: restricted wallets with simplified KYC and capped transaction limits, and fully verified wallets requiring government ID plus biometric verification. GCash and Maya together reach over 92% of adult Filipinos aged 18–45. Every one of those accounts was opened via eKYC. Face recognition and liveness detection are the backbone of their onboarding infrastructure.
Insurance (Insurance Commission)
Insurance companies are classified as covered persons under the Anti-Money Laundering Act (AMLA). They are required to verify customer identity at onboarding, with lighter requirements for microinsurance products (premium not exceeding 10% of the daily minimum wage, maximum life coverage of 500 times the minimum wage). Bancassurance clients are exempt from additional KYC if the partner bank certifies existing verification. The Insurance Commission has not issued eKYC-specific technology guidelines equivalent to BSP Circular 1170 the AMLA framework applies directly.
Crypto / VASPs (BSP Circular 1108)
Virtual Asset Service Providers must obtain a Certificate of Authority from BSP and comply with full AML/KYC obligations. The travel rule applies to virtual asset transfers above PHP 50,000 both originator and beneficiary information must be transmitted. VASPs face real-time sanctions screening requirements, source of funds assessment, and enhanced due diligence for PEPs and high-risk jurisdictions. eKYC is not optional for crypto platforms; it is a licensing condition.
Telco (SIM Registration RA 11934)
Republic Act 11934 requires all SIM cards to be registered with carriers using a government-issued ID. Accepted IDs include PhilSys, Passport, SSS, UMID, Driver’s License, and others. The NTC deactivated over 54 million unregistered SIMs in July 2023. For telcos, eKYC automates this registration at scale manual verification of tens of millions of SIMs would be operationally impossible.
Lending Companies (SEC-Supervised)
Online lending platforms regulated by the SEC must comply with AML/KYC requirements, maintain ISO 27001-equivalent data security, register all platforms with the SEC, and ensure third-party KYC vendors are properly contracted and audited. NPC Circular 20-02 specifically prohibits harvesting borrowers’ contact lists, making data minimization a compliance requirement, not just a best practice.
Benefits of eKYC for Philippine Businesses
eKYC delivers measurable operational and commercial value beyond regulatory compliance. Philippine businesses that have deployed automated identity verification report improvements across four key dimensions:
Faster onboarding, higher conversion: GoTyme Bank reduced account opening from 30–60 minutes in a traditional branch to under 5 minutes via eKYC. Digital banks across the market report onboarding completion rates that would be impossible through manual processes. Every additional minute added to the onboarding flow increases drop-off.
Fraud reduction at scale: With the Philippines’ digital fraud rate at 13.4% the second highest globally manual verification cannot keep pace. AI-powered eKYC detects document forgeries, spoofing attacks, and synthetic identities in milliseconds. Verihubs’ Deepfake Detection adds a layer specifically designed to catch AI-generated face manipulation, which grew by 4,500% globally between 2022 and 2023.
Lower compliance cost per customer: Manual KYC requires trained staff, physical document storage, and branch infrastructure. eKYC via API eliminates all three. Pay-as-you-go pricing models like Verihubs’ mean businesses pay only for verifications performed, with no upfront capital commitment.
Financial inclusion at the unbanked frontier: An estimated 76% of Filipinos remain unbanked or underserved. Many lack the ability to physically visit a branch. eKYC removes the geographic barrier: a customer in rural Mindanao can open a digital bank account from a smartphone in minutes, using a PhilSys QR code as their sole credential.
Common eKYC Compliance Mistakes Philippine Businesses Make
BSP examination findings and enforcement actions reveal seven recurring compliance failures among Philippine businesses implementing eKYC:
1. Treating Circular 1108 as the eKYC mandate
As noted above, Circular 1108 governs VASPs only. Businesses that build their compliance framework around Circular 1108 miss the full requirements of Circular 1170, including the PhilSys sufficiency rule, the equivalency standard, and the tiered risk approach. The result is a compliance gap that surfaces during BSP examination.
2. Requiring additional documents when a PhilID is presented
BSP Circular 1170 and RA 11055 are explicit: PhilSys ID is the sole sufficient proof of identity. Businesses that continue to demand a secondary ID alongside a PhilID are non-compliant and they are creating unnecessary friction for customers who have already registered with the PSA.
3. Using liveness detection as the only anti-fraud layer
Liveness detection confirms that the face in front of the camera is real: not a photo, screen replay, or mask. It does not detect deepfakes. AI-generated face manipulation bypasses standard liveness checks. As Jason Hartono, VP of Strategy at Verihubs, has explained: “Liveness detection only confirms whether the face in front of the camera is real, but it cannot detect whether that face is being manipulated in real time by deepfake AI.” Deepfake Detection requires a separate, purpose-built layer.
4. Inadequate audit trails
Circular 1170 requires that key CDD processes be “documented or with adequate audit trail.” Systems that store only the final verification decision, without preserving the ID images captured, OCR output, match scores, and liveness results, cannot pass BSP examination. Every step of the eKYC workflow must be logged and retained for a minimum of 5 years after account closure.
5. Non-compliant third-party outsourcing
BSP allows reliance on third-party eKYC vendors subject to outsourcing rules. However, the covered person remains ultimately responsible for compliance. Contracts must clearly allocate KYC obligations, define SLAs, and allow for BSP examination of the vendor’s systems. A vendor that lacks ISO 27001 certification or proper data residency controls creates direct regulatory exposure for the covered person.
6. Treating eKYC as a one-time onboarding step
AMLA and BSP regulations require ongoing customer due diligence. Risk profiles change: a customer who opened a basic e-wallet account may later upgrade to a higher-value product, or exhibit transaction patterns inconsistent with their stated profile. Periodic re-verification and event-driven re-checks are required components of a complete eKYC program.
7. Ignoring the Data Privacy Act obligations
Biometric data facial images, fingerprints, iris scans is classified as sensitive personal information under RA 10173. Collecting it without explicit informed consent, failing to appoint a Data Protection Officer, or retaining it beyond the legally required period are violations that carry administrative fines of 0.25% to 3% of annual gross income, plus criminal penalties of up to 7 years imprisonment and PHP 5 million in fines.
Verihubs eKYC Solution for the Philippines
Verihubs provides an AI-powered eKYC API purpose-built for the Philippine market, combining face recognition, liveness detection, deepfake detection, and OCR into a unified verification stack. All components are independently certified and designed to meet BSP Circular 1170’s equivalency standard.
Face Recognition
Verihubs Face Recognition achieves 99.95% accuracy on the Labeled Faces in the Wild (LFW) benchmark, ranked #3 in Southeast Asia for speed and precision. It is certified by the US National Institute of Standards and Technology (NIST) on both FRVT 1:1 (verification) and FRVT 1:N (identification) benchmarks, and holds NIST FATE PAD certification for presentation attack detection. The False Non-Match Rate (FNMR) is below 1%, meaning fewer than 1 in 100 legitimate customers are incorrectly rejected. The system processes face matches in milliseconds and operates in both online and offline modes, which is critical for Philippine regions with intermittent connectivity.
OCR Extraction for Philippine IDs
The Verihubs OCR API extracts data from nine types of Philippine government documents: PhilSys National ID, Philippine Passport, Driver’s License, UMID, SSS ID, and four additional formats. Accuracy reaches 99% even on low-resolution or partially degraded documents. The Smart Grayscale Detection feature automatically flags photocopies black-and-white or screen-captured images are rejected before they enter the verification queue, eliminating a common fraud vector in the Philippine market.
Liveness Detection and Deepfake Detection
Verihubs Liveness Detection supports both active (prompted actions) and passive (single-frame AI analysis) modes. It is certified to ISO/IEC 30107 by FIME and achieves above 95% accuracy in distinguishing real faces from spoofing artifacts: photos, videos, 3D masks, and screen replays. For the growing threat of AI-generated identity fraud, Verihubs offers a dedicated Deepfake Detection layer that identifies real-time digital face manipulation, a capability that liveness detection alone cannot provide.
Pricing and Integration
Verihubs operates on a pay-as-you-go model with no upfront setup costs, no minimum monthly commitment, and no sudden pricing spikes at scale. The API is designed for rapid integration, with SDKs for web and mobile. On-premise deployment is available for regulated institutions that require data to remain within their own infrastructure, meeting BSP data residency and DPA compliance requirements simultaneously.
Frequently Asked Questions About eKYC in the Philippines
Is BSP Circular 1108 the eKYC regulation?
No. BSP Circular 1108 (2021) governs Virtual Asset Service Providers (VASPs) and crypto exchanges. The primary eKYC regulation for all BSP-supervised financial institutions is BSP Circular 1170 (2023), which amends the CDD provisions of the MORB and MORNBFI.
Is PhilSys ID sufficient for eKYC, or do customers need additional documents?
PhilSys ID physical card, ePhilID, or credentials derived from the PCN or PSN is the sole sufficient proof of identity under BSP Circular 1170 and RA 11055. No additional document shall be required when a PhilID is presented. Requiring a secondary ID alongside a PhilID is non-compliant.
What is the difference between liveness detection and deepfake detection?
Liveness detection confirms that the face captured is from a live, physically present person not a static photo, video replay, or 3D mask. Deepfake detection identifies AI-generated real-time face manipulation, where a fraudster uses generative AI to replace their face with a different person’s face during the video capture. These are distinct threats requiring distinct technology.
How long must eKYC records be retained?
BSP and AMLA regulations require KYC records including documents collected, data extracted, verification decisions, and audit logs to be maintained for a minimum of 5 years after the account is closed or the business relationship is terminated.
What are the penalties for eKYC non-compliance in the Philippines?
BSP can impose administrative fines of up to PHP 5 million per violation and deploy supervisory enforcement actions including cease-and-desist orders and license revocation. AMLA violations carry criminal penalties of 7 to 14 years imprisonment plus fines of not less than PHP 3 million. Data Privacy Act violations add fines of 0.25% to 3% of annual gross income, plus up to 7 years imprisonment and PHP 5 million per offense.
Does BSP mandate a specific eKYC technology or vendor?
No. BSP Circular 1170 is technology-neutral. It prescribes outcomes accurate results, anti-fraud protection, adequate audit trails, equivalency with face-to-face standards without specifying biometric modalities, OCR systems, or software vendors. Businesses are free to choose any vendor that meets these outcome standards.
Who is required to implement eKYC in the Philippines?
All BSP-supervised financial institutions (universal, commercial, thrift, rural, cooperative, and digital banks, plus non-bank financial institutions) under Circular 1170. VASPs/crypto exchanges under Circular 1108. Insurance companies under AMLA. Online lending platforms under SEC regulations. Telcos for SIM registration under RA 11934.
Can eKYC be fully automated, or does it require human review?
BSP Circular 1170 permits fully automated eKYC provided the system meets the equivalency standard. However, regulated entities must implement risk-based escalation: higher-risk customers, PEPs, and cases with low confidence scores should be routed for human review or enhanced due diligence. The decision-making system must be able to justify its outputs to BSP examiners.
eKYC Is Now the Foundation of Philippine Financial Compliance
The Philippines’ eKYC landscape has matured rapidly. With 91.7 million PhilSys registrations, 57.4% digital payment penetration, six licensed digital banks, and a fraud rate that is 2.5 times the global average, the pressure on Philippine businesses to implement accurate, compliant, and scalable identity verification has never been greater. BSP Circular 1170 sets a clear standard: eKYC must be risk-based, PhilSys-aware, audit-trailed, and equivalent in quality to face-to-face verification.
Businesses that treat eKYC as a one-time compliance project, rather than an ongoing operational capability, will find themselves exposed to regulatory enforcement, fraud losses, and the growing threat of AI-powered identity attacks that standard liveness detection alone cannot counter.
The technology decisions made today vendor certification, deepfake detection capability, data residency configuration will determine both compliance outcomes and competitive positioning as the Philippines continues its rapid shift to digital-first financial services.
Contact Verihubs here to learn how our eKYC API can help your Philippine business achieve BSP Circular 1170 compliance, reduce fraud, and onboard more customers faster and more accurately than any other solution in Southeast Asia.
