Business Messaging Compliance in the Philippines: What Organizations Need to Know

Organizations running customer communication programs in the Philippines operate under a specific regulatory environment. Whether you're sending payment reminders, appointment notifications, OTPs, marketing campaigns, or service updates, several frameworks govern how customer mobile numbers can be collected, stored, and used.

Understanding these requirements before launching is significantly easier than dealing with blocked messages, customer complaints, or regulatory attention after the fact. This guide covers the core compliance requirements, what they mean in practice, and the processes your team should have in place before go-live. While the examples focus on SMS, the same principles apply to WhatsApp, Viber, and other messaging channels.


The Data Privacy Act of 2012 (Republic Act 10173)

RA 10173 is the primary framework governing personal data in the Philippines. Mobile numbers are classified as personal information under the Act, which means collecting, storing, and using them for communication requires an appropriate legal basis.

The practical distinction that matters most is between transactional and marketing messaging.

Transactional messaging (payment reminders, delivery notifications, appointment confirmations, OTPs, account updates, service alerts) is generally covered by the existing customer relationship. A borrower who provides their mobile number on a loan application can reasonably expect communications related to that loan. A patient who books a clinic appointment can reasonably expect appointment reminders. The requirement is proportionality: the communication should remain connected to the purpose for which the number was collected.

Marketing and promotional messaging requires documented opt-in consent. A clear statement at the point of collection ("By providing your number, you agree to receive promotional messages from [Organization]"), combined with a record of when and how consent was obtained, is the minimum standard. Organizations should not assume consent exists simply because they have a customer's phone number. That assumption is exactly what regulators look for.

The National Privacy Commission has enforcement authority under RA 10173 and has shown increasing willingness to investigate complaints. Organizations handling significant volumes of personal data are expected to maintain appropriate privacy governance, including documented policies, security controls, and privacy management processes.

The SIM Registration Act (Republic Act 11934)

RA 11934 requires all SIM cards in the Philippines to be registered to verified individual identities. For organizations sending outbound messages, two implications matter.

First, customer numbers are now linked to verified identities, which means both regulators and carriers have become more aggressive in identifying and filtering suspicious messaging activity. Organizations sending to outdated, purchased, or poorly maintained lists will see deliverability problems before they see a regulator.

Second, inactive numbers can be reassigned to new subscribers. A number that belonged to one customer a year ago may belong to someone entirely different today. Sending payment reminders, account alerts, or sensitive notifications to a reassigned number creates both a compliance risk and a customer experience failure. Regular list hygiene and suppression of inactive contacts should be treated as operational requirements, not optional maintenance.

The Act was introduced largely in response to scam SMS volumes that caused significant harm to Filipino consumers. Organizations operating consent-based programs are aligned with where the regulatory environment is heading. Those relying on unsolicited bulk sends are increasingly exposed.

The Anti-Financial Account Scamming Act and BSP Circular 1213

For organizations in financial services, a third framework now sits alongside the Data Privacy Act and the SIM Registration Act, and it directly reshapes how authentication messages can be used. The Anti-Financial Account Scamming Act (Republic Act 12010), signed in July 2024, was enacted to curb account takeover, money muling, and social engineering scams. Its information-security requirements are implemented through Bangko Sentral ng Pilipinas (BSP) Circular 1213, issued in June 2025, which amends the BSP's IT Risk Management regulations. The compliance deadline is the end of June, this year. BSP Deputy Governor Elmore Capule stated in early 2026 that the BSP was not planning to extend the June 2026 compliance deadline, signaling that institutions should continue preparing for implementation on the original timeline.

The circular applies to all BSP-supervised institutions: commercial and digital banks, e-money issuers, payment system operators, credit card issuers, lending firms, and remittance companies. If your messaging program supports any of these, the requirements below affect you directly.

The OTP rule is the one most frequently misread. Circular 1213 restricts the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction, with SMS and email OTPs named as the primary example. This does not ban OTPs outright. What it restricts is the use of SMS or email OTPs as the authentication factor for login and high-risk transactions, such as adding a new payee, changing registered contact details, or initiating large transfers. For those flows, covered institutions are expected to move to stronger mechanisms: biometric authentication, behavioral biometrics, passwordless methods such as FIDO security keys, or adaptive authentication. 

OTP via SMS retains two legitimate uses. The circular still permits OTP for confirming ownership of a registered mobile number at enrollment. It also explicitly requires that OTP messages be personalized with sufficient transaction detail so the recipient can verify what they are approving. A bare six-digit code with no context no longer meets the standard. If your OTP templates are generic, that is a content change worth making before the deadline.

A rule that catches many SMS programs by surprise involves links. Circular 1213 restricts sending clickable hyperlinks or QR codes via SMS or instant messaging unless the link was prompted by a prior customer action, provides information only, and does not redirect to a page requesting credentials or sensitive data. Marketing and transactional flows that rely on embedded short links should be reviewed against this rule, as it sits at the center of how phishing reaches customers.

The circular also creates affirmative messaging requirements. Covered institutions must send real-time notifications for account activity: withdrawals, fund transfers above a threshold, merchant and bills payments, device registration, new login or authentication methods, and profile updates. These notifications can be delivered through SMS and must contain enough detail (recipient, amount, date and time, transaction type, reference) for the customer to confirm the activity is legitimate. For messaging programs, this is a structured, recurring, and clearly compliant category of transactional traffic.

The practical checklist for financial-services messaging teams: audit your authentication flows against the June 30 deadline, separate the OTP traffic that must change from the OTP and notification traffic that remains valid, personalize your OTP and notification content, and review any SMS that carries a link.
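One way to start the template review described above is a pre-send lint over your message templates (an added example, not code from the circular or from any messaging provider). The template kinds, the {placeholder} names, and the reading of "sufficient transaction detail" as at least one context field are assumptions of this sketch; a finding means "needs human review", not a compliance verdict.

```python
import re

# Detail fields the article lists for account-activity notifications.
# The {placeholder} names and template kinds are assumptions of this example.
NOTIFY_FIELDS = {"recipient", "amount", "datetime", "txn_type", "reference"}
# Assumed reading of "sufficient transaction detail" for an OTP: at least one of these.
OTP_CONTEXT = {"recipient", "amount", "txn_type", "reference"}

# Matches http(s)://, www. and bare short links such as bit.ly/abc123.
URL_RE = re.compile(
    r"\b(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/\S*", re.I)
FIELD_RE = re.compile(r"\{(\w+)\}")

# Constructed sample templates, not taken from any real program.
SAMPLES = {
    "otp_generic": ("otp", "Your OTP is {code}. Do not share it."),
    "otp_detailed": ("otp", "ABCBANK: {code} is your OTP to send PHP {amount} "
                            "to {recipient}. Ref {reference}."),
    "notify_partial": ("notification", "ABCBANK: PHP {amount} sent to {recipient}."),
    "notify_full": ("notification", "ABCBANK: {txn_type} of PHP {amount} to "
                                    "{recipient} on {datetime}. Ref {reference}."),
    "promo_link": ("marketing", "Promo! Claim at bit.ly/abc123"),
}


def lint_template(kind, text):
    """Return review findings for one SMS template of the given kind."""
    findings = []
    fields = set(FIELD_RE.findall(text))
    if URL_RE.search(text):
        findings.append("link: review against the clickable-link restriction")
    if kind == "otp":
        if "code" not in fields:
            findings.append("otp: no {code} placeholder")
        if not fields & OTP_CONTEXT:
            findings.append("otp: bare code, no transaction context")
    elif kind == "notification":
        missing = sorted(NOTIFY_FIELDS - fields)
        if missing:
            findings.append("notification: missing " + ", ".join(missing))
    return findings


def lint_all(samples=SAMPLES):
    """Map template name -> findings, keeping only templates that need attention."""
    report = {name: lint_template(kind, text) for name, (kind, text) in samples.items()}
    return {name: found for name, found in report.items() if found}
```

Whether a flagged link was prompted by a prior customer action, or where it redirects, cannot be decided from the template text, so link findings always go to a reviewer.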

Data Handling Requirements in Practice

Beyond consent, organizations must implement appropriate safeguards for the personal data they hold. For a messaging program, this translates into several concrete requirements: secure storage of customer mobile numbers and message records; access controls that limit who can view, export, or use the contact database; a documented retention policy covering how long message history and contact records are kept; and a process for responding to data subject requests from customers who want to see, correct, or delete their data.

Audit trails matter here. Records showing when messages were sent, what content was delivered, and how consent was obtained become important if a customer disputes a communication or if regulators ask for evidence.

When evaluating messaging providers, ask specifically: where is customer data stored, who within the vendor organization has access, what security controls are in place, and what audit and reporting capabilities are available. Philippine law does not require local data storage, but organizations in financial services, healthcare, and education often factor hosting location into their compliance strategy.

Sender ID Registration

An alphanumeric sender ID displays your organization name, for example "ABCBANK" or "HEALTHCLINIC", instead of a random number. In a market where scam SMS has been persistent, sender identification plays a direct role in whether customers open and act on your messages. Many recipients have learned by experience to ignore messages from numbers they don't recognize.

For banks, lenders, healthcare providers, educational institutions, and government programs, a registered sender ID is increasingly a trust requirement, not a branding enhancement. The registration process runs through your messaging provider in coordination with participating Philippine carriers. Approval timelines vary. Build it into your project plan rather than treating it as a post-launch task.

Philippine carriers classify sender IDs as either domestic or international (referred to as Premium A2P), based on whether your organization is registered locally or headquartered outside the Philippines. The documentation requirements and routing differ between the two, and that classification is made by Globe and Smart, not by you or your provider. The registration process runs through your messaging provider in coordination with the carriers, and knowing which category applies to your organization will avoid delays.

Opt-Out Management

Every customer communication program needs a clear, functional mechanism for recipients to stop receiving messages. For SMS, the standard is keyword-based: "Reply STOP to unsubscribe." The more important requirement is that opt-out requests are processed promptly and reflected in your contact database before the next send cycle.

Sending messages to someone who has already opted out is both a compliance failure and a trust failure. Design opt-out handling into the workflow from the beginning. It is much harder to retrofit.

Pre-Launch Compliance Checklist

Before launching a customer messaging program in the Philippines, confirm that your organization has:

  • Documented consent for promotional and marketing messages
  • A published privacy policy covering how customer data is used
  • Clear opt-out mechanisms for all message types
  • Processes for handling data subject access, correction, and deletion requests
  • Access controls limiting who can view or export customer contact data
  • A documented data retention policy
  • Sender ID registration in progress or completed where applicable
  • Regular contact database verification and list hygiene procedures
  • For BSP-supervised institutions: an authentication review against BSP Circular 1213, identifying which OTP flows must transition to stronger mechanisms before June 30, 2026
  • OTP and transaction-notification templates personalized with sufficient transaction detail (recipient, amount, date and time, transaction type, reference)
  • A review of any SMS containing clickable links or QR codes against Circular 1213 restrictions
  • Audit trails covering message delivery and consent records

Organizations that can confirm all of these are in place are generally well-positioned for both regulatory compliance and long-term messaging performance.

The Regulatory Environment Is Getting More Structured

The compliance landscape for business messaging in the Philippines has tightened significantly since 2022. The SIM Registration Act, more active NPC enforcement, stronger carrier-level filtering, and the AFASA authentication requirements under BSP Circular 1213 have collectively raised the bar. That last one extends the same trajectory into authentication and fraud management, reinforcing a clear direction: consent-based, well-governed programs are where regulation is heading.

Most compliance failures are not caused by bad intent. They're caused by poor workflows: outdated lists, missing opt-out handling, undocumented consent, or uncontrolled access to customer data. The organizations running the strongest messaging programs in the Philippines are not the ones sending the most messages. They're the ones sending the right messages to consenting customers, with clean data, secure systems, and reliable opt-out paths. That is both the compliant approach and the effective one.

Frequently Asked Questions

Is SMS marketing legal in the Philippines? Yes. Organizations can send SMS marketing messages provided they obtain appropriate consent, maintain records of that consent, and honor opt-out requests promptly.

Do businesses need consent to send SMS in the Philippines? For promotional and marketing messages, yes. Transactional messages such as OTPs, account notifications, payment confirmations, and service updates may not require separate marketing consent when they are necessary to provide the service requested by the customer and are consistent with the organization's disclosed privacy practices.

What is a sender ID for SMS in the Philippines? A sender ID allows messages to display a business name rather than a phone number. It is registered through a messaging provider and approved by participating mobile carriers.

Does the Data Privacy Act apply to customer mobile numbers? Yes. Mobile numbers are personal information under RA 10173 and must be handled with appropriate privacy, security, and governance practices.

Are SMS OTPs still allowed in the Philippines? For most messaging, yes. BSP Circular 1213 restricts SMS and email OTPs as the authentication factor for login and high-risk banking transactions at BSP-supervised institutions, with a June 30, 2026 deadline to adopt stronger methods. OTP via SMS remains valid for confirming mobile number ownership at enrollment and for transaction notifications, provided the message is personalized with sufficient detail. The restriction applies to regulated financial institutions; it does not ban OTP messaging across all industries.

What is BSP Circular 1213? It is the regulation, issued in June 2025, that implements the information-security provisions of the Anti-Financial Account Scamming Act (RA 12010). It requires BSP-supervised financial institutions to limit interceptable authentication such as SMS OTPs for high-risk transactions, restrict clickable links in outbound SMS, deploy real-time fraud management systems, and send personalized account-activity notifications to customers. The compliance deadline is June 30, 2026.


Explore Telerivet's platform to learn how organizations manage SMS, WhatsApp, Viber, and other messaging channels while maintaining operational control.
