Lola's Pension Is Locked Behind a Push Notification She Can't Receive
Banks killed SMS OTPs to fight scammers. Rural pensioners with feature phones became collateral, and nobody at the branch wants to override the system.
Philippine banks spent 2025 phasing out SMS one-time passwords, citing fraud, SIM-swap attacks, and pressure from regulators to tighten authentication. The replacement, in most cases, is an in-app push notification that pops up on a smartphone running the bank's official app. Clean fix, on paper.
On the ground in Nueva Ecija, Samar, and Sulu, it means a 71-year-old retiree with a Nokia keypad phone can no longer log into the account where her SSS or GSIS pension lands every month.
The phone was always the problem
The assumption baked into push-based authentication is that everyone has a working smartphone, a stable data connection, enough storage to install a 200 MB banking app, and the literacy to navigate biometric prompts in English. None of that is universal in barangays where the nearest cell tower drops signal after 6 PM.
Pensioners who relied on a child or a neighbor to read SMS codes aloud now need that same person to hand over a smartphone, log in under the pensioner's name, approve a push, and hand it back. The bank calls this a security upgrade. Families call it Tuesday.
Branch managers in provincial capitals have started seeing the same scene on payout days: elderly clients in line with passbooks, denied withdrawals because the system flags an unverified device. The override exists. It requires a manager's signature, two valid IDs, and sometimes a trip back the next day because the regional office has to approve it.
The workaround is informal and slightly illegal
What happens instead is that a grandchild keeps Lola's ATM card, knows Lola's PIN, and runs the app on a phone registered under the grandchild's number. Banks officially prohibit this. Banks also know it is the only way pensions get withdrawn in towns where the cooperative ATM is two jeepney rides away.
The risk transfer is quiet. If the grandchild's phone gets compromised, the bank's terms and conditions say the account holder, meaning Lola, is liable for unauthorized transactions because she shared her credentials. Read the fine print on any BPI or BDO mobile banking agreement. It is there.
Bangko Sentral has issued circulars on digital financial inclusion and has flagged the need for alternative authentication channels. Implementation is left to individual banks, and individual banks have decided that compliance with anti-fraud rules costs less than building a parallel system for clients without smartphones.
Who actually pays for the upgrade
Fraud losses from SMS interception were real and were costing banks money. Push notifications cut those losses. The savings show up in annual reports. The cost shows up in a pension queue in Catarman where a widow waits four hours for a manager to verify her thumbprint against a 2008 signature card.
Pensioners are not a growth segment. They do not take out auto loans, they do not open investment accounts, and they will be dead before the bank needs to upsell them on a credit card. Designing the authentication flow around them was never going to win an internal meeting.
So the system works exactly as intended. The fraud rate drops, the compliance box gets ticked, and the pension stays in the account until somebody under 40 with a working iPhone agrees to drive out to the province and tap approve.