When Philippine President Ferdinand Marcos Jr. signed Republic Act 11934, the SIM Registration Act, into law in October 2022, the pitch was simple: force every mobile subscriber to register their SIM card with a verified identity, and the scourge of text-message scams — fake job offers, phishing links, romance fraud, and political disinformation — would dry up. By the July 2023 registration deadline (and a subsequent extension), telcos had deactivated tens of millions of unregistered numbers. Authorities and lawmakers told the public this was the price of a safer digital ecosystem.
Three years on, the bill has come due — and the dividends have not arrived. Globe Telecom and Smart Communications, the country's two dominant operators, continue to block billions of scam messages annually. Congressional oversight hearings through 2025 have surfaced uncomfortable testimony: scam volumes have not collapsed, registered numbers are being used in fraud, and lawmakers including Senator Grace Poe — one of the law's original champions — are now openly calling for amendments. The law that was supposed to end SMS scams is, by the admission of its own backers, not working.
What RA 11934 Actually Required
The SIM Registration Act made the Philippines the first ASEAN country to mandate identity registration for every SIM, prepaid and postpaid alike. Subscribers had to submit a government ID and biometric or selfie verification to keep their number active. Telcos became data custodians for over 100 million subscriber records, with steep penalties for non-compliance and a registration database overseen by the National Telecommunications Commission (NTC).
The law was sold on two propositions. First, that anonymity in the SMS layer was the root cause of fraud. Second, that knowing the registered identity behind a SIM would deter scammers and aid law enforcement in tracing them. Civil society groups — including the Foundation for Media Alternatives and several digital rights organizations — warned at the time that both propositions were weak. Scammers, they argued, would either use stolen IDs to register fraudulently, switch to over-the-top (OTT) platforms like Telegram and WhatsApp, or simply route messages through SMS aggregators based offshore. Those warnings have aged well.
The Evidence: Scams Didn't Stop, They Migrated
Telco-published transparency data tells the story. Both Globe and Smart have publicly reported blocking billions of suspected scam and spam SMS messages in the years since registration took effect. PLDT-Smart's network alone has reported blocking volumes in the multiple billions per year, while Globe has highlighted that a growing share of fraud now arrives via OTT messengers and "smishing" links rather than traditional SMS. The fraud tactics adapted faster than the regulation.
The patterns confirm what economists call a balloon effect: squeeze one channel, and the same activity inflates somewhere else. Sophisticated operators moved to encrypted messengers, to spoofed sender IDs originating overseas, and — most damningly — to SIMs registered under the names of victims of identity theft, money mules, or fictitious documents that passed cursory KYC checks. Meanwhile, ordinary users absorbed the privacy and friction costs of registration without receiving the safety benefit promised.
The Costs Lawmakers Underweighted
Mandatory SIM registration is not a neutral policy. It carries real, measurable costs that the original debate downplayed:
- Privacy and surveillance risk. Centralized databases linking national IDs to phone numbers are high-value targets. The National Privacy Commission (NPC) has had to investigate multiple data exposure incidents involving telco subscriber data since registration began — a reminder that creating the database creates the breach risk.
- Financial inclusion harms. Millions of unregistered SIMs were deactivated, disproportionately affecting low-income, rural, and elderly users who lacked easy access to ID verification. For many Filipinos, the SIM is the gateway to mobile money (GCash, Maya) and government services — losing it means losing economic participation.
- Chilling effects on speech. In a country where cyberlibel under the Cybercrime Prevention Act of 2012 has been used against journalists and critics — most prominently in the prosecution of Maria Ressa — tying every SIM to a verified identity weakens the practical anonymity that whistleblowers, activists, and ordinary citizens have historically relied on.
- Compliance burden on telcos. Globe and Smart spent substantial sums building registration infrastructure and continue to bear the cost of fraud filtering they were already doing. The regulatory mandate did not relieve them of the engineering problem; it added paperwork on top of it.
What Senator Poe and the Oversight Hearings Are Acknowledging
The current congressional review is significant precisely because it is being led by lawmakers who voted for the original law. Senator Grace Poe, who chaired the Senate Public Services Committee that shepherded the bill, has publicly conceded that amendments are needed and that the law as enacted has not delivered on its anti-fraud promise. Proposed fixes range from tougher penalties on fraudulent registrants to expanding scope to OTT platforms — but the deeper question is whether the underlying model is sound at all.
A Better Path: Proportionate, Evidence-Based Anti-Fraud Policy
The Philippines does not need to choose between scam victims and digital rights. The evidence from three years of RA 11934 — and from comparable mandates in Nigeria, Pakistan, and elsewhere — points to a more effective and proportionate approach:
- Invest in telco-side fraud detection and information sharing. The billions of messages Globe and Smart already block prove the network layer is where most fraud is actually stopped. Standardized scam-signal sharing between operators, banks, and the NPC would do more than another round of ID checks.
- Tighten sender-ID and aggregator accountability. Most large-scale SMS fraud exploits spoofed alphanumeric sender IDs or unscrupulous aggregators. Regulating that supply chain — not retail subscribers — targets the actual chokepoint.
- Protect the registration database — or shrink it. If a database exists, it should be governed by strict minimization, encryption, and audit requirements under NPC supervision, with mandatory breach disclosure. Better still, retain only what investigators actually need rather than indefinite blanket records.
- Resist expansion to OTT platforms. Proposals to extend identity mandates to encrypted messengers would compound the harms without addressing the cross-border nature of the fraud — and would put the Philippines on the wrong side of the global encryption debate.
The honest lesson of RA 11934 is one regulators worldwide should internalize: identity mandates are an attractive political answer because they look decisive. But fraud is an engineering and economics problem, not an anonymity problem. The Philippine Congress deserves credit for being willing to revisit a law it passed. The next step is to fix it — or repeal the parts that aren't working — rather than double down.