Bank Secrecy Law and Disclosure of Bank Information for Audit Engagements

If you're a business owner, corporate officer, or individual preparing for a financial statement audit in the Philippines—or working with an external auditor who needs to verify your bank accounts—you may be concerned about how banks can share deposit information without violating the strict rules under the Bank Secrecy Law. Republic Act No. 1405 protects the confidentiality of deposits to encourage saving and support economic growth, yet it expressly permits disclosure when you give written permission. This article explains the law's requirements, how the written-permission exception operates in real audit engagements, the exact steps to authorize disclosure, common obstacles Filipinos and foreigners face, and practical ways to keep your audit moving forward smoothly.

The Bank Secrecy Law: Core Rules and Purpose

Enacted in 1955, Republic Act No. 1405 (the Law on Secrecy of Bank Deposits) declares that all deposits of whatever nature with banks or banking institutions in the Philippines—including investments in government bonds—are of an absolutely confidential nature. They may not be examined, inquired into, or looked into by any person, government official, bureau, or office except in limited situations. The law's stated purpose is to discourage private hoarding and encourage people to place money in banks so it can be channeled into productive loans that aid national development.

Section 2 of RA 1405 sets the boundaries clearly: disclosure or inquiry is allowed only upon written permission of the depositor, in cases of impeachment, upon order of a competent court in cases of bribery or dereliction of duty of public officials, or in cases where the money deposited or invested is the subject matter of the litigation. Section 3 makes it unlawful for any bank official or employee to disclose deposit information to anyone outside those exceptions. Violations carry penalties of imprisonment of not more than five years, a fine of not more than twenty thousand pesos, or both.

The same confidentiality principle applies to foreign currency deposits under Republic Act No. 6426 (the Foreign Currency Deposit Act), with written consent of the depositor as the primary exception for voluntary disclosures. The Bangko Sentral ng Pilipinas (BSP) primer on bank secrecy laws reinforces that valid written consent must be given knowingly and voluntarily, with awareness of the circumstances and consequences.

In practice, this framework protects ordinary depositors' privacy while allowing necessary information flow when the depositor themselves authorizes it.

Written Permission: The Practical Route for Most Audit Engagements

For routine external audit engagements—where a licensed CPA or audit firm examines a company's or individual's financial statements—the key mechanism is your written permission as the depositor (or authorized representative). Philippine Standards on Auditing, which align with international standards on external confirmations, treat direct bank responses as highly reliable evidence for cash balances, outstanding loans, guarantees, and related banking arrangements.

Your auditor prepares a standard confirmation request that doubles as an authorization. By signing it, you explicitly permit the bank to release the specified information directly to the named auditor for the stated audit purpose only. This satisfies RA 1405's written-permission exception without needing a court order or government involvement.

Banks themselves also undergo mandatory external audits under BSP regulations. In those engagements, the bank's own independent auditor may examine deposit records (treated as liabilities on the bank's books) because the examination serves the bank's own financial reporting and regulatory compliance, with results restricted to the bank's use. This is a recognized practical allowance separate from customer-initiated disclosures.

Other exceptions (such as AMLC inquiries with probable cause under RA 9160, Ombudsman access in pending cases meeting specific conditions from jurisprudence like Marquez v. Desierto, or COA examination of government deposits) exist but rarely apply to ordinary private-sector audit engagements of businesses or individuals.

Step-by-Step Guide to Authorizing Disclosure for an Audit

Follow these steps to ensure smooth, compliant disclosure:

  1. Coordinate early with your external auditor during planning. Identify all material bank accounts and relationships. The auditor prepares tailored confirmation requests specifying the as-of date (commonly fiscal or calendar year-end), the exact information needed (balances, loans, contingencies), and the auditor's contact details.

  2. Review the confirmation request or authorization form carefully. It should name the specific auditor or firm, limit use to the current audit engagement, list or describe the accounts, and state your consent for direct release to the auditor. Avoid signing overly broad or open-ended waivers.

  3. Secure internal authority if the account belongs to a corporation, partnership, or other entity. Obtain a recent board resolution, secretary's certificate, or equivalent document confirming the signatory's power to consent to disclosure. Banks routinely require this to verify authority and protect themselves from liability.

  4. Sign and notarize as required. Many banks insist on notarization for formality and to confirm identity under notarial rules. Use a wet signature unless the bank explicitly accepts electronic or digital signatures with proper verification.

  5. Submit the documents to the bank. Your auditor typically sends the signed request (often via the bank's dedicated audit confirmation email, portal, or registered mail). Attach supporting documents such as the board resolution and valid IDs. Keep copies for your records.

  6. Monitor processing and follow up. Banks usually acknowledge receipt and aim to respond within one to three weeks. The response goes directly and confidentially to the auditor. You may receive a copy or status update.

  7. Resolve any follow-up requests quickly. If the bank asks for additional proof of authority or clarification, provide it promptly to avoid delaying fieldwork or the audit report deadline.

For overseas signatories or OFWs: Have the document notarized locally, then apostille it through the Department of Foreign Affairs (or the equivalent process via a Philippine embassy or consulate). Many banks now accept properly apostilled scanned copies, though some still prefer original or courier-delivered documents. Plan extra time—apostille processing and international transmission can add 7–14 days.

Documents, Timelines, Fees, and Practical Realities

Typical documents include:

  • The signed bank confirmation request or authorization letter clearly identifying the auditor and limited purpose
  • Valid government-issued photo ID of the signatory (or signatories for joint accounts)
  • For corporations and similar entities: Board resolution or secretary's certificate authorizing the disclosure and the specific signatory (usually dated within the last 3–6 months or per bank policy)
  • Occasionally, a copy of the audit engagement letter for context

No government filing or fee is required for this private process between you, your auditor, and the bank.

Timelines vary by bank size and season. Universal and commercial banks often respond in 5–15 banking days for standard requests. Smaller rural banks, thrift banks, or cooperative banks may take longer, especially during peak audit periods (January to April for calendar-year entities). Build a 3–4 week buffer into your overall audit schedule. SEC filing or lender deadlines make early initiation essential.

Fees are usually none or nominal for basic positive confirmations of balances and facilities. Some banks charge for rush service, certified true copies of statements, or extensive transaction histories beyond the standard confirmation.

In practice, universal banks have dedicated teams or portals for auditor confirmations and handle these routinely. Delays most often stem from incomplete documentation rather than reluctance to disclose.

Common Pitfalls and Real-World Scenarios

Many clients encounter delays or complications from these issues:

  • Using outdated or blanket authorizations from previous audits or different auditors—banks generally require fresh, engagement-specific consent.
  • Signatory mismatches, especially in corporations where the person signing is not the current authorized signatory on bank records or lacks an updated board resolution.
  • Requesting full transaction histories or copies of checks when only balances and key facilities are needed—the standard confirmation is a snapshot; broader requests may need extra justification or separate consent.
  • Last-minute execution near reporting deadlines, which risks outstanding confirmations and qualified audit opinions.
  • Cross-border authentication hurdles for OFWs, dual citizens, or foreign-owned entities—failing to apostille or consularize documents in advance.
  • Joint accounts, trust accounts, or accounts with multiple signatories where not all required parties consent.

Example scenario 1: A Cebu-based manufacturing company needs audited financial statements for a bank loan renewal. The treasurer coordinates with the external auditor in December, signs the confirmations for three banks in early January along with the board resolution, and receives clean responses within ten days—allowing timely opinion issuance.

Example scenario 2: An OFW in the Middle East maintains peso and dollar accounts for a family business undergoing its first formal audit. She executes the authorizations before a notary in her host country, has them apostilled at the Philippine embassy, and emails the scanned set. The banks process after verification, adding about ten days but completing without issue once documentation is complete.

Example scenario 3: A sole proprietor with accounts in both a large commercial bank and a rural bank finds the rural bank slower and more document-heavy. Early follow-up and providing extra identification resolves it without affecting the overall audit timeline.

Special Considerations for Foreign Currency Deposits and Foreigners

Foreign currency deposits enjoy similar absolute confidentiality under RA 6426. Written consent remains the straightforward route for audit confirmations. The process is essentially the same, though some banks apply extra internal compliance checks for forex accounts due to reporting obligations.

Foreign account holders or those signing documents abroad should anticipate apostille requirements under the Hague Apostille Convention (to which the Philippines is a party). Philippine banks are generally familiar with apostilled documents from major jurisdictions. If your home country is not a Hague member, consularization through the Philippine embassy or consulate may be needed instead. Always confirm the specific bank's current policy, as digital acceptance has increased but is not universal.

When Written Permission Is Not Sufficient

If the deposit itself is disputed in ongoing litigation (for example, ownership claims in estate settlement or collection cases), a court order under the "subject matter of the litigation" exception may be required. Your counsel can file the appropriate motion or subpoena duces tecum in the proper Regional Trial Court or Metropolitan Trial Court. The court evaluates whether the request fits the narrow exception.

For BIR tax audits or assessments, detailed deposit information generally still requires your consent or a court order; the existence of audited financial statements does not automatically grant the BIR access to underlying bank records. Other regulatory bodies (BSP for supervised institutions, PDIC in unsafe banking situations, AMLC with probable cause) have their own statutory carve-outs, but these fall outside ordinary private audit engagements.

Frequently Asked Questions

Can my Philippine bank disclose account information to my external auditor without my written permission?
No. Section 2 of RA 1405 requires written permission of the depositor for this type of voluntary disclosure in a private audit engagement. Verbal approval, implied consent, or an old blanket authorization from a prior year is not sufficient. Your auditor will provide a specific confirmation request form for you to sign.

What information does a standard bank confirmation for an audit usually cover?
It typically confirms account balances as of a cutoff date, details of outstanding loans or credit facilities, guarantees or contingencies, and sometimes the existence of safe deposit boxes or other banking relationships. Full transaction histories or copies of checks are not part of the standard request and require separate, specific authorization if truly needed.

Do I need to notarize the authorization letter or confirmation request?
Many banks require notarization to verify identity and authenticity, especially for corporate accounts or higher-value relationships. Check with your specific bank or have your auditor confirm the requirement in advance. Notarization follows the Rules on Notarial Practice and adds a small step but prevents later rejection.

How long does it normally take for a bank to respond to an audit confirmation request in the Philippines?
Responses usually arrive within 5 to 15 banking days for major commercial and universal banks. Smaller or rural banks may take longer. Peak season (January–March) can extend timelines, so initiate the process early in the audit planning stage.

What if I have accounts in multiple banks for my company's audit?
You generally need separate authorizations or confirmation requests for each bank. Your auditor coordinates the process across all institutions. Material accounts must be covered; immaterial ones may sometimes be verified through alternative procedures such as bank statements and reconciliations.

Can a foreign auditor or an auditor based outside the Philippines receive information from my Philippine bank?
Yes, provided you give proper written permission naming that specific auditor or firm. The information is released directly to them. For documents signed abroad, apostille or consular authentication is usually required. Many international audit firms with Philippine affiliates handle this routinely through their local teams.

Does bank secrecy apply differently to foreign currency (dollar) deposits for audit purposes?
The confidentiality rule is similar under RA 6426, and written consent of the depositor remains the primary exception. The practical steps—signed confirmation request, supporting authority documents, and bank processing—are essentially the same, though some banks apply additional compliance reviews for forex accounts.

What happens if the bank refuses to disclose even after I provide written permission?
This is uncommon when documentation is complete and the signatory has clear authority. Possible reasons include mismatched signature cards, missing board resolutions, or requests that go beyond standard confirmation scope. Provide any requested supplements promptly. Persistent refusal without valid reason is rare for routine audits; your auditor can follow up formally, and in extreme cases legal remedies exist but are seldom needed.

Can the BIR obtain my detailed bank deposit information just because my financial statements were audited?
Generally no. Audited financial statements provide aggregated figures. The BIR's access to underlying bank deposit details under RA 1405 still requires your written consent or a court order in most tax audit or assessment scenarios. The secrecy law continues to apply.

Are there differences for sole proprietors versus corporations when authorizing disclosure?
Sole proprietors can usually authorize with a simple signed request plus personal ID. Corporations require additional proof of internal authority (board resolution or secretary's certificate) because the account belongs to the entity, not the individual signer. Banks scrutinize corporate authority documents closely to avoid unauthorized disclosures.

Key Takeaways

  • RA 1405 protects deposit confidentiality but explicitly allows disclosure to your external auditor when you provide specific, written permission—making standard audit confirmations a routine and lawful process.
  • Coordinate early with your auditor, prepare engagement-specific authorizations, and secure proper corporate authority documents where needed to avoid delays.
  • Notarization and, for overseas signatories, apostille or consular authentication are often required—plan these steps ahead to meet audit deadlines.
  • Most Philippine banks are experienced with auditor confirmation requests and respond efficiently when documentation is complete; problems usually arise from incomplete or mismatched paperwork rather than the law itself.
  • For ordinary private audit engagements of businesses or individuals, court orders or government agency involvement are unnecessary—the consent route suffices.
  • Understanding these practical mechanics empowers you to maintain both privacy compliance and reliable financial reporting for lenders, investors, regulators, or other stakeholders who rely on your audited statements.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login