Yes. A Philippine bank can be required to refund or reimburse money lost through a phishing scam, particularly when inadequate security controls, system failures, employee misconduct, poor fraud monitoring, or delayed action contributed to the loss. But reimbursement is not automatic. The result usually depends on how the transaction happened, what the customer disclosed or approved, how quickly the incident was reported, and whether the bank exercised the high degree of diligence required by Philippine banking law.
When can a bank be liable for a phishing loss?
A bank’s liability is determined from the entire transaction—not simply from whether an OTP, password, or registered device was used.
| Situation | Likely effect on the claim |
|---|---|
| A scammer accessed the account and transferred money without the account holder’s approval | Stronger case for reimbursement, especially if the bank’s security or fraud controls failed |
| The customer disclosed an OTP, PIN, or password | This weakens the claim but does not automatically excuse a separate failure by the bank |
| The customer personally initiated the transfer after being deceived | Recovery from the bank is usually harder because the bank may argue it merely carried out the customer’s instruction |
| A new device, mobile number, or email address was registered immediately before the transfer | May indicate account takeover and failure of account-change safeguards |
| The transaction was unusually large, rapid, foreign, or inconsistent with normal activity | May support an argument that the bank’s fraud monitoring should have detected or blocked it |
| A bank employee, agent, or service provider participated in or enabled the fraud | The bank may be responsible for that person’s acts or omissions |
| The customer reported immediately, but the bank failed to trace or hold recoverable funds | The bank’s delayed response may become an important liability issue |
| The customer merely entered the wrong account number | This is normally an erroneous transfer, not a phishing-related unauthorized transaction |
| The transaction was an ordinary fraudulent credit card purchase | The credit card dispute and chargeback process generally applies rather than the AFASA temporary-hold procedure |
The most important distinction is between an unauthorized transfer and an authorized-but-induced transfer.
An unauthorized transfer happens when the scammer takes control of the account and completes the transaction without the account holder’s real consent. An authorized-but-induced transfer happens when the victim personally presses “send” or approves payment because of a fake investment, fake seller, impersonation call, romance scam, or similar deception.
Both involve fraud, but the second type is more difficult to recover from the bank because the transaction may have been technically initiated by the customer. Even then, bank liability may remain possible where the bank ignored obvious warning signs or failed to implement required security controls.
Philippine laws that protect victims of phishing scams
Financial Products and Services Consumer Protection Act
Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act of 2022, recognizes a financial consumer’s rights to:
- Protection of assets against fraud and misuse
- Data privacy and protection
- Fair treatment
- Timely handling and redress of complaints
Banks and other financial service providers must maintain a free consumer assistance mechanism, clearly explain what they are doing about a complaint, and implement information-security standards protecting the confidentiality, integrity, authenticity, availability, and non-repudiation of financial transactions. While an alleged unauthorized transaction is being investigated, the bank must suspend related interest, fees, and charges or provide a similar reasonable accommodation. (Supreme Court E-Library)
A bank cannot rely on an account agreement to take away the customer’s legal right to sue, obtain information, have a complaint addressed, or have personal data protected. The law also makes financial service providers responsible for the acts or omissions of their directors, officers, employees, and agents when dealing with consumers. They may be solidarily liable with accredited third-party service providers involved in financial transactions. (Supreme Court E-Library)
This means a standard clause stating that “all transactions made using the correct OTP are final” is not necessarily the end of the dispute. The clause must still be considered together with consumer-protection law, the bank’s own duties, and the actual evidence.
Anti-Financial Account Scamming Act
Republic Act No. 12010, or the Anti-Financial Account Scamming Act of 2024, commonly called AFASA, directly addresses phishing, vishing, smishing, account takeover, money mules, and other social-engineering schemes.
AFASA defines social engineering as obtaining sensitive identifying information through deception or fraud, resulting in unauthorized access to and control over a financial account. It includes scammers who impersonate banks or solicit credentials through calls, text messages, email, social media, and messaging applications. (Lawphil)
Under Section 6 of AFASA, banks and other BSP-supervised institutions must protect accounts using adequate risk-management systems and controls, including:
- Multi-factor authentication
- Automated fraud-management systems
- Account-owner verification
- Appropriate enrollment and device-registration controls
A bank found compliant by the BSP may be protected from liability for losses caused by AFASA offenses. Conversely, the law expressly provides for restitution of funds where the institution failed to employ adequate controls or failed to exercise the highest degree of diligence in preventing the loss. A criminal conviction of the scammer is not required before restitution may be ordered. (Lawphil)
Banks must exercise a very high degree of diligence
Philippine courts have repeatedly held that banking is affected with public interest. Banks must handle depositors’ accounts with meticulous care and observe standards higher than the ordinary diligence expected in most private transactions.
In Consolidated Bank and Trust Corporation v. Court of Appeals and L.C. Diaz and Company, the Supreme Court explained that the fiduciary nature of banking requires diligence higher than that of a “good father of a family.” Section 2 of the General Banking Law, Republic Act No. 8791, requires banks to maintain high standards of integrity and performance. (Supreme Court E-Library)
The Supreme Court has continued to describe the required standard as extraordinary or the highest degree of diligence, particularly in the handling of clients’ accounts. (Supreme Court E-Library)
Civil Code liability for negligence
The Civil Code of the Philippines provides additional legal grounds for recovery:
- Article 1159: Contracts must be complied with in good faith.
- Article 1170: A party guilty of fraud, negligence, delay, or violation of its obligation may be liable for damages.
- Articles 1172 and 1173: Negligence in performing an obligation creates liability based on the circumstances.
- Article 2176: A person whose fault or negligence causes damage may be liable under quasi-delict.
- Article 2180: Employers may be responsible for damage caused by employees acting within the scope of their work. (Lawphil)
These provisions can support claims for reimbursement, interest, and, in appropriate court cases, other proven damages.
Does sharing an OTP automatically remove the bank’s liability?
No, but it can seriously affect the outcome.
Customers are expected to protect passwords, PINs, OTPs, authentication codes, and other credentials. BSP rules allow banks to consider the account holder’s conduct before, during, and after the transaction when determining liability. The bank’s own acts or omissions—and those of its employees, agents, outsourced providers, and service providers—must also be examined.
Under Article 2179 of the Civil Code:
- If the customer’s negligence was the immediate and proximate cause of the loss, recovery may be denied.
- If the customer was only contributorily negligent and the bank’s lack of due care was the principal cause, recovery may still be allowed, although damages may be reduced. (Lawphil)
For example, suppose a customer disclosed an OTP during a fake bank call. Minutes earlier, the scammer had changed the registered device and email address. The account then sent several unusually large transfers to newly created recipients. If the bank failed to apply the required pause period, fraud monitoring, recipient verification, or behavioral checks, both the customer’s disclosure and the bank’s failures may be relevant.
The correct analysis is not merely, “Was an OTP used?” It is also:
- What exactly did the OTP authorize?
- Did the message identify the amount and recipient?
- Was the OTP used for login, device registration, password reset, or the actual transfer?
- Did the bank detect a new device or unusual location?
- Were contact details changed immediately beforehand?
- Did the transaction violate the customer’s normal pattern or limits?
- Did the bank receive and act on the fraud report promptly?
In Far East Bank & Trust Company v. Chante, the Supreme Court rejected reliance on transaction records alone where a system bug and major evidentiary gaps affected the questioned ATM withdrawals. The case did not involve modern phishing, but it illustrates an important principle: electronic authentication records are evidence, not necessarily conclusive proof that the account holder personally made or validly authorized the transaction. (Supreme Court E-Library)
Security controls banks are expected to maintain
BSP Circular No. 1213, Series of 2025, strengthened the information-technology controls expected of BSP-supervised financial institutions.
Depending on the institution’s operations and risk profile, relevant controls include:
- Real-time fraud monitoring
- Transaction-velocity and amount thresholds
- Monitoring of mobile-number, email, and device changes
- Geolocation checks
- Screening of suspicious devices, IP addresses, recipients, and merchants
- Detection of abnormal login and spending behavior
- Device fingerprinting
- Strong or adaptive authentication
- Detailed transaction alerts
- Recipient-identity verification
- A customer-accessible “kill switch”
- Customizable transaction limits
- A “money lock” feature
- Retention of detailed transaction logs
The circular also requires a 24-hour transaction pause after key account changes, such as changes to the registered mobile number, email address, or authenticated device, subject to limited alternatives involving strong controls and bank accountability. It directs institutions to reduce reliance on interceptable authentication methods such as OTPs sent by SMS or email.
A failure to implement or properly operate a relevant control can become evidence of inadequate risk management. However, the mere occurrence of fraud does not by itself prove that the bank’s systems were legally deficient.
What to do immediately after discovering a phishing transfer
1. Contact the bank through an official 24/7 fraud channel
Use the number shown in the bank’s official application, website, card, or account statement—not a number contained in the suspicious message.
Ask the bank to:
- Block online access and outgoing transfers
- Disable compromised cards or devices
- Activate the account’s kill switch, if available
- Mark each transaction as disputed
- Begin tracing the funds
- Contact every receiving institution
- Initiate the AFASA temporary-holding and coordinated-verification procedure
- Provide a case or complaint reference number
Do not wait for a police report or notarized affidavit before making the initial fraud report.
2. Give precise transaction information
Provide, as far as available:
- Account holder’s name
- Source account number
- Transaction amount
- Date and exact time
- Transaction reference number
- Recipient’s name and account number
- Receiving bank or e-wallet
- Transfer channel, such as InstaPay or PESONet
- Brief explanation of how the phishing occurred
BSP rules make the originating financial institution—the bank or provider from which the funds were sent—primarily responsible for assisting its customer and coordinating with the receiving institution.
3. Ask for a temporary hold under AFASA
Under BSP Circular No. 1215, Series of 2025, disputed funds transferred electronically between financial accounts may initially be held for up to five calendar days. The hold may be extended for up to 25 additional calendar days, for a total of 30 days. A longer hold requires an order from a competent court.
Upon receiving a complaint, the originating institution must verify the transaction information, preserve the source account, prepare a disputed-transaction report, and send holding requests to receiving and subsequent receiving institutions identified in the transfer chain.
A temporary hold is most useful when the money is still in the recipient account. If the funds have already been withdrawn, converted, or moved through several accounts, the hold may recover only part of the loss—or none at all. The coordinated verification must still proceed even when the funds are no longer present.
4. Submit supporting documents during the initial hold period
To support an extended hold, the account owner should submit a sworn complaint, affidavit, police report, or other supporting evidence within the initial five-day period, unless the applicable industry protocol permits otherwise. The documents should explain what happened and why the transaction is disputed.
A practical affidavit should state:
- When and how the scammer contacted you
- What the scammer claimed
- What information, link, application, or code was involved
- Whether you personally initiated or approved any transaction
- When you discovered the loss
- When and how you notified the bank
- The transaction references and recipient details
- Why you believe the transfers were unauthorized or fraudulently induced
Have the affidavit notarized when possible. If immediate notarization is unavailable, send the available evidence first and ask the bank what formal document must follow.
5. Secure all related accounts
Immediately:
- Change the online-banking password
- Change the password of the linked email account
- Remove unknown devices and application permissions
- Contact the telecommunications provider if SIM swapping is suspected
- Change PINs and disable compromised cards
- Review other bank accounts and e-wallets
- Enable lower transaction limits and stronger authentication
Use a clean, updated device where possible. Do not continue using a phone that may contain remote-access software or malicious applications until it has been properly checked.
6. Preserve evidence before deleting anything
Keep:
- Screenshots of messages, emails, websites, and social-media profiles
- The complete URL of the phishing page
- Email headers
- Call logs and phone numbers
- Audio recordings lawfully obtained
- OTP and transaction notifications
- Account statements
- Device-registration alerts
- Password-reset and contact-change notices
- Bank complaint acknowledgments
- Chat transcripts with the bank
- Police and incident reports
Export or back up messages before blocking the scammer. Write a chronological timeline while the details are still fresh.
7. Report the crime to law enforcement
A report may be made to the:
- Philippine National Police Anti-Cybercrime Group
- National Bureau of Investigation Cybercrime Division
- Cybercrime Investigation and Coordinating Center
- Appropriate local police unit
The BSP’s current complaint guide lists official law-enforcement reporting channels and encourages scam victims to make a criminal report.
In EastWest Rural Bank v. PNP Anti-Cybercrime Group Regional Anti-Cybercrime Unit 1, the Supreme Court dealt with a victim who disclosed an email address and OTP to a caller impersonating a bank employee. The Court upheld the use of a valid warrant to require the receiving bank to disclose account-holder and related computer data needed in the cybercrime investigation. The decision confirms that bank-secrecy rules do not prevent lawful tracing through proper judicial process. (Supreme Court E-Library)
What evidence should the bank investigate?
A proper investigation should go beyond confirming that the correct OTP or password was entered.
Relevant records may include:
- Login dates, times, IP addresses, and geolocation
- Device fingerprints and registered-device history
- Mobile-number and email-address changes
- Password-reset and account-recovery records
- OTP generation, delivery, and use
- The exact transaction linked to each OTP
- Recipient enrollment records
- Transaction limits and changes to those limits
- Fraud-management alerts and risk scores
- Behavioral or transaction-pattern anomalies
- The time the bank received the complaint
- The time hold requests were sent and acted upon
- Whether the recipient account had previous fraud flags
- Whether the funds were transferred onward or withdrawn
BSP Circular No. 1213 requires institutions to retain detailed transaction logs for at least five years, unless a longer period applies. These records can be important in a BSP adjudication or court case.
A consumer may not receive every internal fraud rule or confidential security detail. Still, the bank should provide a clear explanation of its factual findings and the basis for approving or denying reimbursement.
Documents commonly needed
| Document | Purpose |
|---|---|
| Government-issued ID | Verifies the complainant’s identity |
| Account statement or transaction history | Establishes the loss and transaction sequence |
| Written incident timeline | Organizes the facts |
| Screenshots, emails, texts, and call logs | Shows the phishing method |
| OTP, login, and device alerts | Helps determine what credentials were used |
| Bank complaint and reference number | Proves prompt reporting |
| Sworn affidavit or notarized complaint | Supports an extended hold and formal proceedings |
| Police, PNP-ACG, NBI, or CICC report | Supports the criminal and financial investigation |
| Telco certification or SIM-replacement record | Helps prove SIM swapping or loss of control |
| Proof of related expenses | Supports a claim for actual damages |
| Signed authorization or SPA | Required when another person acts for the victim |
Keep originals and submit copies unless the receiving office specifically requires the original.
How long does the process take?
| Process | Indicative period |
|---|---|
| Initial temporary hold | Up to 5 calendar days |
| Extended temporary hold | Up to 25 additional calendar days |
| Maximum administrative hold without court extension | 30 calendar days |
| Coordinated verification where no funds were held | Generally within 30 calendar days; up to 60 days for meritorious reasons |
| Notice of bank investigation result | Within 3 banking days after the investigation is concluded |
| BSP Consumer Assistance Mechanism | Approximately 55 to 65 days |
| BSP mediation | Approximately 50 to 60 days |
| BSP adjudication | Approximately 180 to 240 days, or 6 to 8 months |
The bank is not given an unlimited period simply because fraud investigations are complicated. BSP rules require the bank to formally inform the customer of the result within three banking days from the conclusion of its investigation. If the transaction is found unauthorized or fraudulent, the bank should correct or reverse it and related charges or make any provisional credit permanent.
The BSP periods are estimates stated in its official Circular No. 1169 FAQ. Cases involving several banks, multiple transfer layers, incomplete evidence, or high complaint volumes can take longer. (Bureau of the Treasury)
How to escalate an unresolved bank complaint to the BSP
The bank’s Financial Consumer Protection Assistance Mechanism, or FCPAM, is the first-level complaint process. The BSP Consumer Assistance Mechanism is the second-level process.
Follow these steps:
- File a written complaint with the bank’s FCPAM.
- Obtain proof of filing and a case reference.
- Wait for the bank’s response or document its failure to act.
- If unresolved, escalate the complaint through the BSP Online Buddy chatbot or the other channels in the BSP Consumer Assistance guide.
- Attach proof that the complaint was first submitted to the bank.
- Include a concise timeline, the amount claimed, transaction references, the bank’s response, and supporting evidence.
BSP-CAM does not generally require a lawyer. A representative may act for the complainant with a written and signed authorization. The bank must ordinarily submit an answer within 15 days after the BSP’s directive; the consumer may reply, and further exchanges or mediation may follow. (Bureau of the Treasury)
Can the BSP order the bank to reimburse the loss?
Yes. Under RA No. 11765, the BSP may adjudicate a purely civil financial claim seeking payment or reimbursement of up to ₱10 million. The principal claim limit excludes legal interest, attorney’s fees, and costs of suit. (Supreme Court E-Library)
Before formal adjudication, the consumer must first complete BSP-CAM. Mediation is voluntary because both sides must consent.
A formal BSP adjudication:
- Does not require payment of a filing fee
- Does not strictly require a lawyer
- Requires a verified formal complaint
- Requires supporting documents and witness affidavits, when available
- Cannot proceed simultaneously with a court or another tribunal involving the same claim
- Can award the actual money claim, legal interest, attorney’s fees, and costs
BSP adjudication does not award other forms of damages such as moral or exemplary damages. A consumer seeking those damages may need to file the proper court action instead. (Bureau of the Treasury)
The FCPA generally gives five years from the transaction or from discovery of deceit or material nondisclosure to bring a claim under the Act, subject to an absolute ten-year limit from the violation. Other causes of action may have different prescriptive periods, so delay should be avoided. (Supreme Court E-Library)
What compensation may be recovered?
Depending on the forum and evidence, possible relief may include:
- Reversal or refund of the unauthorized transfer
- Permanent retention of a provisional credit
- Reversal of interest, penalties, and transaction charges
- Legal interest
- Proven consequential or actual damages
- Attorney’s fees and costs where legally justified
- Moral or exemplary damages in a proper court case where bad faith, fraud, gross negligence, or other legal grounds are proven
The fact that a scammer committed the immediate theft does not necessarily break the connection between the bank’s negligence and the loss. The question is whether the bank’s breach was a substantial and legally proximate cause of the damage.
Common mistakes that weaken phishing claims
Reporting only through a phone call
A phone report is important, but obtain a reference number and follow it with a written complaint. Without a record, the time of notification may later be disputed.
Describing an account takeover as a “wrong transfer”
A wrong-account transfer and an unauthorized transfer follow different rules. Clearly state whether you personally entered the recipient and approved the payment.
Failing to disclose that an OTP was shared
Banks can usually determine that an OTP was used. Hiding this fact damages credibility. Explain exactly why it was shared, what the message said, and what you believed it would authorize.
Deleting messages or resetting the phone too early
Resetting may destroy evidence of malicious applications, account changes, links, and communications. Preserve evidence before cleaning the device.
Waiting for the bank’s final decision before reporting to police
Bank recovery and criminal investigation can proceed at the same time. A prompt police or cybercrime report may also support an extended temporary hold.
Accepting “valid OTP” as the entire investigation result
Ask whether the bank examined device changes, IP addresses, geolocation, payee enrollment, transaction behavior, limits, fraud alerts, and the timing of the complaint.
Filing false or exaggerated information
AFASA penalizes malicious reports that knowingly cause unwarranted holding of another person’s funds. A complaint should be accurate, specific, and supported by authentic evidence.
Special considerations for OFWs and foreigners
An OFW, foreign resident, or foreign account holder can generally use the bank’s complaint process and BSP-CAM without being physically present in the Philippines. Online submission and authorized representation are possible.
When another person will act on the account holder’s behalf, prepare a written authorization or Special Power of Attorney describing the representative’s authority to:
- Submit and receive documents
- Communicate with the bank and BSP
- Obtain transaction records
- Participate in mediation
- Enter into a settlement, if intended
For formal mediation or adjudication, a more specific SPA may be required. A document executed abroad may need notarization through a Philippine embassy or consulate, or an apostille from the competent authority of a country that is a party to the Apostille Convention. Documents not written in English or Filipino may also require a certified translation. Requirements should be confirmed with the bank, BSP, court, or agency receiving the document. (Philippine Embassy New Delhi)
Foreign citizenship does not ordinarily reduce the consumer protections attached to a Philippine bank account. What matters is the financial transaction and the jurisdiction of the Philippine regulator or court.
Frequently Asked Questions
Is a bank legally required to refund every phishing loss?
No. The bank must investigate the incident, but liability depends on the customer’s conduct, the bank’s controls and actions, causation, and the available evidence. AFASA specifically supports restitution where inadequate controls or failure to exercise the highest degree of diligence caused or contributed to the loss.
I gave the scammer my OTP. Can I still recover my money?
Possibly. Sharing the OTP is an important form of customer negligence and may reduce or defeat the claim. However, the bank must still examine whether its own security failures were the principal cause—for example, an unprotected device change, missing transaction pause, ignored fraud alerts, or clearly abnormal transfers.
What if I clicked a phishing link but did not approve any transfer?
That generally supports an unauthorized-transaction claim, especially if the scammer used captured credentials to register a device, reset the account, or transfer funds without your knowledge.
What if I personally sent money to the scammer?
A bank refund is harder because the payment instruction came from you. Your strongest claim may be against the scammer and recipient account holder. Bank liability may still arise if the bank failed to respond to clear fraud warnings, failed to apply required controls, or mishandled a prompt report while funds remained recoverable.
How quickly must I report the incident?
Immediately. Minutes can matter because InstaPay and other electronic transfers can be moved through several accounts quickly. Report first, then complete the affidavits and police documents.
Can the receiving bank freeze the scammer’s account?
The receiving institution may temporarily hold disputed funds under AFASA and BSP rules when the legal conditions are met. The administrative hold can last up to 30 calendar days; further extension generally requires a court order.
Does bank secrecy prevent the banks from tracing the money?
No. AFASA and its implementing rules permit relevant information sharing among institutions during coordinated verification. Law-enforcement agencies may also obtain account and computer data through appropriate legal processes, including a court-issued cybercrime warrant.
Does the bank have to provide its internal logs to me?
Not necessarily every confidential internal record. However, the bank must conduct a meaningful investigation and provide a clear explanation of the result. The BSP can examine bank records and systems, and records may be obtained through adjudicatory or judicial procedures when legally relevant.
Can I complain to the BSP without a lawyer?
Yes. A lawyer is not required for BSP-CAM and is not strictly required for BSP adjudication. Formal adjudication has procedural and evidentiary requirements, however, so careful preparation is important.
Does the AFASA temporary hold apply to fraudulent credit card purchases?
Generally, no. BSP Circular No. 1215 excludes ordinary credit card transactions, except when the credit card is used to perform an electronic fund transfer through an Automated Clearing House. Fraudulent card purchases should be disputed promptly through the card issuer’s fraud and chargeback process.
Key Takeaways
- A bank can be liable for a phishing loss when inadequate controls, negligence, system failures, employee misconduct, or delayed action caused or contributed to the loss.
- Sharing an OTP weakens a claim but does not automatically erase possible bank liability.
- AFASA allows restitution without first obtaining a criminal conviction when the bank failed to employ adequate risk-management systems or the highest degree of diligence.
- Report the transaction immediately through the originating bank’s official 24/7 fraud channel and request tracing, temporary holding, and coordinated verification.
- Submit a sworn complaint, affidavit, police report, and supporting evidence as early as possible—preferably within the initial five-day holding period.
- Preserve messages, transaction records, device alerts, call logs, and every bank complaint reference.
- Escalate an unresolved complaint to BSP-CAM after using the bank’s FCPAM.
- The BSP may adjudicate purely civil reimbursement claims of up to ₱10 million, while broader damages may require a court case.