Can a Bank Be Liable for Losses From Phishing Scams in the Philippines?

Yes, a bank can be liable for losses from phishing scams in the Philippines — but not automatically. The real question is whether the loss happened only because the victim was deceived, or whether the bank, e-wallet provider, or other financial institution failed to use the level of security, fraud monitoring, verification, and urgency required by Philippine law. This matters because phishing cases move fast: money can be transferred in seconds, withdrawn within minutes, and passed through several accounts before the victim fully understands what happened.

Philippine law now gives scam victims stronger tools than before. Banks and other BSP-supervised institutions must maintain adequate fraud controls, respond to disputed transactions, and, in proper cases, temporarily hold suspicious funds. A customer who clicked a fake link or entered an OTP is not automatically disqualified from recovering money. But the customer must act quickly and build a clear evidence trail.

Quick Answer: When Can a Bank Be Liable for a Phishing Scam?

A bank, e-wallet provider, or other BSP-supervised financial institution may be liable when it:

Situation Why it matters
Failed to use adequate risk management systems and controls The Anti-Financial Account Scamming Act, RA 12010, requires institutions to protect financial accounts using controls such as multi-factor authentication, fraud management systems, and proper verification.
Failed to exercise the highest degree of diligence Banks in the Philippines are held to a very high standard because banking is affected with public interest.
Failed to act promptly after a fraud report Under BSP rules on disputed transactions, institutions must have fraud reporting channels and may be required to temporarily hold funds.
Ignored red flags Examples include a new device, unusual transaction amount, rapid transfers, suspicious beneficiary account, sudden change in limits, or abnormal login location.
Sent or allowed risky clickable links BSP IT risk rules restrict the sending of clickable links or QR codes through email, SMS, or messaging apps unless specific conditions are met.
Could not produce reliable transaction logs Logs are important because they show device, IP address, transaction reference, authentication method, beneficiary details, and timing.
Allowed unauthorized withdrawals due to system error or weak procedures Philippine Supreme Court cases have repeatedly held banks liable for losses caused by internal lapses, weak verification, or system defects.

On the other hand, a bank may avoid liability if it proves that it had adequate controls, acted with the required diligence, and the loss was caused by the customer’s own act without any institutional lapse.

What Is Phishing in Philippine Banking?

Phishing is a form of deception where scammers trick a person into giving sensitive banking information, such as:

  • Online banking username and password
  • One-time password or OTP
  • Card number, CVV, or expiry date
  • Mobile banking PIN
  • Account number and identifying details
  • SIM, device, or email access
  • Personal information used to reset passwords

Common phishing methods in the Philippines include:

  • Fake bank SMS messages saying an account is “locked”
  • Fake delivery, customs, or e-wallet links
  • Calls from scammers pretending to be bank officers
  • Fake Facebook Marketplace or online selling payment confirmations
  • Emails that look like official bank advisories
  • QR code scams
  • Fake investment or job platforms asking users to “verify” bank accounts
  • SIM-swap scams combined with online banking takeover

Under RA 12010, phishing-type conduct generally falls under social engineering schemes. The law describes social engineering as obtaining another person’s sensitive identifying information through deception or fraud, resulting in unauthorized access or control over a financial account.

The Main Philippine Laws That Apply

Anti-Financial Account Scamming Act: RA 12010

The most important current law is the Anti-Financial Account Scamming Act, or RA 12010, signed in 2024.

RA 12010 covers scams involving financial accounts, including:

  • Bank accounts
  • Deposit accounts
  • Trust and investment accounts
  • Credit card accounts
  • Transaction accounts
  • E-wallet accounts
  • Accounts with payment service providers and other BSP-supervised institutions

The law punishes money muling and social engineering schemes. More importantly for victims, it also imposes duties on financial institutions.

Under Section 6 of RA 12010, institutions must protect access to financial accounts using adequate risk management systems and controls, such as:

  • Multi-factor authentication
  • Fraud management systems
  • Proper enrollment procedures
  • Reliable verification processes
  • Other security controls appropriate to the risk

The law also provides a key rule on liability: if the BSP determines that the institution complied with adequate risk controls, the institution is not liable for losses arising from money muling or social engineering offenses. But if the institution failed to employ adequate controls or failed to exercise the highest degree of diligence in preventing loss or damage, it can be liable for restitution to the account owner.

Importantly, a criminal conviction is not required before restitution may be ordered when the institution’s own failure caused or contributed to the loss.

Financial Products and Services Consumer Protection Act: RA 11765

The Financial Products and Services Consumer Protection Act, RA 11765, gives financial consumers specific rights, including:

  • Fair and equitable treatment
  • Protection of consumer assets against fraud and misuse
  • Data privacy and data protection
  • Timely handling and redress of complaints
  • Clear disclosure and responsible conduct by financial service providers

RA 11765 also requires financial service providers to maintain a free Financial Consumer Protection Assistance Mechanism, often called FCPAM. This is the bank’s or financial institution’s internal complaint and redress system.

If the consumer is not satisfied, the complaint may be elevated to the regulator, such as the Bangko Sentral ng Pilipinas for BSP-supervised institutions.

For purely civil financial disputes involving payment or reimbursement, the BSP may adjudicate claims within its authority, generally up to PHP 10 million, subject to the rules in BSP Circular No. 1169, Series of 2023.

General Banking Law and the Civil Code

The General Banking Law of 2000, RA 8791, recognizes the fiduciary nature of banking. In plain English, this means banks are expected to handle depositors’ money with a very high degree of care.

The Civil Code also matters. Under Article 1172, responsibility arising from negligence in the performance of an obligation is demandable. In banking disputes, this often comes up as culpa contractual, or negligence in the performance of a contractual obligation. Once a depositor shows that the bank failed to properly perform its obligation, the bank may need to prove that it was not negligent.

The Supreme Court explained in Consolidated Bank and Trust Corporation v. Court of Appeals and L.C. Diaz that banks must treat depositors’ accounts with meticulous care. The Court also stated that the banking standard is higher than the diligence of a good father of a family.

Supreme Court Guidance: Banks Are Held to a High Standard

Philippine case law is very helpful in understanding phishing-related bank liability, even though older cases may involve checks, ATM withdrawals, or unauthorized branch transactions rather than modern phishing links.

BDO v. Seastres: Unauthorized Withdrawals and Bank Negligence

In Banco de Oro Universal Bank, Inc. v. Seastres, the Supreme Court held the bank liable for unauthorized withdrawals and emphasized that a bank’s use of a third-party service provider does not reduce its obligation to the depositor. The Court found the bank negligent and liable for substantial damages.

The practical lesson is simple: a bank cannot escape responsibility by saying that another party, system, or contractor handled part of the process. If the account is with the bank, the bank remains responsible for the required level of diligence.

Solidbank v. L.C. Diaz: Banks Must Treat Accounts With Meticulous Care

In Solidbank v. L.C. Diaz, the Supreme Court emphasized that banks must exercise a high degree of care because the business of banking is imbued with public interest. The Court also explained that when the claim is based on breach of the bank’s contractual obligation, the bank cannot simply rely on general defenses about employee supervision.

This doctrine is useful in phishing disputes where the consumer argues that the bank’s systems, personnel, or procedures failed.

Far East Bank v. Chante: System Bugs and Unauthorized ATM Transactions

In Far East Bank and Trust Company v. Chante, the dispute involved ATM withdrawals and a system bug. The Supreme Court did not simply assume that the customer was responsible. It looked at the bank’s system, evidence, and ability to prove that the funds were validly dispensed.

This is important in digital scam cases because banks often rely on system logs. But system logs must be complete, reliable, and persuasive. A bank’s records are evidence, not magic words.

PNB v. Pike: Weak Verification Can Create Liability

In Philippine National Bank v. Pike, the Supreme Court held the bank liable for unauthorized withdrawals where the bank failed to follow proper verification procedures. The decision reflects a consistent rule: where money is taken from an account through weak procedures, the bank may be liable.

Is the Bank Automatically Liable if the Customer Was Phished?

No. Phishing cases are usually fact-heavy.

The bank will often argue:

  • The correct username and password were used.
  • The OTP was entered.
  • The transaction passed authentication.
  • The customer clicked the link or shared credentials.
  • The bank sent warnings not to share OTPs.
  • The bank’s system showed a valid transaction.

The customer may respond:

  • The transaction was unauthorized.
  • The OTP or credentials were obtained through fraud.
  • The bank failed to detect unusual behavior.
  • The bank allowed a new device, new beneficiary, or large transfer without adequate checks.
  • The bank did not send timely alerts.
  • The bank failed to stop transactions after the report.
  • The bank failed to temporarily hold funds.
  • The bank’s own messages, links, or processes confused customers.
  • The bank could not produce complete logs.

In real life, the result may not be all-or-nothing. A court or regulator may find that both sides contributed to the loss. In some Supreme Court banking cases, contributory negligence reduced recovery, but it did not automatically free the bank from liability.

Why Timing Matters: Transfers Can Move in Seconds

Many phishing losses involve account-to-account electronic fund transfers through channels such as InstaPay or PESONet.

Under BSP rules on account-to-account electronic fund transfers, near-real-time EFTs can result in immediate credit to the receiving account within seconds. This is why the first hour after the scam is critical.

If you discover a phishing transaction, do not wait for “banking hours” if the bank has a 24/7 fraud channel. Report immediately and ask for urgent action.

What to Do Immediately After a Phishing Scam

1. Call the bank’s fraud hotline or use the official in-app support channel

Report the unauthorized transaction immediately. Ask the bank to:

  • Block online banking access
  • Freeze or restrict the affected account
  • Disable transfers temporarily
  • Block the card, if involved
  • Start a fraud investigation
  • Issue a complaint or case reference number
  • Initiate a temporary hold request if funds were transferred to another institution

Use only official channels from the bank’s website, official app, or card back. Do not use hotline numbers from SMS links or social media comments.

2. Report the receiving account or e-wallet

If you can see the beneficiary bank, e-wallet, account number, mobile number, or transaction reference, report it too. Give the receiving institution:

  • Date and time of transaction
  • Amount
  • Transaction reference number
  • Sender account
  • Receiving account or wallet details
  • Screenshots of the transfer
  • Your bank’s complaint reference number

This matters because the receiving institution may still be able to temporarily hold funds if the money has not yet been withdrawn or moved.

3. Submit a written dispute immediately

A phone call is important, but a written complaint creates a clearer record.

Send the bank an email or secure message stating:

  • The transaction was unauthorized.
  • You are disputing it.
  • You request immediate investigation.
  • You request preservation of logs.
  • You request temporary holding of funds, if applicable.
  • You request a written report or explanation of the bank’s findings.

Avoid careless phrases like “I authorized the transaction but was scammed.” If the transfer was made because your credentials were stolen or you were deceived into entering details on a fake site, say clearly that the transaction was unauthorized and caused by fraud.

4. Preserve all evidence

Save everything before it disappears:

  • SMS messages
  • Email headers and sender addresses
  • Screenshots of fake websites
  • URLs
  • Call logs
  • Chat messages
  • Transaction receipts
  • Bank alerts
  • OTP messages
  • Device screenshots
  • Complaint reference numbers
  • Names or IDs of bank agents you spoke with
  • Timeline of events

Do not delete the phishing SMS or email. It may contain useful technical details.

5. Change passwords and secure your accounts

Immediately change passwords for:

  • Online banking
  • Email used for banking
  • E-wallets
  • Mobile phone account
  • Social media accounts connected to identity verification

Also:

  • Remove unknown devices from banking apps.
  • Revoke active sessions.
  • Change email recovery options.
  • Call your telco if SIM-swap or number takeover is suspected.
  • Enable stronger authentication where available.

6. Escalate to the BSP if the bank does not act properly

The BSP states that the bank’s FCPAM is the first-level recourse. If the bank does not act within a reasonable period, or if you are dissatisfied, you may escalate through the BSP’s consumer assistance process.

The BSP’s own guide explains the process through the BSP Online Buddy and consumer assistance channels.

Prepare proof that you first reported the matter to the bank.

7. Report to cybercrime authorities

For criminal investigation, victims commonly report to:

  • Philippine National Police Anti-Cybercrime Group
  • National Bureau of Investigation Cybercrime Division
  • Cybercrime Investigation and Coordinating Center
  • The bank or e-wallet provider’s fraud investigation unit

Relevant criminal laws may include the Cybercrime Prevention Act of 2012, RA 10175, the Access Devices Regulation Act, RA 8484, and RA 12010.

Temporary Holding of Funds Under BSP Rules

A major development for phishing victims is the BSP framework on temporary holding of funds subject of disputed transactions.

Under BSP Circular No. 1215, Series of 2025, BSP-supervised institutions involved in electronic fund transfers must follow rules on temporary holding and coordinated verification of disputed transactions.

In practical terms:

  • A victim reports a disputed transaction.
  • The originating institution verifies the complaint.
  • If the funds went to another institution, the originating institution may send a holding request.
  • The receiving institution checks whether funds remain.
  • Funds subject to a valid hold may be restricted while verification proceeds.
  • Funds generally cannot be held indefinitely without court authority.

The circular provides that temporary holding is generally limited to a maximum of 30 calendar days, including initial and extended holding periods, unless extended by a competent court.

The practical bottleneck is that scammers often withdraw or move funds quickly. If the money is already gone, the receiving bank may have nothing left to hold. This is why immediate reporting is essential.

Important Timelines in Phishing and Unauthorized Transfer Cases

Step or issue Typical rule or practical timeline
Near-real-time transfer Funds may reach the receiving account within seconds.
Fraud report to bank Should be done immediately, ideally within minutes or hours.
Initial temporary holding BSP rules allow short initial holding periods while verification begins.
Maximum temporary hold Generally up to 30 calendar days unless extended by court.
Coordinated verification if funds are held Generally completed within 30 calendar days.
Coordinated verification if no funds are held May be completed within 30 calendar days, extendable for meritorious reasons but not beyond the allowed maximum under the circular.
Bank complaint process Starts with the bank’s FCPAM. Response time varies depending on complexity.
BSP escalation Available if the consumer is dissatisfied or the bank fails to act within a reasonable period.
BSP adjudication May be available for purely civil financial claims within BSP authority, generally up to PHP 10 million.
Court action May be needed for larger claims, damages, provisional remedies, or cases involving multiple non-bank defendants.

Evidence That Can Strengthen a Claim Against the Bank

A phishing victim’s case becomes stronger when there is evidence that the bank’s systems or response failed.

Helpful evidence includes:

  • The transaction was unusual compared with your normal banking behavior.
  • A new device was enrolled shortly before the transfer.
  • A new beneficiary was added without proper verification.
  • Your transfer limit was increased without strong authentication.
  • Large or rapid transfers were allowed despite red flags.
  • The bank did not send timely transaction alerts.
  • The bank’s alert arrived only after the money was gone.
  • You reported immediately, but the bank delayed action.
  • The bank failed to send a temporary hold request.
  • The receiving institution failed to act despite an urgent request.
  • The bank refused to provide a clear investigation result.
  • The bank could not explain the IP address, device ID, location, or authentication method.
  • The bank’s own message included a clickable link that confused customers.
  • There were many similar complaints against the same beneficiary account or scam pattern.

Under BSP Circular No. 1213, Series of 2025, BSP-supervised financial institutions must maintain controls to prevent unauthorized digital onboarding, linking, and transactions. They must also collect and retain relevant transaction logs for at least five years.

Those logs can become important evidence in a dispute.

Documents to Prepare

Document or evidence Why it matters
Valid government ID Needed for bank complaint, BSP complaint, and law enforcement report.
Bank statement or transaction history Shows the unauthorized debit and account details.
Transaction receipt or reference number Helps trace the transfer.
Screenshots of SMS, emails, chats, or fake websites Shows the phishing method.
Call logs Helps prove when you reported the incident.
Bank complaint reference number Shows that you used the bank’s FCPAM first.
Written complaint to the bank Creates a formal paper trail.
Police, NBI, or cybercrime report Helps support fraud allegations and tracing.
Timeline of events Helps investigators understand exactly what happened.
Device and SIM information Useful if there was SIM-swap, device takeover, or malware.
Authorization letter or SPA Needed if an OFW, foreigner, elderly person, or unavailable account owner will act through a representative.
Corporate secretary’s certificate or board resolution Needed if the account belongs to a corporation or organization.

Special Notes for OFWs and Foreigners With Philippine Bank Accounts

Phishing victims are often overseas when the scam happens. This creates practical problems because Philippine banks may require identity verification, wet signatures, or notarized documents.

For OFWs and foreigners abroad:

  • Ask the bank whether it accepts secure email, in-app complaint filing, or video verification.
  • If appointing a representative in the Philippines, prepare a Special Power of Attorney.
  • If the SPA is signed abroad, the bank may require consular acknowledgment or apostille, depending on the country where it was signed.
  • Attach a copy of the passport or government ID used by the account owner.
  • If documents are in a foreign language, an English translation may be required.
  • Keep time-zone proof and screenshots showing when you discovered and reported the fraud.

RA 12010 can apply when the financial account is maintained with a Philippine institution or when the damage affects a person in the Philippines. A victim outside the Philippines should still report promptly to the Philippine bank or e-wallet provider.

Common Scenarios in Philippine Phishing Cases

“I clicked a fake bank link and entered my OTP. Can I still recover?”

Possibly, but it will be harder.

The bank will argue that the OTP proves authorization. You will need to show why the transaction should still be treated as unauthorized or why the bank failed to prevent the loss despite warning signs.

Relevant questions include:

  • Was the website clearly fraudulent?
  • Did the bank send confusing clickable links?
  • Was a new device enrolled?
  • Was the transaction unusual?
  • Were there multiple rapid transfers?
  • Did the bank send timely alerts?
  • Did you report immediately?
  • Did the bank act fast enough to hold funds?

Sharing an OTP is a serious weakness in the case, but it is not always the end of the inquiry.

“The bank says the transaction was valid because it used my password and OTP.”

Ask for the basis of the finding.

A proper investigation should not stop at “OTP used.” It should consider:

  • Device used
  • IP address
  • Location indicators
  • Browser or app information
  • Time of login
  • Whether a new device was registered
  • Whether credentials were reset
  • Whether transfer limits were changed
  • Beneficiary account details
  • Fraud monitoring alerts
  • Timing of your report

A valid authentication event is evidence, but it may not be conclusive if the authentication was obtained through social engineering and the bank failed to act on red flags.

“The money went to another bank or e-wallet. Who is responsible?”

There may be more than one institution involved:

  • The originating bank where the money came from
  • The receiving bank or e-wallet
  • Any intermediary payment system
  • The beneficiary account owner or money mule
  • The scammer or criminal syndicate

The originating bank should help initiate the fraud report and holding process. The receiving institution may have duties once notified or once its fraud monitoring system detects suspicious funds.

If a receiving institution fails to temporarily hold funds when required, RA 12010 and BSP rules may make that institution liable for loss or damage, including restitution.

“What if the scammer already withdrew the money?”

Recovery becomes more difficult, but the case is not automatically over.

The investigation should examine:

  • Whether the receiving institution had time to hold the funds
  • Whether the funds were transferred again
  • Whether the account was a money mule account
  • Whether the bank ignored suspicious account behavior
  • Whether KYC procedures were weak
  • Whether the institution failed to coordinate verification

Criminal tracing may still identify the money mule or scammer, but practical recovery may take longer.

“What if my phone was stolen or my SIM was taken over?”

Report to both the bank and the telco immediately.

Ask the bank to check:

  • Device registration
  • Login history
  • SIM or mobile number changes
  • Password resets
  • OTP delivery records
  • Failed login attempts
  • Changes in email or mobile number
  • Beneficiary enrollment

SIM-swap and phone theft cases often turn on whether the bank’s authentication system was strong enough and whether suspicious account changes triggered proper verification.

“Does the same rule apply to credit cards?”

Credit card disputes have their own rules and card-network processes. BSP Circular No. 1215 mainly addresses account-to-account electronic fund transfers and generally does not cover ordinary credit card transactions, except when a credit card is used to initiate an electronic fund transfer through an automated clearing house.

For credit card phishing, still report immediately, request card blocking, dispute the charges, and ask the issuer for chargeback or reversal procedures where available.

Where to File Complaints

Where to file Purpose
Bank or e-wallet FCPAM First-level complaint, account blocking, investigation, temporary holding request, refund or reversal request.
BSP Consumer Assistance Mechanism Second-level escalation if the institution does not act reasonably or you are dissatisfied.
BSP mediation or adjudication Possible route for civil reimbursement claims within BSP authority.
PNP Anti-Cybercrime Group Criminal investigation and cybercrime reporting.
NBI Cybercrime Division Criminal investigation, digital evidence, scam tracing.
Cybercrime Investigation and Coordinating Center Assistance and coordination for cybercrime reports.
Regional Trial Court Civil or criminal court proceedings, especially for larger claims, damages, provisional remedies, or complex multi-party disputes.

Under RA 12010, criminal cases for offenses under the law fall within the jurisdiction of the Regional Trial Court.

What Remedies Are Possible?

Depending on the facts, possible remedies may include:

  • Restitution or refund of the lost amount
  • Return of temporarily held funds
  • Reversal of disputed charges
  • Suspension or reversal of interest, fees, or penalties during investigation
  • Administrative sanctions against the bank or financial institution
  • Criminal prosecution of scammers, money mules, or insiders
  • Civil damages in court, such as actual damages, moral damages, exemplary damages, attorney’s fees, and costs, if legally proven

For many ordinary consumers, the most practical first goal is recovery of the transferred amount through the bank complaint process, temporary holding, coordinated verification, and BSP escalation.

Court action may become necessary when:

  • The amount is large
  • The bank denies liability despite strong evidence
  • Funds were moved through multiple institutions
  • There is suspected insider involvement
  • The case involves damages beyond simple reimbursement
  • The BSP route is unavailable or insufficient
  • The claim exceeds BSP adjudication limits

How to Write a Strong Bank Complaint

A clear complaint is better than an emotional but vague one. Include the key facts in order.

A practical structure is:

  1. Identify the account and disputed transaction. State your name, account type, last four digits of the account if appropriate, transaction date, amount, and reference number.

  2. State clearly that the transaction was unauthorized. Say that you did not intend to transfer funds to the beneficiary and that the transaction resulted from phishing, social engineering, account takeover, or fraud.

  3. Give the timeline. Include when you received the message, clicked the link, received OTPs, noticed the debit, called the bank, and received a reference number.

  4. Request urgent protective action. Ask the bank to freeze or restrict the affected account, disable suspicious access, and initiate temporary holding or coordinated verification.

  5. Ask for preservation and review of logs. Request review of device, IP, login, authentication, beneficiary enrollment, transfer limit, and transaction monitoring logs.

  6. Attach evidence. Include screenshots, receipts, SMS, emails, call logs, and police or cybercrime reports if already available.

  7. Ask for a written result. Request a written explanation of the investigation, including the basis for any denial.

Do not include your password, PIN, CVV, full OTP, or full card number in emails or complaint portals.

Frequently Asked Questions

Can a bank be liable for phishing losses in the Philippines?

Yes. A bank can be liable if it failed to use adequate fraud controls, failed to exercise the highest degree of diligence, failed to act properly after a report, or failed to temporarily hold disputed funds when required. Liability is not automatic; it depends on the evidence.

Can I get my money back if I clicked a phishing link?

Possibly. Clicking a phishing link makes the case harder, but it does not automatically defeat your claim. The bank’s security controls, transaction monitoring, alerts, response time, and handling of suspicious transfers still matter.

Is sharing an OTP considered authorization?

Banks often argue that OTP use proves authorization. But in phishing and social engineering cases, OTPs may be fraudulently obtained. The question is whether the bank can prove the transaction was properly authorized and whether it complied with required security and fraud controls.

Does the bank need to wait for the scammer to be convicted before refunding me?

Not always. Under RA 12010, conviction is not a prerequisite to restitution when the institution failed to employ adequate risk management systems or failed to exercise the highest degree of diligence.

What should I do first after discovering a phishing transfer?

Call the bank’s official fraud hotline or use the official app immediately. Ask for account blocking, fraud investigation, a complaint reference number, and temporary holding of funds if the money was transferred out.

How long does a bank phishing investigation take?

It depends on the complexity, number of institutions involved, and whether funds are still available. BSP rules on temporary holding and coordinated verification use calendar-day periods, including a general 30-day maximum for temporary holding unless extended by court.

Can BSP order a bank to reimburse me?

For certain civil financial consumer disputes within its authority, the BSP may adjudicate claims involving payment or reimbursement, generally up to PHP 10 million. The consumer normally must first go through the bank’s FCPAM and BSP Consumer Assistance Mechanism.

What if the money was sent to an e-wallet?

RA 12010 covers financial accounts including e-wallets and transaction accounts with payment service providers. Report to both the originating bank and the e-wallet provider immediately. Escalate to the BSP if the institution is BSP-supervised and does not act properly.

Can an OFW or foreigner file a complaint from abroad?

Yes. An OFW or foreigner with a Philippine bank or e-wallet account can file a complaint. If someone in the Philippines will act for the victim, the bank may require a Special Power of Attorney, and if signed abroad, it may need consular acknowledgment or apostille.

What if the bank already denied my claim?

Ask for the written investigation report and the specific basis for denial. Then escalate to the BSP Consumer Assistance Mechanism with your complaint, reference numbers, screenshots, transaction records, and proof that you first reported to the bank.

Key Takeaways

  • A bank can be liable for phishing losses in the Philippines, but liability depends on evidence.
  • RA 12010 requires banks and other financial institutions to use adequate fraud controls and the highest degree of diligence.
  • A customer who entered an OTP or clicked a phishing link is not automatically barred from recovery.
  • Immediate reporting is critical because electronic transfers can move in seconds.
  • Ask the bank to block access, investigate, preserve logs, and initiate temporary holding or coordinated verification.
  • Use the bank’s FCPAM first, then escalate to the BSP if the response is unreasonable or unsatisfactory.
  • Report serious phishing incidents to cybercrime authorities, especially when money mules, fake accounts, or organized scam groups are involved.
  • Strong evidence, a clear timeline, and fast action greatly improve the chances of recovery.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.