Credit Card Fraud Dispute and Bank Liability

Introduction

Credit card fraud is one of the most common consumer banking disputes in the Philippines. It may involve unauthorized online purchases, stolen cards, cloned cards, phishing, SIM swap fraud, account takeover, fraudulent card-not-present transactions, unauthorized cash advances, or charges made after the cardholder reported the card lost or compromised.

When fraud occurs, the immediate question is usually: Who bears the loss — the cardholder, the bank, the merchant, the payment network, or another third party?

The answer depends on the facts, the cardholder agreement, the timing of notice, the bank’s security systems, the authentication method used, the merchant’s role, the cardholder’s conduct, applicable banking regulations, electronic commerce rules, data privacy obligations, and general principles of contract, negligence, consumer protection, and evidence.

In the Philippine context, banks and credit card issuers are not automatically liable for every fraudulent transaction. But cardholders are also not automatically liable simply because a transaction appears on their statement. The legal issue is whether the transaction was authorized, whether the bank exercised the required degree of diligence, whether the cardholder promptly reported the fraud, and whether the bank fairly investigated the dispute.

I. What Is Credit Card Fraud?

Credit card fraud refers to the unauthorized use of a credit card, card details, card account, payment credentials, or related authentication information to obtain goods, services, cash, or financial benefit.

It may occur through:

  1. Lost or stolen physical card use
  2. Card cloning or skimming
  3. Counterfeit card transactions
  4. Unauthorized online purchases
  5. Card-not-present fraud
  6. Phishing or fake bank websites
  7. One-time password interception
  8. SIM swap or mobile number takeover
  9. Account takeover through compromised online banking
  10. Unauthorized card replacement or delivery interception
  11. Merchant collusion
  12. Malware or spyware
  13. Social engineering
  14. Fraudulent subscriptions or recurring charges
  15. Unauthorized cash advances
  16. Fraudulent installment conversion
  17. Identity theft and card application fraud
  18. Compromised e-commerce accounts linked to the card

Fraud cases differ greatly. A stolen physical card case is not the same as a phishing case. A disputed online charge authenticated by OTP is different from a charge processed without cardholder verification. Liability analysis depends on the exact fraud pattern.

II. Parties Involved in a Credit Card Transaction

A credit card transaction usually involves several parties:

1. Cardholder

The person to whom the card was issued and who is contractually bound to pay valid charges.

2. Issuing Bank or Card Issuer

The bank or financial institution that issued the credit card and bills the cardholder.

3. Merchant

The business that accepted the card for payment.

4. Acquiring Bank

The bank or payment institution that processes card payments for the merchant.

5. Payment Network

The card network, such as Visa, Mastercard, JCB, American Express, or similar card scheme, whose rules may govern authorization, chargebacks, fraud monitoring, and dispute procedures.

6. Payment Gateway or Processor

For online transactions, a gateway may route the transaction and handle authentication or settlement.

7. Telecommunications or Digital Service Providers

In OTP, SIM swap, and account takeover cases, telcos, e-wallets, email providers, or device platforms may become relevant.

Although the cardholder usually deals directly with the issuing bank, liability may be allocated behind the scenes among merchants, acquiring banks, issuers, and networks through chargeback rules.

III. Common Types of Credit Card Fraud

A. Lost or Stolen Card Fraud

This occurs when the physical card is lost or stolen and used before cancellation.

Important issues include:

  • When the card was lost
  • When the cardholder discovered the loss
  • When the bank was notified
  • Whether the transaction occurred before or after reporting
  • Whether the transaction required signature, PIN, contactless tap, or chip authentication
  • Whether the merchant checked identity or signature
  • Whether the bank blocked the card promptly

Cardholders should report loss immediately. Banks generally treat prompt notice as critical.

B. Card-Not-Present Fraud

This includes online, phone, mail order, in-app, or subscription transactions where the physical card is not presented.

Fraudsters may use:

  • Card number
  • Expiry date
  • CVV
  • Billing address
  • OTP
  • Stored card credentials
  • Compromised e-commerce account

Issues include whether 3D Secure or OTP was used, whether the merchant required authentication, and whether the transaction was unusual.

C. Skimming and Cloning

Skimming involves capturing card data, often through compromised POS terminals, ATM devices, or hidden card readers. Cloning involves creating a counterfeit card.

Indicators include:

  • Transactions in places the cardholder never visited
  • Multiple quick transactions
  • Foreign transactions
  • ATM or POS use shortly after legitimate use at a compromised terminal
  • Magnetic stripe fallback despite chip card issuance

Banks may examine card-present data, terminal records, chip vs. swipe information, and location patterns.

D. Phishing and Social Engineering

Phishing occurs when a fraudster tricks the cardholder into revealing card details, OTPs, passwords, or other credentials.

Common examples:

  • Fake bank emails
  • Fake delivery text messages
  • Fake rewards links
  • Fake credit limit increase offers
  • Fake account verification pages
  • Fraudster pretending to be bank staff
  • Fake fraud alert calls
  • Fake card replacement calls

Liability becomes more contested when the cardholder was deceived into giving credentials. Banks may claim the transaction was authenticated; cardholders may argue that the bank’s systems, warnings, fraud detection, or investigation were inadequate.

E. OTP Fraud

One-time passwords are widely used for online credit card transactions. Fraud may happen when:

  • The cardholder was tricked into giving the OTP
  • The OTP was intercepted
  • The SIM was swapped
  • The mobile number was compromised
  • The OTP was sent to an unauthorized number
  • The transaction proceeded without proper OTP validation
  • The OTP message did not clearly identify the transaction
  • Multiple OTPs were requested rapidly
  • The bank failed to detect unusual transaction patterns

OTP authentication is important evidence, but it is not always conclusive. The bank may still need to show that the transaction was properly authorized and that its systems functioned securely.

F. SIM Swap Fraud

SIM swap fraud occurs when a fraudster obtains control of the cardholder’s mobile number, allowing them to receive OTPs and alerts.

This may involve:

  • Fake ID submitted to telco
  • Insider collusion
  • Weak telco verification
  • Lost signal before fraud
  • Unauthorized SIM replacement
  • Sudden device or account changes
  • OTPs received by fraudster

SIM swap cases may involve both bank and telecommunications provider responsibilities.

G. Account Takeover

Account takeover occurs when a fraudster gains access to the cardholder’s online banking, mobile banking, card app, or email account.

The fraudster may:

  • View card details
  • Change contact details
  • Request card replacement
  • Increase limits
  • Enable online transactions
  • Add the card to a digital wallet
  • Convert purchases to installments
  • Make purchases through stored cards

Issues include login records, device fingerprinting, IP addresses, password resets, OTPs, and whether the bank detected abnormal account behavior.

H. Fraudulent Recurring Charges

Sometimes a cardholder authorizes one transaction but later sees unauthorized recurring charges.

Examples:

  • Free trial converted to paid subscription without clear consent
  • Merchant continues charging after cancellation
  • Hidden recurring billing
  • Duplicate monthly charges
  • Subscription made by a fraudster
  • Merchant refuses cancellation

These may be treated as billing disputes, unauthorized charges, or merchant disputes depending on facts.

I. Unauthorized Cash Advance

Cash advances are sensitive because they may involve ATM PIN use or card account compromise. Banks may argue that PIN use proves authorization, but cardholders may dispute this if the PIN was compromised, card cloned, device compromised, or withdrawal occurred abroad or in suspicious circumstances.

J. Identity Theft and Fraudulent Card Application

A person may discover that a credit card was issued in their name without authorization. This is not merely a disputed transaction; it is identity theft or account-opening fraud.

Issues include:

  • How the bank verified the applicant
  • What documents were used
  • Delivery address
  • Card activation records
  • Mobile number and email used
  • Spending pattern
  • Collection notices sent to the victim
  • Credit report impact

The victim should dispute the entire account, not merely individual transactions.

IV. The Legal Relationship Between Cardholder and Bank

The credit card relationship is contractual. The cardholder agreement usually provides that the cardholder must pay all valid charges, fees, interest, and charges arising from use of the card.

However, the bank cannot collect charges that were not authorized or legally chargeable. The bank must also comply with banking regulations, consumer protection standards, data privacy obligations, and its own contractual duties.

The cardholder agreement typically includes provisions on:

  • Authorized use
  • Safekeeping of card and PIN
  • Billing statements
  • Dispute periods
  • Lost card reporting
  • Liability before and after notice
  • Online transactions
  • OTP and authentication
  • Fees and interest
  • Supplementary cards
  • Installments
  • Cash advances
  • Foreign currency transactions
  • Chargeback procedures
  • Suspension or cancellation
  • Credit reporting
  • Collection

But contract clauses do not give banks unlimited power. They must still act with fairness, diligence, transparency, and good faith.

V. Bank’s Standard of Diligence

Banks in the Philippines are generally held to a high standard of diligence because banking is imbued with public interest. A bank is expected to treat accounts with care, maintain secure systems, and implement reasonable fraud prevention measures.

In credit card fraud disputes, this may require the bank to:

  • Maintain secure authorization systems
  • Send transaction alerts
  • Implement fraud monitoring
  • Block suspicious transactions
  • Provide accessible reporting channels
  • Promptly block compromised cards
  • Conduct a fair investigation
  • Preserve transaction logs
  • Provide meaningful dispute responses
  • Follow chargeback rules where applicable
  • Avoid collecting disputed amounts unfairly
  • Correct records when fraud is established

The bank is not an insurer against all fraud, but it must show that it exercised the diligence required by law, regulation, and industry standards.

VI. Cardholder’s Duties

Cardholders also have obligations.

A cardholder should:

  1. Safeguard the card.
  2. Keep PINs, OTPs, CVV, passwords, and account credentials confidential.
  3. Review statements regularly.
  4. Report lost cards immediately.
  5. Report unauthorized transactions promptly.
  6. Avoid clicking suspicious links.
  7. Use secure devices and networks.
  8. Update contact information.
  9. Preserve evidence of fraud.
  10. Cooperate with the bank’s investigation.
  11. File required dispute forms or affidavits.
  12. Avoid sharing OTPs even with persons claiming to be bank staff.

A cardholder’s negligence may affect liability. However, banks should not automatically deny a claim without a fair analysis of the facts.

VII. Unauthorized Transactions: General Principle

A cardholder should not be made liable for unauthorized transactions where the cardholder did not participate, consent, benefit, or negligently enable the transaction, and where the bank or merchant cannot prove valid authorization.

The central questions are:

  • Did the cardholder authorize the transaction?
  • Was the cardholder negligent?
  • Was the bank negligent?
  • Did the merchant follow required procedures?
  • Was authentication properly performed?
  • Did the transaction occur before or after the card was reported lost or compromised?
  • Did the bank block the card promptly after notice?
  • Did the bank investigate reasonably?
  • Did the bank provide evidence supporting its denial?

The mere appearance of a charge on a billing statement does not conclusively prove that the cardholder authorized it.

VIII. Burden of Proof in Fraud Disputes

In practical banking disputes, the bank often has access to records that the cardholder does not. These include:

  • Authorization logs
  • Merchant data
  • IP addresses
  • Device identifiers
  • OTP validation records
  • 3D Secure records
  • Card-present data
  • Terminal IDs
  • Chargeback records
  • Fraud monitoring notes
  • Call recordings
  • Card activation records
  • Delivery records
  • Internal investigation reports

A cardholder may have only statements, screenshots, SMS alerts, and personal testimony.

Because of this imbalance, a fair dispute process should not simply require the cardholder to prove a negative. The bank should be able to produce evidence showing why it considers the transaction valid.

IX. Importance of Prompt Reporting

Prompt reporting is crucial. The longer the delay, the more difficult it may be to investigate and reverse the transaction.

Cardholders should report immediately when they notice:

  • Lost or stolen card
  • Unauthorized charge
  • Suspicious SMS alert
  • OTP request not initiated by the cardholder
  • Unknown merchant charge
  • Sudden credit limit reduction due to fraudulent spend
  • Failed login alerts
  • Mobile number or email changed without consent
  • Card replacement request not made by cardholder
  • Unauthorized cash advance
  • Fraudulent installment conversion

A cardholder should report through official bank channels and obtain a reference number.

X. Transactions Before and After Notice

Many cardholder agreements distinguish between transactions made before and after the bank receives notice of card loss or compromise.

1. Before Notice

The bank may try to hold the cardholder liable for transactions before notice, especially if the card was lost or the cardholder was negligent. However, liability is not automatic. Fraud patterns, authentication failures, merchant negligence, and bank monitoring failures may still matter.

2. After Notice

Once the cardholder reports loss, theft, compromise, or unauthorized activity, the bank is expected to block the card and prevent further use. Transactions after proper notice are much harder for the bank to charge to the cardholder, unless the cardholder later authorized them or the notice was defective.

The exact time of notice should be documented through reference numbers, call recordings, emails, chat transcripts, or branch acknowledgment.

XI. The Dispute Process

A typical credit card fraud dispute involves the following steps:

1. Discovery of Fraud

The cardholder sees an unauthorized charge through SMS alert, app notification, online banking, email, or billing statement.

2. Immediate Report

The cardholder contacts the bank’s hotline, branch, app, email, or fraud reporting channel.

3. Card Blocking

The bank blocks the card and may issue a replacement.

4. Dispute Form

The bank may require a dispute form, affidavit of unauthorized transaction, police report, or supporting documents.

5. Temporary Credit or Suspension

Some banks may temporarily reverse the charge or suspend payment obligation while investigation is ongoing. Others may continue billing unless the dispute is accepted.

6. Investigation

The bank reviews transaction records, merchant response, authentication data, and chargeback eligibility.

7. Chargeback or Representment

For eligible transactions, the issuer may file a chargeback through the card network. The merchant or acquiring bank may contest.

8. Decision

The bank informs the cardholder whether the dispute is approved or denied.

9. Appeal or Escalation

If denied, the cardholder may request supporting evidence, appeal internally, file complaints, or pursue legal remedies.

XII. Chargeback

A chargeback is a card-network process where the issuing bank seeks reversal of a transaction from the merchant or acquiring bank.

Chargebacks may be available for:

  • Unauthorized transaction
  • Goods or services not received
  • Duplicate charge
  • Cancelled transaction
  • Credit not processed
  • Fraudulent card-not-present transaction
  • Incorrect amount
  • Merchant noncompliance
  • Recurring billing cancellation dispute

Chargeback rules are technical and deadline-driven. A cardholder should report disputes quickly because delay may cause loss of chargeback rights.

However, the bank’s failure to process a valid and timely dispute may itself become an issue.

XIII. Temporary Credit and Finance Charges

A common dispute is whether the cardholder must pay the disputed amount while investigation is pending.

Best practice is for the cardholder to:

  • Pay undisputed charges on time
  • Clearly identify disputed charges
  • Request suspension of finance charges on disputed amounts
  • Ask the bank not to report the disputed amount as delinquent while under investigation
  • Keep written confirmation

If the bank later confirms fraud, associated finance charges, late fees, and penalties should generally be reversed. If the dispute is denied, the bank may re-bill the amount.

XIV. Billing Statement Disputes

Cardholder agreements usually require disputes to be raised within a certain period after statement date. Failure to dispute within that period may allow the bank to treat the statement as correct.

However, this does not always defeat a fraud claim, especially when the cardholder did not receive the statement, the fraud was concealed, the bank had notice, or other equitable circumstances exist.

Still, cardholders should not rely on exceptions. They should dispute immediately and in writing.

XV. Evidence the Cardholder Should Collect

A strong fraud dispute should include evidence.

Useful documents include:

  1. Credit card statement showing disputed charges
  2. SMS or app alerts
  3. Screenshot of transaction notifications
  4. Date and time of discovery
  5. Report reference number
  6. Email or chat transcript with bank
  7. Dispute form submitted
  8. Affidavit of unauthorized transaction
  9. Police report, if obtained
  10. Proof card was in cardholder’s possession
  11. Proof cardholder was elsewhere
  12. Travel records
  13. Work attendance records
  14. Device logs, if relevant
  15. Telco records in SIM swap cases
  16. Screenshots of phishing messages
  17. Bank app login alerts
  18. Merchant cancellation emails
  19. Receipts proving different location
  20. List of all disputed transactions

A clear timeline is often more useful than scattered screenshots.

XVI. Evidence the Bank Should Review or Provide

A fair investigation should review, and where appropriate disclose or summarize, relevant evidence such as:

  • Merchant name and category
  • Transaction date and posting date
  • Authorization time
  • Amount and currency
  • Card-present or card-not-present status
  • Chip, swipe, tap, keyed, or online entry method
  • 3D Secure status
  • OTP validation status
  • Masked mobile number or channel where OTP was sent
  • IP address or device data, where available
  • Merchant response to chargeback
  • Delivery address for goods
  • Recipient details, if available
  • Transaction location
  • Terminal ID
  • Cash advance ATM location
  • CCTV availability, if relevant
  • Fraud monitoring flags
  • Reason for denial of dispute

A denial that merely says “transaction was valid” without meaningful explanation may be inadequate.

XVII. Special Issue: OTP Was Used

Banks often deny disputes by saying the OTP was successfully entered. OTP use is important, but it does not always conclusively prove that the cardholder authorized the transaction.

Questions include:

  • Was the OTP sent to the cardholder’s registered number?
  • Was the registered number changed before the transaction?
  • Was there a SIM swap?
  • Did the OTP message clearly state the merchant and amount?
  • Was the cardholder tricked by a fake bank representative?
  • Did multiple suspicious OTPs occur?
  • Did the bank detect unusual behavior?
  • Was the transaction inconsistent with the cardholder’s history?
  • Did the cardholder immediately report the fraud?
  • Was the OTP entered from the cardholder’s device or another device?
  • Did the bank’s system properly authenticate the transaction?

If the cardholder voluntarily disclosed an OTP despite clear warnings, the bank may argue cardholder negligence. But where the fraud involved system weaknesses, unclear messages, SIM takeover, or sophisticated impersonation, liability may be more complex.

XVIII. Special Issue: Card Was in Cardholder’s Possession

A cardholder may say, “My card was with me the whole time.” This is important evidence, especially for alleged card-present transactions.

If the bank says a physical card was used, it should explain whether the transaction was:

  • Chip transaction
  • Magnetic stripe transaction
  • Contactless transaction
  • Manual keyed transaction
  • Fallback transaction
  • Online transaction
  • Wallet token transaction

If the card was cloned, the bank should examine whether the transaction used compromised magnetic stripe data rather than chip authentication.

XIX. Special Issue: Contactless Transactions

Contactless cards allow tap payments. Some low-value transactions may not require PIN or signature.

Fraud issues include:

  • Lost card tapped repeatedly
  • Small transactions below verification threshold
  • Rapid multiple transactions
  • Transport or convenience store charges
  • Lack of SMS alerts for small amounts
  • Delay in blocking

If the cardholder promptly reports a lost card, later contactless charges should generally be disputed.

XX. Special Issue: Supplementary Cards

A principal cardholder may be liable for valid charges made by supplementary cardholders. However, if a supplementary card is used fraudulently, the same unauthorized transaction principles apply.

Issues include:

  • Who had possession of the supplementary card
  • Whether the supplementary cardholder authorized the charge
  • Whether the card was lost or compromised
  • Whether the principal cardholder reported cancellation
  • Whether charges exceeded agreed family or internal limits

The principal cardholder should monitor supplementary card use carefully.

XXI. Special Issue: Digital Wallets and Tokenized Cards

Credit cards may be linked to digital wallets or payment apps. Fraud may involve adding the card to a new device or wallet.

Questions include:

  • How was the card added?
  • Was OTP required?
  • Was the cardholder notified?
  • Was device binding performed?
  • Were transactions made through wallet token?
  • Did the bank detect new device enrollment?
  • Was the cardholder’s phone compromised?
  • Did the cardholder approve wallet provisioning?

Banks should have controls for card tokenization and device enrollment.

XXII. Special Issue: Merchant Non-Delivery and Scam Purchases

Not all disputes are “fraud” in the strict sense. Sometimes the cardholder authorized a purchase, but the merchant did not deliver goods or services.

Examples:

  • Online seller never ships item
  • Travel booking cancelled without refund
  • Subscription cancelled but billing continues
  • Merchant delivers counterfeit goods
  • Merchant charges duplicate amount
  • Service not provided

These may be merchant disputes rather than unauthorized transaction disputes. Chargeback may still be available, but evidence differs. The cardholder should provide order confirmations, cancellation notices, merchant communications, and proof of non-delivery.

XXIII. Special Issue: Family Member Use

Banks may deny a fraud claim if the transaction was made by a family member or someone with access to the card, device, OTP, or account.

Issues include:

  • Did the cardholder authorize the family member?
  • Was the card lent voluntarily?
  • Was the transaction beyond authority?
  • Was the user a supplementary cardholder?
  • Was there theft within household?
  • Was the transaction reported to police?
  • Did the cardholder benefit?

Unauthorized use by a family member may still be unauthorized as between the cardholder and bank, but proving lack of consent may be difficult.

XXIV. Special Issue: Delayed SMS Alerts

A cardholder may receive alerts late, after several transactions already occurred.

Questions include:

  • Did the bank send real-time alerts?
  • Were alerts delayed by telco issues?
  • Did the bank have alternative alerts?
  • Were transactions suspicious enough to trigger blocking?
  • Did the cardholder’s contact details remain updated?
  • Was the cardholder abroad or without signal?
  • Were small transactions exempt from alerts?

Banks should not rely solely on alerts if their fraud monitoring systems should have detected abnormal activity.

XXV. Special Issue: Foreign Transactions

Foreign fraud may involve online merchants, overseas POS transactions, or international ATM cash advances.

Issues include:

  • Was the cardholder in the Philippines at the time?
  • Was there travel notice?
  • Were transactions made in impossible locations?
  • Were multiple currencies involved?
  • Was the card-present data suspicious?
  • Were transactions consistent with past spending?
  • Did bank fraud monitoring block unusual foreign activity?
  • Are chargeback deadlines affected by foreign merchant rules?

Proof that the cardholder was physically elsewhere may be useful.

XXVI. Special Issue: Fraud After Card Replacement

Fraud may continue even after a card is replaced if the bank automatically updates recurring merchants or digital wallet tokens, or if the account itself remains compromised.

Cardholder should ask:

  • Was the old card fully blocked?
  • Were all tokens deactivated?
  • Were recurring authorizations transferred?
  • Was the online banking password reset?
  • Were devices reviewed?
  • Was the mobile number secure?
  • Were supplementary cards checked?
  • Was the replacement card intercepted?

Card replacement alone may not solve account takeover.

XXVII. Bank Liability: When May the Bank Be Liable?

A bank may be liable or required to reverse charges when:

  1. The transaction was unauthorized.
  2. The bank failed to block the card after notice.
  3. The bank failed to investigate properly.
  4. The bank ignored clear fraud indicators.
  5. The bank’s authentication or security system failed.
  6. The bank allowed transactions inconsistent with the cardholder’s profile without adequate verification.
  7. The bank processed transactions after cancellation.
  8. The bank failed to provide required alerts or disclosures.
  9. The bank mishandled card delivery or replacement.
  10. The bank accepted a fraudulent card application.
  11. The bank failed to follow chargeback procedures.
  12. The bank imposed fees and interest on proven fraudulent charges.
  13. The bank reported disputed fraud as delinquency without proper basis.
  14. The bank’s employees or agents were involved in fraud.
  15. The bank failed to safeguard personal or financial data.

Liability may be contractual, regulatory, civil, or administrative, depending on the case.

XXVIII. Bank Defenses

A bank may deny liability by arguing:

  1. The transaction was authenticated by OTP, PIN, chip, or 3D Secure.
  2. The cardholder disclosed credentials.
  3. The cardholder delayed reporting.
  4. The cardholder failed to safeguard the card.
  5. The cardholder benefited from the transaction.
  6. The transaction was made by an authorized user.
  7. The cardholder failed to dispute within the required period.
  8. The merchant provided proof of delivery.
  9. The cardholder’s device or email was compromised, not the bank’s system.
  10. The bank followed all security protocols.
  11. The chargeback was denied by the merchant or network.
  12. The cardholder contract assigns liability in the circumstances.

These defenses must be assessed against evidence and the bank’s duty of diligence.

XXIX. Cardholder Negligence

Cardholder negligence may affect recovery.

Examples include:

  • Writing PIN on the card
  • Sharing OTP with a caller
  • Giving card details to a fake website
  • Letting others use the card
  • Ignoring fraud alerts
  • Delaying report for weeks or months
  • Using weak passwords
  • Failing to secure phone or email
  • Responding to suspicious links
  • Leaving card unattended
  • Not updating contact details
  • Allowing unauthorized persons access to statements

However, negligence is not always all-or-nothing. Even where the cardholder made a mistake, the bank may still bear responsibility if it failed to detect obvious fraud, allowed abnormal transactions, or mishandled the dispute.

XXX. Comparative Fault

Some disputes involve shared fault. For example:

  • The cardholder clicked a phishing link.
  • The bank failed to flag a sudden series of high-value foreign transactions.
  • The telco allowed a SIM swap.
  • The merchant shipped goods to a suspicious address.

In such cases, liability may be allocated according to legal principles, contract, regulation, network rules, or settlement.

XXXI. Merchant Liability

The merchant may be responsible if it failed to follow card acceptance rules or acted negligently.

Examples:

  • Did not verify cardholder identity where required
  • Accepted suspicious transactions
  • Shipped goods to mismatched address
  • Failed to obtain valid authorization
  • Processed duplicate charges
  • Continued recurring billing after cancellation
  • Participated in fraud
  • Failed to deliver goods
  • Submitted false proof of delivery
  • Used insecure payment systems

Cardholders usually pursue the issuing bank first, but chargeback and recovery may ultimately involve merchant responsibility.

XXXII. Acquiring Bank and Payment Processor Responsibility

The acquiring bank or payment processor may be involved where merchant practices are suspicious, chargeback rules were violated, or the merchant is fraudulent.

Issuing banks may coordinate through network channels. A cardholder usually does not directly sue the acquiring bank unless facts justify it, but acquiring-side evidence may matter.

XXXIII. Data Privacy Issues

Credit card fraud often involves personal data compromise.

Banks and merchants process sensitive financial and identity information. They must protect personal data against unauthorized access, disclosure, alteration, or misuse.

Data privacy issues may arise when:

  • Card information was leaked
  • Bank account details were exposed
  • Statements were sent to wrong email
  • Replacement card was delivered to wrong person
  • Employees accessed records improperly
  • Merchant stored card data insecurely
  • Fraudster changed contact details
  • Bank disclosed disputed debt to third parties
  • Collection agents misused personal information

A cardholder may request information, correction, blocking, or investigation depending on the circumstances.

XXXIV. Credit Reporting and Collection During Dispute

Banks may report credit card delinquencies to credit information systems or refer accounts to collectors. But if the disputed balance consists of alleged fraud, the bank should handle reporting and collection carefully.

Cardholders should request in writing that the bank:

  • Mark the transactions as disputed
  • Suspend collection of disputed amounts during investigation
  • Avoid negative reporting while the fraud dispute is unresolved
  • Reverse finance charges and penalties if fraud is confirmed
  • Correct credit records after resolution
  • Recall the account from collectors if collection was premature

If the bank reports a fraudulent or disputed amount as delinquent without proper investigation, the cardholder may seek correction and damages where appropriate.

XXXV. Harassment by Collection Agencies

If the bank assigns the disputed balance to a collection agency, collectors must still act lawfully.

Improper collection includes:

  • Threats of arrest for ordinary debt
  • Public shaming
  • Calling relatives, coworkers, or employers without lawful basis
  • Misrepresenting themselves as court officers or police
  • Using abusive language
  • Repeated calls intended to harass
  • Refusing to acknowledge the pending dispute
  • Demanding payment of charges already reported as fraudulent

The bank may remain responsible for collection agents acting on its behalf.

XXXVI. Interest, Penalties, and Fees on Fraudulent Transactions

If a disputed transaction is proven unauthorized, the bank should reverse:

  • Principal fraudulent charge
  • Finance charges
  • Late payment fees
  • Overlimit fees
  • Installment processing fees tied to fraud
  • Foreign transaction fees tied to fraud
  • Cash advance fees tied to fraud
  • Collection charges tied to fraud
  • Taxes or charges imposed only because of the fraudulent transaction, where reversible

If the dispute is still pending, the cardholder should pay undisputed amounts and request suspension of charges on disputed items.

XXXVII. Minimum Payment Trap During Dispute

A cardholder may be tempted not to pay anything while disputing fraud. This can cause late fees on legitimate charges.

The safer approach is usually:

  1. Pay all undisputed charges.
  2. Identify disputed charges in writing.
  3. Request temporary hold or reversal of disputed charges.
  4. Ask the bank to waive fees related to disputed amounts.
  5. Keep proof of payment and dispute.

This reduces the bank’s argument that the account became delinquent for reasons unrelated to fraud.

XXXVIII. Installment Fraud

Fraudulent charges may be converted to installment terms, or installment transactions may be unauthorized from the start.

Issues include:

  • Who requested installment conversion?
  • Was conversion done through app, hotline, or merchant?
  • Was OTP required?
  • Was the cardholder notified?
  • Were processing fees charged?
  • Were monthly installment charges billed after dispute?
  • Was acceleration imposed?

If the underlying transaction is fraudulent, installment charges and fees should also be disputed.

XXXIX. Cash Advance Fraud

Cash advance fraud may involve higher fees and immediate interest.

The bank may rely on ATM PIN use, but cardholders may challenge:

  • How the PIN was obtained
  • Whether the card was cloned
  • Whether the ATM used chip or magnetic stripe
  • Whether the location was impossible
  • Whether CCTV exists
  • Whether the card was retained
  • Whether the bank sent alerts
  • Whether multiple withdrawals exceeded normal behavior
  • Whether the withdrawal occurred after report

Cash advance disputes should be reported immediately.

XL. Fraudulent Balance Transfer or Credit-to-Cash

Some credit cards allow balance transfer, credit-to-cash, cash installment, or loan-on-card facilities. Fraud may occur if a fraudster accesses the account and requests cash disbursement.

Questions include:

  • How was the request made?
  • What account received the funds?
  • Was the receiving account under the cardholder’s name?
  • Was OTP or call verification used?
  • Was the cardholder notified?
  • Were there unusual device or login patterns?
  • Did the bank verify the beneficiary account?
  • Was there a cooling-off or confirmation process?

Because funds may be transferred directly to a bank account, recovery may require coordination with receiving banks.

XLI. Card Delivery and Activation Fraud

Fraud may occur before the cardholder even receives the card.

Examples:

  • Replacement card delivered to wrong person
  • Courier released card without proper ID
  • Card intercepted in condominium or office
  • Fraudster requested change of delivery address
  • Card activated by unauthorized person
  • Card used before receipt by cardholder

Bank liability may arise if card issuance, delivery, or activation controls were weak.

XLII. Disputing an Entire Fraudulent Account

If a credit card was opened through identity theft, the victim should dispute the entire account.

The victim should request:

  • Application form
  • Submitted IDs
  • Selfie or video verification
  • Phone number and email used
  • Delivery address
  • Activation logs
  • Transaction history
  • Collection records
  • Credit reporting details
  • Closure of fraudulent account
  • Correction of credit records

The victim should also consider filing identity theft and data privacy complaints.

XLIII. Fraud Involving Supplementary or Corporate Cards

For corporate cards, liability may involve the company, employee-cardholder, approving officer, and bank.

Issues include:

  • Internal card policy
  • Authorized business use
  • Employee fraud
  • Merchant fraud
  • Lost card reporting
  • Spending limits
  • Expense approval
  • Corporate card agreement
  • Termination of employee
  • Card cancellation after resignation

Companies should maintain card controls and immediate cancellation procedures for departing employees.

XLIV. The Role of Affidavits and Police Reports

Banks sometimes require an affidavit of unauthorized transaction or police report.

An affidavit may state:

  • Cardholder’s identity
  • Card number, usually masked
  • Disputed transactions
  • Lack of authorization
  • Card possession or loss details
  • Date of discovery
  • Date of report to bank
  • Relevant facts such as phishing, SIM loss, travel, or identity theft
  • Commitment to cooperate

A police report may help establish seriousness, but it does not automatically prove the bank is liable. It is part of the evidence.

XLV. Sample Fraud Dispute Letter

A cardholder may write:

I dispute the following credit card transactions as unauthorized: [merchant, date, amount]. I did not make, authorize, participate in, or benefit from these transactions. I reported the matter through your hotline on [date/time] and received reference number [number].

Please block the affected card, investigate the transactions, initiate chargeback where applicable, suspend billing and finance charges on the disputed amounts, and provide the basis and supporting records if you deny the dispute. I will continue paying undisputed charges while this matter is under investigation.

Please also ensure that the disputed amounts are not reported as delinquent and are not referred to collection while the dispute remains unresolved.

This letter should be adapted to the facts.

XLVI. Sample Follow-Up After Denial

If the bank denies the dispute, the cardholder may respond:

I request reconsideration of your denial. Please provide the specific basis for your finding that the transactions were authorized, including the authentication method used, OTP validation record, merchant response, proof of delivery, transaction location, device or IP information where available, and the reason chargeback was denied or not pursued.

I also request reversal of finance charges and penalties related to the disputed transactions while the matter is under review. Your denial does not address the evidence I submitted showing that I did not authorize or benefit from the transactions.

A denial should be challenged with facts, not emotion alone.

XLVII. Escalation Within the Bank

Before filing external complaints, the cardholder should usually escalate internally.

Steps include:

  1. Call fraud hotline and obtain reference number.
  2. Submit dispute form and documents.
  3. Email customer service.
  4. Escalate to the bank’s complaints handling unit.
  5. Request written investigation result.
  6. Ask for supporting basis of denial.
  7. Request reconsideration.
  8. Keep all records.

Internal escalation creates a paper trail and may resolve the issue without litigation.

XLVIII. Complaints to Regulators

If the bank fails to act, denies without basis, continues collection, or mishandles the dispute, the cardholder may consider filing complaints with appropriate regulatory bodies.

A complaint should include:

  • Cardholder information
  • Bank name
  • Card account, masked
  • Disputed transaction list
  • Timeline
  • Proof of report
  • Bank responses
  • Evidence of unauthorized nature
  • Proof of payment of undisputed amounts
  • Collection harassment evidence, if any
  • Relief requested

Possible relief may include reversal of charges, waiver of fees, correction of credit records, investigation of bank conduct, and sanctions where warranted.

XLIX. Civil Action Against Bank

A cardholder may consider a civil action when the amount is significant or the bank’s conduct caused serious harm.

Possible claims may involve:

  • Breach of contract
  • Negligence
  • Damages
  • Violation of consumer protection duties
  • Wrongful collection
  • Defamation or credit damage
  • Failure to exercise banking diligence
  • Mishandling personal data
  • Unjust enrichment
  • Injunction against collection or reporting

Litigation requires evidence, cost-benefit analysis, and legal strategy.

L. Small Claims

If the dispute involves a money claim within small claims jurisdiction, a cardholder might consider small claims procedure for recovery of amounts paid or damages within allowable limits. However, cases involving complex fraud, injunctions, declaratory relief, or extensive evidence may not fit well in small claims.

The choice of remedy depends on the amount, complexity, and relief sought.

LI. Criminal Complaints

Credit card fraud may involve criminal conduct by the fraudster. The cardholder may report to law enforcement when there is identity theft, phishing, unauthorized account access, falsification, or theft.

However, criminal prosecution of the unknown fraudster is separate from the bank dispute. A bank may still need to resolve unauthorized charges even if the fraudster is not caught.

LII. Data Privacy Complaint

A data privacy complaint may be appropriate when:

  • Fraud resulted from mishandled personal data
  • Bank or merchant disclosed personal data improperly
  • Collection agents exposed disputed debt
  • Fraudulent account was opened using personal data
  • Card delivery information was misused
  • Cardholder’s data was not corrected after identity theft
  • Bank failed to respond to access or correction requests

The complaint should identify what personal data was involved, how it was misused, and what remedy is sought.

LIII. Defamation and Collection Abuse

If the bank or its collectors disclose alleged debt to employers, relatives, coworkers, or social media, the cardholder may have separate claims for harassment, defamation, privacy violation, or damages.

A disputed fraud charge should not become a tool for public shaming.

LIV. When the Cardholder Paid the Fraudulent Charge

Sometimes cardholders pay the disputed amount to avoid interest or credit damage while the investigation is pending.

Payment does not always mean admission, especially if the cardholder clearly stated the payment was made under protest.

The cardholder should write:

  • The amount is disputed.
  • Payment is made under protest.
  • The cardholder reserves the right to refund or reversal.
  • The bank should continue investigation.
  • Charges should not be treated as admitted.

If fraud is later confirmed, the bank should refund or credit the amount.

LV. Preserving Rights When Settling

If the bank offers compromise, the cardholder should read settlement terms carefully.

A settlement may include:

  • Partial reversal
  • Full reversal
  • Waiver of charges
  • Closure of card
  • Confidentiality
  • Release of claims
  • Credit record correction
  • No admission clause

Do not sign a broad waiver unless the consequences are understood. A settlement that reverses the charge but bars future claims may be acceptable in some cases, but not if the cardholder still has unresolved credit damage or collection issues.

LVI. Credit Card Fraud and Insurance

Some cards include fraud protection, purchase protection, travel insurance, or unauthorized transaction coverage. The cardholder should check whether the card product has insurance benefits.

However, insurance coverage may have:

  • Reporting deadlines
  • Exclusions for negligence
  • Maximum limits
  • Required police report
  • Documentation requirements
  • Exclusions for family member fraud
  • Exclusions for phishing or OTP disclosure

Insurance is separate from the bank’s own liability.

LVII. Business and Corporate Credit Cards

For corporate credit cards, businesses should adopt internal controls:

  • Limit issuance
  • Set transaction limits
  • Disable foreign or online transactions if not needed
  • Require receipts
  • Review statements monthly
  • Cancel cards of resigned employees
  • Restrict cash advances
  • Monitor unusual spending
  • Use alerts
  • Maintain approval workflows
  • Report fraud promptly

Corporate card fraud disputes may involve both external fraud and employee misuse.

LVIII. Preventive Measures for Cardholders

Cardholders can reduce risk by:

  1. Activating SMS, email, and app alerts.
  2. Locking the card when not in use if the bank offers card lock.
  3. Setting lower limits for online transactions.
  4. Disabling international or online use when unnecessary.
  5. Never sharing OTPs.
  6. Avoiding links from SMS or email.
  7. Using official bank apps only.
  8. Checking website URLs carefully.
  9. Avoiding saving cards on unfamiliar websites.
  10. Using virtual cards when available.
  11. Covering the keypad when entering PIN.
  12. Monitoring statements regularly.
  13. Reporting suspicious activity immediately.
  14. Updating mobile number and email with the bank.
  15. Securing phone, email, and SIM.
  16. Using strong passwords and two-factor authentication.
  17. Avoiding public Wi-Fi for financial transactions.
  18. Destroying old cards properly.
  19. Checking credit reports where available.
  20. Keeping bank hotline numbers saved.

LIX. Preventive Measures for Banks

Banks should reduce fraud risk by:

  1. Real-time fraud monitoring
  2. Risk-based authentication
  3. Clear OTP messages showing merchant and amount
  4. Transaction alerts
  5. Easy card lock and reporting channels
  6. Prompt blocking after notice
  7. Strong card delivery controls
  8. Secure card activation
  9. Device binding for app access
  10. Detection of abnormal spending patterns
  11. Limits on suspicious transactions
  12. Customer education
  13. Secure dispute handling
  14. Fair investigation procedures
  15. Proper oversight of collection agencies
  16. Data protection safeguards
  17. Cooperation with merchants, networks, and law enforcement
  18. Transparent denial explanations
  19. Timely chargeback filing
  20. Correction of records after fraud confirmation

LX. Red Flags of Credit Card Fraud

Cardholders should act quickly if they see:

  • OTP for a transaction they did not initiate
  • SMS alert for unknown merchant
  • Small test charge
  • Multiple rapid transactions
  • Foreign currency charge
  • Declined transaction alert for unknown purchase
  • Email saying card added to new device
  • Notice of mobile number or email change
  • Credit limit suddenly exhausted
  • Call from someone asking for OTP
  • Delivery of card not received
  • App login from new device
  • Bank statement with unknown recurring charge
  • Unauthorized installment conversion
  • Cash advance never made

Early reporting can prevent larger losses.

LXI. Timeline for a Fraud Dispute

A useful timeline should include:

  1. Date and time fraud was discovered
  2. Date and time card was blocked
  3. Bank hotline reference number
  4. List of disputed transactions
  5. Date dispute form was submitted
  6. Bank responses
  7. Any temporary credit
  8. Chargeback status, if known
  9. Denial or approval date
  10. Appeal date
  11. Collection or credit reporting incidents
  12. Final resolution

This timeline helps regulators, lawyers, or courts understand the case.

LXII. Practical Checklist for Cardholders

When unauthorized transactions appear:

  1. Lock or block the card immediately.
  2. Call the bank’s official hotline.
  3. Get a reference number.
  4. List all disputed transactions.
  5. Change online banking passwords.
  6. Check if mobile number or email was changed.
  7. Review supplementary cards.
  8. Submit dispute form promptly.
  9. Submit affidavit if required.
  10. Preserve screenshots and alerts.
  11. Pay undisputed charges.
  12. Request suspension of charges on disputed amounts.
  13. Follow up in writing.
  14. Request investigation basis if denied.
  15. Escalate if unresolved.

LXIII. Practical Checklist for Banks

When receiving a fraud dispute, the bank should:

  1. Block the affected card immediately.
  2. Confirm receipt of dispute.
  3. Identify all suspicious transactions.
  4. Provide dispute forms and requirements promptly.
  5. Preserve authorization logs.
  6. Check authentication records.
  7. Review transaction pattern.
  8. Initiate chargeback where applicable.
  9. Provide temporary relief when appropriate.
  10. Avoid collection of disputed amounts during review.
  11. Communicate investigation status.
  12. Give reasoned written decisions.
  13. Reverse charges if fraud is established.
  14. Correct credit records.
  15. Review possible system or merchant weaknesses.

LXIV. Frequently Asked Questions

Can the bank make me pay for transactions I did not make?

Not automatically. The bank must have a basis to treat the transaction as authorized or chargeable. You should dispute promptly and provide evidence.

Does OTP use automatically make me liable?

Not always. OTP use is strong evidence, but the surrounding circumstances matter, including phishing, SIM swap, unclear OTP message, account takeover, and bank fraud monitoring.

What should I pay while the dispute is pending?

Usually, pay undisputed charges and clearly dispute the fraudulent ones in writing. Ask the bank to suspend finance charges and negative reporting on disputed amounts.

What if the bank denies my dispute?

Ask for the specific basis and supporting records, file reconsideration, escalate internally, and consider regulatory complaint or legal action.

Can I ignore the bill because it contains fraud?

Ignoring the entire bill can create delinquency on legitimate charges. Pay undisputed amounts while preserving your dispute.

Can collectors call my employer or relatives?

Collectors should not harass or disclose debt to unrelated third parties. If they do, document it and complain.

What if the fraud happened abroad while I was in the Philippines?

Provide proof of your location and dispute immediately. Ask the bank for card-present or online transaction details.

What if my card was never lost?

Fraud can still happen through online compromise, cloning, merchant breach, tokenized wallet fraud, or account takeover.

Can I close the card during the dispute?

You may request card replacement or closure, but make sure the dispute continues and you keep access to statements and records.

Should I file a police report?

It may help, especially for large fraud, identity theft, SIM swap, or bank requirements. But also pursue the bank dispute process promptly.

LXV. Key Legal Principles

The key principles in Philippine credit card fraud disputes are:

  1. Credit card liability is based on valid, authorized transactions.
  2. The bank-cardholder relationship is contractual but regulated by public interest and consumer protection principles.
  3. Banks must exercise high diligence in handling financial accounts and fraud disputes.
  4. Cardholders must promptly report fraud and safeguard credentials.
  5. OTP, PIN, or electronic authentication is important but not always conclusive.
  6. A cardholder should not bear proven unauthorized charges.
  7. Banks should investigate fairly and explain denial meaningfully.
  8. Disputed fraud amounts should be handled carefully to avoid wrongful collection and credit damage.
  9. Chargeback rights are time-sensitive.
  10. Evidence, timelines, and written communications are essential.

Conclusion

Credit card fraud disputes in the Philippines require careful analysis of authorization, timing, authentication, negligence, bank diligence, merchant conduct, and evidence. A bank is not automatically liable for every fraudulent charge, but a cardholder is not automatically liable merely because a transaction appears on a statement or because an OTP or digital process was involved.

The strongest position for a cardholder is immediate reporting, clear written dispute, preservation of evidence, payment of undisputed charges, and persistent escalation if the bank gives an unsupported denial. The strongest position for a bank is secure systems, prompt blocking, fair investigation, transparent explanation, proper chargeback handling, and correction of records when fraud is established.

At its core, a credit card fraud dispute is about proof, diligence, and fairness. The Philippine legal framework expects banks to protect financial consumers and expects cardholders to act prudently. When fraud occurs, liability should follow the evidence, not assumptions.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login