Credit Card Fraud Liability for SMS (“Smishing”) Scams in the Philippines
Updated for the Philippine legal and regulatory landscape as of 2024. This is general information—consider getting advice from counsel for your specific facts.
1) The Problem in a Nutshell
“Smishing” is phishing via SMS: fraudsters pose as a bank, e-wallet, courier, or government office and trick a cardholder into clicking a link, sharing card details, OTPs, or installing malware. Losses typically appear as card-not-present (online) transactions. The core legal question is who bears the loss—the cardholder, the bank/issuer, the merchant, or the payment scheme—given the facts and applicable law.
2) Key Laws and Regulators
Primary statutes and rules that frequently come into play:
Republic Act (RA) No. 8484 – Access Devices Regulation Act (ADRA): Criminalizes unauthorized use of access devices (including credit cards), skimming, and possession of device-making equipment. It supports criminal prosecution of the fraudster and clarifies that unauthorized use is unlawful.
RA No. 10175 – Cybercrime Prevention Act: Penalizes computer-related fraud, identity theft, illegal access/interception, and supports digital evidence handling.
RA No. 10173 – Data Privacy Act (DPA): Governs protection of personal information and breach notification by personal information controllers (banks, merchants, processors, telcos).
RA No. 11765 – Financial Products and Services Consumer Protection Act (FCPA): Establishes consumer protection standards for financial institutions regulated by the Bangko Sentral ng Pilipinas (BSP), the SEC, and the Insurance Commission. It prohibits abusive, deceptive, and unfair practices; mandates “suitability” of products, transparent disclosures, effective complaints handling, and fair resolution.
BSP Regulations on Consumer Protection & Payment Card Risk: BSP circulars and memoranda (issued under the FCPA and earlier frameworks) require banks to implement robust fraud risk management, strong customer authentication (SCA), monitoring, timely handling of disputes, and redress mechanisms. They also recognize the need for proportionate allocation of losses where the bank’s controls are deficient.
RA No. 11934 – SIM Registration Act: Requires SIM registration and empowers law enforcement/telcos to help trace smishing sources (administrative and criminal angles).
Civil Code: Governs negligence, proximate cause, and comparative/contributory negligence in civil claims (e.g., Articles 19–21 on human relations; Article 2176 on quasi-delict; Article 2180 on vicarious liability; Article 1170 on breach of obligations; Article 2179 on contributory negligence).
E-Commerce Act (RA 8792) and Rules on Electronic Evidence: Recognize electronic records and signatures, relevant in proving (or disproving) cardholder authorization and merchant authentication.
NTC and DICT directives: Direct telcos to block malicious SMS (e.g., links in texts), set filtering obligations, and coordinate takedowns. These affect prevention and evidence collection rather than civil liability allocation.
Key agencies you may interact with:
- BSP Consumer Assistance (for bank-issued cards),
- SEC (for non-bank credit providers),
- National Privacy Commission (NPC) (data privacy/breaches),
- PNP-Anti-Cybercrime Group (PNP-ACG) and NBI-CCD (criminal complaints),
- NTC (spam/SMS sender tracing issues).
3) Liability Basics: Who Pays When Smishing Strikes?
A. Starting Presumptions
- Unauthorized Transactions: If the cardholder did not authorize the transaction, ADRA and general banking standards treat it as fraudulent.
- Bank’s Duties: Banks are imbued with public interest; jurisprudence holds them to high standards of diligence. In the card space, that translates to robust authentication, monitoring, and fair dispute handling.
- Cardholder’s Duties: Cardholders must exercise ordinary prudence—protect the card, PIN/OTP, and credentials; follow security advisories; promptly report loss or suspicious activity; and comply with terms (e.g., verifying statements).
B. Common Allocation Patterns (Fact-Sensitive)
Pure third-party fraud with no cardholder negligence: If the bank’s controls were weak (e.g., no effective SCA, inadequate anomaly detection, or known scam vectors not mitigated) and the cardholder promptly reported and did not share credentials/OTPs, banks often shoulder or reverse the loss through chargeback and goodwill/indemnity paths.
Fraud after the cardholder shares OTPs or full credentials due to deception: This is the gray area. Banks frequently argue cardholder negligence because OTPs are explicit authorization factors and terms usually say “never share OTPs.” However, it’s not automatic: the FCPA and consumer-protection rules discourage one-sided provisions that unfairly shift all risk to consumers. Liability assessment weighs:
- Was the bank’s authentication proportionate to the risk?
- Were there red flags (e.g., sudden high-risk merchant, foreign IP, device change, midnight bursts) the bank should have blocked?
- Did the bank educate, warn, and configure default limits effectively?
Result: shared or bank liability can still arise if controls were sub-par or response was delayed.
Merchant/Acquirer issues (card-not-present): If the merchant/acquirer failed to comply with scheme rules (e.g., 3-D Secure flows, data mismatch) or accepted blatantly suspicious orders, chargeback rights can place loss on the merchant/acquirer.
Lost or stolen physical card used for card-present transactions: Liability often hinges on timing of notice to the issuer, EMV chip/PIN usage, and merchant verification. Transactions after notice are generally the issuer’s risk; before notice, issuers sometimes assert cardholder liability up to certain limits—again subject to fairness tests under the FCPA.
Bottom line: Allocation is not strictly “your OTP, your loss.” Philippine consumer-protection policy and risk-based authentication mean facts, controls, and timing matter.
4) Contract Terms vs. Consumer Protection
Cardholder agreements often include:
- “You are responsible for transactions authenticated with OTP or your device.”
- “Report unauthorized transactions within X days of statement.”
- “Never share your OTP; doing so makes you liable.”
Under the FCPA and BSP rules, such clauses are not absolute. Clauses that unreasonably waive rights or automatically shift all losses to consumers—despite weak controls or deficient dispute handling—may be unenforceable or result in regulator intervention. The issuer must prove the transaction was duly authenticated and fairly processed, and must maintain effective complaints handling with timely resolution and clear explanations.
5) Evidence: What Decides Most Disputes
- Authentication logs: 3-D Secure challenge results, device fingerprint, IP geolocation, velocity checks, merchant risk scores.
- Communications: The scam SMS, spoofed sender headers, screenshots, URLs, timestamps.
- Consumer behavior: Prompt reporting, prior warnings, whether the consumer’s device was compromised (malware/remote-access apps).
- Bank controls: Real-time alerts, step-up authentication, spending/merchant limits, geo-blocking, anomaly triggers, accuracy of fraud-monitoring models.
- Merchant compliance: Whether acquirer/merchant followed scheme rules and kept proof of strong customer authentication.
Because digital forensics and audit trails are central, preserve everything immediately.
6) Dispute & Redress Path (Typical Flow)
Immediate report to issuer (hotline/app)
- Freeze card; request replacement.
- Obtain case/reference number and written acknowledgment.
File a formal dispute
- Submit a sworn statement/affidavit of fraud, screenshots of SMS, links, OTP prompts, and a timeline.
- Ask for the authentication evidence (e.g., 3-D Secure logs) and the bank’s final position in writing.
Provisional credit / chargeback
- Depending on scheme rules and bank policy, you may receive temporary credit while the bank investigates and pursues chargeback against the acquirer/merchant. Outcomes vary by merchant compliance and evidence.
Escalate internally
- Use the bank’s complaints office or consumer protection officer if front-line handling stalls.
Regulatory escalation
- BSP Consumer Assistance: for banks/credit card issuers under BSP.
- SEC: if the issuer is a non-bank lending/credit company under SEC oversight.
- NPC: if your personal data was mishandled or breached.
- PNP-ACG/NBI-CCD: for criminal complaints (citing the ADRA and cybercrime offense elements).
Civil action
- For recovery of amounts, interest, damages (moral/exemplary where warranted), and attorney’s fees—often citing breach of contract, negligence, or unfair practices. Consider small claims for lower amounts (subject to jurisdictional thresholds) or regular trial courts for larger disputes.
Deadlines matter. Card agreements commonly set short windows (e.g., 30 days from statement) to dispute charges. Comply with them, while reserving rights under the FCPA and law.
7) How Banks Can Be Held Liable (Illustrative Theories)
- Breach of duty of diligence (high standard for banks) where controls were inadequate relative to known smishing patterns.
- Unfair or deceptive practice under the FCPA (e.g., blanket denial solely because an OTP was entered, despite obvious risk markers).
- Negligence in monitoring/alerts or in failing to act on anomalies.
- Breach of contract (failure to provide secure services as promised).
- Data privacy lapses (leading to targeted smishing using leaked personal data).
- Failure to provide accessible redress or to resolve complaints in a fair, timely manner.
8) How Cardholders Can Be Found Liable (Illustrative Theories)
- Contributory negligence (Civil Code) by sharing OTPs, card data, or installing malware, despite clear warnings.
- Failure to report promptly leading to additional losses.
- Ignoring security hygiene (jailbroken devices, unprotected SMS, side-loaded APKs) when risks were clearly disclosed.
Courts and regulators may apportion loss—shared liability is common where both sides could have prevented the loss.
9) Practical, Actionable Playbooks
A. If You Receive a Suspicious SMS
- Do not click links or call numbers in the SMS.
- Verify via the official banking app or the number on your card.
- Report the SMS to your bank and telco; block and delete.
B. If Fraud Already Happened
- Within hours: call issuer; freeze card; request replacement; take and export screenshots of app alerts and the scam SMS.
- Within 24–48 hours: file a written dispute and affidavit; request logs and merchant descriptors; ask about provisional credit.
- Within the bank’s stated timeline: press for a final written decision (approve/deny; basis).
- If denied: escalate to BSP/SEC (as applicable) and consider legal action. Simultaneously file PNP-ACG/NBI complaints to build a record and deter future activity.
C. Long-Term Risk Reduction
- Enable transaction notifications, per-transaction limits, and geo/merchant blocks.
- Prefer 3-D Secure (challenge-required) when available; disable “one-click” card on risky sites.
- Keep devices clean; avoid installing apps from links/QRs; use mobile OS protections.
- Use virtual card numbers for online purchases where your bank provides them.
- Maintain separate cards for recurring online merchants vs. everyday use.
10) Evidence Checklist for Your Dispute File
- Copies/screenshots of the SMS, including sender ID and timestamp.
- The URL and any landing page screenshots (if visited).
- Your bank alerts (SMS/email/app) with timestamps.
- Statement pages showing the disputed transactions.
- Your call logs and reference numbers with the bank.
- Device info (OS, model), whether you ever shared OTP, and why.
- Any police/NBI/PNP-ACG blotter or complaint.
- Correspondence with the merchant (if any).
- Request/response showing issuer’s authentication evidence (e.g., 3-D Secure outcome, device fingerprints, IP).
11) Criminal, Administrative, and Civil Tracks—Running in Parallel
It’s common to pursue:
- Criminal: ADRA + cybercrime complaints against John/Jane Doe (unknown fraudsters); law enforcement can subpoena telco records (helped by SIM registration).
- Administrative: complaints with BSP/SEC/NPC for regulatory oversight and remedies (e.g., directives to issuers, mediation).
- Civil: damages/refund action against liable parties (issuer/merchant) based on negligence, unfair practices, or breach.
Parallel tracks increase settlement pressure and improve the evidence paper trail.
12) Frequently Asked Questions
Q1: I entered the OTP because the SMS said my card would be blocked. Am I automatically liable?
Not automatically. Sharing an OTP is a serious fact against the cardholder, but regulators look at overall fairness and whether the bank’s controls and warnings were adequate, and whether anomalies should have been blocked. Outcomes vary.
Q2: Can the bank refuse to show authentication logs?
They may restrict raw data for security, but under consumer-protection principles you can request a clear explanation of how the transaction was authenticated and why the dispute was denied or approved.
Q3: How long will a chargeback take?
Timelines depend on the scheme and acquirer response. Expect weeks to a few months. Keep all communications and diary the bank’s promised milestones.
Q4: The SMS came from a sender ID that looked like my bank. Does that shift liability?
It strengthens your case that the scam was sophisticated, but the result still turns on controls vs. conduct (both yours and the bank’s) and the transaction evidence.
13) Sample Outline for a Dispute Letter / Affidavit
Subject: Dispute of Unauthorized Credit Card Transactions due to SMS Phishing
- Identification: Cardholder name, last 4 digits, statement date.
- Facts: Timeline (SMS received [date/time], link/content, what was clicked/shared, when you reported).
- Disputed Transactions: Merchant, amount, date/time, why unauthorized.
- Legal Basis: Cite unauthorized use (ADRA), consumer protection (FCPA), bank’s duty of diligence, and that you did not authorize the transactions.
- Requests: Immediate reversal or provisional credit; detailed authentication explanation; copies/summaries of risk checks performed; final written resolution within stated timelines.
- Attachments: Screenshots, statement pages, call references, police/NBI/PNP-ACG complaint (if filed).
- Reservation of Rights: To escalate to BSP/SEC/NPC and to file civil/criminal actions.
14) Strategic Tips for Counsel and Compliance Teams
- Document bank controls: show policy alignment with BSP/FCPA expectations; demonstrate consumer education and timely alerts.
- Risk-based SCA: step-up where data, device, geolocation, and merchant risk intersect; adopt behavioral analytics.
- Clear denials: base decisions on evidence, not boilerplate “OTP shared.”
- Merchant monitoring: work with acquirers to identify high-risk MCCs and velocity patterns; enforce scheme compliance.
- Data governance: privacy-by-design, breach response, and cross-functional incident playbooks with telco escalation lanes.
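The red flags listed under section 3B (sudden high-risk merchant, foreign IP, device change, midnight bursts, default limits) and the “risk-based SCA” tip above describe the same control: an issuer scores each card-not-present authorization and steps up or blocks when signals stack, instead of treating an entered OTP as the end of the analysis. The following Python sketch is an added illustration of that control and of the audit record section 5 says decides most disputes; it is not any bank’s, card scheme’s or regulator’s logic. The field names, weights, thresholds, the high-risk MCC set, the `Attempt`/`CardProfile` types and the sample events are all assumptions constructed for this example.

```python
"""Risk-based authentication triage for card-not-present authorizations.

Added illustration, not any issuer's or scheme's production logic: each
authorization is scored on the red flags named in the article (foreign IP,
new device, sudden high-risk merchant, night-time bursts, spend limits);
the score selects ALLOW / STEP_UP / BLOCK; and an audit record of the
checks is kept so a later dispute can show what the issuer evaluated.
Field names, weights, thresholds, MCC set and sample events are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed high-risk merchant category codes (illustrative set, not a scheme list).
HIGH_RISK_MCCS = {"6051", "7995", "4829"}

# Assumed weights: one strong signal forces step-up; several together block.
WEIGHTS = {"foreign_ip": 2, "new_device": 2, "high_risk_mcc": 3,
           "night_hours": 1, "velocity_burst": 3, "over_daily_limit": 2}
STEP_UP_AT, BLOCK_AT = 2, 6


@dataclass
class Attempt:
    ts: datetime
    amount: float
    mcc: str
    ip_country: str
    device_id: str
    otp_passed: bool   # recorded as evidence, but a passed OTP never cancels a BLOCK


@dataclass
class CardProfile:
    home_country: str
    known_devices: set
    usual_mccs: set
    daily_limit: float
    history: list = field(default_factory=list)   # (Attempt, decision) pairs


def risk_flags(attempt, profile):
    """Return the red flags this attempt raises against the cardholder's profile."""
    flags = []
    if attempt.ip_country != profile.home_country:
        flags.append("foreign_ip")
    if attempt.device_id not in profile.known_devices:
        flags.append("new_device")
    if attempt.mcc in HIGH_RISK_MCCS and attempt.mcc not in profile.usual_mccs:
        flags.append("high_risk_mcc")
    if 0 <= attempt.ts.hour < 5:
        flags.append("night_hours")
    # Velocity: three or more earlier attempts (approved or not) in the last 10 minutes.
    recent = [a for a, _ in profile.history
              if timedelta(0) <= attempt.ts - a.ts <= timedelta(minutes=10)]
    if len(recent) >= 3:
        flags.append("velocity_burst")
    # Spend limit: today's non-blocked amounts plus this one exceed the daily cap.
    spent_today = sum(a.amount for a, d in profile.history
                      if a.ts.date() == attempt.ts.date() and d != "BLOCK")
    if spent_today + attempt.amount > profile.daily_limit:
        flags.append("over_daily_limit")
    return flags


def decide(attempt, profile):
    """Score the attempt, record it in the profile, return (decision, audit record)."""
    flags = risk_flags(attempt, profile)
    score = sum(WEIGHTS[f] for f in flags)
    if score >= BLOCK_AT:
        decision = "BLOCK"
    elif score >= STEP_UP_AT:
        decision = "STEP_UP"
    else:
        decision = "ALLOW"
    profile.history.append((attempt, decision))
    # Audit record: what the issuer can later produce in a dispute.
    record = {"ts": attempt.ts.isoformat(), "amount": attempt.amount, "mcc": attempt.mcc,
              "ip_country": attempt.ip_country, "device_id": attempt.device_id,
              "otp_passed": attempt.otp_passed, "flags": flags, "score": score,
              "decision": decision}
    return decision, record


def run_sample():
    """Constructed scenario: a cardholder tricked into entering an OTP at night."""
    profile = CardProfile(home_country="PH", known_devices={"dev-A"},
                          usual_mccs={"5411", "5812"}, daily_limit=20000.0)
    events = [
        Attempt(datetime(2024, 3, 1, 14, 5), 1200.0, "5411", "PH", "dev-A", False),
        # phished OTP was entered, yet every other signal is wrong -> BLOCK
        Attempt(datetime(2024, 3, 2, 2, 10), 25000.0, "7995", "RO", "dev-Z", True),
        Attempt(datetime(2024, 3, 2, 10, 30), 3000.0, "5999", "PH", "dev-B", True),
        Attempt(datetime(2024, 3, 2, 10, 31), 500.0, "5999", "PH", "dev-A", False),
        Attempt(datetime(2024, 3, 2, 10, 32), 500.0, "5999", "PH", "dev-A", False),
        Attempt(datetime(2024, 3, 2, 10, 33), 500.0, "5999", "PH", "dev-A", False),
    ]
    return [decide(e, profile)[1] for e in events]


if __name__ == "__main__":
    for rec in run_sample():
        print(rec["ts"], rec["decision"], rec["flags"])
```

In the constructed scenario the night-time, foreign-IP, new-device, high-risk-merchant attempt is blocked even though the OTP was entered, a single unknown device only triggers step-up, and the fourth attempt inside ten minutes trips the velocity rule. The returned audit records are the kind of authentication evidence a cardholder can request under section 6 and a compliance team should be able to produce under section 14.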
15) Takeaway
In the Philippines, liability for SMS-enabled credit card fraud is fact-driven. The law condemns unauthorized use and protects consumers, but also expects prudence from cardholders. Banks must maintain strong, risk-based authentication and fair, transparent dispute processes; cardholders must act quickly and carefully. When those standards collide, regulators and courts frequently apportion loss based on who could realistically have prevented the fraud.
If you’re dealing with a live dispute, build your evidence file immediately and pursue internal, regulatory, and (if needed) legal remedies in parallel.