Introduction
Unauthorized credit card transactions are no longer limited to stolen physical cards. In the Philippines, disputes now often involve card-not-present purchases, mobile wallet linkages, one-time password (OTP) issues, SIM-related compromise, phishing, vishing, app-based fraud, and claims that a transaction was “authenticated” even when the cardholder insists no valid consent was given.
A recurring and difficult problem is the OTP discrepancy: the bank says an OTP was sent, used, or matched; the cardholder says no OTP was received, the OTP was delayed, the OTP referred to a different amount or merchant, or the OTP was divulged only because of fraud or deception. This raises legal questions on consent, proof, allocation of loss, bank diligence, cardholder negligence, evidence preservation, and available remedies.
In Philippine law and regulation, this area sits at the intersection of contract law, obligations and damages, consumer protection, banking regulation, electronic commerce, data privacy, cybersecurity, and quasi-delict. There is no single code exclusively governing all unauthorized credit card disputes, so the practical resolution of cases depends on a combined reading of statutes, Bangko Sentral ng Pilipinas (BSP) rules, card terms and conditions, and the factual record.
This article explains the Philippine legal framework, the role of OTPs, what counts as an unauthorized transaction, who bears the burden of proof, how banks and cardholders usually argue these disputes, the effect of negligence, how to build a strong complaint, and what remedies are realistically available.
I. What is an unauthorized credit card transaction?
An unauthorized credit card transaction is a charge incurred without the cardholder’s valid consent. In Philippine practice, it may include:
- purchases made using stolen card details;
- online transactions using card number, expiry date, CVV, and OTP without the cardholder’s real approval;
- recurring charges not consented to or not properly cancelled;
- card enrollment to digital platforms or tokenized wallets without authority;
- fraudulent balance conversion, installment conversion, cash advance, or quasi-cash transaction;
- merchant overcharge, duplicate posting, or manipulated amount;
- transactions resulting from phishing, smishing, vishing, fake bank calls, fake courier texts, spoofed sites, or remote device compromise;
- transactions where an OTP was allegedly used but the cardholder denies receiving it or says it was induced by fraud;
- transactions posted after the card was reported lost, stolen, blocked, or replaced.
Not every disputed transaction is legally “unauthorized.” Some are really:
- merchant disputes: goods not delivered, defective, cancelled but still charged;
- billing disputes: duplicate charges, wrong amount, foreign exchange discrepancy;
- family or employee misuse: done by someone who had access but exceeded authority;
- friendly fraud: cardholder or household member actually approved the charge but later denies it.
The classification matters because chargeback reason codes, bank investigation paths, and legal arguments differ.
II. Why OTP discrepancies matter
The OTP is often treated by banks as proof that the cardholder participated in or authorized the transaction. But legally, an OTP is only one piece of evidence, not automatic conclusive proof of valid consent.
An OTP discrepancy may take several forms:
- No OTP received at all. The customer never got any OTP message or in-app prompt.
- OTP received after the transaction. The SMS arrived late, after the fraudulent charge was already posted or approved.
- OTP for a different merchant or amount. The OTP message did not match the disputed transaction details.
- OTP was entered because of deception. The customer was tricked by a fraudster pretending to be the bank, merchant, courier, or government agency.
- OTP linked to account takeover or SIM compromise. The OTP may have gone to a fraudster through SIM swap, phone theft, malware, message forwarding, or compromised app permissions.
- No OTP was required. Some transactions proceed under merchant/acquirer risk settings, tokenized credentials, stored card schemes, recurring arrangements, fallback authentication, or low-friction flows.
- Multiple OTP prompts / bombardment. Fraudsters trigger repeated attempts until the customer becomes confused and discloses or approves one.
- 3D Secure or in-app approval inconsistency. The bank relies not on SMS OTP but on app-based authentication or “frictionless” approval under card network rules, while the customer insists no meaningful approval occurred.
The legal significance of these discrepancies is simple: if the bank relies on authentication logs, it must still show that the authentication process was reliable, properly linked to the actual transaction, and not compromised by system defects or foreseeable fraud risks.
III. The Philippine legal framework
A. Civil Code: consent, obligations, diligence, damages
The starting point is the Civil Code. Credit card use is rooted in contract, but disputes may also implicate negligence and damages.
Relevant principles include:
- Consent must be real and voluntary. A transaction imposed through fraud, mistake, impersonation, or system failure can be challenged.
- Banks are expected to observe a high degree of diligence in dealing with the public because banking is impressed with public interest.
- A bank may incur liability for breach of contract if it posts or insists on charges without adequate basis, mishandles a fraud report, or fails to investigate in good faith.
- A bank or merchant may also face quasi-delict liability if negligent security, poor fraud controls, or careless handling of sensitive data caused loss.
- Damages may be claimed if the customer proves actual loss and, in proper cases, entitlement to moral and exemplary damages and attorney’s fees.
In Philippine doctrine, banks are not ordinary businesses. Courts have repeatedly described them as institutions required to exercise meticulous care because the public relies on their systems and representations.
B. BSP consumer protection and electronic payments regulation
The BSP regulates banks and other supervised financial institutions. In unauthorized electronic transaction disputes, BSP rules matter heavily because they shape the bank’s operational obligations.
Broadly, BSP regulations require banks to maintain:
- sound risk management;
- customer protection standards;
- complaint handling mechanisms;
- fraud monitoring and security controls;
- transparent disclosures;
- procedures for dispute resolution and error handling;
- controls over electronic and digital financial services.
For card and e-money channels, institutions are generally expected to implement security measures proportionate to the risks, including authentication, monitoring, alerting, and incident response. Where fraud patterns are known and recurring, a failure to improve controls may support an argument of negligence or regulatory noncompliance.
C. Truth in Lending and consumer transparency
Where finance charges, fees, reversals, and billing consequences are involved, disclosure rules matter. A cardholder disputing an unauthorized transaction often also disputes:
- interest imposed while the dispute is pending;
- late fees triggered by refusal to pay the questioned amount;
- finance charges on revolving balances inflated by fraudulent postings;
- collection action while investigation remains unresolved.
Banks are generally expected to provide sufficiently clear information on billing, fees, due dates, and dispute procedures.
D. Electronic Commerce Act and electronic evidence
Unauthorized credit card disputes often involve digital records: SMS logs, app logs, device fingerprinting, IP addresses, geolocation, 3D Secure data, and system event trails.
Philippine law recognizes electronic data and electronic documents as potentially admissible, subject to rules on authenticity, reliability, and evidentiary weight. This helps both sides:
- the bank may present system logs to show transaction flow and authentication;
- the cardholder may present screenshots, carrier records, device logs, and fraud reports to rebut the bank’s narrative.
The key is not whether evidence is electronic, but whether it is credible, attributable, intact, and relevant.
E. Data Privacy Act
Unauthorized transactions often involve unauthorized access to personal and financial data. The Data Privacy Act becomes relevant when:
- cardholder data was mishandled;
- the bank’s or merchant’s systems were compromised;
- the customer’s complaint requires access to personal data held by the bank, such as logs and transaction records;
- excessive or improper disclosure occurred during the investigation.
A cardholder may invoke data protection principles when requesting access to records, though banks may still lawfully withhold certain internal fraud methodologies or third-party confidential information. Still, privacy law strengthens the argument that institutions must protect personal and financial information with appropriate security safeguards.
F. Cybercrime and related penal laws
Some unauthorized transactions arise from phishing, identity theft, hacking, or fraudulent electronic communications. In those situations, criminal liability may attach to the fraudster under cybercrime and fraud laws. The practical reality, however, is that prosecution of unknown cybercriminals is often difficult. For the cardholder, the more immediate question remains the civil allocation of loss between customer and bank.
IV. The contractual framework: cardholder agreement is important, but not absolute
Every credit card dispute is shaped by the terms and conditions of the card issuer. These usually contain provisions on:
- duty to safeguard the card, CVV, PIN, OTP, and devices;
- prompt reporting of loss, theft, or suspicious activity;
- cardholder liability before and after notice;
- conclusive evidence clauses regarding bank records;
- treatment of online transactions;
- chargeback procedures;
- timelines for disputing statement entries;
- exclusion of bank liability for certain third-party or internet-related incidents.
These clauses matter, but they are not absolute shields. A contract of adhesion, especially in banking and consumer settings, may be strictly construed against the drafter where ambiguous. Also, a clause that says bank records are conclusive cannot erase the court’s power to weigh evidence. If the system logs are incomplete, inconsistent, or disconnected from the actual disputed event, the bank may still lose.
Likewise, a generic clause making the cardholder liable for “all transactions authenticated by OTP” does not automatically prevail where the cardholder proves:
- no OTP was received;
- the OTP message content mismatched the transaction;
- the bank had system issues;
- the OTP was captured through a foreseeable security gap;
- the customer was induced by fraud in circumstances the bank should reasonably have anticipated and guarded against.
V. What banks usually argue
In Philippine disputes, banks commonly rely on some or all of the following points:
- The transaction was authenticated. They may cite OTP use, 3D Secure completion, app confirmation, or other authentication markers.
- The correct OTP was entered. They may say only the customer could have received or supplied the OTP.
- The card details were accurately input. This suggests the customer or someone with access to the card disclosed details.
- The transaction originated from the customer’s device, IP, or profile. This is stronger if supported by reliable technical logs; weaker if generalized.
- The customer breached card security obligations. Example: sharing OTP, card photo, CVV, login credentials, or clicking phishing links.
- The transaction is excluded from chargeback or reversal. Particularly if it was a “secure” authenticated e-commerce transaction.
- The customer reported too late. Delay can be used to argue contributory negligence or loss of chargeback opportunities.
- There is no proof of system error. Banks often say their records show normal functioning and no technical fault.
- The dispute is with the merchant, not the bank. This may be correct in some non-fraud merchant disputes, but less persuasive in clear unauthorized-use cases.
These arguments become much weaker when the customer promptly reported the issue, preserved evidence, and can show authentication irregularities or suspicious surrounding facts.
VI. What cardholders usually argue
A cardholder disputing unauthorized charges often raises:
- No valid consent. The essential point: “I did not authorize this charge.”
- No OTP or wrong OTP context. No OTP arrived, or the OTP message did not match the actual transaction.
- Authentication does not equal authorization. Even if a system log says “authenticated,” the approval may have been produced by fraud, spoofing, account takeover, SIM compromise, malware, or defective process design.
- Bank security failure. The issuer failed to detect abnormal behavior or failed to apply stronger controls despite fraud indicators.
- Known fraud pattern. The transaction matches a pattern that banks should already know how to detect: unusual merchant category, high-risk foreign e-commerce, sudden multiple attempts, tokenization anomalies, device change, location mismatch, or rapid sequential purchases.
- Inadequate alerts or delayed blocking. The bank failed to notify promptly or failed to block despite a timely report.
- Improper billing during investigation. Interest and penalties were imposed on the questioned amount even while the dispute was being contested.
- Poor complaint handling. The bank gave template denials, refused evidence access, or simply repeated that OTP was used without meaningful explanation.
- Contributory negligence should not swallow bank negligence. Even if the customer made a mistake under sophisticated fraud, the bank may still bear all or part of the loss if its controls were inadequate.
VII. Is use of an OTP conclusive proof of authorization?
No. It is strong evidence, but not conclusive in every case.
Why OTP is not infallible
An OTP proves, at most, that a code linked to an authentication system was generated and apparently used. It does not automatically prove all of the following:
- that the rightful cardholder received it;
- that the rightful cardholder understood what it was for;
- that the OTP message accurately described the transaction;
- that the OTP was not intercepted or diverted;
- that the customer was not deceived by a sophisticated fraud operation;
- that the bank’s authentication logs are complete and tamper-free;
- that the transaction details sent for authentication match the charge eventually posted.
In a legal dispute, the OTP issue should be broken down into separate factual questions:
- Was an OTP actually generated?
- To what number, device, or app session was it sent?
- At what exact time?
- For what merchant and amount?
- Was the content of the authentication message complete and specific?
- Was the OTP entered successfully?
- From what channel or session?
- Was there a simultaneous password reset, device enrollment, SIM change, or account recovery event?
- Were there multiple failed attempts before success?
- Was the transaction consistent with the cardholder’s profile and history?
- Did the bank escalate to stronger verification when risk signals appeared?
A bank that merely says “the OTP was correctly entered” may still fall short if it cannot persuasively connect that fact to valid, informed, voluntary authorization.
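The factual questions above can be worked through mechanically once the records are lined up on one timeline. The following is an added example, not part of the original article and not any issuer's actual log format: the event types, field names, and sample records are constructed assumptions, and the check reconciles one disputed authorization against the OTP trail and the cardholder's handset screenshot time.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample data; the schema is hypothetical, for illustration only.
REGISTERED_DEST = "+639170000001"
EVENTS = [
    {"t": "2024-03-01T13:40:12", "type": "sim_change"},
    {"t": "2024-03-01T14:02:05", "type": "otp_generated", "otp_id": "A1",
     "dest": "+639170000001", "merchant": "SHOP-ONE", "amount": "1500.00"},
    {"t": "2024-03-01T14:02:40", "type": "otp_failed", "otp_id": "A1"},
    {"t": "2024-03-01T14:02:55", "type": "otp_failed", "otp_id": "A1"},
    {"t": "2024-03-01T14:03:10", "type": "otp_validated", "otp_id": "A1"},
    {"t": "2024-03-01T14:03:12", "type": "authorization", "otp_id": "A1",
     "merchant": "SHOP-TWO", "amount": "15000.00"},
]
# Time each OTP SMS shows as received in the cardholder's screenshot.
HANDSET_RECEIPTS = {"A1": "2024-03-01T14:09:30"}

# Account events that weaken the inference "only the cardholder had the OTP".
ACCOUNT_EVENTS = {"sim_change", "device_enrollment", "password_reset",
                  "account_recovery"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def reconcile(events, auth, handset_receipts, registered_dest,
              lookback=timedelta(hours=24)):
    """Return finding codes for one disputed authorization record."""
    findings = []
    auth_time = parse_ts(auth["t"])
    otp_id = auth.get("otp_id")
    related = [e for e in events if otp_id and e.get("otp_id") == otp_id]
    generated = [e for e in related if e["type"] == "otp_generated"]

    if not generated:
        # Was an OTP actually generated for this charge?
        findings.append("NO_OTP_ON_RECORD")
    else:
        gen = generated[0]
        # To what number was it sent?
        if gen["dest"] != registered_dest:
            findings.append("OTP_DEST_NOT_REGISTERED")
        # For what merchant and amount, and does that match the posting?
        if (gen["merchant"], Decimal(gen["amount"])) != (
                auth["merchant"], Decimal(auth["amount"])):
            findings.append("OTP_TXN_MISMATCH")
        # Was the OTP entered successfully before the authorization?
        ok = [parse_ts(e["t"]) for e in related
              if e["type"] == "otp_validated" and parse_ts(e["t"]) <= auth_time]
        if not ok:
            findings.append("OTP_NOT_VALIDATED_BEFORE_AUTH")
        else:
            # Were there failed attempts before the first success?
            failed = sum(1 for e in related if e["type"] == "otp_failed"
                         and parse_ts(e["t"]) < min(ok))
            if failed:
                findings.append(f"FAILED_ATTEMPTS_BEFORE_SUCCESS:{failed}")
        # Did the handset receive the SMS only after the charge was approved?
        receipt = handset_receipts.get(otp_id)
        if receipt and parse_ts(receipt) > auth_time:
            findings.append("HANDSET_RECEIPT_AFTER_AUTH")

    # Was there a SIM change, enrollment, or recovery event shortly before?
    for e in events:
        age = auth_time - parse_ts(e["t"])
        if e["type"] in ACCOUNT_EVENTS and timedelta(0) <= age <= lookback:
            findings.append(f"RECENT_ACCOUNT_EVENT:{e['type']}")
    return findings


if __name__ == "__main__":
    for code in reconcile(EVENTS, EVENTS[-1], HANDSET_RECEIPTS, REGISTERED_DEST):
        print(code)
```

Each finding code maps to one of the factual questions, so an empty result means the records are internally consistent, not that consent was given.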
VIII. OTP discrepancies and specific factual scenarios
1. No OTP received, but transaction pushed through
This can happen because:
- merchant/acquirer did not require OTP;
- a frictionless 3D Secure flow was used;
- the bank’s system treated the transaction as low-risk;
- credentials were used in a stored-card or recurring arrangement;
- the OTP went to a compromised channel;
- system logging is incomplete or inaccurate.
Legal relevance:
- The bank cannot simply insist the customer “must have shared it” if no OTP evidence is produced.
- If no OTP was required, the issuer may need to justify why the transaction was allowed under its risk controls.
- The cardholder can argue absence of meaningful authentication.
2. OTP received after the transaction
This suggests timing irregularity:
- system delay,
- asynchronous message delivery,
- poor log synchronization,
- or mismatch between authentication and posting.
Legal relevance:
- A late OTP may undermine the bank’s claim that the OTP secured that specific transaction.
- The customer should preserve screenshots showing timestamps.
3. OTP message did not identify merchant or amount clearly
A vague OTP message can increase fraud risk. Example: “Your OTP is 123456. Do not share.” No merchant, amount, or transaction type.
Legal relevance:
- The bank’s design may be criticized as inadequate because it deprives the user of a meaningful chance to detect fraud.
- Better banking practice is to link the OTP to clear transaction details.
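What linking the OTP to transaction details can look like in practice is sketched below. This is an added example, not from the original article and not a description of any bank's or card network's implementation: the scheme (an HMAC over the transaction fields, truncated to six digits in the style of HOTP), the field names, and the key are illustrative assumptions. Expiry, attempt limits, and key management are out of scope.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would keep this in an HSM or KMS.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(txn):
    """Serialize the fields the cardholder is asked to approve.

    A JSON list in fixed order avoids delimiter ambiguity between fields.
    txn_id is assumed unique per attempt, which makes each code single-use.
    """
    fields = [txn["txn_id"], txn["merchant"], txn["currency"], txn["amount"]]
    return json.dumps(fields, separators=(",", ":")).encode("utf-8")


def bound_otp(key, txn, digits=6):
    """Derive an OTP that is only valid for this exact merchant and amount."""
    mac = hmac.new(key, canonical(txn), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in HOTP
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_message(key, txn):
    """Message text that lets the recipient see what the code approves."""
    return (f"OTP {bound_otp(key, txn)} to pay {txn['currency']} "
            f"{txn['amount']} at {txn['merchant']}. "
            "If this is not your purchase, do not share this code.")


def verify(key, submitted_otp, txn_at_authorization):
    """Recompute the OTP from the charge actually being authorized."""
    expected = bound_otp(key, txn_at_authorization)
    return hmac.compare_digest(expected, submitted_otp)


# Constructed transaction the cardholder was shown and approved.
SHOWN = {"txn_id": "T-0001", "merchant": "SHOP-ONE",
         "currency": "PHP", "amount": "1500.00"}
# Same OTP replayed against a different merchant and amount.
ALTERED = dict(SHOWN, merchant="SHOP-TWO", amount="15000.00")

if __name__ == "__main__":
    code = bound_otp(DEMO_KEY, SHOWN)
    print(otp_message(DEMO_KEY, SHOWN))
    print("valid for shown transaction:", verify(DEMO_KEY, code, SHOWN))
    print("valid for altered transaction:", verify(DEMO_KEY, code, ALTERED))
```

With a design like this, a code obtained for one charge does not validate a different charge, and the issuer's log can show which merchant and amount the code was computed over.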
4. OTP was disclosed because of phishing or vishing
Common defense of banks: disclosing an OTP is negligence per se.
This is not always the end of the matter. The real question is whether the customer’s act was the sole proximate cause of the loss, or whether bank-side failures materially contributed. Consider:
- Did fraudsters spoof official channels?
- Had the bank warned customers about this exact scam?
- Were there unusual transaction patterns that should have triggered review?
- Was there a rapid series of abnormal charges after the first compromise?
- Did the bank ignore the customer’s immediate call to block the card?
A customer tricked by an elaborate social engineering scheme may still have a weaker case than one who never shared anything, but not every disclosure automatically absolves the bank.
5. SIM swap or mobile compromise
If the OTP channel itself was compromised, issues arise involving:
- telco processes,
- SIM replacement safeguards,
- device takeover,
- malware,
- account recovery flows.
Legal relevance:
- Liability may involve not only the bank but potentially other entities depending on facts.
- The cardholder should gather mobile carrier records, service interruption logs, sudden loss of signal history, and device change evidence.
6. Recurring or tokenized transactions after card replacement/blocking
Fraud can continue through:
- merchant updater services,
- tokenized credentials,
- auto-billing relationships,
- digital wallet tokens not fully deactivated.
Legal relevance:
- The bank should explain why charges persisted after block/replacement.
- The customer should ask whether a card-on-file token remained active.
IX. Burden of proof in disputes
There is no mechanical single-rule answer, but in practice:
A. The cardholder must first make a credible denial
The customer should clearly state:
- which transactions are disputed,
- when they were noticed,
- that no authorization was given,
- what happened with OTPs,
- and what immediate steps were taken.
B. The bank then needs to substantiate its posting
Because the bank relies on its internal systems and records, it is usually in the better position to show:
- transaction logs,
- authentication method,
- timestamps,
- merchant/acquirer details,
- 3D Secure records,
- alert history,
- card status,
- blocking timeline,
- investigation results.
C. Mere internal assertion may be insufficient
A denial letter that simply says “the transaction was authenticated using OTP sent to your registered number” may not be persuasive if challenged further. The greater the dispute, the more the bank may need to show reliability and traceability.
D. If the customer alleges negligence or damages, the customer must prove it
To recover damages beyond reversal of charges, the cardholder should show:
- actual financial loss,
- emotional distress where compensable and properly grounded,
- bad faith, gross negligence, or oppressive conduct if seeking enhanced damages.
X. Standard of diligence expected from banks
Philippine banking law and jurisprudential principles generally hold banks to a high standard of diligence. In the context of unauthorized transactions, that can translate into expectations such as:
- secure authentication design;
- real-time fraud monitoring;
- anomaly detection;
- clear alerts showing merchant and amount;
- effective blocking mechanisms;
- prompt escalation upon fraud report;
- well-documented investigation;
- fair consumer complaint handling;
- accurate synchronization of logs across systems;
- controls against credential stuffing, account takeover, SIM-related fraud, and suspicious token provisioning.
A bank need not guarantee zero fraud. But it is not enough to say fraud exists everywhere. The issue is whether the bank acted with the degree of care expected of a financial institution entrusted with consumer accounts and payment credentials.
XI. Cardholder negligence and comparative fault
One of the hardest parts of these cases is the effect of the cardholder’s own mistake.
Examples of conduct that may count against the cardholder:
- giving the OTP to another person;
- clicking a fraudulent link and entering card details;
- sharing CVV or full card information through chat or phone;
- failing to report suspicious activity promptly;
- writing down or exposing credentials carelessly;
- ignoring repeated fraud alerts;
- handing over the phone or SIM to untrusted persons.
But negligence is not always all-or-nothing. The legal analysis should ask:
- Was the conduct truly negligent under the circumstances?
- Was the scam sophisticated enough that a reasonable consumer might be deceived?
- Did the bank’s own failures materially contribute?
- Was the loss worsened by the bank’s delay after report?
- Was the bank’s OTP design itself confusing or incomplete?
In some cases, the bank may argue estoppel: the customer’s own acts enabled the fraud. In response, the customer may argue that the bank’s systems lacked reasonable protective measures against foreseeable scams.
XII. Common evidence that matters
A strong unauthorized transaction complaint is evidence-driven. Useful evidence includes:
From the cardholder
- credit card statements;
- screenshots of SMS OTP messages with timestamps;
- phone call logs showing calls to the bank;
- emails or app messages to customer service;
- screenshots of disputed merchant pages or fake links;
- police or cybercrime blotter, when appropriate;
- affidavit narrating the sequence of events;
- proof of travel/location if the transaction occurred somewhere impossible for the cardholder;
- proof the card was still in the cardholder’s possession;
- screenshots showing delayed or mismatched OTP content;
- screenshots of blocked card status or replacement requests;
- telco records for SIM issues or service interruption.
From the bank
- transaction authorization logs;
- merchant descriptor and acquiring bank details;
- 3D Secure / authentication logs;
- device or session data if available;
- timestamps for OTP generation, dispatch, and validation;
- records of card blocking, replacement, and customer contact;
- fraud team notes and investigation findings;
- recordings or logs of hotline calls.
From third parties
- merchant correspondence;
- courier or platform records;
- digital wallet account history;
- telecom records.
The party that preserves contemporaneous evidence usually has the stronger practical position.
XIII. Immediate steps a cardholder should take
From a legal and practical standpoint, the cardholder should act quickly:
- Block the card immediately. Use hotline, app, or branch.
- Report every disputed transaction in writing. Verbal reports are not enough. Use email, app messaging, or formal complaint channels.
- List exact details. Date, amount, merchant, whether OTP was received, and why it was unauthorized.
- Request temporary suspension of charges, fees, and collection activity on the disputed amount. This is especially important if the statement due date is near.
- Preserve evidence. Screenshots, messages, call logs, incident narrative.
- Change related credentials. Banking app password, email password, mobile wallet credentials.
- Check other linked accounts. E-wallets, subscriptions, digital marketplaces, stored cards.
- Document timelines precisely. Exact times often decide OTP disputes.
- Escalate promptly if the first response is formulaic or dismissive. Ask for the bank’s final written position and investigation basis.
XIV. Internal bank dispute process
Most issuers have formal dispute procedures. Typically, the cardholder:
- files a dispute;
- receives a case or reference number;
- is asked for a complaint form and supporting documents;
- waits for investigation, sometimes involving the merchant and card network;
- may receive provisional credit, temporary suspension, or outright denial depending on issuer policy.
Legal pressure points during this stage:
- whether the bank explains the basis for denial;
- whether interest continues to accrue;
- whether minimum payment calculations include the disputed amount;
- whether the account is sent to collections despite a pending bona fide dispute;
- whether the bank considers evidence of OTP mismatch or delayed OTP.
A bank that handles the dispute perfunctorily may expose itself to stronger regulatory and litigation risk.
XV. BSP complaint route
If the issuer’s response is unsatisfactory, the cardholder may bring the matter to the Bangko Sentral ng Pilipinas through its consumer assistance mechanisms, which cover banks and other BSP-supervised financial institutions.
A BSP complaint is not exactly the same as a court case. It can, however, be very important because it:
- compels the institution to respond through a formal channel;
- creates a regulatory record;
- can pressure the bank to reassess the dispute;
- highlights possible noncompliance with consumer protection and risk management expectations.
In practice, a well-documented complaint to the BSP should include:
- account and card details sufficient to identify the case;
- exact disputed transactions;
- timeline of discovery and reporting;
- OTP discrepancy details;
- copies of the bank’s responses;
- explanation of why the denial is incorrect;
- requested relief, such as reversal of charges, removal of fees and interest, correction of records, and cessation of collection efforts.
The BSP may not always adjudicate damages the way a court can, but it is often a significant escalation step.
XVI. Court action and possible causes of action
Where the amount is significant or the bank refuses relief, judicial action may be considered.
Possible legal theories include:
A. Breach of contract
The bank wrongfully billed or refused reversal despite lack of authorization and inadequate investigation.
B. Negligence / quasi-delict
The bank failed to implement reasonable security or failed to act with the diligence required of financial institutions.
C. Damages
Damages may be sought if the customer suffered actual loss, reputational injury, emotional distress, or oppressive collection practices.
D. Injunctive relief, in proper cases
For example, to restrain wrongful collection or adverse reporting while a serious dispute is unresolved, though this depends on procedural posture and proof.
E. Declaratory or recovery relief
Seeking a declaration that the disputed charges are invalid and must be reversed.
The correct venue and procedure depend on the amount, the parties, and the relief sought.
XVII. Can a cardholder refuse to pay the disputed amount?
As a practical matter, this is risky unless handled carefully.
From the cardholder’s perspective, paying an unauthorized charge seems unfair. But nonpayment may trigger:
- finance charges,
- late fees,
- delinquency tagging,
- collection activity,
- credit record consequences.
A more defensible approach is to:
- expressly dispute the specific transactions in writing;
- ask that interest, penalties, and collection on the disputed amount be suspended;
- clarify whether the undisputed portion of the statement will be paid;
- preserve proof that the dispute was timely raised.
Some cardholders pay under protest to avoid compounding penalties, then continue pursuing reversal. Others withhold only the disputed amount. The better course depends on the bank’s policy, the amount involved, and the strength of the evidence.
Legally, the cardholder should avoid any communication that could be construed as admitting the disputed charge.
XVIII. Interest, penalties, and collection while dispute is pending
One major pain point in the Philippines is that disputed amounts may continue generating charges or trigger collection calls while the case is unresolved.
Potential legal issues include:
- whether it is fair or contractually proper to charge interest on a plausibly unauthorized amount;
- whether the bank acted in bad faith by escalating collection despite prompt dispute;
- whether the cardholder’s credit standing was harmed without adequate basis;
- whether harassment or abusive collection practices occurred.
A demand letter may ask for:
- reversal of the principal disputed amount;
- removal of finance charges, late fees, overlimit fees, and taxes related to it;
- correction of adverse internal or external records;
- written confirmation that no collection action will continue on the disputed amount.
XIX. Merchant chargeback versus issuer liability
Not all unauthorized transaction disputes are solved solely by arguing with the issuer. Sometimes the chargeback route through the card network matters more.
A chargeback is essentially a reversal mechanism within card network rules between issuer, acquirer, and merchant. Grounds may include:
- fraud;
- no authorization;
- duplicate processing;
- credit not processed;
- goods/services issues.
The bank may say the merchant presented proof of authentication. But even then, the cardholder can still challenge the bank if:
- the bank failed to assert the correct dispute basis;
- the bank mishandled the chargeback;
- the bank denied the claim without properly considering contrary evidence.
Chargeback rights are contractual/network-based, while court claims are legal remedies. They are related, but not identical.
XX. OTP discrepancies as evidence of system weakness
An OTP dispute may reveal broader institutional weaknesses, such as:
- poor SMS delivery reliability;
- insufficient transaction detail in alerts;
- lack of binding between OTP and transaction data;
- failure to detect merchant-risk anomalies;
- lack of re-verification after unusual account events;
- excessive reliance on a single authentication factor vulnerable to SIM compromise;
- incomplete audit trails.
In a strong case, the cardholder’s goal is to show that the problem is not merely “I deny the charge,” but rather: “Your system treated an insecure or compromised event as valid, and your records do not reliably prove genuine authorization.”
That is a much more powerful legal framing.
XXI. Role of phishing, spoofing, and social engineering
Philippine unauthorized transaction disputes increasingly involve deception rather than brute-force hacking. Fraudsters exploit:
- spoofed bank names or caller IDs;
- fake delivery texts;
- fake account suspension notices;
- fake KYC updates;
- fake rewards or points redemption;
- impersonation of bank fraud teams;
- fake QR or payment links.
In these cases, banks often take the position that the customer “voluntarily” gave the OTP. But consent obtained through deception is not equivalent to a freely intended purchase. The harder question is whether the customer’s gullibility or carelessness breaks the causal chain.
A nuanced legal assessment should consider:
- the sophistication of the scheme;
- whether the bank had repeatedly warned about that exact scheme;
- whether the bank’s fraud analytics should have flagged the transaction anyway;
- whether the transaction amount, merchant type, geography, or sequence was abnormal;
- whether the bank’s communications environment allowed spoof-like confusion.
XXII. Transactions after notice or after card block
If the cardholder reported the fraud and the bank still allowed further transactions, the bank’s position becomes more difficult.
Important distinctions:
- before notice: liability may depend more on cardholder conduct and circumstances;
- after notice/block request: the bank generally has a much stronger duty to prevent further use, subject to technical realities.
If charges continue after blocking, ask:
- Was the block effective immediately?
- Were tokenized or recurring transactions left active?
- Was the replacement card linked automatically to stored credentials?
- Was there internal delay between hotline confirmation and system-level block?
Post-notice charges are often among the strongest grounds for reversal.
XXIII. Data access and requests for records
A customer disputing a charge should request records that clarify the bank’s position. Typical requests include:
- full transaction details;
- OTP generation and validation timestamps;
- method of authentication used;
- merchant name and descriptor;
- whether 3D Secure was used;
- whether the transaction was card-not-present, recurring, tokenized, or wallet-linked;
- date and time the card was blocked;
- whether any replacement or digital enrollment occurred;
- explanation of denial beyond template language.
The bank may not disclose every internal fraud-control detail, but a refusal to provide meaningful specifics can support the view that the denial lacks substance.
XXIV. Practical weaknesses that often undermine bank denials
Bank denials are especially vulnerable when they rely on broad assertions such as:
- “Our records show it is valid.”
- “OTP was sent to your registered number.”
- “The merchant confirmed the transaction.”
- “This is a secure e-commerce charge.”
Those statements may be inadequate if they do not answer:
- What exact transaction was the OTP for?
- What was the OTP message content?
- What was the timestamp sequence?
- Was the merchant/amount shown?
- Did the customer report immediately?
- Were there prior suspicious attempts?
- Was this a first-time merchant or geography?
- Was a risk score generated?
- Why did monitoring not escalate it?
In litigation or regulatory review, detail matters.
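Once the records described in Sections XXII to XXIV are in hand, the timestamp sequence can be checked mechanically. The following is an added example, not a bank tool: the records are constructed, the field names are hypothetical, and the five-minute OTP validity window is an assumption to be replaced with the period the issuer actually states.

```python
from datetime import datetime, timedelta

OTP_VALIDITY = timedelta(minutes=5)  # assumption; use the validity period the issuer states

# Constructed sample records; field names are hypothetical.
BLOCKED_AT = "2024-03-01 11:00:00"
RECORDS = [
    {"id": "T1", "merchant": "ONLINE STORE A", "amount": "1500.00",
     "otp_generated": "2024-03-01 10:01:30", "otp_validated": "2024-03-01 10:02:05",
     "authorized": "2024-03-01 10:02:10",
     "otp_message": {"merchant": "ONLINE STORE A", "amount": "1500.00"}},
    {"id": "T2", "merchant": "ONLINE STORE B", "amount": "85000.00",
     "otp_generated": "2024-03-01 10:05:00", "otp_validated": "2024-03-01 10:19:50",
     "authorized": "2024-03-01 10:20:00",
     "otp_message": {"merchant": "ONLINE STORE A", "amount": "1500.00"}},
    {"id": "T3", "merchant": "SUBSCRIPTION C", "amount": "999.00",
     "otp_generated": None, "otp_validated": None,
     "authorized": "2024-03-01 11:30:00", "otp_message": None},
]

def ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None

def audit(records, blocked_at):
    """Return {transaction id: [findings]} for records that need an explanation."""
    blocked, findings = ts(blocked_at), {}
    for r in records:
        gen, val, auth = ts(r["otp_generated"]), ts(r["otp_validated"]), ts(r["authorized"])
        notes = []
        if blocked and auth >= blocked:
            notes.append("authorized after card block")
        if val is None:
            notes.append("no OTP validation on record")
        elif gen is None:
            notes.append("OTP validated without a generation record")
        elif val < gen:
            notes.append("OTP validated before it was generated")
        elif val - gen > OTP_VALIDITY:
            notes.append("OTP validated outside validity window")
        shown = r["otp_message"]
        if shown and (shown["merchant"], shown["amount"]) != (r["merchant"], r["amount"]):
            notes.append("OTP message showed a different merchant or amount")
        if notes:
            findings[r["id"]] = notes
    return findings

if __name__ == "__main__":
    for txn, notes in audit(RECORDS, BLOCKED_AT).items():
        print(txn, "->", "; ".join(notes))
```

Each finding maps to a question from the list above that a template denial leaves unanswered.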
XXV. Damages: when can they be claimed?
Reversal of the charge is the most common remedy. Damages may also be claimed, but they require stronger proof.
Actual damages
Possible when the customer proves:
- money actually paid on the fraudulent charge;
- extra finance charges and fees;
- costs caused by wrongful account freezing or collection;
- replacement or recovery expenses.
Moral damages
Possible in proper cases where there is bad faith, oppressive conduct, humiliation, anxiety, reputational injury, or grossly insensitive treatment. Mere denial of a dispute is not always enough.
Exemplary damages
Possible when conduct is wanton, reckless, or in bad faith; they are awarded as a deterrent.
Attorney’s fees
May be awarded when the customer is compelled to litigate due to the bank’s unjustified refusal or bad-faith behavior.
A strong damages claim often depends less on the existence of the fraud itself and more on how the bank behaved after the customer reported it.
XXVI. Special issue: family members, household users, supplementary cards
Not every “unauthorized” case is external fraud. Problems arise when:
- a spouse, child, helper, or employee used the card or OTP without permission;
- a supplementary cardholder incurred charges beyond what the principal expected;
- the customer previously saved card details on a shared device.
Legally, these cases can be more difficult because the bank may argue the transaction arose within the customer’s sphere of control. The analysis then focuses on:
- who had authority,
- what was disclosed,
- whether apparent authority existed,
- whether the cardholder negligently enabled the use.
XXVII. Special issue: recurring subscriptions and free trials
Recurring charges often cause confusion. A cardholder may think a charge is unauthorized when it actually stems from:
- an uncancelled subscription,
- a free trial converted to a paid plan,
- a merchant updater service after card replacement,
- hidden recurring terms in a platform sign-up.
These are not always OTP disputes, but OTP discrepancies can appear if only the first enrollment had authentication and later rebills did not. The legal question is then whether there was valid original consent to recurring billing and whether cancellation was effective.
XXVIII. Special issue: merchant-presented evidence
Merchants may present:
- checkout logs,
- IP addresses,
- delivery confirmations,
- account screenshots,
- usage records,
- “successful 3D Secure” data.
This does not necessarily settle the matter. For digital goods or platform accounts, the question becomes:
- was the underlying account compromised?
- was delivery made to the fraudster?
- is the merchant’s evidence truly linked to the cardholder?
- were there obvious fraud markers the merchant ignored?
Issuer and merchant evidence can be challenged for incompleteness or attribution weakness.
XXIX. How to frame a strong legal complaint
A persuasive complaint should not rest on emotion alone. It should be structured.
A. State the core position
“I did not authorize these transactions.”
B. Identify each transaction
Date, amount, merchant, posting date.
C. Explain the OTP discrepancy precisely
- no OTP received;
- OTP late;
- OTP for different merchant/amount;
- OTP obtained through fraud;
- no meaningful authentication;
- transaction pushed through despite blocked card.
D. Emphasize promptness
When the bank was notified and what was requested.
E. Challenge conclusory denials
Ask for exact basis and logs.
F. Assert the bank’s duty of diligence
Point to unusual patterns and failure of safeguards.
G. Demand specific relief
- reversal of charges;
- removal of fees and interest;
- suspension of collection;
- written findings;
- correction of account records.
H. Reserve rights
State that the complaint is without prejudice to regulatory and legal remedies.
XXX. Sample legal issues that often decide the case
The following questions frequently determine outcomes:
- Was the disputed transaction reported immediately?
- Did the cardholder ever receive an OTP?
- If yes, what exactly did the OTP message say?
- Was the OTP linked to the same merchant and amount?
- Did the bank prove successful authentication, or merely assert it?
- Were there fraud indicators that should have triggered stronger controls?
- Did the bank allow repeated attempts?
- Did the bank stop later charges after the first report?
- Was the disputed amount kept in billing and collections during investigation?
- Did the bank give a reasoned response, or only a template denial?
- Was the customer’s conduct negligent, and if so, was it the sole proximate cause?
- Did the bank’s own shortcomings materially contribute?
XXXI. Limits of the cardholder’s case
Even a sympathetic customer does not always win. The case weakens where evidence shows:
- the cardholder knowingly gave the OTP after explicit warnings;
- the OTP message clearly displayed merchant and amount, and the customer still approved it without deception sufficient to mitigate fault;
- the transaction was consistent with the customer’s device, account, and behavior;
- the report was significantly delayed;
- there is proof that the dispute is actually with a family member or known user;
- the transaction is really a merchant quality/cancellation issue, not fraud.
The truth of the facts matters more than the label “unauthorized.”
XXXII. Best legal theory in OTP discrepancy cases
In many Philippine cases, the strongest theory is not merely “fraud happened,” but this combination:
- No valid consent existed.
- The bank cannot treat OTP/authentication logs as conclusive proof.
- The bank failed to exercise the high degree of diligence expected of financial institutions.
- The bank’s post-report handling was deficient, unfair, or in bad faith.
- Therefore the disputed charges, and their resulting fees and consequences, must be reversed, with damages where justified.
That framing integrates contract, consumer protection, and negligence principles.
XXXIII. Practical remedies cardholders usually seek
In real disputes, cardholders usually ask for:
- permanent reversal of unauthorized transactions;
- reversal of all related interest, penalties, and taxes;
- cancellation of installment or conversion entries arising from the fraud;
- written confirmation that the cardholder is not liable;
- correction of delinquency or collection records;
- cessation of collection calls and letters;
- issuance of a replacement card and security reset;
- disclosure of investigation basis;
- compensation for losses where warranted.
XXXIV. Conclusion
In the Philippines, disputes over unauthorized credit card transactions and OTP discrepancies are not resolved simply by asking whether an OTP was “used.” The real legal questions are broader: Was there genuine authorization? Was the authentication process reliable and meaningfully tied to the transaction? Did the bank exercise the extraordinary diligence expected of a financial institution? Did the cardholder act negligently, and if so, to what extent? Who is in the best position to explain the digital trail?
An OTP is important evidence, but not infallible and not always decisive. A customer’s denial must be credible and supported, but a bank’s internal logs must also withstand scrutiny. Template denials, vague references to authentication, and automatic reliance on OTP usage are often inadequate where the facts point to fraud, process defects, poor controls, or weak investigation.
The strongest Philippine cases are built on speed of reporting, careful documentation, precise description of the OTP discrepancy, challenge to conclusory bank assertions, and insistence on the bank’s high duty of care. Where the institution’s controls failed, or where it handled the complaint unfairly, the law can support reversal of the charges and, in appropriate cases, damages and regulatory intervention.