Fraudulent Credit Card Transactions & Liability in the Philippines

A practical, everything-you-need-to-know legal guide (Philippine context)


1) The legal backbone

  • Access Devices Regulation Act (ADRA): Republic Act (RA) No. 8484, as amended (notably by RA 11449), criminalizes the fraudulent use, possession, manufacture, and trafficking of “access devices” (including credit cards and card numbers). It also frames duties of issuers and cardholders when a card is lost, stolen, or compromised.
  • Credit Card Industry Regulation Law: RA 10870 places credit card issuers under Bangko Sentral ng Pilipinas (BSP) supervision and sets standards on transparency, billing, collections, and dispute handling.
  • Financial Products and Services Consumer Protection Act (FPSCPA): RA 11765 empowers the BSP (for banks/issuers), SEC, and Insurance Commission to enforce fair treatment, suitability, disclosure, and effective redress (complaint handling) for financial consumers.
  • Data Privacy Act: RA 10173 and its IRR govern handling of personal data; security breaches must be reported to the National Privacy Commission (NPC) and affected individuals when there is a risk of harm.
  • E-Commerce Act: RA 8792 recognizes electronic documents and signatures, relevant to online transactions and evidentiary rules.
  • Civil Code & Penal Code — Provide general bases for damages, negligence, and criminal liability (e.g., estafa, theft, falsification) where facts fit.

Key idea: Philippine statutes chiefly punish the fraudster and regulate issuer conduct; who eats the loss on an unauthorized transaction is then determined by a mix of law, BSP rules, the network rules (Visa/Mastercard/JCB/AmEx), and your cardholder agreement, applied to the facts (e.g., whether you acted with gross negligence, whether the merchant used EMV, how quickly you reported, and what evidence exists).


2) What counts as a “fraudulent” or “unauthorized” transaction?

Common categories:

  1. Card-present

    • Counterfeit/skimmed (fake magstripe/clone; chip data not compromised).
    • Lost/stolen (physical card taken).
    • Never received (intercepted in the mail).
  2. Card-not-present (CNP)

    • Phishing/social engineering (credential/OTP theft).
    • Merchant compromise (data breach).
    • Account takeover (address/phone/email changed, new cards/limits).
    • “Friendly fraud” (a household member or buyer denies an authorized purchase).
  3. Cash advance/ATM fraud tied to the card account.


3) Allocation of loss: who is liable?

A. General allocation principles

  • Issuer vs. cardholder: If the transaction is truly unauthorized and you promptly reported and acted with ordinary care, issuers generally absorb the loss (and reverse interest/fees that arose from the fraud).
  • Cardholder negligence: If facts show gross negligence (e.g., sharing OTPs, writing your PIN on the card, ignoring obvious compromise, delayed reporting without good reason), issuers may deny reversal in whole or part under your card agreement and fraud policies.
  • Merchant/acquirer liability: In EMV environments, liability for counterfeit card-present fraud typically shifts to the party not EMV-compliant (e.g., a non-chip merchant terminal, or issuer not enabling chip).
  • Network rules & chargebacks: Visa/Mastercard/AmEx/JCB rules set detailed chargeback rights, documentation, and strict deadlines (often counted in days from posting or statement date). Missed windows can forfeit rights—even if the transaction was fraudulent.

No fixed peso cap in law. Unlike some jurisdictions, Philippine statutes do not impose a universal statutory cap (e.g., ₱2,500 or US$50). Liability turns on facts, contracts, and applicable rules. That said, many issuers adopt “zero-liability” policies for genuinely unauthorized transactions reported promptly, subject to exclusions (e.g., gross negligence or participation in fraud).

B. Specific scenarios

  1. Card-present, counterfeit at a non-EMV merchant

    • Likely liable: Merchant/acquirer (by network liability shift).
    • Cardholder impact: Should be reversed once chargeback succeeds; you must still dispute on time.
  2. Card-present, lost/stolen with valid chip+PIN or offline contactless

    • Fact-intensive: Issuer investigates whether PIN/credentials were compromised, whether unusual spending occurred, and how quickly you reported.
    • Gross negligence may shift loss to the cardholder.
  3. CNP (online, mail/phone order) with 3-D Secure/OTP

    • If OTP used: Issuer may argue strong customer authentication was passed; you must explain how credentials were stolen (phishing, SIM swap).
    • If no OTP (merchant exempt, recurring, or low-risk): Issuer typically bears more risk, but will still examine your reporting timeliness and behavior.
  4. Account takeover (address/phone/email changed)

    • Issuer duty: Robust KYC/auth; red flags; notice of profile changes.
    • If issuer’s controls failed and you were diligent, issuers usually reverse.
  5. “Friendly fraud” / household use

    • Harder to win because the transaction is often technically “authorized” by someone with access. Evidence (e.g., delivery address, device fingerprint, IP) helps.

4) What the laws and regulators expect of issuers

  • BSP-supervised issuers must:

    • Maintain robust fraud controls (EMV, monitoring, anomaly detection, SCA/OTP).
    • Provide clear disclosures and accessible complaint-handling.
    • Offer reasonable dispute processes and timely resolution with written outcomes.
    • Reverse finance charges/fees tied solely to proven fraud.
    • Keep and protect personal data; notify of privacy breaches where there’s risk of harm.
  • FPSCPA strengthens enforcement: administrative sanctions, restitution, and directives where consumer protection lapses occur.

  • ADRA and the Revised Penal Code provide the criminal pathway against offenders (NBI-CCD or PNP-ACG investigations; prosecution by the State).


5) Your obligations as a cardholder

  • Safeguard the card & credentials (PIN, CVV, OTPs, app passcodes). Never share OTPs—even with someone claiming to be from the bank.
  • Monitor statements/alerts and report immediately upon suspicion (hotline, app, email).
  • Cooperate in the investigation: Submit dispute forms, Affidavit of Loss/Unauthorized Use, government ID, police blotter if asked, and any supporting screenshots/emails.
  • Preserve evidence: SMS logs, email headers, call records, delivery receipts, device screenshots, and merchant correspondence.
  • Keep your details current (mobile, email, address) and enable transaction alerts.

6) The dispute process, step by step

  1. Lock the card (via app/phone) and request replacement.
  2. File a dispute in writing: identify transaction(s), date posted, amount, why unauthorized, and when/how you discovered and reported the issue.
  3. Cooperate with issuer requests: affidavit, IDs, proof you controlled the card, any phishing evidence, police/NBI report if relevant.
  4. Temporary credit? Some issuers extend provisional credits; these can be reversed if the investigation later deems the charge valid.
  5. Chargeback & representment cycle: The issuer may file chargebacks with the network; the merchant can re-present the charge with evidence; there can be second presentments, arbitration, and fees.
  6. Final decision: Issuer provides a written result. If adverse, you can escalate (see below).

7) How to escalate if you disagree

  • Issuer internal appeal — Ask for a reconsideration or final review; request the basis (e.g., merchant evidence, logs), subject to privacy/network limits.
  • Regulator complaint — File with the BSP Consumer Assistance Mechanism (for bank/issuer matters). Provide your dispute correspondence and evidence.
  • National Privacy Commission — If your personal data was mishandled or breach notifications were lacking.
  • Civil action — For damages (e.g., breach of contract, negligence, moral/exemplary damages) if issuer/merchant conduct caused loss.
  • Criminal action — For fraudsters under ADRA, estafa, or related offenses (coordinate with NBI-Cybercrime Division or PNP-Anti-Cybercrime Group).
  • Small Claims — For straightforward money claims (up to the prevailing monetary threshold) without need for a lawyer; useful for fee/interest reversals or minor disputes.

8) Evidence that moves the needle

  • For CNP fraud: Screenshots of phishing pages/messages, email headers, proof you never received OTP or that SIM-swap occurred (telco records), device logs, delivery records showing a different address/name, IP/device fingerprints if issuer can share.
  • For card-present fraud: Proof you had physical custody (e.g., CCTV, travel records), merchant POS slips showing fallback magstripe where chip should have been used.
  • For account takeover: Timeline of profile-change notifications, proof you reported immediately, and copies of any suspicious emails/SMS.

9) Practical prevention checklist

  • Enable real-time SMS/app/email alerts and transaction limits.
  • Turn on 3-D Secure/OTP for online purchases; prefer tokenized wallets with device biometrics.
  • Avoid public Wi-Fi for purchases; use reputable merchants; beware of “urgent” payment links.
  • Protect your mobile number (SIM-swap risk) and email (enable MFA).
  • Shred/obscure statements and card mailers; collect new cards personally.
  • Keep OS/browsers updated; use password managers; never reuse passwords.

10) Frequently asked questions

Q: Do I pay the disputed amount while the case is pending?
A: Follow your issuer’s instruction. Many advise paying undisputed amounts to avoid finance charges, while placing the disputed amount in suspense; some provide provisional credit. Interest/fees tied solely to proven fraud should be reversed.

Q: The merchant is offshore. Can I still win?
A: Yes—network chargeback rules apply globally. Provide strong evidence and meet deadlines.

Q: I shared my OTP because a “bank officer” called. Am I automatically liable?
A: Not automatically, but this can be treated as gross negligence. Still report immediately; outcomes vary by facts (e.g., sophisticated social engineering, spoofed caller IDs, lack of bank warnings).

Q: The issuer says the transaction passed 3-D Secure.
A: You can still contest (SIM-swap, malware, account takeover, or merchant credential-stuffing). Provide telco tickets, device forensics, and your activity timeline.


11) Sample dispute letter (you can adapt)

Subject: Dispute of Unauthorized Credit Card Transactions – [Card Last 4: 1234]
To: [Issuer Dispute Resolution / Email]

I am disputing the following transaction(s) on my account [Name, Card Last 4, Account No.]:

  • Merchant / Date Posted / Amount: [list each]

Reason: I did not authorize these transactions, did not benefit therefrom, and my card/credentials were compromised.

Discovery & Reporting: I discovered the charges on [date/time] and notified your hotline/app on [date/time; reference no.].

Evidence attached: [screenshots, emails/SMS headers, police blotter/NBI ticket if any, travel logs, delivery records, etc.]

Kindly reverse the charges, fees, and interest attributable to these unauthorized transactions and issue a card replacement. Please provide your written resolution and any additional documents you require.

Signature
[Name, Address, Contact No., Email]
Attachment: Valid ID


12) Quick action plan (if you’re reading this because fraud just happened)

  1. Lock/Block the card and request replacement.
  2. Document everything (timestamps, hotlines called, ref nos.).
  3. Dispute in writing within the shortest possible time (ideally within days).
  4. File police/NBI report if advised; keep copies.
  5. Monitor your credit limit/statement and follow up for the written decision.
  6. Escalate (BSP/NPC/courts) if necessary.

Final note

Outcomes are intensely fact-specific. The strongest cases combine prompt reporting, clear evidence, and a consistent story aligned with the technical markers (EMV usage, OTP logs, device/IP data). When in doubt, act immediately, keep a paper trail, and escalate through the BSP framework if you hit a wall.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.