HOW TO RESOLVE UNAUTHORIZED PAYMAYA (MAYA) TRANSACTIONS IN THE PHILIPPINES
A comprehensive legal guide for consumers, counsel, and compliance officers
Updated 11 June 2025 | Philippine jurisdiction
Disclaimer. This article is for general information and does not constitute legal advice. Laws, regulations, and jurisprudence may change; consult a qualified Philippine lawyer for advice on a specific case.
1. The Regulatory Landscape
| Layer | Principal Statutes / Issuances | Key Points |
|---|---|---|
| Primary legislation | ▪ Financial Products and Services Consumer Protection Act (“FCPA”, R.A. 11765, 2022) ▪ National Payment Systems Act (“NPSA”, R.A. 11127, 2018) ▪ Anti-Money Laundering Act (“AMLA”, R.A. 9160 as amended) ▪ E-Commerce Act (R.A. 8792) ▪ Cybercrime Prevention Act (R.A. 10175) ▪ Data Privacy Act (R.A. 10173) |
Establishes financial consumer “Bill of Rights,” defines payment system operators, criminalises cyber-offences, and protects personal data. |
| BSP circulars & memoranda | ▪ BSP Circular No. 1150 (2022) – Implementing Rules of the FCPA ▪ Circular No. 1105 (2021) – Guidelines for Electronic Payment & Financial Services (EPFS) ▪ Circular No. 1048 (2019) – Consumer protection framework ▪ Memorandum No. M-2022-016** – E-wallet Dispute and Reimbursement Guidelines |
Mandates internal complaint handling, turnaround times, and reimbursement for unauthorized electronic fund transfers. |
| PayMaya’s licences & rules | Maya Philippines, Inc. is licensed by the BSP as: 1) an Electronic Money Issuer (EMI), 2) Operator of Payment System (OPS), and 3) Virtual Asset Service Provider (for its crypto feature). Its Terms & Conditions (T&C) form a contract with each user and are subject to the laws above. |
2. What Counts as an “Unauthorized Transaction”?
- No Consent – The accountholder did not initiate, authorize, or benefit from the transfer or purchase.
- No Negligence Exception – The loss was not due to “gross negligence” or “fraudulent act” of the user (e.g., sharing OTP or PIN).
- Covered Instruments – Debit from e-wallet balance, linked Maya Bank deposit, Maya-issued Visa/Mastercard prepaid card, or Maya QR payments.
- Time-Bar – Under Maya T&C and BSP rules, the incident must generally be reported within 15 calendar days from discovery to preserve reimbursement rights.
3. Immediate Consumer Action Plan (Golden Hour)
| Step (Chronological) | Why | How |
|---|---|---|
| 1. Freeze or Lock Account | Prevent further leakage. | Use Maya App › Account › Lock Card/Wallet or call Hotline #12353. |
| 2. Change Credentials | Potential compromise of password/MPIN. | Reset MPIN, disable biometrics, update email & phone. |
| 3. Document Everything | Preserve admissible evidence (Sec. 1, Rule 11, Rules on Electronic Evidence). | Screenshots of ledger, SMS/OTP logs, confirmation emails, CCTV (if point-of-sale). |
| 4. Report to Maya (Day 0) | Triggers BSP-mandated dispute clock. | In-app chat, email (support@maya.ph), or hotline. Ask for Reference ID. |
| 5. File Cybercrime Report (within 24 h) | Required for large losses and to deter further fraud. | PNP-ACG or NBI-CCD: execute Sworn Statement, attach screenshots, IDs, proof of ownership. |
| 6. Monitor Turnaround | BSP M-2022-016: Ten (10) business days to resolve straight-forward cases; 20 days for exceptional cases (fraud rings, international traces). | Keep diary of calls/emails; follow up in writing. |
4. Internal Dispute Process Before PayMaya
Submission of “Dispute Form” – Include transaction IDs, amount, date/time, device used, and narrative.
Provisional Credit – BSP allows, but does not mandate, temporary credit during investigation; Maya grants this at its discretion for ≤ PHP 10,000 claims.
Forensic Review – Device logs, IP address mapping, OTP delivery records, and velocity checks.
Outcome Notice – Written result (email/SMS) stating:
- a. Approval of reimbursement (full/partial) – funds must be returned within two (2) business days of notice; or
- b. Denial – specific factual and legal basis citing “user negligence” or “transaction authenticated by valid OTP.”
5. Escalating Beyond PayMaya
A. Bangko Sentral ng Pilipinas (BSP)
Who: BSP Consumer Assistance Mechanism (CAM), Financial Consumer Protection Department.
When: If Maya’s final response is unsatisfactory or no response within BSP-prescribed period.
How:
- Digital form at consumeraffairs.bsp.gov.ph or physical filing.
- Attach Reference ID, Maya response, proof of identity, sworn certification of non-forum shopping.
Outcome: BSP may: (1) order reimbursement; (2) impose monetary penalties up to PHP 200,000 per transactional breach + daily fines; and/or (3) refer criminal aspects to DOJ.
B. National Privacy Commission (NPC)
- Appropriate where unauthorized transaction stems from a personal-data breach or SIM-swap attack.
- File a Privacy Complaints-Assisted Investigation (PCAI) within one year from discovery (Sec. 46, NPC Rules).
C. Civil & Criminal Remedies
| Cause of Action / Offence | Statute | Jurisdiction / Venue | Prescriptive Period |
|---|---|---|---|
| Estafa / Fraud | Art. 315, Rev. Penal Code | RTC where any element occurred | 20 yrs |
| Qualified Theft | Art. 310 | RTC | 20 yrs |
| Hacking / Computer-related Fraud | Sec. 6, R.A. 10175 | RTC Cybercrime Court | 10 yrs |
| Civil Damages (contractual / quasi-delict) | Arts. 19, 20, 2176, Civil Code | MTC ≤ PHP 400 k; RTC > PHP 400 k | 4 yrs (quasi-delict); 10 yrs (written contract) |
| Small Claims (refund ≤ PHP 1 m w/o atty) | A.M. 08-8-7-SC | MTC | 5 yrs |
6. Evidentiary Best Practices
| Evidence Type | Admissibility Rule | Tips |
|---|---|---|
| Screenshots | Rule 11, Sec. 1–2, REE; Sec. 5 (b) FCPA IRR | Use device’s built-in screenshot tool; keep metadata. |
| Emails/SMS | Business records exception, Sec. 45, Rules on Evidence | Request telco certification if SMS authenticity is challenged. |
| Syslog / IP logs | “Computer Data” under Sec. 6, R.A. 10175 | Secure Chain-of-Custody Form from Maya/BSP. |
| CCTV / KYC video | Electronic evidence | Retain original file; submit via optical disc or secured cloud link. |
7. Allocation of Liability
Issuer (Maya) is strictly liable for unauthorised debits unless it proves:
- (a) gross negligence or fraud of user; and
- (b) reasonable authentication (multi-factor) was in place (BSP Cir. 1105, §29).
Merchant bears liability for card-present fraud if failed to implement EMV tokenization/3-D Secure (Visa/Mastercard rules, BSP Circular 859).
Intermediary banks are jointly liable if due-diligence failures in AMLA KYC contributed to fund-muling.
8. Reimbursement Timelines at a Glance
| Stage | Clock Starts | Deadline | Reference |
|---|---|---|---|
| User to PayMaya | Discovery | 15 calendar days | Maya T&C §10.3 |
| PayMaya Initial Probe & Response | Receipt of dispute | 10 business days (straight) / 20 business days (complex) | BSP M-2022-016 §4 |
| BSP CAM mediation | Complete docket | 30 business days to decide | FCPA IRR Rule 9 |
| BSP enforcement order to Maya | Issuance of directive | Immediate compliance or within period specified (usually 2–5 days) | BSP Manual of Regulations for Banks, Part I, X009 |
9. Practical Pointers for Counsel & Compliance Teams
| For Lawyers Representing Consumers | For In-House & Compliance (Maya / EMI) |
|---|---|
| Draft a demand letter citing FCPA §§4–6 and BSP circular breaches; request reimbursement plus interest (Art. 2200, Civil Code) and moral damages. | Maintain ticket audit trail; tag potential FCPA cases; escalate “red” tickets to CAM liaison within 24 h. |
| Compute actual damages: principal loss + consequential losses (e.g. late fees, damaged credit score). | Run real-time fraud analytics; monitor compromise patterns (SIM-swap clusters, device fingerprinting). |
| Consider filing class suit where multiple users affected by same phishing scheme (Rule 3, Sec. 12, 1997 Rules). | Implement continuous authentication (behavioural biometrics) to meet “reasonable standard of care.” |
10. Frequently-Asked Questions (FAQ)
Q1. Can Maya deny reimbursement because I shared my OTP after being duped by a fake Maya agent? A. The FCPA recognizes “proportionate liability.” If sharing the OTP is deemed “gross negligence,” Maya may refuse or reduce reimbursement. Mitigating factors—elderly victim, social-engineering sophistication—can be raised before BSP.
Q2. Is there a maximum amount Maya must reimburse? A. No statutory cap. Maya is liable up to the full loss proved, plus interest from date of demand (Art. 2209, Civil Code), unless gross negligence or fraud of the consumer is established.
Q3. Does Maya have to give me CCTV or server logs? A. Under the Data Privacy Act’s “right to access,” you may request your own personal data (transaction logs). Server-side fraud tools may be redacted if disclosure endangers security controls (NPC Advisory Opinion 2023-031).
Q4. I missed the 15-day internal reporting deadline—do I lose all rights? A. Contractually, Maya may bar claims, but statutory rights (FCPA, Civil Code) survive. Delay, however, weakens the causation link and may be construed as contributory negligence.
11. Checklist for Consumers (Printable)
- Secure account: lock wallet, reset MPIN, enable biometrics.
- Gather evidence: screenshots, SMS, emails, CCTV.
- File Maya dispute with complete form and affidavit.
- Obtain Reference ID and log every follow-up.
- Report to PNP-ACG or NBI-CCD (bring two valid IDs).
- Escalate to BSP CAM if needed (include Maya denial).
- Evaluate civil/criminal action; consult counsel.
12. Conclusion
The Philippine legal framework—anchored on the 2022 FCPA and BSP’s consumer-centric circulars—places the burden of due care and reimbursement squarely on e-money issuers like Maya for unauthorized transactions, with clear pathways for escalation. For consumers, speed and documentation are critical; for issuers, robust authentication and transparent dispute handling are key to compliance and trust.