Identity Theft in the Philippines: How to Dispute a Fraudulent Business Account Registration

This guide is general information for the Philippine context as of today. It isn’t legal advice. For specific cases, consult a Philippine lawyer or accredited counsel.


Executive summary

If someone used your identity to open a business account (e.g., bank/fintech merchant account, marketplace seller account, telco/utility business line, payment gateway, or even government registrations like DTI/SEC/BIR), move fast:

  1. Contain the damage: Notify the provider’s fraud team in writing, ask for an immediate hold/closure, and get a “no-liability” confirmation.
  2. Create a paper trail: File a police blotter or NBI Cybercrime Division complaint, prepare a notarized Affidavit of Identity Theft/Non-Consent, and keep copies of everything.
  3. Get your data and proof: Use a Data Subject Access Request (DSAR) under the Data Privacy Act to obtain the impostor’s onboarding/KYC files, device/IP logs, and transaction history.
  4. Escalate: If the provider drags its feet, escalate to the right sector regulator (BSP, SEC, IC, NTC, DTI/NPC—details below).
  5. Fix your records: Dispute any credit bureau entries via the Credit Information Corporation (CIC)/accredited bureaus and correct BIR/DTI/SEC records if a business was registered in your name.
  6. Consider charges: For strong cases, explore criminal complaints (identity theft under the Cybercrime Prevention Act; falsification, estafa) and civil claims for damages.

What counts as “fraudulent business account registration”

  • Opening a merchant account or business banking/e-money account using your name, ID, or TIN without consent.
  • Creating a seller/storefront on marketplaces or delivery platforms using your identity.
  • Getting a business line with a telco/utility in your name.
  • Registering a sole proprietorship (DTI Business Name), listing you as an incorporator/director (SEC), or tagging your TIN to a BIR business registration—all without your consent.

Legal foundations you can rely on

  • Cybercrime Prevention Act (RA 10175) – criminalizes computer-related identity theft and related offenses.
  • Data Privacy Act (RA 10173) – protects personal data, gives you DSAR rights, and allows complaints to the National Privacy Commission (NPC) for negligent processing/leaks.
  • Financial Consumer Protection Act (RA 11765) – mandates dispute/complaint handling by supervised financial institutions; empowers BSP/SEC/IC to enforce consumer rights.
  • Access Devices Regulation Act (RA 8484) – covers fraudulent use/possession of access devices (often implicated when IDs/cards/data are misused).
  • Revised Penal Code – falsification (Arts. 171–172), use of fictitious name/concealing true name (Art. 178), estafa (Art. 315), and related offenses.
  • E-Commerce Act (RA 8792) – recognizes e-signatures/e-transactions; relevant to platform onboards and evidentiary rules.
  • SIM Registration Act (RA 11934) – if SIM-based OTPs or SIM identity were abused.
  • Rules on Electronic Evidence – govern admissibility of electronic records, logs, and device traces.

Who regulates what (for escalation)

  • BSP (Bangko Sentral ng Pilipinas): Banks, e-money issuers, digital banks, payment system operators.
  • SEC: Securities brokers, financing/lending companies, investment houses, and corporate registrations (incorporators/officers).
  • Insurance Commission (IC): Insurance/HMO entities.
  • DTI: Consumer protection (non-financial) and Business Name registrations (sole proprietorship).
  • National Telecommunications Commission (NTC): Telcos/ISPs; SIM registration issues.
  • National Privacy Commission (NPC): Personal data misuse and controller negligence across sectors.
  • NBI Cybercrime Division / PNP Anti-Cybercrime Group (ACG): Criminal complaints and investigation support.
  • BIR: Tax registration corrections/cancellations (RDO handling; e.g., BIR Form 1905 for updates/closure).

A practical playbook (step by step)

1) Confirm and contain

  • Contact the provider immediately (fraud/disputes channel). Do it in writing (email + ticket).

  • Ask for:

    • Urgent account freeze/closure and chargeback reversal (if funds moved through the fraudulent account).
    • Certification that you are not liable, the account was fraudulent, and dates of closure/flagging.
    • Preservation of all logs, KYC files, CCTV/branch footage (if any), and recordings (litigation hold).
  • Secure your own credentials: Change passwords, revoke app sessions, enable MFA, and consider SIM replacement if you suspect SIM swap/OTP compromise.

2) Build your paper trail

  • Police blotter (at your local station) and/or NBI Cybercrime complaint.
  • Notarized Affidavit of Identity Theft / Non-Consent (template below).
  • Compile: ID copies, selfies proving identity, proof of residence, timestamps, screenshots, and any notices/demands you received.

3) Get the provider’s evidence (DSAR)

  • Send a Data Subject Access Request under the Data Privacy Act to the provider (the Personal Information Controller):

    • Request copies of your personal data they processed, KYC documents submitted by the impostor, device/browser fingerprints, IP/MAC addresses, timestamps, branch/agent info, and decisioning logs used to approve the account.
    • Ask for the legal basis for processing and the source of the data (if not you).
    • Demand rectification/erasure and restriction of processing for the fraudulent account.

4) Dispute in writing (internal provider process)

  • File a written dispute that:

    • Denies authorship/consent to open the business account.
    • Cites the Data Privacy Act and RA 10175 as applicable.
    • Demands closure, no-liability letter, and notifications to credit bureaus and affected downstream partners.
    • Provides your Affidavit, police/NBI reference, and KYC discrepancies you’ve identified.
  • Track timelines. Philippine providers publish complaint SLAs; if they exceed those SLAs or give a defective reply, escalate.

5) Regulator escalation (choose based on entity)

  • Banks/e-money/payment providers → escalate to BSP if unresolved or mishandled.
  • Financing/lending companies or securities platforms → escalate to SEC.
  • Insurance/HMO → IC.
  • Marketplaces, couriers, platform sellers → DTI (Consumer Protection Group).
  • Telcos/ISPs (SIM/lines) → NTC (and telco’s own SIM-fraud unit).
  • Data handling failures (e.g., they onboarded an impostor with lax KYC, leaked your data, or ignored DSAR) → NPC complaint.

Tip: When escalating, attach your original dispute, provider response (or lack of it), Affidavit, police/NBI reference, and a simple timeline of events.

6) Government registrations done in your name

DTI (Business Name – sole proprietorship)

  • File a petition to cancel the business name or a request to nullify the registration due to fraud/identity theft.

  • Attach: Affidavit, ID, police/NBI reference, and any provider letters.

  • Ask DTI to:

    • Cancel the BNRS entry,
    • Issue a certification that you did not apply, and
    • Notify BIR and local LGU (if a business permit was issued off that record).

SEC (Corporation/Partnership)

  • If you were listed as an incorporator/director/officer without consent:

    • Write to SEC (Company Registration/Monitoring or Enforcement & Investor Protection) seeking correction and administrative action.
    • Provide sworn denial and supporting evidence.
    • Request orders compelling the entity to amend its papers and, when warranted, show-cause/revocation or referral for criminal action.

BIR (Business registration/TIN misuse)

  • Visit your RDO to correct or cancel any business registration tied to your TIN due to fraud (e.g., via BIR Form 1905 for registration updates/closure, plus affidavit and police/NBI reference).
  • Ask for clearance that you are not liable for returns/taxes of the impostor business; request reversal of open cases created by the fraudulent registration.

7) Credit reporting and watchlists

  • Pull your credit report from the Credit Information Corporation (CIC) (through its accredited bureaus).
  • File a dispute/correction if any fraudulent business credit lines or obligations appear.
  • Ask providers to send universal data-correction notices to any bureau they reported to.

8) Criminal and civil options

  • Criminal: Consider complaints for computer-related identity theft (RA 10175), falsification (Arts. 171–172 RPC), estafa (Art. 315 RPC), access device fraud (RA 8484), and related offenses. File with the City/Provincial Prosecutor (attach affidavits and evidence).
  • Civil: Claims for damages under the Civil Code (e.g., abuse of rights, quasi-delict Art. 2176) and injunctive relief to stop ongoing harm.
  • Protective measures: Seek court orders for preservation/discovery of electronic evidence and, when urgent, injunctive relief.

Evidence you should preserve (checklist)

  • Emails/SMS/app notices, demand letters, screenshots of dashboards or alerts.
  • Provider responses, ticket numbers, and call logs (date/time/agent).
  • Copies of IDs the impostor used (if disclosed), selfies, and KYC files.
  • Device, IP, and access logs; branch CCTV or video-KYC recordings.
  • Delivery addresses, bank accounts, and contact numbers tied to the fraudulent account.
  • DTI/SEC/BIR documents or numbers created in your name.
  • Credit bureau entries and statements.

How to write your dispute (core points)

  • Identity: “I am [Full Name], [DOB], [address], holder of [ID type/number/TIN].”
  • Denial: “I did not apply for or authorize the business account/registration with reference [number].”
  • Discovery: “I learned of this on [date] via [alert/letter/notice].”
  • Harm: “This caused [unauthorized charges/demands/credit impact/tax issues].”
  • Demands: Freeze/close, certify no liability, provide full DSAR data, correct downstream reports, notify regulators as needed.
  • Legal basis: Cite RA 10173 (data rights), RA 10175 (identity theft), RA 11765 (financial consumer protection), applicable sector rules.
  • Attachments: Affidavit, IDs, police/NBI reference, proof.

Templates (fill-in; tailor to your facts)

A) Affidavit of Identity Theft / Non-Consent (outline)

REPUBLIC OF THE PHILIPPINES )
___________________________ ) S.S.

AFFIDAVIT OF IDENTITY THEFT / NON-CONSENT

I, [Full Name], of legal age, Filipino, [civil status], and a resident of [address], do hereby depose:

1. I am the holder of [ID type/number] and TIN [if any].
2. I did NOT apply for, authorize, or consent to the opening/registration of [describe the business account/BN/SEC/BIR registration] under my name.
3. On [date], I discovered the fraudulent registration through [notice/alert/letter].
4. I immediately reported the matter to [provider], lodged dispute ticket no. [____], and requested closure and certification of non-liability.
5. I also filed a report with [Police Station/NBI], reference no. [____] on [date].
6. I suffer/face potential harm including [credit impact, tax liability, collections].
7. I execute this Affidavit to attest to the foregoing and to support requests with [provider/regulator/courts] for cancellation, rectification, and investigation.

IN WITNESS WHEREOF, I have hereunto set my hand this [date] at [city], Philippines.

[Affiant’s Signature over Printed Name]

SUBSCRIBED AND SWORN to before me this [date] at [city], affiant exhibiting [ID type/number].

Notary Public
Doc. No. ___; Page No. ___; Book No. ___; Series of 20__

B) DSAR (Data Subject Access Request) to a Provider

Subject: Data Subject Access Request – Fraudulent Business Account in My Name

Dear Data Protection Officer,

I am [Full Name], ID [type/number]. I did not open the business account with reference [____]. Under RA 10173, I request:

1) Copies of all personal data processed for this account (KYC images, ID scans, forms, call/chat recordings).
2) All access logs, device/browser fingerprints, IP addresses, timestamps, and decisioning notes used to approve the account.
3) The source from which you obtained my data and the legal basis for processing.
4) Immediate rectification/erasure and restriction of processing; closure of the account; and written certification of my non-liability.
5) Notice to any third parties/credit bureaus/regulators to whom you disclosed or reported this account.

Please respond within a reasonable period and preserve all evidence.

Sincerely,
[Name] / [Mobile] / [Email]

C) Dispute Letter to Provider (Fraud Team)

Subject: URGENT – Fraudulent Business Account Registration / Request for Closure & Certification

To: [Provider Fraud/Disputes Team]

I deny opening or authorizing the business account [reference]. I request:
• Immediate freeze/closure and reversal of related transactions.
• Written certification that I am not liable and that the account was fraudulent.
• Full DSAR response (KYC, logs, IP/device data, decision notes).
• Rectification/erasure and notices to any bureaus/regulators you reported to.

Attached: Affidavit, ID, police/NBI reference, proof of residence, and screenshots.

Respectfully,
[Name]

Special scenarios and tips

  • Branch onboarding: Ask for CCTV pulls and teller/agent identifiers; these often link to the impostor.
  • Video-KYC or e-KYC: Demand recordings and liveness checks; look for mismatched metadata (device locale, IP geolocation, timestamp anomalies).
  • SIM/OTP abuse: Replace SIM, enable port-out PINs, and file with NTC if your number was used to defeat OTPs.
  • Platform storefronts: Ask for store takedown, funds hold, and buyer/fulfillment logs to trace the fraudster.
  • Charges/collections: Reply to demands with your Affidavit and no-liability certification; tell collectors to cease while the dispute is pending.
  • CIC disputes: Submit your Affidavit and provider’s no-liability letter to accelerate correction.

Frequently asked questions

Do I really need a lawyer? Not always to start, but engage counsel if the amount is material, if you’ll file criminal/civil actions, or if government registrations (DTI/SEC/BIR) are involved.

Will the provider give me the impostor’s info? They may redact third-party PII. Ask for sufficient technical evidence (device/IP/logs) to prove non-authorship without exposing others’ PII.

How long will this take? Internal disputes vary by provider. Regulators also have their own complaint timelines. File early, follow up, and escalate promptly when deadlines lapse.

What if my physical IDs were lost? Report the loss, replace them, and keep the loss report—many providers will require it to tag your profile as high-risk and strengthen verification.


Final reminders

  • Act quickly, but keep everything in writing.
  • Preserve evidence and insist on a litigation hold from providers.
  • Escalate smartly to the right regulator.
  • Clean up your records with DTI/SEC/BIR and CIC so the fraud doesn’t follow you.
  • When in doubt, speak to counsel—especially before filing criminal or civil actions.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.