The rise of digital transactions in the Philippines has been met with an equally sophisticated surge in cybercrime. Among the most prevalent schemes is the social engineering attack, where cardholders are coerced or deceived into sharing their One-Time Password (OTP). In the legal landscape of Philippine banking, the question of who bears the loss—the bank or the customer—hinges on the concepts of negligence, "gross negligence," and the evolving regulatory framework of the Bangko Sentral ng Pilipinas (BSP).
I. The Nature of the OTP and the "Golden Rule"
In the Philippines, the OTP is legally treated as part of Multi-Factor Authentication (MFA): it is the possession factor, proving that whoever approves a transaction holds the registered phone or device. Under BSP Circulars it serves as the final layer of verification for sensitive electronic transactions. From a legal standpoint, the moment a user shares an OTP, they are essentially handing over the "keys to the vault": the fraudster now holds every credential the bank asked for, and the transfer looks to the bank's systems exactly like one the customer performed.
Most Terms and Conditions (T&Cs) of Philippine banks explicitly state that the OTP is confidential and that its disclosure to any third party—even those claiming to be bank representatives—constitutes a breach of the cardholder's duty of care.
II. The Legal Framework: BSP Circular No. 1140
The primary regulation governing this issue is BSP Circular No. 1140 (Series of 2022), which amended the Manual of Regulations for Banks (MORB). This circular outlines the responsibility of Bangko Sentral Supervised Financial Institutions (BSFIs) regarding fraud.
- The "Gross Negligence" Standard: Historically, banks have denied all reimbursement claims involving OTP sharing by citing "gross negligence" on the part of the client. Gross negligence is defined in Philippine jurisprudence as the want of even slight care, or a "conscious indifference to consequences."
- The Burden of Proof: While the bank initially holds the power to deny a claim, Circular 1140 emphasizes that banks must conduct a thorough investigation. They cannot simply issue a blanket denial. They must show that the transaction was properly authenticated and that the customer failed to exercise even the most basic caution. In practice the bank, not the customer, holds the authentication logs, device and IP records needed to reconstruct what happened, so a denial that cites no such evidence is open to challenge.
III. When is the Bank Liable?
Despite the sharing of an OTP, a cardholder may still argue for bank liability or at least a "shared liability" under the following circumstances:
- Systemic Delays: If the cardholder immediately called the bank to report a suspicious prompt or to block the card, and the bank failed to act promptly, the bank may be held liable for transactions occurring after the report.
- SIM Swapping: If the scam involved a "SIM swap," where the telecommunications provider issued a replacement SIM to a fraudster without proper verification, the OTP was delivered straight to the fraudster and the customer never shared it at all. Liability may then shift to the Telco, or to the Bank for failing to detect the change in device or SIM pattern before honouring an OTP sent to it.
- Inadequate Security Systems: Under the Consumer Act of the Philippines (RA 7394) and the Financial Products and Services Consumer Protection Act (RA 11765), banks have a "fiduciary duty" to protect their clients' funds. If a bank's system failed to flag an "out-of-character" transaction (e.g., a PHP 100,000 transfer to a newly added beneficiary at 3 AM from a student account whose transfers never exceeded a few thousand pesos), the bank can be cited for failing to implement adequate fraud detection systems.
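The three circumstances above each correspond to a signal a bank's fraud monitoring can act on before a transfer settles: a transfer arriving after the customer has already reported the scam, a recent SIM or device change that makes an SMS OTP untrustworthy, and an amount or time of day far outside the account's own history. The following is an added illustration, not code from the original article or from any bank's actual fraud management system. The account profiles, transactions, weights and thresholds are constructed for the example; a real system tunes them per customer segment. The one design point worth noting is that a successfully verified OTP never lowers the score, because the whole purpose of the screen is to catch transfers the customer was tricked into authenticating.

```python
"""Illustrative rule-based fraud screen for online transfers (added example).

All account histories, transactions and thresholds below are constructed
for illustration; nothing here is taken from an actual bank's system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccountProfile:
    account_id: str
    past_amounts_php: List[float]           # constructed history of the customer's own transfers
    usual_hours: Set[int]                   # hours of day in which the customer normally transacts
    sim_changed_at: Optional[datetime] = None    # last SIM/device change known to the bank (assumed feed)
    fraud_reported_at: Optional[datetime] = None  # when the customer reported the scam to the hotline


@dataclass
class Transfer:
    account_id: str
    amount_php: float
    at: datetime
    new_beneficiary: bool
    otp_verified: bool   # deliberately unused by the scoring: a valid OTP is not evidence of consent


# Assumed weights and thresholds; a real fraud management system tunes these.
SIM_CHANGE_WINDOW = timedelta(hours=24)
STEP_UP_SCORE = 30
BLOCK_SCORE = 60


def amount_is_outlier(amount: float, history: List[float]) -> bool:
    """True when the amount is far outside the account's own spending pattern."""
    if len(history) < 3:
        return amount > 10_000  # assumed floor for accounts with a thin history
    mu, sigma = mean(history), pstdev(history)
    return amount > mu + 3 * sigma or amount > 5 * mu


def score_transfer(tx: Transfer, profile: AccountProfile) -> Tuple[str, int, List[str]]:
    """Return (decision, score, reasons) for one transfer against its account profile."""
    # Rule 1 (Systemic Delays): anything after a customer fraud report is held, regardless of OTP.
    if profile.fraud_reported_at is not None and tx.at >= profile.fraud_reported_at:
        return "block", BLOCK_SCORE, ["transfer after customer fraud report"]

    score, reasons = 0, []
    # Rule 2 (SIM Swapping): a fresh SIM or device means an SMS OTP may have gone to a fraudster.
    if profile.sim_changed_at is not None and timedelta(0) <= tx.at - profile.sim_changed_at <= SIM_CHANGE_WINDOW:
        score += 40
        reasons.append("SIM/device changed within 24h")
    # Rule 3 (Inadequate Security Systems): out-of-character amount, hour or beneficiary.
    if amount_is_outlier(tx.amount_php, profile.past_amounts_php):
        score += 30
        reasons.append("amount far above account baseline")
    if tx.at.hour not in profile.usual_hours:
        score += 15
        reasons.append("unusual hour for this account")
    if tx.new_beneficiary:
        score += 15
        reasons.append("first transfer to this beneficiary")

    if score >= BLOCK_SCORE:
        decision = "block"      # hold and have the bank call the customer back
    elif score >= STEP_UP_SCORE:
        decision = "step_up"    # out-of-band confirmation, not another SMS OTP
    else:
        decision = "allow"
    return decision, score, reasons


def run_demo() -> Dict[str, str]:
    """Run four constructed scenarios and return the decision for each."""
    student = AccountProfile("student-01", [500, 1200, 800, 2000, 1500], set(range(8, 23)))
    swapped = AccountProfile("student-02", [500, 1200, 800, 2000, 1500], set(range(8, 23)),
                             sim_changed_at=datetime(2024, 3, 5, 8, 0))
    reported = AccountProfile("student-03", [500, 1200, 800, 2000, 1500], set(range(8, 23)),
                              fraud_reported_at=datetime(2024, 3, 5, 9, 0))
    cases = {
        "student_100k_at_3am": (Transfer("student-01", 100_000, datetime(2024, 3, 5, 3, 12), True, True), student),
        "routine_900_at_2pm": (Transfer("student-01", 900, datetime(2024, 3, 5, 14, 5), False, True), student),
        "after_sim_change": (Transfer("student-02", 2_500, datetime(2024, 3, 5, 10, 0), False, True), swapped),
        "after_fraud_report": (Transfer("student-03", 1_000, datetime(2024, 3, 5, 9, 30), False, True), reported),
    }
    return {name: score_transfer(tx, prof)[0] for name, (tx, prof) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The 3 AM PHP 100,000 transfer to a new payee scores 60 and is blocked even though the OTP was valid; the same account's routine afternoon transfer passes with no flags; a modest transfer within a day of a SIM change is sent for out-of-band confirmation; and any transfer after the customer's report is held outright. Those are exactly the four outcomes the liability discussion above turns on.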
IV. The Impact of Republic Act No. 11765
The Financial Products and Services Consumer Protection Act (FCPA), signed in 2022, significantly strengthened the position of Filipino consumers. It grants the BSP the power to:
- Adjudicate claims involving a limited amount (currently up to 10 Million PHP).
- Compel banks to reimburse users if the bank is found to have "inadequate" security measures or if the bank's T&Cs are found to be unconscionable.
V. Jurisprudence: The "Fiduciary Nature" of Banking
The Philippine Supreme Court has consistently ruled (e.g., Simex International vs. Court of Appeals) that the banking business is "impressed with public interest." Banks are expected to exercise the highest degree of diligence—not just reasonable diligence.
However, in cases of OTP sharing, courts often find contributory negligence on the part of the user. In the Philippines, if the user's negligence was the proximate cause of the loss, they may bear the full loss. But if the bank's system flaws contributed to the loss, the court may apply a mitigated liability approach, where the loss is split between the bank and the client.
VI. Practical Steps for Recourse
If a cardholder falls victim to an OTP-sharing scam, legal and regulatory recourse follows this path:
- Immediate Notification: Calling the bank's hotline at once to block the card or account and obtaining a time-stamped reference number, then filing a formal dispute and requesting a "Temporary Credit" while the investigation is ongoing. The time of that first call is what fixes the bank's liability for any transactions that follow it.
- BSP Consumer Assistance Mechanism (CAM): If the bank denies the claim, the client can elevate the matter to the BSP through their online webchat or email.
- Cybercrime Investigation: Reporting to the PNP Anti-Cybercrime Group (ACG) or the NBI Cybercrime Division. A police report is often a mandatory attachment for formal bank disputes.
Summary Table: Liability Breakdown
| Scenario | Likely Liable Party | Legal Basis |
|---|---|---|
| User willingly gave OTP to a "caller" | User | Gross Negligence / Breach of T&Cs |
| OTP delivered to a replacement SIM issued by the Telco to a fraudster | Bank/Telco | Breach of Security Protocols |
| User reported scam, but Bank failed to freeze | Bank | Failure of Fiduciary Duty |
| System Hack (No OTP involved) | Bank | Extraordinary Diligence Owed by Banks |
The prevailing legal reality in the Philippines remains stern: the sharing of an OTP is generally treated as a voluntary act that undercuts many consumer protections. Unless the consumer can show a systemic failure on the part of the financial institution (a delayed block after a report, an undetected SIM change, or an out-of-character transaction that should have been flagged), the liability for "authorized" transactions, even those authorized under duress or deceit, often rests with the cardholder.