In the rapidly evolving digital economy of the Philippines, the shift toward cashless transactions has been accompanied by a sophisticated rise in financial cybercrime. Central to these disputes is the question of liability: When a credit card is swiped or a One-Time Password (OTP) is surrendered to a scammer, who bears the loss—the cardholder or the bank?
The legal framework governing these issues is built upon a combination of special laws, Bangko Sentral ng Pilipinas (BSP) regulations, and established jurisprudence.
1. The Degree of Diligence Required
The Philippine Supreme Court has consistently held that the banking business is "impressed with public interest." Consequently, banks are required to exercise the highest degree of diligence—more than that of a "good father of a family"—in the handling of their customers' accounts.
However, this is not an absolute liability. Cardholders also have a duty to exercise reasonable care under the terms and conditions of their credit card agreement. Liability often hinges on where the "breach" of security occurred.
2. Unauthorized Transactions: The "Lost or Stolen" Scenario
Under Republic Act No. 10870 (The Philippine Credit Card Industry Regulation Law), the liability for transactions following the loss of a card is clearly defined:
- Notification as the Trigger: The cardholder must notify the credit card issuer immediately upon discovering the loss or theft of the card.
- Pre-Notification Liability: Transactions made before the bank is notified are generally the responsibility of the cardholder, provided they fall within the limits and terms specified in the contract.
- Post-Notification Immunity: Once the bank is notified of the loss, the cardholder is absolved of any financial liability for transactions incurred after that point.
3. The OTP Scam: Vishing, Smishing, and Phishing
The most contentious area of modern financial law involves OTP scams. In these scenarios, the physical card is often in the owner's possession, but the "digital keys" (the OTP) are obtained by fraudsters through social engineering.
The Role of the OTP
An OTP serves as a form of Multi-Factor Authentication (MFA). In the eyes of most banking systems, the input of a correct OTP is prima facie evidence that the cardholder authorized the transaction.
Bank’s Defense: Gross Negligence
Banks typically argue that if a customer voluntarily provides an OTP to a third party (even under pretenses of "system updates" or "security checks"), the customer has committed Gross Negligence. Under most Credit Card Terms and Conditions, gross negligence by the cardholder exempts the bank from liability.
Cardholder’s Defense: System Vulnerability
Conversely, if the scam resulted from a data breach at the bank or a compromise of the bank's SMS gateway, the bank may be held liable. If the cardholder can prove they did not receive the OTP, or that the bank’s security system failed to flag highly irregular patterns (e.g., ten high-value transactions in different countries within minutes), the bank may be found to have failed its duty of "highest degree of diligence."
4. Regulatory Protections (BSP Circulars)
The Bangko Sentral ng Pilipinas (BSP) provides the regulatory muscle to protect consumers. Key provisions include:
- BSP Circular No. 1140: This mandates that financial institutions must have robust fraud management systems. It emphasizes that banks must provide "quick-response" mechanisms for consumers to report unauthorized transactions.
- Liability Shifting: If a bank fails to implement required security features (such as EMV chips or 3D Secure protocols), the liability for fraudulent transactions may shift from the cardholder to the bank.
- The 360-Degree Rule: Banks are required to conduct a thorough investigation of disputed transactions. During the investigation, the disputed amount should generally be "frozen" or not earn interest, depending on the bank's internal policy and BSP guidelines.
5. Legal Recourse and Remedies
If a cardholder is victimized by an unauthorized transaction or an OTP scam, the following steps are mandated by Philippine procedure:
- Immediate Notification: Call the bank’s hotline to block the card.
- Formal Written Dispute: Submit a formal "Letter of Dispute" within the period required by the bank (usually 20–30 days from the statement date).
- BSP Consumer Affairs: If the bank denies the claim, the cardholder can file a formal complaint with the BSP Consumer Protection and Market Conduct Office (CPMCO). The BSP can mediate or adjudicate the dispute.
- Criminal Action: Under Republic Act No. 10175 (Cybercrime Prevention Act of 2012) and Republic Act No. 8484 (Access Devices Regulation Act), the perpetrator of the fraud can be prosecuted. However, catching the anonymous scammer is often difficult, leaving the civil dispute between the bank and the customer as the primary path for recovery.
6. Summary Table of Liability
| Scenario | Primary Liable Party | Condition |
|---|---|---|
| Physical Theft (Reported) | Bank | For transactions after the report. |
| Physical Theft (Unreported) | Cardholder | Until the loss is formally communicated. |
| OTP Shared by User | Cardholder | Usually deemed "Gross Negligence." |
| Bank System Breach | Bank | Failure of the "Highest Degree of Diligence." |
| SIM Swapping/Cloning | Bank / Telco | Failure to verify identity for SIM replacement. |

Conclusion
In the Philippines, the "Highest Degree of Diligence" standard places a heavy burden on banks to protect their infrastructure. However, the "Gross Negligence" doctrine serves as a significant hurdle for cardholders who fall for social engineering scams. As jurisprudence evolves, the focus remains on whether the security breach was a result of a system failure or a human error induced by deception.