Reporting Unauthorized “CODA” Debit Transactions in a Philippine Bank Account: A Complete Legal Guide
Unauthorized “CODA” debits typically appear in bank statements or SMS alerts as “CODA”/“CODA*” merchant descriptors linked to online top-ups, digital goods, or aggregator-processed payments. Regardless of the exact merchant behind the label, the legal and procedural playbook for Philippine consumers is the same: act fast, lock down access, dispute through the bank’s formal channels, and escalate using sector regulators and law enforcement where needed. This article lays out everything you need: legal bases, timelines, evidence, dispute mechanics across payment rails (card, account-to-account, and direct debit), escalation routes, and model documents.
I. Legal Framework
Financial Consumer Protection Act (FCPA), R.A. No. 11765 (2022)
- Codifies the right to dispute unauthorized transactions, to timely redress, and to clear disclosures by banks and payment service providers (PSPs).
- Requires banks/PSPs to operate an internal Consumer Assistance Mechanism (CAM) and to investigate complaints; places the burden of proof on the institution to show the consumer’s fraud, gross negligence, or bad faith when denying claims.
Civil Code (obligations, negligence, and damages)
- Supports claims for restitution and, if litigated, damages (actual, moral, exemplary) where the bank/PSP breaches duties of diligence or security.
Access Devices Regulation Act, R.A. No. 8484
- Penalizes fraudulent use of access devices (debit/credit cards, account credentials). Useful for criminal complaints against perpetrators.
Cybercrime Prevention Act, R.A. No. 10175
- Covers phishing, hacking, identity theft, and unauthorized access; basis for PNP-ACG/NBI action.
Data Privacy Act, R.A. No. 10173
- If personal data compromise is suspected (SIM swap, phishing, credential leak), you may invoke data subject rights and file with the National Privacy Commission (NPC).
Bangko Sentral ng Pilipinas (BSP) Regulations & Payment System Rules
- Implement financial consumer protection, dispute handling, strong customer authentication (SCA), and e-payment rails (debit cards, InstaPay/PESONet, and direct debits). Banks and PSPs must keep audit trails (device fingerprints, IPs, OTP logs) and provide fair dispute timelines.
II. What Counts as “Unauthorized”?
- Transactions you did not initiate, authorize, or benefit from, including those arising from phishing, social engineering, SIM swap, malware, stolen card/number, or compromised credentials.
- OTP entry alone is not conclusive proof of consent; OTPs can be captured via phishing or SIM swaps.
- “Friendly fraud” (e.g., household member’s unauthorized use) is still unauthorized vis-à-vis the bank unless you expressly permitted it.
III. Immediate Action Plan (First 0–24 Hours)
Lock down the account
- Use the app/online banking to lock/freeze the debit card, toggle “block e-commerce” if available, and change your login password/PIN.
- Turn off biometric logins then re-enroll after password reset.
Secure your SIM and email
- Call your telco to check for a SIM swap and to bar unauthorized SIM changes.
- Change email password; enable authenticator-based 2FA (avoid SMS-only 2FA if possible).
Document everything
- Screenshots of SMS alerts, app ledger, statement, OTP logs, and your lock/freeze actions.
- Note the exact timestamps, amounts, reference numbers, merchant descriptors (“CODA*…”) and your IP/device at the time of discovery.
Report to the bank/PSP immediately
- Phone hotline + in-app chat/email. Get a case/reference number.
- Request a temporary freeze and transaction dispute.
IV. Filing the Bank Dispute (Within 24–72 Hours)
Prepare a short packet:
- Dispute Form (bank-provided) or your affidavit narrating: when you noticed the debits; why they’re unauthorized; steps taken to secure the account; confirmation you did not share OTPs knowingly or authorize anyone to transact.
- IDs and specimen signatures (as required by the bank).
- Evidence: screenshots, statements, device change logs, telco letter (if SIM swap suspected), email security alerts, police blotter (optional but persuasive).
- Relief sought: reversal/refund, account/card replacement, written investigation report, and timeline.
Practical timeline: Most banks ask that disputes be lodged as soon as practicable and often within 30 calendar days from statement date for card transactions. File immediately upon discovery even if you’re within 30 days.
V. How the Rail Affects the Dispute
A. Card-Not-Present (CNP) Debit Card Transactions
- Think of online transactions where your debit card number was used.
- Banks may process via Visa/Mastercard dispute rules (“chargeback”) with windows typically up to 120 days from posting, subject to scheme codes.
- The bank should check 3-D Secure logs (e.g., 3DS challenge status), device fingerprint, and whether SCA passed.
- Refund Standard: If the bank cannot demonstrate a properly authenticated transaction tied to your device and consent—or if 3DS/SCA wasn’t properly applied—refund is typically warranted.
B. Account-to-Account (A2A) Transfers (InstaPay/PESONet, Internal Transfers)
- If you see “CODA” as the narrative in an A2A push, treat it as an unauthorized transfer.
- Banks review session logs (IP, device ID), login method, OTP delivery, and velocity (unusual pattern).
- If compromise (phishing/SIM swap) is indicated and no negligence is proven on your part, the bank should restore funds or offer provisional credit during investigation.
C. Direct Debit (Pull) from Your Account
If a mandate was set up without your consent (e-mandate fraud) or debits exceeded mandate terms:
- Demand the mandate record (date/time, device/IP, proof of your authorization).
- Absent a valid mandate or if authentication is defective, push for immediate reversal and mandate cancellation.
Note: Whether “CODA” is a card merchant, a payment aggregator, or a mandate originator, the investigating bank remains your primary counterparty for the dispute when funds left your deposit account or card.
VI. Allocation of Liability
Under the FCPA and BSP standards, banks/PSPs must:
- Investigate diligently and explain their findings; and
- Prove consumer fraud/gross negligence to deny a claim.
Examples where consumer fault is often alleged (but still fact-sensitive): sharing one-time passwords, jailbroken devices, ignoring security alerts, writing passwords on the card, etc.
OTP entry ≠ automatic consent; banks must still show secure enrollment, possession, and knowledge factors consistent with SCA.
VII. Outcomes, Credits, and Interest
- Provisional credit may be provided while the bank investigates; ask for it explicitly.
- If the bank confirms unauthorized use, expect reversal/refund of principal.
- For litigated claims, courts may award legal interest (6% p.a.) from finality of judgment on money awards; pre-judgment interest depends on the court’s findings.
- Fees/penalties charged due to the fraud (overdraft fees, replacement card fees) should be waived.
VIII. Escalation Ladder (If Bank Response is Inadequate)
Bank’s CAM (Internal)
- Ask for the final written response and the root-cause analysis (authentication logs, mandate proof).
Bangko Sentral ng Pilipinas (BSP)
- File a financial consumer complaint with details, evidence, and the bank’s final response.
- Relief sought: refund, policy correction, and regulatory action for control failures.
National Privacy Commission (NPC)
- If you suspect a data breach (bank, PSP, or merchant) or SIM swap, file a complaint/assistance request invoking your data subject rights (access, erasure, restriction).
PNP Anti-Cybercrime Group / NBI Cybercrime Division
- File a criminal complaint (R.A. 8484 / 10175). Bring bank letters, logs, and your affidavit. Request subpoenas to trace beneficiary accounts and devices.
Civil Action
- For restitution and damages (actual, moral, exemplary) if administrative channels fail or the loss is significant.
IX. Evidence Checklist
- Bank dispute case number and all correspondence.
- Screenshots: alerts, ledger entries, OTP messages, device login notifications.
- Full account statement covering at least one cycle before and after the incident.
- Device and telco notes: SIM swap ticket, email security alerts, authenticator logs.
- Affidavit of Non-Authorization and (optionally) Police Blotter.
- If direct debit: copy of mandate and authentication evidence (request from bank).
X. Common Bank Defenses—and How to Respond
“You entered the OTP.”
- Reply: OTPs can be phished or redirected via SIM swap; demand 3DS/SCA logs, device match, and risk assessment notes.
“Transactions were done on your registered device.”
- Ask for device fingerprint hash, IP geolocation, and time of device registration. If registration changed shortly before the debits, that favors compromise.
“We used industry-standard security.”
- Standards do not override statutory duties; the issue is whether your specific transaction was properly authenticated and whether the bank exercised diligence.
“You reported late.”
- You must report promptly, but delay alone does not prove consent or negligence, especially if you reported upon discovery and within the bank’s published window.
XI. Preventive Practices (Post-Incident)
- App hygiene: keep OS updated; avoid sideloading; use hardware-token/Authenticator over SMS where possible.
- Account settings: enable transaction alerts, set per-day limits, and keep e-commerce toggle OFF by default.
- Credential discipline: unique passwords; password manager; never share OTPs or click links from unsolicited messages.
- SIM security: add a SIM change PIN (ask telco), disable value-added services you don’t use.
- Mandate watch: review active direct debit mandates and revoke those you don’t recognize.
XII. Model Documents
A. Affidavit of Non-Authorization (Template)
AFFIDAVIT OF NON-AUTHORIZATION
I, [Name], of legal age, [civil status], residing at [Address], after being duly sworn, depose and state:
- On [date/time], I discovered multiple debit entries in my [Bank] account ending [XXXX] with descriptors “CODA/[details]” totaling ₱[amount].
- I did not initiate, authorize, permit, or benefit from these transactions, nor did I share my credentials/OTP knowingly with any person.
- Upon discovery, I immediately secured my account (card freeze, password reset) and reported to [Bank] under Case No. [number].
- I respectfully request reversal/refund and a written investigation report, including authentication/mandate logs.
- I am executing this affidavit to attest to the foregoing and for all legal purposes.
[Signature over printed name]
SUBSCRIBED AND SWORN… [Notarial block]
B. Demand/Complaint Letter to Bank (Template)
Subject: Unauthorized “CODA” Debits – Demand for Reversal and Investigation
Dear [Bank CAM/Customer Care],
I report unauthorized debits dated [dates] totaling ₱[amount] with descriptors “CODA/[details].” I did not authorize these transactions. Attached are screenshots/statements and my Affidavit of Non-Authorization.
Under R.A. 11765 and BSP consumer protection standards, please (1) reverse/refund the debits or extend provisional credit, (2) provide the mandate/authentication logs (3DS/SCA, device ID, IP, OTP), and (3) confirm cancellation of any mandate/card credentials involved. Kindly issue a final written response within your published turnaround time.
Sincerely,
[Name, contact details]
XIII. Frequently Asked Questions
Do I need a police report? Not legally required to start a bank dispute, but it strengthens your case, especially for regulator/law-enforcement escalation.
Will the bank replace my card/account number? Yes, request card/account reissuance and blocklist the old credentials.
Can I recover from the merchant directly? If the descriptor maps to a known platform, you can parallel-file with the merchant’s support to speed reversal; however, your bank remains the primary dispute point for money that left your account.
What if the bank denies my claim? Ask for the complete basis (logs, mandate, scheme decision) and escalate to BSP; consider civil/criminal action if warranted.
XIV. One-Page Quick Checklist
- Freeze card / change passwords / secure SIM & email
- File bank dispute (get case #) within 24–72 hours
- Submit affidavit + evidence pack
- Ask for provisional credit and written investigation report
- If needed: escalate to BSP → NPC → PNP-ACG/NBI
- Replace card/account; audit mandates; harden security
Bottom Line
Unauthorized “CODA” debits are treated as financial consumer incidents. Philippine law presumes protection, not forfeiture: banks must investigate and can only deny when they prove your fraud or gross negligence. Move quickly, keep meticulous records, insist on logs and clear findings, and use the regulator and law-enforcement escalators if the initial response falls short.