Unauthorized Bank Debits in the Philippines: How to Dispute Unknown Merchant Transactions

An unfamiliar merchant debit can be a hidden subscription, a payment processor using a name you do not recognize, or genuine card fraud. The safest response is to act immediately: preserve the transaction details, block further use of the card or account, report the debit through the bank’s 24/7 fraud channel, and file a written dispute before the bank’s deadline. Philippine financial consumer rules require banks to handle fraud concerns promptly and fairly, while newer anti-scam rules may allow funds to be traced and temporarily held when the disputed transaction is an electronic transfer between financial accounts.

Is the Unknown Merchant Transaction Really Unauthorized?

A transaction is unauthorized when you did not make it, approve it, or knowingly allow another person to make it.

An unfamiliar merchant name does not automatically mean fraud. The name appearing on your bank statement—called the billing descriptor—may belong to:

  • A payment processor rather than the store
  • A parent company operating under another brand
  • An app store handling an in-app purchase
  • A hotel, restaurant, or transport service using a third-party terminal
  • A recurring subscription you previously authorized
  • A temporary verification charge
  • A merchant that submitted the transaction several days after the purchase

Before concluding that the debit is fraudulent, compare the amount and date with recent purchases, email receipts, app-store histories, online subscriptions, food-delivery accounts, transport apps, and digital wallets.

Do not spend days investigating on your own. If you cannot identify the transaction quickly, report it to the bank and secure the account while the bank verifies the merchant information.

Unauthorized transaction, merchant dispute, or mistaken transfer?

These problems follow different processes:

Situation Example Correct approach
Unauthorized merchant transaction Someone used your debit-card details at an online store Fraud report and card-network dispute or chargeback
Authorized merchant dispute You paid for an item, but it was not delivered Contact the merchant, then file a merchant dispute if unresolved
Recurring payment dispute A service charged you after cancellation Submit cancellation records and dispute the recurring charge
Erroneous transfer You sent money to the wrong account Immediately request recovery through the sending bank
Scam-induced transfer You personally sent money because of impersonation or deception Report as fraud or social engineering, not merely an “unknown merchant” debit
Pending authorization A transaction appears but has not yet been posted Secure the card and ask whether the authorization can still be stopped

Correct classification matters. A bank may reject a fraud claim when the records show that you authorized the payment but later became dissatisfied with the merchant. Conversely, describing a stolen-card transaction merely as a “refund request” may prevent the bank from treating it as a priority fraud concern.

Your Rights Under Philippine Law

Financial consumer rights under Republic Act No. 11765

The Financial Products and Services Consumer Protection Act, Republic Act No. 11765 of 2022, gives financial consumers five basic rights:

  • Fair and equitable treatment
  • Disclosure and transparency
  • Protection of assets against fraud and misuse
  • Data privacy and protection
  • Timely handling and redress of complaints

The law applies to banks and other financial service providers regulated by the Bangko Sentral ng Pilipinas, or BSP. It also authorizes the BSP to adjudicate purely civil claims for payment or reimbursement of up to ₱10 million, exclusive of interest and other charges. (Bureau of the Treasury)

BSP rules for unauthorized transactions

BSP Circular No. 1160, Series of 2022, requires BSP-supervised financial institutions to provide a free, accessible, and active 24/7 reporting channel for fraud and unauthorized transactions.

The bank where your account is maintained—the originating financial institution—is primarily responsible for receiving and investigating your complaint. It may coordinate with the merchant’s acquiring bank, payment network, digital-wallet provider, or receiving institution.

Depending on the circumstances, the bank may:

  • Block the affected card, account access, or payment credential
  • Suspend disputed interest or fees
  • Place available disputed funds on hold
  • Provide provisional credit
  • Trace funds through another institution
  • Reverse or correct a transaction found to be unauthorized

Provisional credit is not automatic. It may be non-withdrawable while the investigation is pending.

After the investigation is concluded, the bank must communicate its formal result within three banking days. This does not mean that every investigation must be completed within three days; the three-day period begins only after the investigation has ended. If the transaction is found to be unauthorized or fraudulent, the bank should correct or reverse it and make any applicable provisional credit permanent.

Anti-Financial Account Scamming Act

The Anti-Financial Account Scamming Act, Republic Act No. 12010 of 2024, or AFASA, requires financial institutions to maintain adequate controls against account scams, including appropriate authentication and fraud-management systems.

A bank that fails to use adequate safeguards or to exercise the legally required degree of diligence may be liable for restitution. A criminal conviction of the scammer is not necessarily required before institutional liability can be considered. (Lawphil)

Under BSP Circular No. 1215, Series of 2025, disputed funds involved in qualifying electronic account-to-account transfers may initially be held for up to five calendar days and, when supported by the verification process, for a total of up to 30 calendar days. Only a court may authorize a longer hold.

These temporary-hold rules do not cover every card purchase. Circular No. 1215 generally concerns electronic fund transfers between financial accounts and expressly excludes ordinary credit-card transactions, except when a credit card is used to make an electronic transfer through an automated clearing house. A debit-card merchant purchase will normally proceed through the card issuer and the Visa, Mastercard, or BancNet dispute system.

Banks must exercise a high degree of diligence

Section 2 of the General Banking Law, Republic Act No. 8791, recognizes the fiduciary nature of banking. This means banks must maintain high standards of integrity and performance because depositors entrust them with their money. (Lawphil)

Articles 1170 and 1173 of the Civil Code of the Philippines may also apply when a loss is caused by fraud, negligence, delay, or failure to exercise the diligence required by the circumstances.

In Philippine Bank of Commerce v. Court of Appeals, G.R. No. 97626, March 14, 1997, the Supreme Court emphasized the high degree of care expected from banks. The decision also shows that a depositor’s contributory negligence may reduce recoverable damages without necessarily eliminating the bank’s responsibility. (Supreme Court E-Library)

In Far East Bank and Trust Company v. Chante, G.R. No. 170598, October 9, 2013, the Court held the bank liable in an ATM dispute where the evidence showed a defect in the bank’s system. The ruling does not mean that every transaction authenticated by a PIN or one-time password is automatically refundable; liability still depends on the particular evidence and the conduct of both the bank and the customer. (Supreme Court E-Library)

What to Do Immediately After Seeing an Unauthorized Bank Debit

1. Preserve the transaction details

Take screenshots or download a statement showing:

  • Transaction date and time
  • Posting date
  • Amount and currency
  • Exact merchant descriptor
  • Reference or trace number
  • Whether the transaction is pending or posted
  • Any foreign transaction, conversion, or service fee

Do not crop out the account name, statement date, or surrounding entries if they help establish the sequence of events. Mask unnecessary account digits when sending copies outside the bank.

Also save relevant text messages, emails, push notifications, receipts, and login alerts. If you received suspicious calls or messages, preserve the sender’s number, username, profile, and links without opening them again.

2. Lock or block the affected payment method

Use the bank’s mobile application to lock the card when that feature is available. Then call the bank’s official fraud hotline and request permanent blocking and replacement when unauthorized use appears likely.

Ask the bank whether the compromised credential was:

  • The physical card number
  • A virtual card
  • A digital-wallet token
  • A recurring-payment token
  • Your online banking account
  • A linked e-commerce or payment account

Replacing the physical card may not stop every recurring or tokenized payment. Ask whether the bank can revoke merchant tokens and automatic card-updater services connected to the old card number.

Change the passwords for online banking, email, digital wallets, and shopping accounts. Use unique passwords and activate multi-factor authentication. If your mobile signal suddenly disappeared or you suspect SIM replacement, contact your telecommunications provider immediately.

3. Report the debit through the bank’s 24/7 fraud channel

Call only the number printed on the card, shown in the banking application, or published on the bank’s official website.

Provide the minimum information needed to identify the transaction. Never disclose your full PIN, one-time password, card verification value, or online banking password. A legitimate bank representative should not need those secrets to receive a dispute.

Request:

  • A complaint or case reference number
  • Written acknowledgment
  • The name or identifier of the receiving officer
  • Confirmation that the card or account has been secured
  • The bank’s dispute form
  • The deadline for submitting supporting documents
  • The expected investigation process
  • Confirmation whether provisional credit is available

A phone call protects the account quickly, but it should be followed by a written complaint.

4. File a written dispute

State clearly that you are disputing an unauthorized merchant transaction. Identify every debit separately.

A useful written dispute contains:

  1. Your name and the last four digits of the affected account or card
  2. The transaction date, posting date, amount, and merchant descriptor
  3. A direct statement that you did not make or authorize the transaction
  4. The date and time you first discovered it
  5. Whether the card remained in your possession
  6. Whether you received or disclosed any OTP, PIN, password, or verification request
  7. Whether anyone else was authorized to use the card
  8. The steps you took to secure the account
  9. The result you are requesting, such as reversal, replacement, and waiver of related fees
  10. A list of attached evidence

Avoid broad statements such as “all charges are fraudulent” when only certain entries are disputed. Incomplete identification is a common cause of delay.

5. Ask the bank for the transaction’s authentication details

The bank may not immediately provide every internal security record, but you can ask it to examine and explain:

  • Whether the transaction was card-present or card-not-present
  • Whether the chip, magnetic stripe, contactless function, or manual card entry was used
  • Whether an OTP, PIN, or 3-D Secure authentication was recorded
  • Whether the transaction used a digital-wallet token
  • The merchant category and acquiring institution
  • The device, channel, or geographic indicators
  • Whether there were failed attempts before or after the debit
  • Whether the transaction matched your normal account activity

An OTP, PIN, or device record is relevant evidence, but it should not end the inquiry by itself when there are indications of account takeover, phishing, SIM swapping, malware, system error, or compromised merchant credentials.

6. Submit supporting documents without delay

When AFASA’s temporary-hold procedure applies, documents supporting an extended hold may need to be submitted during the initial five-day period. These can include a sworn complaint, affidavit, police report, or other evidence required by the industry protocol.

Even in an ordinary debit-card dispute, prompt submission helps the bank meet card-network deadlines and request information from the merchant’s acquiring bank.

7. Report possible crimes separately

Unauthorized use of card or account credentials may violate the Access Devices Regulation Act, Republic Act No. 8484 of 1998. Online account intrusion, computer-related fraud, and related conduct may also fall under the Cybercrime Prevention Act, Republic Act No. 10175 of 2012. Social-engineering schemes and money-mule activity may be prosecuted under RA No. 12010. (Lawphil)

For substantial losses, repeated unauthorized activity, identity theft, phishing, or account takeover, consider filing with:

  • The Philippine National Police
  • The National Bureau of Investigation Cybercrime Division
  • The Cybercrime Investigation and Coordinating Center

The BSP’s consumer guidance encourages scam and fraud victims to report the incident to law-enforcement agencies in addition to notifying the financial institution. An NBI online complaint facility is also available.

A police or NBI report does not replace the bank dispute. Both processes should proceed separately.

Documents Commonly Needed for a Bank Dispute

Document or evidence Why it matters
Bank dispute form Creates the bank’s formal investigation record
Government-issued identification Confirms the account holder’s identity
Account statement or transaction screenshot Identifies the disputed entry
Written narrative or affidavit Explains why the transaction was unauthorized
Card-possession statement Shows whether the physical card was lost or remained with you
Merchant correspondence Supports cancellation, non-delivery, or merchant-identity issues
Subscription cancellation proof Important for recurring-payment disputes
SMS, email, or app alerts Establishes discovery and reporting times
Call logs and complaint reference numbers Shows prompt notification
Police, NBI, or cybercrime report Supports allegations of fraud or account takeover
Proof of travel or location May contradict the transaction location
Device or login records May help show unauthorized access

A bank may request an affidavit notarized by a Philippine notary. Follow the bank’s document instructions, but retain copies and obtain proof of submission.

How Long Does a Dispute Take?

There is no single deadline covering every type of unauthorized debit.

Stage Usual legal or procedural point
Initial fraud report Report immediately through the bank’s 24/7 channel
Written acknowledgment Should be provided promptly after the report
Initial AFASA hold, when applicable Up to five calendar days
Total AFASA temporary hold Up to 30 calendar days, unless extended by a court
Bank investigation Must be completed within a reasonable period based on complexity
Formal bank result Within three banking days after the investigation concludes
Bank-specific card dispute window Depends on the bank and card-network rules
BSP Consumer Assistance Mechanism BSP materials estimate approximately 55–65 days for the full CAM exchange, although workload and complexity may cause delay
BSP mediation Generally 30 days, subject to extension for meritorious reasons

Card-dispute filing periods are contractual and vary. For example, BPI’s published debit-card terms require certain disputes within 60 calendar days from the transaction date, while Metrobank’s current card dispute form states an 80-calendar-day period for covered card complaints. These are examples, not universal deadlines. File the dispute immediately instead of assuming that you have 60, 80, or 120 days. (BPI Help)

How the Bank Determines Who Bears the Loss

A bank should examine the full circumstances rather than relying on a single fact. BSP rules direct institutions to consider the actions or omissions of the account holder, the bank, other participating institutions, and compliance with applicable regulations.

Relevant questions include:

  • Did the customer report the transaction promptly?
  • Was the physical card lost, stolen, or still in the customer’s possession?
  • Was an OTP or PIN entered?
  • Could the customer have been deceived into providing credentials?
  • Did the bank’s fraud system detect unusual behavior?
  • Did the bank properly respond to earlier warning signs?
  • Was the card used in a way inconsistent with the customer’s history?
  • Did the bank use appropriate authentication and security controls?
  • Did the merchant provide evidence of authorization?
  • Did the customer allow a family member, employee, or companion to use the card?
  • Did the customer ignore repeated bank alerts or delay blocking the account?

Use of an OTP does not always settle the issue

Banks often rely on OTP, PIN, chip, or device records to show authentication. Those records are important, but authentication and genuine consent are not always the same.

A scammer may have obtained an OTP through phishing, impersonation, remote-access software, SIM swapping, or manipulation. The customer’s conduct may affect liability, but the bank must still examine whether its security controls, alerts, transaction monitoring, and response procedures were adequate.

A merchant problem is not always bank fraud

A transaction you knowingly approved is usually not “unauthorized” merely because:

  • The goods were defective
  • The delivery was late
  • You forgot about the purchase
  • You misunderstood the subscription terms
  • A companion used the card with your permission
  • You later regretted the transaction

These may still support a merchant dispute, cancellation claim, or chargeback, but the evidence and dispute category will be different.

Scam-induced transfers require precise reporting

When you personally transferred the money after being deceived, do not falsely state that you never authorized the transaction. Explain that you technically initiated the transfer but that your consent was obtained through social engineering, impersonation, or fraud.

That distinction helps the bank activate the correct tracing, temporary-hold, and coordinated-verification procedures under RA No. 12010 and Circular No. 1215.

Knowingly making a malicious or false fraud report can have legal consequences. State the facts accurately, including any credentials you disclosed or actions you performed.

What to Do if the Bank Denies or Delays the Claim

1. Request the final written decision

Ask for a written explanation identifying:

  • The evidence considered
  • The reason for denial
  • The applicable account or card term
  • Whether merchant documents were obtained
  • Whether OTP, PIN, token, or device authentication was recorded
  • Whether the transaction was examined under the bank’s fraud-management procedures
  • The internal appeal or reconsideration process

A verbal statement that “the transaction was valid” is not a useful final resolution.

2. File an internal appeal or reconsideration

Respond point by point. Attach documents the first investigator may have overlooked, such as:

  • Proof that the card was in your possession
  • Evidence that you were elsewhere
  • Earlier fraud alerts
  • Screenshots of phishing messages
  • Evidence of SIM loss or replacement
  • Proof that you promptly reported the incident
  • Similar unauthorized transactions
  • Cancellation or refund correspondence
  • A police or NBI report

Do not resend the same vague complaint. Explain specifically why the bank’s conclusion does not address the evidence.

3. Escalate the complaint to the BSP

The bank’s Financial Consumer Protection Assistance Mechanism is the first-level remedy. The BSP Consumer Assistance Mechanism is generally the second level, so you should first give the bank an opportunity to resolve the complaint.

You may escalate through the BSP Online Buddy chatbot or submit the BSP Consumer Information and Relief Form using the channels explained in the BSP guide on filing a consumer complaint.

Attach:

  • Your complaint to the bank
  • Proof that the bank received it
  • The bank’s final response, if available
  • Transaction records
  • Your supporting evidence
  • A concise timeline
  • The specific relief requested

Do not send your PIN, password, complete card number, OTP, passport details, or unnecessary copies of sensitive identity documents to the BSP.

Under BSP procedures, the bank generally has 15 days from the BSP’s directive to submit its answer. The consumer may then reply within 30 days, followed by additional response periods when necessary.

4. Consider BSP mediation or adjudication

When Consumer Assistance Mechanism proceedings do not resolve the dispute, qualifying cases may proceed to mediation.

For purely civil claims seeking payment or reimbursement, BSP adjudication may be available when the amount does not exceed ₱10 million, excluding interest, fees, and costs. The BSP’s adjudicatory remedy focuses on payment or reimbursement and does not function as a general forum for every type of moral, exemplary, or consequential damage claim.

A BSP adjudication decision is final and executory, subject to the remedies allowed by RA No. 11765, including a petition for certiorari before the Court of Appeals within the statutory period.

Barangay conciliation is generally not the practical first remedy for a dispute against a bank. Filing at the barangay also does not stop contractual card-dispute deadlines.

Common Mistakes That Weaken Unauthorized Debit Claims

  • Waiting for the merchant before blocking the card. Merchant verification can happen after the payment method is secured.
  • Making only a phone call. Follow it with a written dispute and preserve the case number.
  • Using the wrong dispute category. Distinguish fraud, recurring billing, non-delivery, mistaken transfer, and scam-induced payment.
  • Failing to identify every transaction. List each date, amount, and descriptor separately.
  • Deleting scam messages. Preserve the original evidence even when it is embarrassing or shows that credentials were disclosed.
  • Reporting only to the police. Law-enforcement reporting does not replace the bank’s dispute process.
  • Missing the bank’s filing period. Card-network and bank deadlines may expire before a criminal investigation is completed.
  • Sharing sensitive credentials during the complaint. Banks and the BSP do not need your PIN, password, or OTP.
  • Assuming replacement automatically stops subscriptions. Ask the bank to address recurring tokens and automatic card-updater services.
  • Withdrawing provisional credit. Some provisional credits are non-withdrawable and may be reversed if the investigation finds the transaction valid.
  • Calling an authorized scam payment “unauthorized.” Describe exactly how the deception occurred.
  • Filing a knowingly false report. False allegations can expose the complainant to legal consequences.

Foreigners and Philippine Account Holders Living Abroad

Foreign nationals with accounts at Philippine banks may use the same bank complaint and BSP consumer-protection processes.

An account holder abroad should first use the bank’s official international hotline, secure online messaging facility, or designated complaint email. Keep evidence of the time difference, unsuccessful calls, and dates of submission.

When another person will act in the Philippines:

  • A signed written authorization may be accepted for parts of the BSP Consumer Assistance Mechanism.
  • Mediation or adjudication may require a special power of attorney.
  • A bank may require a notarized or apostilled authorization executed abroad.
  • A foreign corporation may need an equivalent board authorization or corporate secretary’s certificate.

Requirements differ by bank and stage of proceedings. Confirm the exact form, notarization, and apostille requirements before sending original documents. BSP rules expressly recognize authorized representatives, with stricter proof of authority for mediation and adjudication.

Frequently Asked Questions

Can the bank refuse my claim because an OTP was used?

The bank may treat OTP use as evidence of authentication, but it should still consider how the OTP was obtained, whether the transaction was unusual, whether its fraud controls worked properly, and whether phishing, impersonation, SIM swapping, or account takeover occurred. OTP use does not create an automatic refund, but neither should it replace a full investigation.

How quickly should I report an unknown merchant transaction?

Report it as soon as you discover it, ideally on the same day. Delays can allow additional transactions, reduce the chance of tracing funds, and cause you to miss the bank’s card-dispute deadline.

Do I need a police report before the bank investigates?

Not always. The bank should receive and evaluate the initial fraud report even without a police report. It may later request one, particularly for substantial losses, account takeover, repeated fraud, or an extended temporary hold under anti-scam procedures.

Can I dispute a recurring subscription I forgot to cancel?

Forgetting to cancel usually does not make a charge unauthorized. Review the merchant’s cancellation terms. You may have a valid dispute if you cancelled on time, the merchant continued charging after cancellation, the terms were misleading, or the recurring authority was not properly obtained.

What if I recognize the amount but not the merchant name?

Check receipts, app-store purchases, payment processors, restaurants, hotels, transport services, digital wallets, and family-authorized use. Ask the bank for the merchant category and acquiring information, but secure the card immediately when the transaction still appears suspicious.

Will the bank refund the money while investigating?

The bank may provide provisional credit, but this is not guaranteed. It may be non-withdrawable and can be reversed if the investigation concludes that the transaction was valid.

What if the transaction is still pending?

A pending authorization may disappear, change amount, or later post. You should still block or lock the card if you did not authorize it. Ask the bank whether the authorization can be stopped and whether a formal dispute must wait until posting.

Can I complain directly to the BSP without contacting the bank?

The normal process requires you to complain first through the bank’s Financial Consumer Protection Assistance Mechanism. Escalate to the BSP when the bank does not resolve the matter, fails to respond properly, or issues an unsatisfactory final decision.

What if I voluntarily transferred the money to a scammer?

Report it immediately as a scam-induced or social-engineering transaction. Give an accurate account of what you did and how you were deceived. Ask the sending institution to trace the funds and initiate the temporary-hold and coordinated-verification process when RA No. 12010 and BSP Circular No. 1215 apply.

Can the bank charge me for reporting fraud?

BSP rules require financial institutions to maintain a free 24/7 channel for reporting fraud, scams, and unauthorized transactions. Ordinary incidental costs—such as notarization, document certification, printing, or obtaining records—may still arise.

Key Takeaways

  • An unfamiliar merchant descriptor is not always fraud, but you should not delay securing the account.
  • Lock or block the card, preserve evidence, and report the transaction through the bank’s official 24/7 fraud channel.
  • Follow the phone report with a detailed written dispute identifying every transaction.
  • Ask for a case number, written acknowledgment, replacement card, authentication details, and the bank’s filing deadline.
  • BSP Circular No. 1160 requires fair investigation and a formal result within three banking days after the investigation concludes.
  • RA No. 12010 may allow qualifying electronic-transfer funds to be traced and temporarily held for up to 30 days.
  • Card-network deadlines vary by bank, so file immediately rather than relying on a supposed universal 60- or 90-day period.
  • OTP or PIN use is important evidence but does not eliminate the need to examine phishing, account takeover, bank controls, and other circumstances.
  • A police or cybercrime report supports the case but does not replace the bank dispute.
  • If the bank’s response is inadequate, complete the internal process and escalate the complaint to the BSP Consumer Assistance Mechanism.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.