I. Introduction
Unauthorized credit card fraud occurs when a credit card, card details, card account, or credit line is used without the cardholder’s consent. In the Philippines, this issue commonly arises from lost or stolen cards, phishing, skimming, card-not-present fraud, unauthorized online purchases, identity theft, account takeover, or misuse of one-time passwords and authentication credentials.
The central legal question is often this: Who bears the loss—the cardholder, the bank or credit card issuer, or the merchant?
The answer depends heavily on several factors, especially:
- whether the transaction was truly unauthorized;
- whether the cardholder acted with negligence or fraud;
- when and how the cardholder notified the issuing bank;
- whether the bank complied with regulatory duties on security, investigation, disclosure, and dispute handling;
- whether the cardholder’s own conduct contributed to the loss.
In the Philippine setting, the topic is governed by a combination of banking regulations, consumer protection rules, contract law, electronic commerce principles, cybercrime laws, data privacy rules, and the specific terms and conditions of the credit card agreement.
II. Nature of Credit Card Relationships
A credit card transaction usually involves several parties:
- Cardholder – the person to whom the credit card is issued.
- Issuer – the bank or financial institution that issued the card.
- Merchant – the seller or service provider that accepts the card.
- Acquirer – the bank or institution that processes card transactions for the merchant.
- Payment network – such as Visa, Mastercard, JCB, American Express, or similar networks.
The cardholder’s legal relationship with the issuing bank is primarily contractual. The cardholder agrees to be bound by the cardholder agreement, including provisions on payment, interest, fees, billing, disputed charges, liability for lost or stolen cards, and notice requirements.
However, the contract is not the only source of rights and obligations. Credit card issuers in the Philippines are regulated entities and must comply with rules issued by the Bangko Sentral ng Pilipinas, consumer protection standards, cybersecurity requirements, and applicable laws.
III. What Constitutes Unauthorized Credit Card Fraud
Unauthorized credit card fraud may include:
1. Lost or Stolen Card Use
This happens when the physical card is lost or stolen and later used by another person without authority.
2. Card-Not-Present Fraud
This involves unauthorized online, phone, or mail-order transactions where the physical card is not presented. Fraudsters may use the card number, expiry date, CVV, billing address, or other card details.
3. Phishing and Social Engineering
Fraudsters may trick cardholders into revealing card details, OTPs, passwords, or login credentials through fake bank messages, emails, calls, or websites.
4. Skimming
Skimming occurs when card information is illegally copied through a compromised terminal, ATM, or device.
5. Account Takeover
This happens when a fraudster gains access to the cardholder’s online banking, mobile app, or card account and performs transactions, changes contact details, or authorizes purchases.
6. Unauthorized Supplementary Card Use
Disputes may arise when a supplementary cardholder uses the card beyond what the principal cardholder expected. This is more complicated because the supplementary cardholder usually has authority to use the card, and the principal cardholder is often contractually liable for supplementary card charges.
7. Identity Theft and Fraudulent Card Issuance
A person may use another person’s identity documents to apply for a credit card. The victim may later receive statements or collection notices for a card they never applied for.
IV. Legal Character of Unauthorized Transactions
An unauthorized credit card transaction is generally one made without the cardholder’s consent or authority.
Consent may be express or implied. A transaction is clearly unauthorized when the cardholder neither made nor approved it. But a dispute becomes more difficult when the transaction involved correct card details, OTP authentication, mobile app confirmation, or login credentials.
Banks often argue that use of correct credentials, OTPs, or registered devices indicates authorization. Cardholders, on the other hand, may argue that fraudsters obtained access through deception, malware, SIM swap, phishing, or security compromise.
Thus, the legal question is not merely whether the transaction passed technical authentication. The deeper question is whether the cardholder actually authorized the transaction and whether any party failed to exercise the required degree of diligence.
V. The Notice Requirement to the Bank
The notice requirement is one of the most important issues in unauthorized credit card fraud.
A typical credit card agreement provides that the cardholder must immediately notify the bank if:
- the card is lost;
- the card is stolen;
- card details are compromised;
- unauthorized transactions appear;
- the cardholder receives suspicious alerts;
- the cardholder suspects fraud;
- the cardholder’s mobile number, email, online account, or device has been compromised.
The purpose of notice is to allow the bank to block the card, prevent further transactions, investigate, preserve evidence, and protect both the bank and the cardholder from additional losses.
A. Immediate Notice
Most cardholder agreements require immediate notice or notice “as soon as possible.” This means the cardholder must report the loss, theft, or suspicious transaction without unreasonable delay after discovering it.
A cardholder who notices unauthorized transactions but waits several days or weeks before reporting may face difficulty disputing liability, especially for transactions that occurred after the time when notice could reasonably have been given.
B. Notice Before and After Fraudulent Transactions
Liability may differ depending on timing.
If the cardholder notifies the bank before fraudulent use occurs, and the bank fails to block the card, the bank may bear responsibility for transactions that should have been prevented.
If the cardholder notifies the bank after the unauthorized transaction has already occurred, the issue becomes whether the cardholder was negligent, whether the bank’s systems failed, and whether the transaction should have been detected or blocked.
If fraudulent transactions continue after notice, the cardholder has a stronger argument that the bank should bear the loss for post-notice transactions, assuming the bank had reasonable opportunity to act.
C. Manner of Notice
Notice is commonly made through:
- customer hotline;
- mobile banking app;
- branch report;
- email to the bank’s official channel;
- written dispute form;
- card blocking request;
- official fraud report channel.
For evidentiary purposes, the cardholder should preserve proof of notice, such as:
- case reference number;
- call logs;
- screenshots of app reports;
- email acknowledgment;
- written complaint copy;
- name or ID of bank representative;
- date and time of report.
The date and time of notice are crucial because they can determine whether subsequent transactions are attributable to bank delay or cardholder delay.
VI. Cardholder’s Duty of Diligence
A cardholder must exercise reasonable care in using and safeguarding the credit card and account credentials.
This includes:
- keeping the card secure;
- not sharing the card number, CVV, PIN, OTP, password, or login credentials;
- regularly reviewing statements and transaction alerts;
- promptly reporting unauthorized transactions;
- updating contact details with the bank;
- avoiding suspicious links, fake websites, and unknown callers;
- protecting mobile devices and email accounts used for banking authentication;
- immediately requesting card blocking when compromise is suspected.
Negligence may affect liability. If the cardholder voluntarily gives an OTP to a fraudster, ignores repeated fraud alerts, delays reporting, or allows another person unrestricted access to the card, the bank may argue that the cardholder caused or contributed to the loss.
However, not every fraud incident automatically means the cardholder was negligent. Fraud schemes can be sophisticated, and banks also have independent duties to maintain secure systems and effective fraud monitoring.
VII. Bank’s Duties in Unauthorized Credit Card Fraud
Banks and credit card issuers in the Philippines are expected to observe high standards of diligence because banking is imbued with public interest.
A credit card issuer should generally:
- maintain secure card issuance and transaction systems;
- implement fraud detection and monitoring;
- provide reliable customer service and reporting channels;
- promptly block compromised cards upon notice;
- investigate disputed transactions fairly;
- provide clear dispute procedures;
- comply with consumer protection rules;
- protect cardholder data;
- issue accurate billing statements;
- refrain from unfair collection while a legitimate dispute is pending;
- explain the basis for approving or denying a dispute.
Banks cannot rely solely on fine print if their own negligence, system weakness, delayed response, or inadequate investigation contributed to the loss.
VIII. Effect of Cardholder Agreement Terms
Credit card agreements usually contain provisions on:
- liability for all transactions made using the card;
- liability for supplementary cards;
- duty to report loss or theft immediately;
- presumption that transactions using the card or credentials are valid;
- dispute periods for billing errors;
- finance charges and late payment charges;
- bank’s right to suspend or cancel the card;
- collection and reporting to credit bureaus;
- governing law and venue.
These contractual terms are important, but they are not absolute. Contract provisions may be challenged if they are contrary to law, public policy, consumer protection rules, or if enforcement would allow the bank to benefit from its own negligence.
A bank cannot impose liability mechanically without properly considering whether the transaction was authorized, whether the cardholder was negligent, and whether the bank complied with its own duties.
IX. Billing Statement Dispute Periods
Credit card agreements often require the cardholder to report billing errors or disputed charges within a specified period from receipt of the statement. Some agreements provide that failure to dispute within that period may make the statement conclusive or binding.
In practice, this means a cardholder should review monthly statements carefully and report unauthorized charges immediately.
However, a contractual dispute period should not be used to defeat a legitimate fraud complaint where the cardholder did not reasonably discover the fraud earlier, where the bank failed to provide proper notice, or where the transaction involved identity theft or system compromise. The surrounding facts matter.
X. The Role of OTPs, PINs, CVVs, and Authentication
Modern credit card fraud disputes often turn on authentication.
Banks may say that a transaction was valid because it used:
- the correct card number;
- the CVV;
- the OTP;
- a registered mobile number;
- a correct password;
- mobile app approval;
- biometric login;
- 3-D Secure authentication.
But authentication is not always the same as consent. A fraudster may obtain credentials through phishing, SIM swap, malware, device theft, compromised email, or fake bank calls.
Still, when an OTP or password was voluntarily disclosed by the cardholder, banks often treat this as negligence. The cardholder’s response is usually to show that the bank’s systems, warnings, or controls were inadequate, or that the transaction pattern was so unusual that it should have triggered fraud detection.
The stronger cases for the cardholder are those where:
- the card was in the cardholder’s possession;
- the cardholder did not disclose OTPs or credentials;
- transactions were unusual in amount, location, timing, or merchant type;
- several rapid transactions occurred;
- the bank failed to send timely alerts;
- the bank failed to block suspicious activity;
- transactions continued after notice;
- the bank gave only a generic denial without meaningful investigation.
XI. Lost or Stolen Card: Liability Before and After Notice
For lost or stolen cards, liability commonly depends on whether unauthorized transactions occurred before or after the bank was notified.
Before Notice
The bank may argue that the cardholder remains liable for transactions made before the loss was reported, especially if the cardholder failed to safeguard the card or delayed reporting.
The cardholder may dispute liability by showing absence of negligence, suspicious transaction patterns, lack of proper verification, or failure of the bank’s security systems.
After Notice
Once the bank receives notice and has reasonable opportunity to block the card, the cardholder should generally not be made liable for subsequent unauthorized use caused by the bank’s failure to act.
This is why evidence of notice is critical.
XII. Online Fraud and Card-Not-Present Transactions
Online credit card fraud is especially common because fraudsters do not need the physical card. They only need enough card information to complete a transaction.
Card-not-present disputes often involve:
- online shopping platforms;
- digital subscriptions;
- gaming purchases;
- foreign merchants;
- travel bookings;
- money transfer platforms;
- wallet top-ups;
- cryptocurrency-related merchants;
- recurring charges.
The bank’s investigation should consider whether the transaction used 3-D Secure, whether OTP was required, whether the cardholder’s registered device was used, whether IP address or location data was inconsistent, whether the merchant had proper authentication, and whether the transaction pattern was suspicious.
XIII. Fraudulent Credit Card Applications and Identity Theft
In some cases, the victim never applied for the credit card. Fraudsters may use stolen IDs, fake employment records, forged signatures, or compromised personal data.
The victim should immediately dispute the account, deny the application, request copies of application documents, file an affidavit of denial or complaint, and report possible identity theft.
The bank must investigate whether it complied with know-your-customer requirements and whether the card was issued through proper verification. If the bank issued a card based on forged or insufficient documents, the victim should not be treated as a legitimate debtor.
XIV. Supplementary Cards
A principal cardholder is usually liable for charges made by supplementary cardholders because the supplementary card is issued upon the principal cardholder’s authority.
However, disputes may arise if:
- the supplementary card was issued without valid authorization;
- the supplementary cardholder exceeded internal family or business instructions;
- the card was used after cancellation was requested;
- the supplementary card was lost or stolen;
- the supplementary cardholder committed fraud.
As between the bank and the principal cardholder, the bank will usually rely on the card agreement. As between the principal and supplementary cardholder, there may be a separate civil or criminal issue depending on the circumstances.
XV. Philippine Legal Framework
A. Civil Code Principles
The Civil Code applies to obligations and contracts. Credit card agreements are contracts, and parties must comply with their obligations in good faith.
Relevant Civil Code principles include:
- contracts have the force of law between the parties;
- obligations arising from contracts must be performed in good faith;
- negligence may create liability;
- damages may be awarded for breach of obligation;
- fraud, bad faith, or gross negligence may increase liability;
- a party cannot unjustly enrich itself at another’s expense.
A cardholder may invoke breach of contract, negligence, or damages if the bank mishandled a fraud report, failed to block the card, ignored evidence, or pursued collection despite a valid dispute.
B. Banking Law and BSP Regulation
Banks and credit card issuers are supervised by the Bangko Sentral ng Pilipinas. BSP regulations generally emphasize responsible lending, disclosure, fair treatment, data protection, cybersecurity, consumer assistance, and complaint handling.
Credit card issuers are expected to maintain proper systems for risk management, fraud prevention, customer communication, and dispute resolution.
C. Financial Consumer Protection
The Financial Products and Services Consumer Protection Act strengthened consumer protection in financial transactions. It requires financial service providers to treat consumers fairly, provide proper disclosure, protect consumer assets and data, and establish effective complaints-handling mechanisms.
In credit card fraud disputes, this framework supports the cardholder’s right to a fair, timely, and transparent investigation.
D. Access Devices Regulation Act
Republic Act No. 8484, known as the Access Devices Regulation Act of 1998, penalizes fraudulent acts involving access devices, including credit cards. It covers acts such as using counterfeit access devices, unauthorized use, possession of device-making equipment, trafficking in access devices, and other fraudulent schemes involving cards and account access.
This law is relevant where a fraudster used or obtained card information without authority.
E. Cybercrime Prevention Act
Republic Act No. 10175, the Cybercrime Prevention Act of 2012, may apply when credit card fraud is committed through computer systems, online platforms, phishing, hacking, identity theft, or other cyber means.
Cyber-related fraud may involve illegal access, computer-related identity theft, computer-related fraud, or other punishable conduct.
F. Data Privacy Act
Republic Act No. 10173, the Data Privacy Act of 2012, may apply if cardholder data was compromised due to poor data security, unauthorized processing, breach of personal information, or mishandling of sensitive personal information.
A bank, merchant, payment processor, or other entity may face liability if its data protection failures contributed to the fraud.
G. Electronic Commerce Act
Republic Act No. 8792, the Electronic Commerce Act, recognizes electronic documents, electronic signatures, and electronic transactions. It may be relevant in proving online transactions, digital authorizations, electronic records, logs, and authentication.
XVI. Burden of Proof
In a dispute, each side usually has evidentiary burdens.
The cardholder should prove or establish:
- the transaction was not made or authorized by them;
- when the unauthorized transaction was discovered;
- when notice was given to the bank;
- that they exercised reasonable care;
- that they did not disclose credentials or OTPs, if true;
- that the bank failed to act properly, if applicable.
The bank should be able to show:
- how the transaction was authenticated;
- whether OTP, 3-D Secure, PIN, or app approval was used;
- transaction logs;
- merchant details;
- fraud investigation results;
- notices or alerts sent to the cardholder;
- action taken after the cardholder’s report;
- contractual basis for charging the cardholder.
A mere assertion that “the transaction was authenticated” may not be enough in a serious dispute. A fair investigation should explain why the bank concluded that the cardholder is liable.
XVII. Evidence the Cardholder Should Preserve
A cardholder disputing unauthorized credit card fraud should preserve:
- billing statements;
- SMS and email alerts;
- screenshots of unauthorized transactions;
- bank app notifications;
- fraud report reference numbers;
- call logs;
- emails to and from the bank;
- written dispute forms;
- police reports, if filed;
- affidavits of denial;
- screenshots of phishing messages or fake websites;
- proof that the card was in the cardholder’s possession;
- travel records or location evidence showing impossibility of physical use;
- device and SIM records where relevant;
- merchant communications;
- bank denial letters;
- collection letters or credit bureau notices.
The strongest fraud disputes are evidence-driven. The cardholder should build a timeline showing discovery, notice, bank response, investigation, and disputed billing.
XVIII. Practical Steps After Discovering Unauthorized Credit Card Use
A cardholder should act immediately.
- First, call the bank’s official hotline or use the official app to block the card.
- Second, request a reference number.
- Third, file a written dispute and identify every unauthorized transaction.
- Fourth, ask the bank to reverse or temporarily suspend the disputed charges pending investigation.
- Fifth, change passwords and secure email, mobile banking, and devices.
- Sixth, preserve evidence.
- Seventh, file reports with appropriate authorities if identity theft, cybercrime, or data breach is involved.
- Eighth, escalate to the bank’s consumer assistance channel if the initial response is inadequate.
The cardholder should avoid paying disputed charges in a way that could be read as an admission of liability, although minimum payment issues require care. Some cardholders pay “under protest” to avoid interest or adverse reporting, but they should clearly state in writing that payment is not an admission of liability.
XIX. Complaints and Remedies
A. Internal Bank Dispute Process
The first step is usually to file a dispute directly with the issuing bank. The complaint should be clear and documented.
A good dispute letter should include:
- cardholder’s name;
- card number, masked except last four digits;
- transaction dates;
- merchant names;
- amounts;
- date of discovery;
- date and time of notice to the bank;
- statement that the transactions were unauthorized;
- request for reversal;
- request to suspend interest, penalties, and collection on disputed amounts;
- request for investigation documents or explanation;
- attached evidence.
B. Escalation to BSP
If the bank fails to resolve the complaint fairly, the cardholder may escalate the matter through the BSP’s consumer assistance mechanism. BSP-supervised financial institutions are expected to have consumer assistance processes and to respond to complaints.
C. Civil Action
The cardholder may consider civil action for damages, injunction, declaratory relief, breach of contract, or negligence if the bank wrongfully insists on payment, reports the cardholder as delinquent, harasses the cardholder through collection, or mishandles the fraud complaint.
D. Criminal Complaint
If a fraudster is identifiable, criminal complaints may be filed under relevant laws, including those on access device fraud, cybercrime, falsification, estafa, identity theft, or related offenses.
E. Data Privacy Complaint
If the fraud appears connected to unauthorized disclosure, breach, or misuse of personal information, a complaint may be considered under data privacy laws.
XX. Collection While Fraud Dispute Is Pending
A major issue is whether the bank may continue billing, charging interest, or pursuing collection while the disputed transaction is under investigation.
From a fairness and consumer protection perspective, a bank should handle disputed amounts carefully and should not use abusive collection tactics. The cardholder should request that collection, penalties, interest, and adverse credit reporting be suspended as to the disputed amount while the investigation is pending.
If the bank continues collection despite a credible and documented dispute, the cardholder may raise this as part of a complaint to regulators or in a civil claim.
XXI. Credit Bureau Reporting
Unauthorized transactions can damage a cardholder’s credit record if the bank treats the disputed amount as unpaid debt.
A cardholder should expressly demand that the bank refrain from reporting the disputed amount as delinquent while the fraud investigation is ongoing. If adverse reporting already occurred, the cardholder should demand correction once the dispute is resolved in their favor.
Wrongful credit reporting may support claims for damages if it causes reputational, financial, or business harm.
XXII. Common Bank Defenses
Banks commonly raise the following defenses:
- the transaction was authenticated by OTP;
- the cardholder failed to report the loss immediately;
- the dispute was filed beyond the statement dispute period;
- the cardholder was negligent in protecting the card or credentials;
- the transaction matched the cardholder’s usual behavior;
- the merchant obtained valid authorization;
- the cardholder benefited from the transaction;
- the cardholder allowed another person to use the card;
- the bank complied with its procedures;
- the cardholder agreement makes the cardholder liable.
These defenses are not automatically conclusive. They must be tested against the facts, evidence, regulatory standards, and fairness principles.
XXIII. Common Cardholder Arguments
Cardholders commonly argue:
- they did not authorize the transaction;
- the card was in their possession;
- no OTP was received or shared;
- the transaction was unusual or suspicious;
- the bank failed to detect abnormal activity;
- the bank failed to send timely alerts;
- the bank failed to block the card after notice;
- the bank failed to investigate properly;
- the bank gave a generic denial;
- the cardholder reported promptly upon discovery;
- the bank’s security process was inadequate;
- the disputed charges should not accrue interest or penalties.
The most persuasive arguments are those supported by documents and a clear timeline.
XXIV. Special Issue: OTP Sharing and Social Engineering
Many Philippine credit card fraud cases involve a fraudster pretending to be a bank representative and convincing the cardholder to reveal OTPs or account information.
Banks often state that they repeatedly warn customers not to share OTPs and that disclosure of OTPs makes the cardholder liable.
The cardholder may still argue, depending on the facts, that:
- the bank’s fraud controls were inadequate;
- the transaction was suspicious;
- the fraudster already possessed sensitive information that should not have been available;
- the bank failed to detect account takeover;
- the bank failed to act after notice;
- the bank’s warnings or authentication process were insufficient;
- the bank’s own breach or third-party compromise enabled the fraud.
However, as a practical matter, OTP disclosure significantly weakens the cardholder’s position. Philippine banks commonly treat OTP sharing as strong evidence of cardholder negligence.
XXV. Special Issue: SIM Swap and Mobile Number Compromise
SIM swap fraud occurs when a fraudster gains control of the cardholder’s mobile number, allowing them to receive OTPs and bank alerts.
In such cases, the cardholder may argue that they did not receive the OTPs and did not authorize the transactions. The dispute may involve both the bank and the telecommunications provider.
Evidence may include:
- sudden loss of mobile signal;
- telco reports;
- SIM replacement records;
- unauthorized account changes;
- transaction timestamps;
- bank logs showing OTP delivery;
- proof of immediate report after discovering the compromise.
SIM swap cases are fact-intensive because the bank may claim that OTP authentication occurred, while the cardholder may show that the OTP was intercepted through unauthorized SIM control.
XXVI. Special Issue: Merchant Liability
Sometimes the merchant may bear responsibility, especially where:
- the merchant failed to verify identity;
- the merchant accepted suspicious transactions;
- the merchant shipped goods despite fraud indicators;
- the merchant failed to comply with card network rules;
- the merchant processed recurring charges after cancellation;
- the merchant’s system was breached.
However, cardholders usually deal directly with the issuing bank. The bank may then pursue chargeback or recovery through the card network and merchant-acquirer system.
XXVII. Chargebacks
A chargeback is a reversal process under card network rules. It allows the issuing bank to dispute a transaction with the acquiring bank or merchant under certain grounds, including fraud, non-delivery, duplicate billing, cancellation, or unauthorized transaction.
The cardholder should file disputes promptly because chargeback windows are time-sensitive. Delay can prejudice the bank’s ability to recover from the merchant and may affect the cardholder’s case.
Chargeback rules are not the same as Philippine statutory law, but they are important in practice because they govern how banks and merchants resolve card disputes internally.
XXVIII. Interest, Penalties, and Finance Charges on Disputed Amounts
A recurring problem is whether banks may impose interest, late fees, and finance charges on disputed fraudulent amounts.
The cardholder should insist that disputed charges be placed under investigation and that interest or penalties attributable to those charges be reversed if the dispute is found valid.
If the cardholder refuses to pay the disputed amount but continues paying undisputed charges, they should clearly communicate that non-payment relates only to the fraudulent charges. This helps avoid the appearance of general default.
XXIX. Demand Letters and Collection Agencies
If the bank refers the account to a collection agency while a fraud dispute is pending, the cardholder should respond in writing and attach proof of the pending dispute.
The cardholder should demand that the collector cease collection of disputed amounts until the bank completes a fair investigation. Harassing, threatening, deceptive, or abusive collection practices may be raised before regulators or courts.
XXX. Sample Notice and Dispute Letter
Subject: Dispute of Unauthorized Credit Card Transactions and Request for Reversal
Dear [Bank Name],
I am writing to formally dispute unauthorized transactions charged to my credit card ending in [last four digits].
I did not make, authorize, consent to, or benefit from the following transactions:
| Date | Merchant | Amount | Reference No. |
|---|---|---|---|
| [Date] | [Merchant] | [Amount] | [Reference] |
I discovered the unauthorized transactions on [date and time]. I reported the matter to your hotline/app/branch/email on [date and time] and was given reference number [reference number]. I requested that the card be blocked immediately.
I request that your bank:
- reverse the unauthorized transactions;
- suspend interest, penalties, and finance charges on the disputed amounts;
- refrain from collection activity and adverse credit reporting while the dispute is pending;
- provide the basis, logs, authentication records, merchant details, and investigation findings relating to the disputed transactions;
- confirm in writing that the card has been blocked and replaced.
Attached are copies of my statement, screenshots, alerts, proof of report, and other supporting documents.
This letter is made without admission of liability and with full reservation of my rights.
Sincerely,
[Name]
XXXI. Sample Timeline for a Fraud Complaint
A useful timeline may look like this:
| Event | Date and Time | Evidence |
|---|---|---|
| Unauthorized transaction occurred | [Date/time] | SMS alert, statement |
| Cardholder discovered transaction | [Date/time] | Screenshot, app notification |
| Cardholder called bank | [Date/time] | Call log, reference number |
| Bank blocked card | [Date/time] | Confirmation SMS/email |
| Written dispute submitted | [Date/time] | Email, dispute form |
| Bank response received | [Date/time] | Email/letter |
| Follow-up complaint filed | [Date/time] | Complaint acknowledgment |
| BSP escalation filed | [Date/time] | BSP reference |
This kind of timeline helps establish prompt notice and responsible conduct.
XXXII. Factors That May Determine Liability
The outcome of a credit card fraud dispute commonly depends on these factors:
- whether the cardholder promptly reported the fraud;
- whether the transaction occurred before or after notice;
- whether the cardholder shared OTPs, PINs, or passwords;
- whether the cardholder lost the physical card;
- whether the card was physically present with the cardholder;
- whether the transaction was unusual;
- whether the bank sent alerts;
- whether the bank’s fraud system flagged the transaction;
- whether the bank acted promptly after notice;
- whether the bank gave a reasoned investigation result;
- whether merchant verification was weak;
- whether data breach, SIM swap, or account takeover occurred;
- whether the cardholder disputed within the required period;
- whether the bank continued to impose charges despite a valid dispute.
No single factor is always decisive. The totality of circumstances matters.
XXXIII. Best Practices for Cardholders
Cardholders should:
- activate transaction alerts;
- use low transaction limits where possible;
- lock the card when not in use if the app allows it;
- never share OTPs, PINs, CVVs, or passwords;
- avoid saving cards on unfamiliar websites;
- check statements regularly;
- report suspicious transactions immediately;
- use only official bank websites and apps;
- keep mobile numbers and emails updated;
- secure phones with strong passcodes;
- avoid clicking links in bank-like messages;
- document every communication with the bank.
XXXIV. Best Practices for Banks
Banks should:
- maintain strong fraud detection systems;
- use risk-based authentication;
- send real-time transaction alerts;
- provide easy card locking and blocking;
- maintain 24/7 fraud reporting channels;
- investigate disputes thoroughly;
- explain denial decisions clearly;
- suspend disputed charges when appropriate;
- prevent unfair collection during pending disputes;
- strengthen anti-phishing education;
- protect customer data;
- coordinate with merchants and card networks for chargebacks.
XXXV. Conclusion
Unauthorized credit card fraud in the Philippines is not resolved by a simple rule that the cardholder always pays or that the bank always absorbs the loss. Liability depends on authorization, negligence, notice, timing, evidence, bank conduct, and regulatory obligations.
The notice requirement is central. A cardholder who promptly reports a lost card, compromised account, or unauthorized transaction is in a much stronger position than one who delays. Once the bank receives notice, it must act promptly and responsibly to prevent further loss. Transactions occurring after proper notice are especially difficult for a bank to charge to the cardholder if the bank failed to block the card or otherwise respond effectively.
At the same time, cardholders must safeguard their cards, credentials, OTPs, devices, and account access. Sharing OTPs or delaying reports can seriously weaken a claim. But banks also bear a high duty of diligence, especially because they design and control the systems through which credit card transactions are authorized, monitored, disputed, and collected.
In the Philippine legal context, the issue sits at the intersection of contract law, banking regulation, consumer protection, access device fraud, cybercrime, electronic transactions, and data privacy. The strongest position—whether for cardholder or bank—is always the one supported by prompt action, complete documentation, and a clear factual timeline.