An unauthorized bank transfer is frightening because the money can move through several accounts within minutes. In the Philippines, your best chance of recovering funds usually depends on how fast you report, how complete your evidence is, and whether your bank or e-wallet provider promptly triggers the required fraud-handling process. This guide explains what counts as an unauthorized transfer, what to do in the first few hours, what Philippine laws protect you, how to escalate to the BSP and law enforcement, and what documents you should prepare.
What Counts as an Unauthorized Bank Transfer?
An unauthorized bank transfer happens when money leaves your bank account, e-wallet, or other financial account without your consent. Common examples include:
- Online banking transfers you did not make
- InstaPay or PESONet transfers caused by account takeover
- E-wallet transfers after phishing, SIM swap, malware, or stolen phone access
- ATM or debit card transactions using stolen card details
- QR payments or merchant transfers you did not authorize
- Transfers made after someone tricked you into giving passwords, OTPs, or account credentials
It is different from an erroneous transfer, where you personally sent money but typed the wrong account number or selected the wrong recipient. It is also different from a merchant dispute, where you paid a seller but the seller failed to deliver the goods or services. Those situations may still have remedies, but banks usually handle them differently.
For electronic fund transfers, the important institution to contact first is usually your Originating Financial Institution (OFI) — the bank, e-wallet, or financial provider where the money came from. Under BSP rules, complaints about fund transfers or alleged unauthorized transactions are filed with the OFI, which is primarily responsible for assisting the client and coordinating with the receiving institution.
Your Immediate Priorities in the First Few Hours
When you discover an unauthorized transfer, act as if the next 30 minutes matter. In many fraud cases, the first receiving account is only a pass-through account. The funds may be withdrawn, converted, or sent onward quickly.
1. Secure the account immediately
Do this before arguing with the bank about liability:
- Lock your card or account through the official app, if available.
- Change your online banking password using only the official app or website.
- Log out all devices, if the app has that option.
- Disable biometrics or remove unknown devices linked to the account.
- Call the bank’s fraud hotline and request account blocking or temporary restrictions.
- If your phone was stolen or compromised, contact your telco to suspend the SIM.
- If your email was compromised, change the password and enable two-factor authentication.
Avoid clicking links in SMS, email, or social media messages claiming to be from the bank. Go directly to the official app, official website, branch, or published hotline.
2. Report to your bank or e-wallet provider through its 24/7 fraud channel
BSP Circular No. 1160 requires BSP-supervised institutions to provide free and active reporting channels for fraud-related concerns, which may include phone, mobile number, online portal, email, chatbot, instant messaging, or other monitored channels available on a 24/7 basis. The consumer should receive an immediate written acknowledgment through the same channel.
When reporting, state clearly:
“I am reporting an alleged unauthorized transaction. I did not authorize this transfer. Please block further access, initiate the dispute process, coordinate with the receiving institution, and hold or freeze the disputed funds if still available.”
Ask for:
- Complaint or case reference number
- Name or ID of the agent, if available
- Date and time of report
- Confirmation that the report was treated as a fraud or unauthorized transaction report
- Confirmation that the receiving bank or e-wallet will be notified
- Confirmation whether provisional credit, account blocking, or fund holding is available
Under BSP Circular No. 1160, after receiving fund transfer disputes or alleged unauthorized transactions, the OFI must immediately inform the Receiving Financial Institution (RFI). Pending investigation, the institutions should take actions such as suspending interest, fees, or charges; holding disputed funds if still intact; providing reasonable accommodation such as provisional credit or temporary hold; and taking other necessary actions such as account blocking or freezing of funds.
3. Preserve evidence before anything disappears
Take screenshots or download records showing:
- Transaction reference number
- Amount
- Date and exact time
- Destination bank or e-wallet, if shown
- Account number or partial account number
- SMS, email, or app notification
- Device login alerts
- OTP messages
- Phishing links, fake pages, fake caller numbers, or chat messages
- Bank complaint reference number
- Any failed login attempts or password reset messages
Do not delete suspicious SMS, emails, browser history, call logs, or chat threads. These may help show how the account was compromised.
4. File a written dispute, not only a phone report
A phone call is useful for emergency blocking, but a written complaint creates a clearer record. Send an email or use the bank’s official complaint form. Keep the language simple and factual.
Include:
- Your full name
- Account type and last four digits of account number, if safer
- Transaction details
- Statement that you did not authorize the transfer
- When and how you discovered it
- What security events happened before the transfer, if any
- Screenshots or PDF statements
- Your request for investigation, fund hold, reversal, and written findings
Do not include your full PIN, password, OTP, complete card number, or full online banking credentials. The BSP’s own complaint guide warns consumers not to share PINs, passwords, account numbers, credit card or ATM card numbers, passbooks, passports, or other identification cards when unnecessary for BSP complaint processing.
Your Legal Rights Under Philippine Law
Financial Consumer Protection Act: RA 11765
Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act, protects consumers of deposits, payments, remittances, and digital financial products. It recognizes financial consumers’ rights to fair treatment, disclosure and transparency, protection of assets against fraud and misuse, data privacy, and timely handling and redress of complaints. (Supreme Court E-Library)
For unauthorized transfers, three rights matter most:
| Right | What it means in practice |
|---|---|
| Protection of consumer assets | Banks and e-wallets must maintain systems and controls to protect your funds from fraud and misuse. |
| Timely redress | Your complaint should not be ignored or passed around without clear action. |
| Data protection | Your information should be handled securely, but data privacy should not be misused as an excuse to avoid lawful fraud investigation. |
RA 11765 also requires financial service providers to maintain a Financial Consumer Protection Assistance Mechanism (FCPAM) for free assistance on complaints, inquiries, and requests. In cases of disputed amounts or unauthorized transactions, the provider must suspend interest, fees, and charges or provide similar reasonable accommodations while investigation is pending. (Supreme Court E-Library)
The BSP and SEC may adjudicate purely civil financial consumer claims where the relief sought is payment or reimbursement of money not exceeding ₱10 million. (Supreme Court E-Library)
BSP Rules on Fraud and Unauthorized Transactions
BSP Circular No. 1160 provides practical protections for unauthorized transactions. It requires banks and other BSP-supervised institutions to prioritize fraud-related concerns, maintain 24/7 reporting channels, acknowledge reports, coordinate between originating and receiving institutions, and formally inform the client of the investigation result within three banking days from conclusion of the investigation. If the transaction is found unauthorized or fraudulent, the institution should correct or reverse the transaction and related interest, charges, or fees, or make the provisional credit permanent.
This does not mean every complaint is automatically refunded. The bank will usually examine:
- Whether the transaction was authenticated
- Whether the account holder shared credentials or OTPs
- Whether the bank’s fraud monitoring system flagged suspicious activity
- Whether the bank followed its own security procedures
- Whether there were delays in reporting
- Whether the bank, its employees, agents, or outsourced providers failed to comply with BSP rules
BSP Circular No. 1160 expressly allows liability assessment to consider the actions of the account holder before, during, and after the transaction, as well as the acts or omissions of the bank, its employees, agents, outsourced entities, or service providers.
Anti-Financial Account Scamming Act: RA 12010
Republic Act No. 12010, the Anti-Financial Account Scamming Act (AFASA), is now one of the most important laws for Philippine bank and e-wallet scams. It covers financial accounts such as bank deposit accounts, credit card accounts, transaction accounts, e-wallets, and other accounts used for financial products or services. (Lawphil)
AFASA penalizes:
- Money muling — using, lending, selling, renting, buying, or recruiting others to use financial accounts to receive or move proceeds from crimes, offenses, or social engineering schemes
- Social engineering schemes — using deception, false representation, or electronic communications to obtain sensitive identifying information that results in unauthorized access and control over a financial account
- Related offenses such as opening accounts under fictitious names, using another person’s identity documents, buying or selling accounts, and aiding or attempting these acts (Lawphil)
AFASA also requires institutions to protect access to client financial accounts through adequate controls such as multi-factor authentication (MFA), fraud management systems, and account owner verification processes. If an institution fails to employ adequate controls or fails to exercise the highest degree of diligence, it may be liable for restitution, and conviction of the scammer is not required before restitution may be ordered. (Lawphil)
Temporary holding of disputed funds
AFASA allows institutions to temporarily hold funds subject of a disputed transaction for a BSP-prescribed period not exceeding 30 calendar days, unless extended by a court. A transaction may be treated as disputed if there is reasonable ground to believe it is unusual, without clear economic purpose, from an unlawful source, or facilitated through social engineering. (Lawphil)
BSP Circular No. 1215, Series of 2025, implements this by requiring coordinated verification and allowing temporary holding of disputed funds for not more than 30 calendar days, inclusive of initial and extended holding periods. Once held, the amount in the beneficiary account is considered credited but cannot be withdrawn during the holding period.
In practical terms, this is why fast reporting matters. If the funds are still in the receiving account or somewhere in the transaction chain, a timely complaint may help trigger a hold before the money disappears.
Access Device Fraud, Cybercrime, and Estafa
Depending on the facts, unauthorized bank transfers may also involve:
- Republic Act No. 8484, the Access Devices Regulation Act of 1998, as amended by RA 11449, which penalizes fraudulent acts involving access devices such as cards, account numbers, and other means of obtaining money or value. It includes using unauthorized access devices, trafficking in unauthorized access devices, disclosing access device information without authority, and obtaining money through an access device with intent to defraud. (Lawphil)
- Republic Act No. 10175, the Cybercrime Prevention Act of 2012, which covers offenses such as computer-related fraud and identity theft. (Lawphil)
- Article 315 of the Revised Penal Code, on estafa or swindling, when fraud or deceit caused financial damage.
- Republic Act No. 10173, the Data Privacy Act of 2012, when personal data was unlawfully processed or compromised. (Lawphil)
A criminal complaint is not the same as a bank dispute. The bank dispute is aimed at tracing, holding, reversing, or reimbursing the funds. The criminal complaint is aimed at investigating and prosecuting the scammer, money mule, or syndicate.
What Philippine Courts Say About Bank Responsibility
Philippine courts have long treated banking as a business affected with public interest. In Consolidated Bank and Trust Corporation v. Court of Appeals and L.C. Diaz and Company, the Supreme Court explained that the bank-depositor relationship is governed by contract, but banks must observe high standards because of the fiduciary nature of banking. The Court said banks must treat deposit accounts with meticulous care and assume a degree of diligence higher than that of a good father of a family. (Supreme Court E-Library)
In Banco de Oro Universal Bank, Inc. v. Seastres, the Supreme Court held BDO liable after unauthorized withdrawals were allowed despite the bank’s own procedures. The Court reiterated that banks must exercise the highest degree of diligence in handling client accounts and verifying withdrawals. (Supreme Court of the Philippines)
These cases do not mean the bank is automatically liable in every online scam. They do mean that banks cannot casually dismiss unauthorized transaction complaints, especially where their own security systems, employee actions, verification process, or fraud response may have contributed to the loss.
Step-by-Step Guide: What to Do After an Unauthorized Transfer
Step 1: Call the bank’s fraud hotline immediately
Use the bank’s official website, app, card back, or branch-published number. Do not use a number sent by SMS or found in a suspicious email.
Ask the bank to:
- Block online banking access
- Lock debit card or linked card
- Freeze suspicious outgoing activity
- Initiate unauthorized transaction dispute
- Notify the receiving institution
- Hold disputed funds if still intact
- Give you a written acknowledgment and case number
Step 2: Send a written complaint the same day
Your written complaint should be short, complete, and organized. Attach screenshots but avoid over-sharing sensitive data.
Suggested format:
| Detail | What to include |
|---|---|
| Subject line | “Urgent Unauthorized Transaction Report – Request for Fund Hold and Investigation” |
| Account owner | Full name and registered contact details |
| Transaction | Date, time, amount, reference number, destination institution if known |
| Statement | “I did not authorize this transaction.” |
| Security issue | Phishing, stolen phone, SIM issue, unknown login, no OTP received, or other relevant facts |
| Request | Investigation, fund hold, account protection, reversal, written result |
| Attachments | Screenshots, statement, fraud messages, police report if already available |
Step 3: Ask whether a sworn statement or police report is needed
For quick initial reporting, banks should not delay emergency action just because you do not yet have a notarized affidavit. But for extended verification, escalation, insurance review, or criminal investigation, they may ask for:
- Affidavit of unauthorized transaction
- Police report or cybercrime complaint record
- Valid ID
- Account statement
- Screenshot of transaction history
- Screenshots of phishing messages or fake pages
- Device or SIM incident report, if relevant
BSP Circular No. 1215 recognizes that affidavits, sworn statements, police reports, and other supporting documents may be used in the temporary holding and coordinated verification process, including by beneficiary account owners who challenge a hold.
Step 4: Report to law enforcement if there is fraud, phishing, account takeover, or money mule activity
The BSP’s complaint guide encourages scam or fraud victims to report to law enforcement agencies such as the Philippine National Police (PNP), National Bureau of Investigation (NBI), or Cybercrime Investigation and Coordinating Center (CICC) because these agencies can conduct criminal investigation and apprehension.
Bring or prepare:
- Government ID
- Bank complaint reference number
- Screenshots and transaction records
- URLs, phone numbers, email addresses, and social media accounts used by the scammer
- Timeline of events
- Sworn statement or complaint-affidavit
- Device, SIM, or email compromise details, if applicable
Step 5: Escalate to the BSP if the bank response is delayed or unsatisfactory
The BSP Consumer Assistance Mechanism is a second-level recourse, meaning you generally report to your bank or e-wallet provider first. For new complaints, BSP instructs consumers to report first to the BSI’s FCPAM or customer service channel. If unsatisfied with the action or response, the complaint may be escalated through the BSP Online Buddy (BOB) chatbot until a BSPCMS reference number is generated. If you cannot access BOB, you may use the Complaint/Inquiry/Reply form and email the BSP with proof that you first used the provider’s FCPAM.
Escalate when:
- The bank refuses to receive the complaint
- No written acknowledgment is given
- The bank says “final and irreversible” without investigation
- The bank fails to explain what was done with the receiving institution
- You receive no meaningful update
- The written result is unsupported by facts
- Fees, interest, or penalties continue despite a pending unauthorized transaction dispute
Step 6: Track all deadlines and responses
Create a simple timeline:
| Date and time | Event | Proof |
|---|---|---|
| June 1, 9:05 PM | Unauthorized transfer discovered | App screenshot |
| June 1, 9:15 PM | Fraud hotline called | Call log, reference number |
| June 1, 9:40 PM | Written complaint emailed | Sent email |
| June 2 | Account blocked | Bank confirmation |
| June 3 | Police report filed | Complaint record |
| June 5 | BSP complaint filed | BSPCMS reference |
This timeline is useful because liability may depend partly on what you did before, during, and after the unauthorized transaction.
Documents You May Need
| Purpose | Documents commonly requested |
|---|---|
| Bank dispute | Valid ID, transaction screenshot, account statement, written complaint, fraud messages, case reference |
| Fund hold or extended verification | Affidavit, sworn statement, police report, supporting screenshots, transaction reference |
| BSP escalation | Proof you first reported to the bank, bank response or lack of response, complaint reference, supporting documents |
| PNP/NBI/CICC complaint | Complaint-affidavit, IDs, screenshots, phone/email/chat records, URLs, account details, bank certification if available |
| Civil recovery or court action | Demand letters, bank findings, BSP records, affidavits, evidence of loss, expert or digital evidence if needed |
Practical Timelines to Expect
| Process | Typical timing |
|---|---|
| Emergency bank report | Immediately, ideally within minutes or hours |
| Written acknowledgment | Usually immediate or within the bank’s complaint system timeline |
| Initial account blocking | Often same day, depending on bank channel and verification |
| OFI-to-RFI coordination | Should be immediate upon receipt of unauthorized transaction report under BSP rules |
| Formal investigation result | BSP Circular No. 1160 requires formal notice within 3 banking days from conclusion of investigation |
| Temporary holding of disputed funds under AFASA/BSP rules | Up to 30 calendar days, unless extended by court |
| BSP escalation | After bank FCPAM action is unsatisfactory or unresolved |
| Criminal investigation | Variable; may take weeks to months depending on evidence, account tracing, subpoenas, and agency workload |
| Civil or adjudicatory recovery | Variable; BSP adjudication may be available for qualifying purely civil claims up to ₱10 million |
Special Situations
You gave the OTP or password after being tricked
Do not assume the case is hopeless. Banks may argue customer negligence, but social engineering is specifically recognized under AFASA. The investigation should still consider whether the bank had adequate security controls, fraud monitoring, suspicious transaction detection, transaction limits, device checks, or warnings. AFASA requires institutions to protect access through controls such as MFA and fraud management systems, and BSP regulations now require fraud systems that can detect suspicious or fraudulent transactions and trigger temporary holding when appropriate. (Lawphil)
The bank says InstaPay or PESONet transfers are final
Settlement finality does not mean the bank may ignore a fraud complaint. The transaction may be difficult to reverse if the money has been withdrawn or moved onward, but BSP rules still require complaint handling, coordination, investigation, and possible holding of disputed funds if available.
BSP Circular No. 1195 specifically addresses consumer redress standards for account-to-account electronic fund transfers under the National Retail Payment System framework, including domestic P2P, P2M, and P2B payments. (Bureau of Soils and Water Management)
The receiving account belongs to a money mule
A money mule is a person whose account is used to receive, transfer, or withdraw proceeds of crimes, offenses, or social engineering schemes. Under AFASA, lending, selling, renting, buying, or allowing the use of a financial account for such proceeds can be a punishable offense. (Lawphil)
This matters because the recipient may not be the mastermind. The real fraudster may have used a student, job applicant, online seller, or financially desperate person to receive and move the funds.
You are an OFW, foreigner, or outside the Philippines
You can still report to the Philippine bank or e-wallet provider through official digital channels. If a sworn affidavit, special power of attorney, or notarized statement is needed, check whether the receiving Philippine institution will accept:
- A document notarized before a Philippine Embassy or Consulate
- A locally notarized document with an apostille, if executed in an Apostille Convention country
- A local notarization plus consular authentication, if the country is not covered by apostille arrangements
Philippine consular posts commonly handle notarization or acknowledgement of private documents such as affidavits, sworn statements, and special powers of attorney for use in the Philippines, while apostilled documents from competent foreign authorities may also be accepted depending on the country and document type. (Philippine Embassy)
Common Mistakes That Hurt Unauthorized Transfer Claims
- Waiting several days before reporting
- Reporting only through social media comments instead of official fraud channels
- Failing to get a case reference number
- Deleting OTP messages, phishing links, or call logs
- Sending the BSP a complaint without first reporting to the bank
- Sharing full PINs, passwords, or OTPs in emails or forms
- Giving inconsistent timelines
- Saying “I was scammed” without identifying the exact disputed transaction
- Accepting a verbal denial without asking for written findings
- Posting full account details publicly on Facebook, X, TikTok, or group chats
Frequently Asked Questions
Can I get my money back after an unauthorized bank transfer?
Yes, it is possible, but not guaranteed. Recovery depends on how fast you report, whether the funds are still traceable or intact, how the transaction was authenticated, whether the bank followed BSP rules, and whether the bank or e-wallet provider had adequate fraud controls. If the transaction is found unauthorized or fraudulent, BSP rules require correction or reversal of the transaction and related fees or charges.
Should I report to the bank, BSP, or police first?
Report to the bank or e-wallet provider first because emergency blocking, OFI-to-RFI coordination, and possible fund holding must start there. Report to the BSP if the bank’s response is unresolved or unsatisfactory. Report to PNP, NBI, or CICC if there is phishing, identity theft, account takeover, money mule activity, or another criminal scam.
What if the bank says I authorized it because an OTP was used?
Ask for a written explanation of the investigation findings. OTP use is important evidence, but it is not always the end of the inquiry. Social engineering, SIM compromise, device takeover, malware, unusual transaction patterns, bank system weakness, or failure of fraud monitoring may still be relevant.
Can the bank reveal the name of the recipient account holder?
Usually, the bank will be cautious because of bank secrecy and data privacy rules. However, AFASA allows coordinated verification and gives the BSP authority to investigate and inquire into financial accounts involved in prohibited acts. Bank secrecy and data privacy laws do not apply in the same way to financial accounts subject to BSP investigation under AFASA. (Lawphil)
How long can disputed funds be held?
Under AFASA and BSP Circular No. 1215, disputed funds may be temporarily held for not more than 30 calendar days, including initial and extended holding periods, unless a court extends the period. (Lawphil)
Do I need a notarized affidavit?
For emergency reporting, you should report immediately even without an affidavit. For extended investigation, BSP escalation, law enforcement, or court use, a notarized affidavit or sworn statement may be requested. If you are abroad, you may need consular notarization or apostille depending on where the document is executed.
What if I transferred money to the wrong account by mistake?
That is usually treated as an erroneous transfer, not an unauthorized transfer. Report immediately to your own bank and provide your name, contact number, source account, payee details, amount, date, and time. BSP Circular No. 1160 separately discusses erroneous transactions and requires the consumer to report the mistake to the OFI with key transaction details.
Can I file a case directly in court?
Yes, depending on the facts and amount involved, but court action is usually slower and more expensive than immediate bank reporting, BSP escalation, and law enforcement reporting. For qualifying purely civil claims involving payment or reimbursement of money not exceeding ₱10 million, RA 11765 gives the BSP adjudicatory authority over covered financial transactions. (Supreme Court E-Library)
Is the bank always liable for unauthorized transfers?
No. Liability depends on the facts. Philippine law considers both the customer’s actions and the bank’s acts or omissions. However, banks are held to a high standard of diligence because banking is imbued with public interest, and courts have held banks liable where their negligence or failure to follow safeguards allowed unauthorized withdrawals.
Key Takeaways
- Report the unauthorized transfer to your bank or e-wallet provider immediately through its official 24/7 fraud channel.
- Ask for account blocking, OFI-to-RFI coordination, disputed fund holding, written acknowledgment, and a case reference number.
- File a written dispute the same day and preserve screenshots, OTP messages, phishing links, call logs, and transaction records.
- RA 11765 protects financial consumers’ rights to asset protection, fair treatment, data privacy, and timely complaint redress.
- BSP Circular No. 1160 requires priority handling of fraud-related concerns and coordination between originating and receiving institutions.
- RA 12010, or AFASA, strengthens remedies against money muling, social engineering, and misuse of financial accounts.
- Disputed funds may be temporarily held for up to 30 calendar days under AFASA and BSP rules, unless extended by a court.
- Escalate to BSP after using the bank’s FCPAM if the response is delayed, incomplete, or unsatisfactory.
- Report to PNP, NBI, or CICC when the facts suggest phishing, account takeover, cybercrime, or money mule activity.
- Do not share PINs, passwords, OTPs, complete account details, or sensitive IDs in unsecured emails, forms, or public posts.