If you saw a charge you did not make, the most important question is not simply “Was my card used?” but when you reported it, what kind of transaction it was, and whether the bank can prove it was authorized. In the Philippines, liability for unauthorized credit card transactions may fall on the cardholder, the credit card issuer, the merchant/acquirer, or the fraudster — depending on the facts. The law gives cardholders strong dispute rights, but it also expects them to report quickly, preserve evidence, and continue paying any undisputed part of the bill.
The Basic Rule: Who Pays for Unauthorized Credit Card Charges?
There is no single answer for every case. Philippine law looks at the timing and cause of the unauthorized transaction.
| Situation | Usual liability result |
|---|---|
| Card was lost or stolen, and transactions happened before you reported it | Initially for the cardholder’s account, but still disputable if fraudulent or unauthorized |
| Card was lost or stolen, and transactions happened after you reported it | Generally not the cardholder’s liability |
| Online transaction using card details, but you still have the physical card | Depends on the bank’s investigation, authentication records, merchant records, and evidence of fraud |
| Supplementary card used by an authorized supplementary cardholder | Usually charged to the principal cardholder, unless issuance or use was unauthorized |
| Bank issued a card or supplementary card without clear consent | Bank may bear the loss if it cannot prove application, consent, receipt, and authorized use |
| Fraudster used stolen card details, phishing, skimming, hacking, or identity theft | Fraudster has criminal and civil liability; bank/merchant liability depends on security and dispute findings |
The practical rule is this: report first, dispute in writing, and force the issue into the bank’s formal investigation process. A customer service phone call is helpful for blocking the card, but it is not enough if you later need to prove what happened.
Legal Basis in the Philippines
Republic Act No. 10870: Philippine Credit Card Industry Regulation Law
Republic Act No. 10870, enacted in 2016, is the main law regulating the Philippine credit card industry. It covers credit card issuers, acquirers, and credit card transactions.
For lost or stolen cards, Section 15 states that any transaction made before reporting the loss or theft to the credit card issuer shall be for the account of the cardholder. Section 18 also gives cardholders up to 30 calendar days from statement date to report any error or discrepancy in the billing statement, and the issuer must take action within 10 business days from receipt of the notice. (Supreme Court E-Library)
This does not mean the bank can automatically ignore your dispute. BSP Circular No. 1003, which implements RA 10870, clarifies that even transactions made before the report may still be disputed. If the transaction is found to be unauthorized or fraudulent, the bank must correct or reverse it, including related finance charges and fees. (Supreme Court E-Library)
BSP Circular No. 1003: Credit Card Issuer Duties
BSP Circular No. 1003 requires banks to have a Consumer Assistance Unit for credit card complaints. It also provides a practical timeline:
- The cardholder has up to 30 calendar days from statement date to report a billing error or discrepancy.
- The report may be written, verbal, or through another documented means.
- The bank must take action within 10 business days from receipt of notice and relevant documents.
- The bank must conduct a thorough investigation, make corrections if warranted, and send a written explanation within 90 days after receipt of the notice, before collecting the contested amount. (Supreme Court E-Library)
This 90-day period matters. Many cardholders give up after the first customer service denial. But under BSP rules, a proper dispute should be investigated, documented, and answered in writing.
Republic Act No. 8484, as Amended by RA 11449: Access Device Fraud
Credit cards are “access devices” under Republic Act No. 8484, the Access Devices Regulation Act of 1998. The law defines an access device broadly to include cards, account numbers, PINs, codes, and other means of account access. It also defines an unauthorized access device as one that is stolen, lost, expired, revoked, cancelled, suspended, or obtained with intent to defraud. (Lawphil)
RA 8484 also says that when an access device is lost, the holder must notify the issuer upon knowledge of the loss. Full compliance absolves the holder from financial liability for fraudulent use from the time the loss or theft is reported. (Lawphil)
RA 11449, enacted in 2019, strengthened RA 8484 by adding modern fraud offenses such as skimming, copying or counterfeiting cards, possessing skimming devices or malware, fraudulently accessing online banking or credit card accounts, and hacking. It also increased penalties, including imprisonment and fines, and treats certain large-scale or system-hacking offenses as economic sabotage. (Supreme Court E-Library)
Republic Act No. 11765: Financial Products and Services Consumer Protection Act
RA 11765, enacted in 2022, gives financial consumers additional protection. It requires financial service providers to maintain a free consumer assistance mechanism for complaints, inquiries, and requests. Importantly, for alleged disputed amounts or unauthorized transactions, the provider must suspend the imposition of interest, fees, and charges, or provide similar reasonable accommodations while the final investigation is pending.
This is very useful when a bank says: “Pay first while we investigate.” The better response is to request in writing that the disputed amount be segregated and that interest, late fees, penalties, and negative credit reporting on the disputed amount be suspended pending investigation.
Supreme Court Doctrine: Prompt Notice Protects the Cardholder
In Spouses Ermitaño v. Court of Appeals and BPI Express Card Corp., the Supreme Court dealt with unauthorized purchases made after the cardholder reported a lost card. The Court ruled that prompt notice to the credit card company should be enough to relieve the cardholder from liability for unauthorized use after notice. The Court rejected a contract stipulation that kept the cardholder liable until the company had notified all member merchants, calling it unfair, unjust, and contrary to public policy. (Supreme Court E-Library)
This case remains important because it shows how Philippine courts look beyond fine print. A credit card contract is usually a contract of adhesion — a take-it-or-leave-it contract prepared by the bank. Such contracts are not automatically void, but one-sided clauses may be struck down when they become unfair under the circumstances.
When the Bank Must Prove Consent and Authorized Use
In Bank of the Philippine Islands v. Spouses Sarda, the Supreme Court held that BPI could not recover credit card charges where it failed to prove receipt, consent, authorized issuance of a supplementary card, and actual authorized use. The Court emphasized that statements of account alone were not enough to prove that the alleged cardholder made the purchases. It also noted that credit card issuers must exercise proper diligence before issuing cards, and that merchants must perform due diligence to establish the cardholder’s identity. (Supreme Court E-Library)
This is especially relevant when a person receives a demand letter for a card they never applied for, a supplementary card they never authorized, or transactions they never made.
What Counts as an Unauthorized Credit Card Transaction?
An unauthorized transaction may include:
- Purchases made after your card was stolen or lost
- Online purchases using your card number, CVV, expiry date, or OTP without your consent
- Transactions after your card was reported blocked or compromised
- Charges made by a merchant you never dealt with
- Duplicate charges or inflated amounts
- Transactions made through a supplementary card you did not request or approve
- Cash advances you did not perform
- Foreign currency transactions from a place you never visited
- Card-not-present transactions caused by phishing, smishing, vishing, malware, or leaked card details
Not every unfamiliar charge is fraud. Some merchants use a different billing name from their store name. Before filing a formal fraud dispute, check:
- Your email receipts
- App subscriptions
- Food delivery, ride-hailing, gaming, cloud storage, and streaming accounts
- Family members or supplementary cardholders
- Hotel deposits, car rental holds, and foreign transaction conversions
But if you are not sure, report immediately anyway. Delay is one of the most common reasons banks deny disputes.
Step-by-Step: What to Do Immediately After Seeing an Unauthorized Charge
1. Lock or block the card immediately
Use the bank app if available, then call the hotline. Ask for:
- Permanent blocking or temporary lock
- Replacement card
- Reference number
- Date and time of report
- Name or ID of the agent, if provided
Take screenshots if you reported through the app or chat.
2. File a formal dispute with the issuer
Do not rely only on a phone call. Submit a written dispute through the bank’s official channel, email, app, branch, or dispute form.
Your dispute should include:
- Your name and contact details
- Last four digits of the card only
- Statement date
- Transaction date and posting date
- Merchant name
- Amount and currency
- Reason you dispute the charge
- Statement that you did not authorize, benefit from, or participate in the transaction
- Request to reverse the charge and related finance charges, fees, and penalties
- Request to suspend interest, fees, collection, and negative credit reporting on the disputed amount while under investigation
3. Preserve evidence
Save everything before it disappears:
- Billing statement
- SMS alerts
- Email alerts
- App notifications
- Screenshots of the transaction
- Bank chat logs
- Hotline reference numbers
- Timeline of events
- Proof that you were elsewhere, if relevant
- Travel records, passport stamps, boarding passes, or work attendance records
- Police blotter, NBI complaint, or PNP Anti-Cybercrime report, if available
Do not delete phishing texts, emails, or suspicious links. Take screenshots and preserve sender details.
4. Pay only the undisputed portion, if possible
If your bill includes legitimate purchases plus fraudulent charges, pay the legitimate portion on time. For the disputed amount, ask the bank in writing to segregate it and suspend interest, penalties, and late charges pending investigation.
This helps avoid a common problem: the bank later says the entire account became delinquent because the cardholder ignored the bill.
5. Follow up before the payment due date and before 30 days from statement date
The 30-day period from statement date under RA 10870 and BSP Circular No. 1003 is important. Even if you reported by phone earlier, submit a documented dispute within that window whenever possible.
If you discovered the fraud after 30 days, still report it. Explain when and how you discovered the transaction. A late dispute is harder, but it is not always hopeless, especially in cases of identity theft, non-receipt of statements, fraud concealment, or bank system issues.
6. Escalate to BSP if the bank denies or ignores you
The BSP Consumer Assistance Mechanism is a second-level recourse. BSP instructs consumers to first report to the financial institution’s Financial Consumer Protection Assistance Mechanism or customer service channel. If unsatisfied, the consumer may escalate through the BSP Online Buddy or, if there is no access to BOB, by sending a CIR Form and proof of prior bank complaint to BSP.
BSP’s official complaint page explains that BOB can process complaints and issue a reference number, while email submission remains available through consumeraffairs@bsp.gov.ph for those without access to BOB. (Bureau of the Treasury)
Who May Be Liable?
The cardholder
The cardholder may be liable when:
- The transaction was actually authorized.
- The transaction was made by a supplementary cardholder within authority.
- The card was lost or stolen and the transaction happened before reporting, unless later found fraudulent and reversible.
- The cardholder unreasonably delayed reporting despite receiving alerts or statements.
- The cardholder shared the card, PIN, OTP, CVV, password, or account access with another person.
- The dispute is unsupported and the bank can show credible authentication and usage records.
But banks sometimes overstate this. The mere fact that an OTP was used does not automatically prove the cardholder authorized the transaction. A fair investigation should consider phishing, SIM compromise, device compromise, unusual spending pattern, IP/device mismatch, merchant risk, and whether the bank’s fraud detection acted reasonably.
The credit card issuer or bank
The issuer may be liable or required to reverse the charge when:
- The transaction occurred after timely report of loss, theft, or compromise.
- The transaction is found unauthorized or fraudulent after investigation.
- The bank failed to block the card after notice.
- The bank failed to follow its own dispute procedure.
- The bank issued a card or supplementary card without clear, documented consent.
- The bank cannot prove receipt, acceptance, or authorized use.
- The bank continued charging interest, penalties, or collection pressure on a disputed unauthorized amount without proper accommodation.
- The bank’s system, personnel, agent, or outsourced service provider contributed to the unauthorized transaction.
RA 11765 is especially important here because financial service providers are responsible for the acts or omissions of their directors, officers, employees, agents, and accredited third-party service providers in dealing with financial consumers.
The merchant and acquirer
The merchant is the store, website, airline, hotel, or platform that accepted the card. The acquirer is the institution that processes card transactions initially accepted by the merchant.
For the cardholder, the direct dispute is usually with the issuer. Behind the scenes, the issuer may pursue a chargeback through the card network against the acquirer or merchant. The merchant may bear the loss if it accepted a transaction without required verification, failed to follow card network rules, processed duplicate charges, or could not produce adequate proof of the transaction.
RA 10870 recognizes the acquirer’s role and requires service level agreements between acquiring banks and partner merchants to include a duty for merchants to perform due diligence in establishing the identity of cardholders. The Supreme Court relied on this framework in BPI v. Sarda. (Supreme Court E-Library)
The fraudster
The fraudster may face criminal and civil liability under:
- RA 8484, as amended by RA 11449, for access device fraud
- RA 10175, the Cybercrime Prevention Act of 2012, for computer-related fraud, identity theft, illegal access, or related cyber offenses
- The Revised Penal Code, when the facts also support estafa, falsification, theft, or other crimes
- Civil Code provisions on damages, if the victim or affected institution pursues civil recovery
RA 10175 penalizes computer-related fraud and computer-related identity theft, which may apply when credit card credentials or identity information are acquired or used through online means. (Lawphil)
Common Real-Life Scenarios
“My card was stolen, and the thief used it before I called the bank.”
Under RA 10870, pre-report transactions are initially for the cardholder’s account. But under BSP Circular No. 1003, you may still dispute them. If the investigation shows the transactions were unauthorized or fraudulent, the bank should reverse the charges, including related finance charges and fees. (Supreme Court E-Library)
Evidence that helps:
- Police blotter
- Time of theft
- Time of bank report
- Transaction timestamps
- CCTV request, if available
- Proof that signatures or IDs were not verified
- Location evidence showing you were elsewhere
“I still have my physical card, but someone used it online.”
This is common in card-not-present fraud. The bank will usually check whether the CVV, OTP, 3D Secure authentication, device fingerprint, IP address, and merchant records support the transaction.
Do not simply say, “I did not do it.” Give a timeline:
- Where your card was stored
- Whether you received an OTP
- Whether you clicked any link
- Whether your phone was lost or SIM was compromised
- Whether the transaction pattern was unusual
- Whether the merchant is unknown to you
“The bank says an OTP was used, so I must pay.”
An OTP is strong evidence, but it should not end the investigation automatically. Ask for the basis of the denial in writing. Request details the bank can disclose, such as transaction channel, authentication method, device or merchant category, and why the bank concluded that you authorized the transaction.
If phishing, SIM swap, malware, or account takeover is possible, report the cybercrime aspect to the NBI Cybercrime Division or PNP Anti-Cybercrime Group. The NBI’s Citizens Charter includes investigative assistance for victims of computer crimes and a complaint-filing process through its cybercrime division. (National Bureau of Investigation)
“A supplementary card was used, but I never requested it.”
This is a serious dispute. The bank should be able to show a clear request, documented consent, delivery, acceptance, and authorized use. In BPI v. Sarda, the Supreme Court rejected the bank’s claim where it failed to prove consent and authorized use of the principal and supplementary cards. (Supreme Court E-Library)
“A collection agency is harassing me while my dispute is pending.”
RA 10870 and BSP Circular No. 1003 prohibit harassment, abuse, oppression, and unfair collection practices. BSP rules also list examples such as threats of violence, obscene or insulting language amounting to an offense, false threats, communicating false credit information, deceptive collection methods, and contacting the cardholder before 6:00 a.m. or after 10:00 p.m. without permission. (Supreme Court E-Library)
Send the bank a written objection and ask it to recall or suspend collection of the disputed amount. If the conduct continues, include screenshots, call logs, recordings where legally obtained, and collection letters in your BSP complaint.
“Can I be jailed for not paying a disputed credit card bill?”
For ordinary non-payment of a credit card debt, no. Article III, Section 20 of the 1987 Constitution states that no person shall be imprisoned for debt or non-payment of a poll tax. (Lawphil)
But fraud is different. A person may face criminal liability if the credit card was used with intent to defraud, if a false identity was used, if card data was stolen, or if the facts fall under RA 8484, RA 11449, RA 10175, estafa, falsification, or another penal law.
Documents to Prepare for a Credit Card Dispute
| Document | Why it matters |
|---|---|
| Billing statement | Shows statement date, posting date, amount, and merchant |
| Screenshot of transaction alert | Helps prove when you first learned of the charge |
| Bank dispute form or email | Creates a documented complaint |
| Hotline reference number | Proves timely reporting |
| Affidavit of unauthorized transaction | Often required by banks for fraud investigation |
| Police blotter or cybercrime complaint | Useful for lost card, theft, phishing, identity theft, or large amounts |
| Copy of valid ID | Used by banks to verify the complainant |
| Travel, work, or location proof | Helps show you could not have made the transaction |
| Email/SMS phishing evidence | Supports account compromise or social engineering |
| Prior correspondence with merchant | Useful for duplicate billing, failed refunds, or cancelled orders |
For Filipinos abroad and foreigners dealing with Philippine banks, most initial disputes can be filed by email, app, or hotline. If a notarized affidavit is required, the bank may accept a notarized document from abroad, but for Philippine court or formal agency use, foreign notarization may need apostille or consular authentication depending on the country and purpose.
Practical Timeline
| Stage | Usual timing |
|---|---|
| Blocking the card | Same day, usually immediately after report |
| Formal dispute filing | Ideally within a few days; legally important within 30 calendar days from statement date |
| Bank initial action | Within 10 business days after notice and relevant documents |
| Bank investigation | Up to 90 days after receipt of notice under BSP Circular No. 1003 |
| BSP escalation | After bank response is unsatisfactory or the bank fails to act through its FCPAM |
| Criminal complaint | May be filed when there is theft, phishing, skimming, hacking, identity theft, or fraud evidence |
The biggest bottlenecks are incomplete documents, delayed reporting, failure to get reference numbers, and disputes made only by phone without written proof.
Frequently Asked Questions
Who is liable for unauthorized credit card transactions in the Philippines?
It depends on the facts. If the transaction happened after you reported the card lost, stolen, or compromised, the issuer generally should bear the loss. If it happened before reporting, it may initially be charged to you, but you can still dispute it. If the investigation confirms fraud, the bank should reverse the charge and related fees.
Do I have to pay unauthorized credit card charges while the dispute is pending?
You should pay the undisputed portion of the bill. For the disputed amount, ask the bank in writing to suspend interest, penalties, collection activity, and negative credit reporting while the investigation is pending. RA 11765 supports this request for alleged unauthorized transactions.
What is the deadline to dispute a credit card transaction?
Under RA 10870 and BSP Circular No. 1003, cardholders must be given up to 30 calendar days from statement date to report billing errors or discrepancies. Report earlier if possible. If the 30 days has passed, still report and explain when you discovered the fraud.
Can the bank deny my dispute because an OTP was used?
The bank may treat OTP use as strong evidence, but it should still investigate the full circumstances. OTP use may occur in phishing, SIM compromise, malware, or account takeover cases. Ask for the written basis of denial and escalate if the explanation is incomplete or unreasonable.
What if the bank refuses to reverse the charge?
Ask for the final investigation result in writing. Then escalate to BSP through the BSP Consumer Assistance Mechanism, attaching your dispute, the bank’s response, statements, screenshots, reference numbers, and proof that the charge was unauthorized.
Should I file a police report or NBI cybercrime complaint?
File one when the case involves theft, lost card, phishing, hacking, identity theft, SIM compromise, skimming, or a significant amount. A police blotter or NBI/PNP cybercrime complaint is not always required for every bank dispute, but it strengthens your evidence.
Can the bank send a collection agency while the charge is disputed?
The bank may collect undisputed amounts, but it should not harass you or misrepresent a disputed debt. RA 10870 and BSP rules prohibit abusive and unfair collection practices. Document collection calls, messages, letters, and threats, then include them in your bank and BSP complaints.
What if the unauthorized charge is from a foreign merchant?
Dispute it with your Philippine issuer immediately. Foreign merchant cases may take longer because the issuer may need information from the card network, acquirer, or merchant abroad. Provide proof that you did not travel, did not order from the merchant, or did not receive goods or services.
Is the principal cardholder liable for a supplementary card’s transactions?
Usually yes, if the supplementary card was validly requested, issued, received, and used by an authorized supplementary cardholder. But if the supplementary card was issued without clear consent or used without authority, the principal cardholder can dispute liability and require the bank to prove authorization.
Can unpaid credit card debt become a criminal case?
Mere non-payment is not a crime. The Constitution prohibits imprisonment for debt. But fraudulent use of a credit card, false identity, skimming, hacking, identity theft, or using a card with intent to defraud may create criminal liability under RA 8484, RA 11449, RA 10175, the Revised Penal Code, or other laws.
Key Takeaways
- Report unauthorized credit card transactions immediately and get a reference number.
- File a written dispute, not just a hotline complaint.
- The 30-day period from statement date is important, but late-discovered fraud should still be reported.
- Under BSP rules, the bank must investigate and correct or reverse charges found to be unauthorized or fraudulent.
- Transactions after timely report of loss, theft, or compromise generally should not be charged to the cardholder.
- Ask the bank to suspend interest, penalties, collection, and negative reporting on the disputed amount while investigation is pending.
- Escalate unresolved disputes to the BSP Consumer Assistance Mechanism.
- Fraudsters may face criminal liability, but ordinary non-payment of credit card debt is not punishable by imprisonment.
- Keep documents, screenshots, statements, reference numbers, and timelines; in credit card disputes, evidence often decides liability.