QuestionsQuestions (Republic Act No. 11449)
It recognizes advances in technology and the widespread use of access devices, and states that the State will regulate issuance and use to define liabilities and protect rights. It also declares that criminals exploiting access devices undermine public trust in the banking industry, and that crimes using access devices constitute economic sabotage and are heinous crimes punishable to the maximum level allowed by law.
It broadens “Access Device” to include not only cards/plates/codes/account numbers, but also electronic serial numbers, PINs, or other telecommunications service/equipment/instrumental identifiers, and other account-access means that can obtain money, goods, services, or other things of value, or initiate fund transfers other than those originated solely by paper instrument.
It is unauthorized access into or interference with a computer system/server or information and communications system, or access to corrupt, alter, steal, or destroy without the owner’s knowledge and consent, including introduction of computer viruses and similar acts, resulting in corruption, destruction, alteration, theft, or loss of electronic data messages or electronic documents.
It defines Card Skimming as fraud involving illegal copying of information from the magnetic stripe of a payment card to gain access to customer accounts.
The prohibited acts include producing, using, trafficking in counterfeit access devices; skimming/copying/counterfeiting credit/payment/debit cards with intent to access and operate the accounts regardless of whether cash is withdrawn or monetary injury occurs; producing or possessing software/hardware (e.g., skimming devices or malware) used to perpetrate the acts; accessing online banking/ATM/debit/credit accounts in a fraudulent manner regardless of monetary loss; and hacking as defined in the Act.
No. For the prohibited acts under Section 9(p) (skimming/counterfeiting and obtaining information with intent to access and operate the account), it is explicitly unlawful “whether or not cash is withdrawn or monetary injury is caused.”
It criminalizes fraudulent access regardless of whether it results in monetary loss to the account holder; hence, actual loss is not required for liability under that item.
It increases penalties and provides graduated imprisonment and fines depending on (1) the specific prohibited act/item, (2) whether at least one account was accessed or credit gained in cases involving possession of 10 or more counterfeit/unauthorized access devices, (3) whether the offense was committed after conviction for another offense under the same section, and (4) whether the circumstances constitute “economic sabotage”.
If the offender has possession of 10 or more counterfeit access devices/unauthorized access devices and was able to access at least one account or gain credit by fraudulent use, the penalty is imprisonment of not less than 12 years and not more than 20 years plus a fine twice the equivalent of the aggregate amount of all affected or exposed bank accounts, with a minimum fine of P500,000.
Imprisonment of not less than 6 years and not more than 12 years plus a fine of P300,000 or twice the equivalent of the aggregate amount of all affected or exposed bank accounts, whichever is higher.
Imprisonment of not less than 4 years and not more than 6 years and a fine twice the value of the fraudulent obtained credit, without prejudice to civil liability.
It increases the penalty: imprisonment of not less than 12 years but not more than 20 years and a fine of P800,000 or twice the value obtained by the offender, whichever is higher, without prejudice to civil liability; it also covers attempts to commit the same.
Economic sabotage is deemed committed when any prohibited act is committed under any of the circumstances: (1) the act involves hacking of a bank’s system; (2) skimming affected 50 or more payment cards; or (3) the prohibited act affected 50 or more online banking accounts, credit cards, payment cards, and debit cards.
Life imprisonment and a fine not less than P1,000,000 but not more than P5,000,000.
If a cardholder abandons or surreptitiously leaves the stated place without informing the credit card company, and the outstanding unpaid balance is past due for at least 90 days and exceeds P200,000, the cardholder is prima facie presumed to have used the credit card with intent to defraud.
All issuers of access devices (banks, financing companies, other financial institutions, and partner merchants) must conduct an initial investigation on reported access device fraud and furnish real-time reports to the NBI and the Anti-Cybercrime Group of the PNP. The report must narrate the fraud and identify the perpetrator if feasible, and it shall constitute the complaint necessary for further investigation and prosecution. Banks/financial institutions remain regulated by BSP; other issuers by SEC.