ERC Rules on Switching, Billing, and Disconnection

Policy declaration and purpose

The State recognizes the advances in technology and the widespread use of access devices in commercial transactions.
The State must protect rights and define liabilities of parties in commercial transactions by regulating the issuance and use of access devices.
The State acknowledges that advances in information technology on access devices have been exploited by criminals and criminal syndicates to perpetrate fraudulent activities undermining public trust in the banking industry.
The law declares that commission of a crime using access devices is a form of economic sabotage and a heinous crime, punishable to the maximum level allowed by law.
The law frames access-device fraud as a serious offense due to its deleterious effect on the economy.

Key definitions under the amended law

“Access Device” means any card, plate, code, account number, electronic serial number, personal identification number, or other telecommunications service, equipment, or instrumental identifier, or other means of account access that can be used to obtain money, goods, services, or any other thing of value, or to initiate a transfer of funds (other than a transfer originated solely by paper instrument).
“Payment Card” refers to cards accepted by terminals to withdraw cash and/or make payment for purchase of goods or services, fund transfer, and other financial transactions, typically linked to electronically deposits, prepaid, or loan credit accounts.
“Counterfeit Access Device” means access that is counterfeit, fictitious, altered, or forged; or an identifiable component of an access device or counterfeit access device; or any fraudulent copy or reproduction of a valid access device.
“Hacking” refers to unauthorized access into or interference in a computer system/server or information and communications system; or any access to corrupt, alter, steal, or destroy using a computer or similar information and communication device without the owner’s knowledge and consent, including introduction of computer viruses and like, resulting in corruption, destruction, alteration, theft, or loss of electronic data message or electronic documents.
“Payment Card” (alternate definition in the amendment) includes any kind of debit card (but not a credit card) issued by a bank or business entity enabling a customer to access an automated teller machine to perform transactions such as deposits, cash withdrawals, and obtaining account information; a payment card is considered an access device for purposes of the Act.
“Card Skimming” means a type of fraud involving illegal copying of information from the magnetic stripe of a payment card to gain access to customer accounts.
“Application” means a computer program designed to perform a group of coordinated functions, tasks, or activities for the benefits of the user.
“Online Banking” refers to the use of the internet by bank customers to manage bank accounts and perform account transactions.

Prohibited acts constituting access device fraud

The amended law declares the following acts to constitute access device fraud and to be unlawful.
Producing, using, trafficking in one or more counterfeit access devices constitutes access device fraud.
Skimming, copying, or counterfeiting any credit card, payment card or debit card and obtaining any information therein with intent of accessing the account and operating the same, whether or not cash is withdrawn or monetary injury is caused against the account holder or the depository bank, constitutes access device fraud.
Production or possession of any software component such as programs, application, or malware, or any hardware component such as skimming device or any electronic gadget or equipment used to perpetrate any of the foregoing acts constitutes access device fraud.
Accessing, with or without authority, any application, online banking account, credit card account, ATM account, or debit card account in a fraudulent manner, regardless of whether monetary loss results, constitutes access device fraud.
Hacking—unauthorized access into or interference in a computer system/server, or information and communication system, or access to corrupt, alter, steal, or destroy without the owner’s knowledge and consent, including introduction of computer viruses and like resulting in corruption, destruction, alteration, theft, or loss of electronic data messages or electronic documents—constitutes access device fraud.

Penalties and escalation rules

A person committing any act constituting access device fraud under the immediately preceding section is punished under the penalty scheme in Section 10.
Section 10(a): Imprisonment of not less than twelve (12) years and not more than twenty (20) years and a fine twice the equivalent of the aggregate amount of all affected or exposed bank accounts, but the fine is not less than PHP 500,000.00 if the offender possesses ten (10) or more counterfeit access devices and/or unauthorized access devices and was able to access at least one (1) account or had gained credit by fraudulent use of any such access device in possession.
Section 10(b): Imprisonment of not less than six (6) years and not more than twelve (12) years and a fine of PHP 300,000.00 or twice the equivalent of the aggregate amount of all affected or exposed bank accounts, whichever is higher, if the offender possesses ten (10) or more counterfeit access devices and/or unauthorized access devices but was not proven to have accessed any account or gained any credit through those access devices.
Section 10(c): Imprisonment of not less than four (4) years and not more than six (6) years and a fine of twice the value of the fraudulent obtained credit, without prejudice to civil liability, for an offense involving fraudulent use of a credit card.
Section 10(d): Imprisonment of not less than six (6) years and not more than ten (10) years and a fine of PHP 500,000.00 or twice the value obtained by the offender, whichever is higher, without prejudice to civil liability, for an offense under the specified items in Section 9—which does not occur after a conviction for another offense under the same section.
Section 10(e): Imprisonment of not less than ten (10) years and not more than twelve (12) years and a fine of PHP 500,000.00 or twice the value obtained by the offender, whichever is higher, without prejudice to civil liability, for an offense under Section 9(a), (f), and (q)—which does not occur after a conviction for another offense under Section 9.
Section 10(f): Imprisonment of not less than twelve (12) years but not more than twenty (20) years and a fine of PHP 800,000.00 or twice the value obtained by the offender, whichever is higher, without prejudice to civil liability, for any offense under Section 9 that occurs after a conviction for another offense under the same section, or an attempt to commit the same.
Section 10(g): Life imprisonment and a fine not less than PHP 1,000,000.00 but not more than PHP 5,000,000.00 if the offense constitutes economic sabotage, which is deemed committed when any prohibited act under Section 9 is committed under:
- (1) the prohibited act involves the hacking of a bank’s system; or
- (2) the act of skimming affects fifty (50) or more payment cards; or
- (3) the prohibited act affected fifty (50) or more online banking accounts, credit cards, payment cards, and debit cards.

Credit card presumption of intent to defraud

A cardholder who abandons or surreptitiously leaves the place of employment, business, or residence stated in the credit card application, without informing the credit card company where the cardholder could actually be found, is prima facie presumed to have used the credit card with intent to defraud.
The presumption applies when, at the time of abandonment or surreptitious leaving, the outstanding and unpaid balance is past due for at least ninety (90) days and is more than PHP 200,000.00.

Reporting requirements and investigating bodies

All companies engaged in issuing access devices—including banks, financing companies, and other financial institutions issuing access devices—shall conduct an initial investigation on any reported access device fraud.
All partner merchants shall also conduct the required initial investigation on any reported access device fraud.
Issuing entities must furnish real time reports on the result of the initial investigation to the National Bureau of Investigation (NBI) and the Anti-Cybercrime Group of the Philippine National Police (PNP).
The report must contain a narration about the fraud committed and an identification of the perpetrator, if feasible.
The report shall constitute the complaint necessary for the NBI or the Anti-Cybercrime Group of the PNP to pursue further investigation and prosecution of the fraud.
Banks, financing companies, and other financial institutions issuing access devices—including their subsidiaries and affiliates—continue to be regulated and supervised by the Bangko Sentral ng Pilipinas, while other access device issuers continue to be regulated and supervised by the Securities and Exchange Commission.

Separability, repeals, and amendment coverage

Section 7 provides that if any separable provision of Republic Act No. 11449 is declared unconstitutional, the remaining provisions continue in force.
Section 8 repeals, amends, or modifies inconsistent laws, decrees, executive orders, rules and regulations, or parts thereof, to the extent of the inconsistency.
The Act expressly amends Republic Act No. 8484 by:
- updating Section 2 (Declaration of Policy),
- updating Section 3 (Definition of Terms),
- amending Section 9 (Prohibited Acts),
- amending Section 10 (Penalties),
- amending the last sentences of Section 14 (cardholder presumption),
- and amending Section 16 (Reporting Requirements).