[OPINION] Should banks be held liable for the BDO/Unionbank phishing scam?

Roberto Figueroa
'We should not lose sight of who the real villain is here'

You have to give it to Filipinos for always injecting humor in everything they do – even in the perpetration of scams. The recent news about the unauthorized fund transfers from BDO depositors’ accounts to the UBP account of Mark Nagoyo brought to the fore the issue of bank liability for online scams and the Filipino brand of humor. 

I suspect that whoever is the perpetrator of this scam is a Filipino, considering that only a Filipino would fully understand the irony of the manner in which this scam was done. The last name of the UBP account holder “Nagoyo” is a Filipino word which means “you have been fooled.” What caught my attention though was its seeming similarity with another last name that is very familiar to those who are into cryptocurrency: Nakamoto. I really thought that what I was reading was the name of Satoshi Nakamoto, the mysterious developer of Bitcoin. Whether this seeming similarity with the name of the Bitcoin developer was intentional or not, we will only find out once the perpetrator has been arrested.

According to the affected BDO depositors, they never authorized the fund transfers to Nagoyo. Some said they clicked a link they received (which makes this a case of phishing), but some said they never received, much less clicked, any link at all. Understandably, the BDO depositors are up in arms. They vented their anger and disappointment on social media. No less than the BSP Governor issued a statement that they “are in close coordination with BDO as well as UBP on this incident to ensure that remedial measures are being undertaken, including reimbursement of affected consumers.”

This begs the question: are banks liable for online scams? The BSP statement expressly adverted to the possible reimbursement of affected consumers as part of the remedial measures to be undertaken. Of course, the funds to be used for reimbursing the affected consumers will be the bank’s money. Even though there is no admission of guilt on the part of the banks, once they reimburse the affected consumers, such act will confirm the public perception that banks are in a way liable for this scam. This perception seems to blur the fact that the banks, just like the affected consumers, are also victims of this scam.

Banks are what lawyers would call corporations impressed with public interest. They are held to a higher standard in their dealings with the public. The basic law on banking, RA 8791 which was enacted into law in 2000, provides the statutory basis for the degree of care and diligence that must be followed by banks. Section 2 of this law provides that the fiduciary nature of banking requires banks to observe a “high standard of integrity and performance.” But as early as 1990, even prior to the enactment of this statutory basis, the Supreme Court in Simex International (Manila) Inc. v. CA, 89 SCRA 360, already ruled that: 

“The banking system is an indispensable institution in the modern world and plays a vital role in the economic life of every civilized nation. Whether as mere passive entities for the safe-keeping and saving of money or as active instruments of business and commerce, banks have become an ubiquitous presence among the people, who have come to regard them with respect and even gratitude, most of all, confidence…”

The point is that as a business affected with public interest and because of the nature of its functions, the bank is under obligation to treat the accounts of its depositors with meticulous care, always having in mind the fiduciary nature of their relationship.

This was reaffirmed in 2003 when the SC in The Consolidated Bank and Trust Corp v. CA, 410 SCRA 562 explained the “high standard of integrity and performance” to be observed by banks in this wise:

“This fiduciary relationship means that the bank’s obligation to observe ‘high standards of integrity and performance’ is deemed written into every deposit agreement between a bank and its depositor. The fiduciary nature of banking requires banks to assume a degree of diligence higher than that of a good father of a family. Article 1772 of the Civil Code states that the degree of diligence required of an obligor is that prescribed by law or contract, and absent such stipulation then the diligence of a family. Section 3 of RA 8791 prescribes the statutory diligence required from banks – that banks must observe ‘high standards of integrity and performance’ in servicing their depositors.”

From these court rulings, one can distill the following:

(1) Banks are indispensable institutions and play a vital role in society. In practice, banks discharge essential functions for the economy: financial intermediation, money supply creation, and payment systems.

(2) There appears to be a fiduciary relationship that exists between the bank and its depositors. This is true even if it is well settled in our jurisdiction that the relationship between the bank and the depositors is primarily contractual in nature, specifically, that of a contract of loan or simple mutuum. In this contract of loan, the bank is the debtor and the depositor is the creditor. As to whether this fiduciary nature applies to other businesses of banks that do not concern deposits remains debatable. I personally believe that it should not. 

(3) The statutory degree of diligence to be observed by banks is the “high standard of integrity and diligence.” What it means exactly is not defined in the law. What is clear though is that this is higher than the diligence of a good father of a family. 

(4) In certain cases, like when a bank enters into a mortgage contract, the SC ruled that banks must exercise the “highest degree of diligence and high standards of integrity and performance.” Despite the use of the superlative “highest” in describing the banks’ degree of diligence, this does not mean that banks will always be liable for any loss suffered by depositors. This only means that banks are expected to be more prudent and exercise more care than private individuals in their dealings. 

Applying the above to the BDO/UBP case, if the banks involved in this phishing incident can establish that they have put in place effective controls meant to prevent the occurrence of this scam, they can raise a strong defense. The law does not require the impossible from the banks. Of course, the converse of this is also true. This means that if banks have been remiss in updating their IT and information security infrastructure to prevent the occurrence of fraud, then they will be held liable. In the latter case, they fail to discharge their responsibilities as an institution held to the highest degree of care and high standards of integrity and performance.

For the depositors who received the link and clicked it, it is possible that they can be held guilty of contributory negligence. This may not totally relieve the banks of any liability, but the depositors’ contributory negligence may result in the reduction of the banks’ liability.

All told, nobody wins if we put blame on the victim of scams, be it the depositor or the bank. Demonizing banks as institutions out to get the depositors’ money, or painting the depositors as negligent actors in this phishing scam, would not be beneficial to all parties concerned. We should not lose sight of who the real villain is here – the scammer himself. And fighting this villain requires the cooperation and responsible actions of both banks and depositors. – Rappler.com

Roberto L. Figueroa is a professorial lecturer in Banking and Financial Law at the UP College of Law.