Third Regular Session
Begun and held in Metro Manila, on Monday, the twenty-third day of July, two thousand eighteen.
REPUBLIC ACT No. 11449
An Act Providing for Additional Prohibitions to and Increasing Penalties for Violations of Republic Act No. 8484, Otherwise Known as the "Access Devices Regulation Act of 1998"
Be it enacted by the Senate and House of Representatives of the Philippine Congress Assembled:
Section 1. Section 2 of Republic Act No. 8484 is hereby amended to read as follows:
"Sec. 2. Declaration of Policy. The State recognizes the recent advances in technology and the widespread use of access devices in commercial transactions. Toward this end, the State shall protect the rights and define the liabilities of parties in such commercial transactions by regulating the issuance and use of access devices.
"The State likewise acknowledges that the advances in information technology on access devices have been exploited by criminals and criminal syndicates in perpetrating fraudulent activities that ultimately undermine the trust of the public in the banking industry. Due to this deleterious effect on the economy, the State declares that the commission of a crime using access devices is a form of economic sabotage and a heinous crime and shall be punishable to the maximum level allowed by law."
Section 2. Section 3 of the same Act is hereby amended to read as follows:
"Sec. 3. Definition of Terms. For purposes of this Act, the terms:
"(a) Access Device means any card, plate, code, account number, electronic serial number, personal identification number, or other telecommunications service, equipment, or instrumental identifier, or other means of account access that can be used to obtain money, good, services, or any other thing of value or to initiate a transfer of funds (other than a transfer originated solely by paper instrument);
"(b) Payment Card cards that can be used by cardholders and accepted by terminals to withdraw a cash and/or make payment for purchase of goods or services, fund transfer, and other financial transactions. Typically, payment cards are electronically linked deposits, prepaid, or loan credit accounts;
"(c) Counterfeit Access Device means any access device that is counterfeit, fictitious, altered, or forged, or an identifiable component of an access device or counterfeit access device or any fraudulent copy or reproduction of a valid access device;
"x x x
"(l) x x x;
"(m) x x x;
"(n) Hacking refers to the unauthorized access into or interference in a computer system/server or information and communications system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents;
"(o) Payment Card refers to any card of whatever material or form including any kind of debit card, but not a credit card, issued by a bank or business entity that enables a customer to access an automated teller machine in order to perform transactions such as deposits, cash withdrawals and obtaining account information. A payment card shall be considered as an access device for the purposes of this Act;
"(p) Card Skimming refers to a type of fraud which involves illegal copying of information from the magnetic stripe of payment card to gain access to customer accounts;
"(q) Application refers to a computer program designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user; and
"(r) Online Banking refers to the use of the internet by bank customers in order to manage thqir bank accounts and perform account transactions."
Section 3. Section 9 of the same Act is hereby amended to read as follows:
"Sec. 9. Prohibited Acts. The following acts shall constitute access device fraud and are hereby declared to be unlawful:
"(a) producing, using, trafficking in one or more counterfeit access devices;
"x x x
"(o) x x x;
"(p) x x x;
"(q) skimming, copying or counterfeiting any credit card, payment card or debit card, and obtaining any information therein with the intent of accessing the account and operating the same whether or not cash is withdrawn or monetary injury is caused by a perpetrator against the account holder or the depositary bank;
"(r) production or possession of any software component such as programs, application, or malware, or any hardware component such as skimming device or any electronic gadget or equipment that is used to perpetrate any of the foregoing acts;
"(s) accessing, with or without authority, any application, online banking account, credit card account, ATM account, debit card account, in a fraudulent manner, regardless of whether or not it will result in monetary loss to the account holder; and
"(t) hacking refers to the unauthorized access into or interference in a computer system/server, or information and communication system, or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices without the knowledge and consent of the owner of the computer or information and communication system, including the introduction of computer viruses and the like resulting in the corruption, destruction, alteration, theft, or loss of electronic data messages or electronic documents."
Section 4. Section 10 of the same Act is hereby amended to read as follows:
"Sec. 10. Penalties. Any person committing any of the acts constituting access device fraud enumerated in the immediately preceding section shall be punished with:
"(a) imprisonment for not less than twelve (12) years and not more than twenty (20) years and a fine twice the equivalent of the aggregate amount of all affected or exposed bank accounts, but the fine shall not be less than Five hundred thousand pesos (₱500,000.00) in the case of an offender who is in possession of ten (10) or more counterfeit access devices and/or unauthorized access devices and was able to access at least one (1) account or had gained credit by the fraudulent use of any of such access device in his possession;
"(b) imprisonment for not less than six (6) years and not more than twelve (12) years and a fine of Three hundred thousand pesos (₱300,000.00) or twice the equivalent of the aggregate amount of all affected or exposed bank accounts, whichever is higher, in 'the case of an offender who is in possession of ten (10) or more counterfeit access devices and/or unauthorized access devices, but was not proven to have accessed any account or have gained any credit through any of the aforementioned access devices;
"(c) imprisonment for not less than four (4) years and not more than six (6) years and a fine of twice the value of the fraudulently obtained credit, without prejudice to the civil liability of the offender, in the case of an offense involving fraudulent use of a credit card;
"(d) imprisonment for not less than six (6) years and not more than ten (10) years and a fine of Five hundred thousand pesos (₱500,000.00) or twice the value obtained by the offender, whichever is higher, without prejudice to the civil liability of the offender, in the case of an offense under items (b), (c), (d), (e), (g), (h), (i), (j), (k), (l), (m), (n), (o), (p), (r), (s), and (t) of Section 9 hereof, which does not occur after a conviction for another offense under the same section;
"(e) imprisonment for not less than ten (10) years and not more than twelve (12) years and a fine of Five hundred thousand pesos (₱500,000.00) or twice the value obtained by the offender, whichever is higher, without prejudice to the civil liability of the offender, in the case of an offense under Section 9(a), (f), and (q), which does not occur after a conviction for another offense under Section 9;
"(f) imprisonment for not less than twelve (12) years but not more than twenty (20) years and a fine of Eight hundred thousand pesos (₱800,000.00) or twice the value obtained by the offender, whichever is higher, without prejudice to the civil liability of the offender, in the case of any offense under Section 9, which occurs after a conviction for another offense under the same section, or an attempt to commit the same; and
"(g) life imprisonment and a fine of not less than One million pesos (₱1,000,000.00) but not more than Five million pesos (₱5,000,000.00) if the offense constitutes economic sabotage. Economic sabotage is deemed committed when any of the prohibited acts described in Section 9 hereof is committed under the following circumstances:
(1) the prohibited act involves the hacking of a banks system;
(2) the act of skimming affected fifty (50) or more payment cards; or
(3) the prohibited act affected fifty (50) or more online banking accounts, credit cards, payment cards, and debit cards."
Section 5. The last sentence of Section 14 of the same Act is hereby amended to read as follows:
"Sec. 14. x x x
"A cardholder who abandons or surreptitiously leaves the place of employment, business or residence stated in his application for credit card, without informing the credit card company of the place where he could actually be found, if at the time of such abandonment or surreptitious leaving, the outstanding and unpaid balance is past due for at least ninety (90) days and is more than Two hundred thousand pesos (₱200,000.00), shall be prima facie presumed to have used his credit card with intent to defraud."
Section 6. Section 16 of the same Act is hereby amended to read as follows:
"Sec. 16. Reporting Requirements. All companies engaged in the business of issuing access devices, including banks, financing companies and other financial institutions issuing access devices, as well as all partner merchants, shall conduct initial investigation on any reported access device fraud and furnish real-time reports on the result thereof to the National Bureau of Investigation (NBI) and the Anti-Cybercrime Group of the Philippine National Police (PNP). The report shall contain a narration about the fraud committed and an identification of the perpetrator, if feasible. The report shall further constitute the complaint necessary for the NBI or the Anti-Cybercrime Group of the PNP to pursue further investigation and prosecution of the fraud. Notwithstanding this requirement, banks, financing companies and other financial institutions, including their subsidiaries and affiliates, issuing access devices shall continue to be regulated and supervised by the Bangko Sentral ng Pilipinas while other companies issuing access devices shall continue to be regulated and supervised by the Securities and Exchange Commission."
Section 7. If any separable provision of this Act is declared unconstitutional, the remaining provisions shall continue to be in force.
Section 8. All laws, decrees, executive orders, rules and regulations or parts thereof which are inconsistent with this Act are hereby repealed, amended or modified accordingly.
Section 9. This Act shall take effect fifteen (15) days after its publication in the Official Gazette or in a newspaper of general circulation.
(Sgd) VICENTE C. SOTTO III
President of the Senate
(Sgd) GLORIA MACAPAGAL-ARROYO
Speaker of the House of Representatives
This Act which originated in the House of Representatives was passed by the House of Representatives on February 5, 2018, amended by the Senate of the Philippines on June 3, 2019, and which amendments were concurred in by the House of Representatives on June 4, 2019.
(Sgd) MYRA MARIE D. VILLARICA
Secretary of the Senate
(Sgd) DANTE ROBERTO P. MALING
Acting Secretary General
House of Representatives
(Sgd) RODRIGO ROA DUTERTE
President of the Philippines
Approved: August 28, 2019.
The Lawphil Project - Arellano Law Foundation