The Supreme Court (SC) has ruled that bank deposits remain confidential under Philippine law, but limited account holder information may be disclosed in cybercrime investigations when authorized by a court-issued warrant under the Cybercrime Prevention Act of 2012.
The Supreme Court ruled that while your bank deposits are private, banks may be ordered by a court to reveal who owns an account when investigating cybercrime.
In a Decision penned by Associate Justice Ramon Paul L. Hernando, the SC’s First Division denied the petition filed by EastWest Rural Bank (EastWest), which sought to invalidate court and police orders directing the disclosure of certain computer data in connection with a cybercrime investigation.
Background of the Case
The case arose from a complaint filed by Leonard Vendiola, who was scammed by an individual posing as a bank employee. The caller tricked Vendiola into revealing his email address and one-time password (OTP), enabling the unauthorized transfer of PHP 10,000 from his bank account to an account maintained with EastWest.
Vendiola reported the incident to the Philippine National Police Anti-Cybercrime Group (PNP-ACG), which applied for a Warrant to Disclose Computer Data to identify the EastWest account holder allegedly involved in the scam.
The Regional Trial Court (RTC) granted the application and issued a Disclosure Order, directing EastWest to preserve and disclose relevant data related to the account holder.
EastWest’s Arguments
EastWest challenged the warrant, arguing that the Bank Secrecy Law strictly prohibits banks from disclosing any information related to bank deposits, including the identity of account holders. The bank further contended that the Cybercrime Prevention Act did not repeal the Bank Secrecy Law, and that it should not be covered by the disclosure provisions of the cybercrime law because it is a financial institution, not a communications service provider.
Supreme Court Ruling
The Supreme Court rejected these arguments and upheld the validity of both the Warrant to Disclose Computer Data and the Disclosure Order.
The Court clarified that while the Bank Secrecy Law protects the confidentiality of bank deposits and financial transactions, it does not prohibit the disclosure of basic identifying information when such disclosure is expressly authorized by law. Under the Cybercrime Prevention Act, law enforcement agencies may, upon securing a court-issued warrant, compel the disclosure of computer data necessary for the investigation of cybercrime offenses.
The SC further ruled that EastWest qualifies as a “service provider” under the Cybercrime Prevention Act. The Court noted that the bank’s digital banking services, including online banking platforms, mobile applications, and automated electronic notifications, allow customers to communicate and transact through computer systems. As such, EastWest processes and stores substantial amounts of computer data, bringing it within the scope of lawful disclosure obligations under the cybercrime law.
Legal Significance
The ruling highlights the balance between protecting bank secrecy and enabling effective cybercrime investigations, affirming that financial privacy is not absolute when weighed against lawful efforts to combat cybercrime.
🔍 Key Takeaways
- Bank deposits remain confidential under the Bank Secrecy Law.
- Account holder identity may be disclosed with a court-issued warrant.
- Banks may be treated as service providers under the Cybercrime Prevention Act.
Case Reference:
EastWest Rural Bank v. PNP-ACG, G.R. No. 273720, July 29, 2025