Can Banks Disclose Account Holder Information in Cybercrime Cases?

The Philippine Supreme Court ruling on bank secrecy and cybercrime investigations: when deposit confidentiality applies and when account information may be disclosed.

Last reviewed: June 28, 2026General legal information, not legal advice

Can Banks Disclose Account Holder Information in Cybercrime Cases?

News hook: In July 2025, the Philippine Supreme Court issued a landmark ruling in G.R. No. 273720 (EastWest Rural Bank v. PNP Anti-Cybercrime Group), holding that banks can be compelled under a court-issued Warrant to Disclose Computer Data to reveal who holds an account — while deposit amounts and transaction records remain protected under the 70-year-old Bank Secrecy Law.

Legal question

When law enforcement investigates a cybercrime — such as online scams, vishing (voice phishing), or unauthorized fund transfers — can a bank be legally required to disclose information about an account holder without violating the Bank Secrecy Law (Republic Act No. 1405)? And if so, how much information can be disclosed, and through what legal mechanism?

Applicable laws and rules

Why this matters

Online financial scams have become one of the most common crimes affecting Filipinos. Victims of vishing, phishing, and unauthorized fund transfers urgently need law enforcement to trace where stolen money went — which means identifying the bank accounts that received the funds. At the same time, the 1955 Bank Secrecy Law was designed to protect depositors' financial privacy. The tension between these two interests affects every victim who reports a cybercrime to the PNP Anti-Cybercrime Group or the NBI Cybercrime Division, and every bank that receives an order to produce records. The Supreme Court's ruling resolves precisely which information can flow in a cybercrime investigation and which cannot.

The legal frame

Republic Act No. 1405, enacted in 1955, declares all deposits in domestic banking institutions to be absolutely confidential and prohibits their examination, inquiry, or disclosure without the depositor's written permission. The only statutory exceptions are: the depositor's own written consent; cases of impeachment; a court order in cases of bribery or dereliction of duty by a public official; and when the deposit is itself the subject matter of litigation. These exceptions are narrow by design and have rarely been expanded by the courts. Foreign currency deposits under RA 6426 (1972) carry an even stricter rule: only the depositor's express written permission unlocks them, with no equivalent court-order exception.

The Cybercrime Prevention Act of 2012 (RA 10175) created a separate legal mechanism: the Warrant to Disclose Computer Data (WDCD). Upon application by law enforcement and judicial authorization, a WDCD compels any "service provider" to disclose subscriber information, traffic data, and relevant computer data within 72 hours. The central question resolved in G.R. No. 273720 was whether banks qualify as "service providers" under RA 10175 — and whether a WDCD can override RA 1405's confidentiality requirements.

The Supreme Court held that RA 1405 and RA 10175 govern entirely different subject matter and therefore coexist without conflict. RA 1405 protects the contents of deposits: the amounts, balances, and transaction history. RA 10175 governs computer data and subscriber information — which includes identifying details about who holds an account, such as the account holder's name, address, and account number. Because these are distinct categories, a WDCD issued under RA 10175 can lawfully compel a bank to reveal the identity of an account holder without violating the Bank Secrecy Law. What it cannot do is reach deposit amounts or financial transaction records — those remain shielded by RA 1405 and require a separate legal basis (such as an AMLC order under the Anti-Money Laundering Act) to access.

Two additional routes exist for obtaining financial account information in specific contexts. Under the Anti-Money Laundering Act (RA 9160, as amended by RA 11521 in 2021), the Anti-Money Laundering Council may examine deposit accounts — including their contents — upon obtaining an ex parte order from the Court of Appeals based on probable cause that the account is related to a predicate offense. For six specified crimes (kidnapping for ransom, drug violations, hijacking, destructive arson, murder, and terrorism), AMLC may act without any court order. Separately, the Anti-Financial Account Scamming Act of 2024 (RA 12010) grants the Bangko Sentral ng Pilipinas explicit authority to investigate financial accounts involved in scams and share findings with law enforcement, but information obtained under AFASA may only be used for prosecuting AFASA violations.

What individuals should know

If you are a victim of an online financial scam or unauthorized fund transfer, you may file a complaint with the PNP Anti-Cybercrime Group or the NBI Cybercrime Division. Law enforcement can apply to a court for a WDCD to compel the receiving bank to identify the account holder. This process does not expose your own account information — the WDCD is directed at the suspect's account. If your money was transferred to a specific bank account, document the transaction reference number, the recipient account number and bank (if visible), the date and amount, and any communications from the scammer. These details support the WDCD application. If the scam involved money laundering, your attorney can advise whether an AMLC referral is appropriate to seek examination of the transaction records, not just the account holder's identity. Note that as of 2026, the 20th Congress has bank secrecy reform on its LEDAC legislative agenda, including proposals that could further expand the circumstances under which deposit information may be examined — so this area of law continues to evolve.

Ask PHLaw.AI

Try: "I was a victim of a vishing scam and money was transferred to another bank account — can the PNP get a warrant to find out who owns that account?"

Ask about this topic

Sources