
BANK SECRECY ACT (RA NO. 1405)

“AN ACT PROHIBITING DISCLOSURE OF OR INQUIRY INTO, DEPOSITS WITH ANY BANKING INSTITUTION AND PROVIDING PENALTY THEREFOR.”

• This will help form a sense of trust towards banking institutions
• To protect the depositors
• This is NOT absolute (in relation to RA 9160 AMLA)

When an individual deposits in a bank they are known as the depositors/creditors; the bank is now liable to these said depositors upon their deposit.

RA NO. 1405 or The Secrecy of Bank Deposits
Two main PURPOSES of RA NO. 1405
1. To encourage people to deposit their money in banking institutions. This will result in cash circulation.
2. To discourage private hoarding, in order to utilize and use the funds for the benefit of the country.

PDIC – Philippine Deposit Insurance Corporation
• 1/5 of 1% of the total liability/deposit
• Remittances of the bank are in exchange for insurance, and will serve as premiums on the part of the bank.

Borrowers – people who banks lend funds to.

When there is a sense of secrecy a transfer of capital occurs

PROHIBITED ACTS
• Any person, government official, bureau or office that examines, inquires or looks into a bank deposit or government bond investment in any of the instances not allowed in Section 2
This will help in determining when someone can apply or inquire.
• Any official or employee of a banking institution may not disclose to any person any information concerning said deposits

DEPOSITS COVERED
General Rule
• All deposits of whatever nature with banks or banking institutions found in the Philippines (are covered by the rules)
• Investments in bonds issued by the Philippine government, its branches, and institutions.
Treasury Bonds – are government issued bonds. Same with treasury bills and treasury notes.

TRUST FUNDS
• The money deposited under the trust agreement is intended not merely to remain with the bank but to be invested by it elsewhere.
Held in trust but will be used for investment. (Ex. UITF – Unit Investment Trust Fund). The funds used to acquire UITFs are also covered by the secrecy.

NAVPU – Net Asset Value Per Unit
• To hold that this type of account is not protected by R.A. 1405 would encourage private hoarding of funds that could otherwise be invested by banks in other ventures
• The phrase “of whatever nature” proscribes any restrictive interpretation of deposits. Moreover, it is clear from the immediately quoted provision that, generally the law applies not only to money which is deposited but also to those which are invested. This further shows that the law was not intended to apply only to deposits in the strict sense of the word. Otherwise, there would have been no need to add the phrase “or invested”.
• In investments such as UITF it is governed by BSP (Bangko Sentral ng Pilipinas), meaning it is under the guidance and regulation of BSP. Mutual funds are investments of a corporation and are thus governed by the SEC (Security Exchange Commission). The SEC has the jurisdiction and guidelines that are in accordance with mutual funds.

FOREIGN SECURITY DEPOSIT
• Foreign currency deposits are governed by a different law which is the Foreign Currency Deposits Act (RA 6426).

EXCEPTIONS: THE FF ARE THE EXCEPTIONS OF THE BANKS SECRECY LAW
1. UNDER RA 1405
• Section 2 of Republic Act No. 1405 provides that bank deposits and government bond investments may be examined, inquired and looked into in the following instances:

BEFORE AMENDMENT VS. AFTER AMENDMENT
Before Amendment:
• When the examination is made in the course of a special or general examination of a bank regarding bank fraud and irregularities
• When the examination is made by an independent auditor hired by the bank to conduct its regular audit
• Written permission of the depositor
• Impeachment
• Contentment order of the Court
• When it is the subject matter of the litigation/legal action (of the said bank account or deposit)
After Amendment:
• Upon written permission or consent in writing by the depositor.
VALID IF - made knowingly, voluntarily and with sufficient awareness of the relevant circumstances and likely consequences.
• Impeachment
• Upon court order for: Bribery or Dereliction of duty of public officials
• When money deposited or invested is the subject matter of the litigation. The money deposited should be the very thing in discussion.

UNDER OTHER LAWS
Bank deposits and investments may be examined in the following circumstances:

1. Subpoena and Subpoena duces tecum – is an order to produce or present documents made by the Ombudsman. This is exercised by the
Ombudsman when the following conditions occur:
• there must be a case pending before a court of competent jurisdiction
• the account is clearly identified
• Inspection is limited to the subject matter of the pending case.
• The account holder must be notified to be present during inspection

2. In RA NO. 3019 Bank deposits of a public official, his spouse and unmarried children may be taken into consideration in the enforcement of Section 8 of The Anti-Graft and Corrupt Practices Act. (Lifestyle Check) these are people that are under strict monitoring
3. Directors, officers, stockholders and related interests who contract a loan or any form of financial accommodation with their bank or related bank are required to execute a written waiver of secrecy of deposits pursuant.

4. CIR Commissioner of Internal Revenue – is authorized to inquire into bank deposit accounts.
• an application for compromise of tax liability or a determination of a decedent’s gross estate under The National Internal Revenue Code

The agreement of tax compromise has gone through the process of audit. If the investigation has led to certain findings, the findings must then be explained.

Under cooperative law when sales are from members these are not taxable or exempt. But there is a limit, a threshold of 10,000,000

• a request for tax information of specific taxpayers made by a foreign tax authority pursuant to a tax treaty

5. Anti-Money Laundering Council - authorized to examine and inquire into bank deposits or investments with banks or nonbank

With court order - when there is probable cause that the deposits or investments are related to an unlawful activity or a money laundering offense.
Without court order - predicate crimes, such as kidnapping for ransom, violation of the Comprehensive Dangerous Drugs Act, hijacking and other violations, destructive arson and murder.

6. Bangko Sentral - is authorized to examine bank deposits or investments in the course of a periodic or special examination to ensure compliance with The Anti-Money Laundering Law.
- conduct annual testing which is limited to the determination of the existence and true identity of the owners of numbered accounts
7. Philippine Deposit Insurance Commission (PDIC) and the Bangko Sentral may inquire into bank deposits when there is a finding of unsafe bank activities.
8. Court of Appeals (special court) - may issue an order authorizing law enforcement officers to examine and gather information on the deposits, placements, trust accounts, assets and records in a bank or financial institution in connection with anti-terrorism case.
9. Commission on Audit (COA) is the auditor of government agencies, to the revenue and receipts of, and expenditures or uses of funds and properties, owned or held in trust by, or pertaining to, the Government or any of its subdivisions, agencies or instrumentalities, including government-owned and controlled corporations with original charters.
- The COA’s jurisdiction is not just within government agencies depending on the circumstance.
AOM (Audit Observation Memo) – these are the preliminary findings of an internal auditor.

Notice of Disallowance – is a notice given by COA to inform an entity if something is not allowed that is related to the audit.

10. Presidential Commission on Good Government (PCGG) - conduct of its investigations to recover ill-gotten wealth accumulated by former President Ferdinand E. Marcos.

GARNISHMENT OF DEPOSITS INCLUDING FOREIGN DEPOSITS

1. Bank Deposits
- garnishment of bank deposit does not violate the law. Garnishment pertains to the attachment of deposits to satisfy a certain decision or judgement. The disclosure is purely incidental to the execution process and it was not the intention of the legislature to place bank deposits beyond the reach of judgement creditor.

2. Foreign Deposits
- General Rule - Foreign currency deposits shall be exempt from attachment, garnishment, or any other order or process of any court, legislative body, government agency or any administrative body whatsoever.
- Exception - The application of Section 8 of R.A. 6426 depends on the extent of its justice.
- The garnishment of foreign currency deposit should be allowed to prevent injustice and for equitable grounds, it would negate Article 10 of the New Civil Code which provides that “in case of doubt in the interpretation or application of laws, it is presumed that the lawmaking body intended right and justice to prevail.”
- In this exception, it is allowed in order to fully serve the administration of justice and in order to satisfy the judgement.
- The law was not made to have a good effect for the agreed party or judgement creditor.

SUMMARY OF THE NON DISCLOSURE AGREEMENT.

It is a non disclosure, the bank has a non disclosure agreement with the depositors, otherwise they will be penalized.
It is not absolute, there are certain cases where both government agencies and officials can inquire.

DATA PRIVACY
REPUBLIC ACT NO. 10173
“AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES”

SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”.

SEC. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective meanings hereafter set forth:
(a) Commission shall refer to the National Privacy Commission created by virtue of this Act.
(b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
(c) Data subject refers to an individual whose personal information is processed.
(d) Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
(e) Filing system refers to any act of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.
(f) Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.
(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
(j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
(k) Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
(l) Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.
Personal information must be:
(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.
The personal information controller must ensure implementation of personal information processing principles set out herein.

RULE IV DATA PRIVACY PRINCIPLES
Section 17. General Data Privacy Principles. The processing of personal data shall be allowed, subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality.
Section 18. Principles of Transparency, Legitimate Purpose and Proportionality. The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.
a. Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
b. Legitimate purpose. The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
c. Proportionality. The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of
the data subject which require protection under the Philippine Constitution.

RIGHTS OF THE DATA SUBJECT
SEC. 16. Rights of the Data Subject. – The data subject is entitled to:
(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

(c) Reasonable access to, upon demand, the following:
(1) Contents of his or her personal information that were processed;
(2) Sources from which personal information were obtained;
(3) Names and addresses of recipients of the personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when his or her personal information concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller;

(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and
(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

SECURITY OF PERSONAL INFORMATION
SEC. 20. Security of Personal Information. –
(a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

RULE IX DATA BREACH NOTIFICATION
Section 38. Data Breach Notification.
a. The Commission and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred.

b. Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

c. Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.

Section 39. Contents of Notification.
The notification shall at least describe the nature of the breach, the personal data possibly involved, and the measures taken by the entity to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach, the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach, and any assistance to be provided to the affected data subjects.

RULE X. OUTSTANDING AND SUBCONTRACTING AGREEMENTS
Section 43. Subcontract of Personal Data. A personal information controller may subcontract or outsource the processing of personal data: Provided, that the
personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Act, these Rules, other applicable laws for processing of personal data, and other issuances of the Commission.

Section 44. Agreements for Outsourcing.
Processing by a personal information processor shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller.
a. The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information controller, and the geographic location of the processing under the subcontracting agreement.

b. The contract or other legal act shall stipulate, in particular, that the personal information processor shall:
1. Process the personal data only upon the documented instructions of the personal information controller, including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;
2. Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
3. Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the Commission;
4. Not engage another processor without prior instruction from the personal information controller: Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
5. Assist the personal information controller, by appropriate technical and organizational measures and to the extent possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
6. Assist the personal information controller in ensuring compliance with the Act, these Rules, other relevant laws, and other issuances of the Commission, taking into account the nature of processing and the information available to the personal information processor;
7. At the choice of the personal information controller, delete or return all personal data to the personal information controller after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the Act or another law;
8. Make available to the personal information controller all information necessary to demonstrate compliance with the obligations laid down in the Act, and allow for and contribute to audits, including inspections, conducted by the personal information controller or another auditor mandated by the latter;
9. Immediately inform the personal information controller if, in its opinion, an instruction infringes the Act, these Rules, or any other issuance of the Commission.

RULE XI REGISTRATION AND COMPLIANCE REQUIREMENT
Section 46. Enforcement of the Data Privacy Act.
Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following:

a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;

b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;

c. Annual report of the summary of documented security incidents and personal data breaches;

d. Compliance with other requirements that may be provided in other issuances of the Commission.

Section 47. Registration of Personal Data Processing Systems.
The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.
