In EastWest Rural Bank v. Philippine National Police–Anti-Cybercrime Group Unit 1 (G.R. No. 273720, July 29, 2025), the Supreme Court affirmed the authority of law enforcement agencies, upon judicial authorization, to compel banks to disclose limited account-holder information in cybercrime investigations without violating the long-standing confidentiality of bank deposits under Republic Act No. 1405, or the Bank Secrecy Law. The ruling carefully recalibrates the balance between bank secrecy and the State’s power to investigate increasingly sophisticated cybercrimes.
The controversy arose from a reported cyber-fraud incident involving unauthorized fund transfers from a bank account following a fraudulent phone call. After discovering the illicit transfer, the victim reported the matter to law enforcement authorities. To identify the perpetrator, investigators applied for and obtained a Warrant to Disclose Computer Data (WDCD) from the Regional Trial Court, pursuant to the Cybercrime Prevention Act. A corresponding disclosure order was thereafter issued, directing the bank where the recipient account was maintained to disclose and preserve specific information relating to the account, including the account holder’s name, address, verification documents, contact details, and other identifying information necessary to establish identity.
The bank questioned the validity of the WDCD on three substantive grounds: first, that the Cybercrime Prevention Act did not expressly or impliedly repeal the Bank Secrecy Law; second, that it did not qualify as a “service provider” under the Cybercrime Prevention Act; and third, that the disclosure order violated the statutory confidentiality of bank deposits.
On the first issue, the Supreme Court agreed that the Cybercrime Prevention Act did not repeal the Bank Secrecy Law, either expressly or by implication. There was no express repeal, as the Cybercrime Prevention Act contained no provision withdrawing or revoking the confidentiality accorded to bank deposits. Neither was there implied repeal. Implied repeal arises only when two statutes are irreconcilably inconsistent or when the later law covers the entire subject matter of the earlier one and is intended as a substitute. Neither circumstance was present.
While both statutes touch on the disclosure of information, they do not govern the same subject matter. The Bank Secrecy Law focuses narrowly on the confidentiality of bank deposits, while the Cybercrime Prevention Act addresses a broader universe of data relevant to cybercrime, including computer data, subscriber information, and traffic data. These are distinct categories. Moreover, the Cybercrime Prevention Act was never intended to replace the Bank Secrecy Law; its scope is far wider and directed at combating cyber-enabled offenses.
On the second issue, the Court held that the bank qualified as a “service provider” under the Cybercrime Prevention Act, even if it was not primarily engaged in communication services. The law defines a service provider broadly as any public or private entity that provides users the ability to communicate by means of a computer system, or that processes or stores computer data on behalf of such users. The Court noted that modern banking operations—through online banking platforms, mobile applications, and automated electronic notifications—necessarily involve computer-based communication systems. This operational reality placed banks within the statutory definition.
On the third issue, the Court ruled that compelling the disclosure of limited identifying information did not undermine the confidentiality of bank deposits protected by the Bank Secrecy Law. The Court emphasized that the law primarily protects the financial details of deposits, not basic identifying information. While the scope of confidentiality is broad, it is not absolute. Existing statutes, including the Cybercrime Prevention Act, provide narrowly tailored exceptions.
The Cybercrime Prevention Act allows disclosure upon compliance with strict requisites: a court-issued warrant based on probable cause; a valid, officially docketed complaint where disclosure is demonstrably necessary and relevant to the investigation; and judicial authorization strictly limiting disclosure to subscriber information and relevant traffic data. In this case, all requisites were satisfied. The investigation involved cyber-related offenses, the information sought was essential to identify the perpetrator, and the disclosure order was carefully circumscribed.
Ultimately, the decision underscores that bank secrecy is not an impenetrable shield against lawful investigation. Rather, it coexists with the State’s duty to protect the public from cybercrime. By insisting on judicial oversight and proportionality, the Court reaffirmed that privacy and public safety are not mutually exclusive—but must be balanced with prudence and precision.
