Criminal Exposure of Payment Gateways, Digital Banks, and E-Wallets for Weak KYC Controls

Introduction: Why fintech compliance failures can become a criminal case

Payment gateways, digital banks, and e-wallets sit at the “choke points” of modern commerce: onboarding users, moving funds, and converting value across platforms. That position creates legal risk under Philippine counter-terrorism financing laws because funds do not need to be successfully used for a terrorist attack for criminal liability to attach. Even “routine” fintech activity—account opening, wallet top-ups, merchant settlement, API-based pay-ins/pay-outs—can become evidence of unlawful facilitation if controls are weak and the platform processes transactions for terrorists or persons linked to them.

This article explains how Philippine law treats terrorism financing, what enforcement tools exist (including asset-freezing and bank inquiry powers), and what compliance measures digital financial platforms should implement to reduce exposure—especially where failures in KYC and screening allow illicit groups to move funds.

Governing laws and rules that shape fintech exposure

Republic Act No. 10168 (2012), the Terrorism Financing Prevention and Suppression Act of 2012, is the central statute criminalizing the financing of terrorism as a stand-alone offense. It penalizes not only direct funding for attacks, but also making funds or financial services available with prohibited intent or knowledge.

Fintech entities must also consider the broader anti-money laundering framework because terrorism financing compliance is institutionally enforced through the Anti-Money Laundering Council (AMLC), created under Republic Act No. 9160 (2001), the Anti-Money Laundering Act of 2001, as amended. A later amendment, Republic Act No. 11521 (2021), further strengthened the AMLA framework and expanded regulated sectors, reinforcing an enforcement environment where compliance expectations for financial intermediaries are high.

On the procedural side, the Supreme Court issued Administrative Matter No. 22-2-19-SC (2023), Rules on the Anti-Terrorism Act of 2020 and Related Laws, which recognizes and operationalizes AMLC powers relevant to terrorism financing investigations and asset-freezing in the anti-terrorism ecosystem.

Is there “strict liability” for payment gateways and fintech?

Philippine terrorism financing law is not framed as pure “strict liability” in the sense that every compliance failure automatically equals a criminal conviction. Under Republic Act No. 10168 (2012), the offense of financing of terrorism requires that a person willfully and without lawful excuse possesses/provides/collects/uses funds or makes funds/financial services available with unlawful and willful intention that the same be used, or with knowledge that they are to be used, in whole or in part, for terrorism-related purposes. The law also states that knowledge or intent may be inferred from attendant circumstances, and it is not necessary that the funds were actually used to carry out a terrorist act (Republic Act No. 10168, Section 4, 2012).

However, the practical warning for fintech is this: where KYC/CDD and screening are weak, the fact pattern often produces circumstances from which intent or knowledge can be inferred (for example, repeated transactions connected to designated persons, obvious red flags, structuring, use of mules, repeated chargebacks tied to the same cluster, or routing through suspicious merchants).

Financing of terrorism under RA 10168: what conduct is punished

Under Republic Act No. 10168 (2012), financing of terrorism includes directly or indirectly possessing, providing, collecting, or using property or funds, or making available property, funds, or financial services, with the intention or knowledge that these will be used (in full or part) to carry out or facilitate a terrorist act, or by/for a terrorist organization or individual terrorist (Republic Act No. 10168, Section 4, 2012).

Two aspects are especially important for fintech operations:

• “Financial service or other related services” is expressly covered, capturing payment processing, wallet services, merchant acquiring, payout APIs, stored value mechanisms, and settlement functions (Republic Act No. 10168, Section 4, 2012).
• No need for successful use of funds: a platform does not get a “safe outcome” merely because law enforcement stopped the plan or the funds never reached the intended end-use (Republic Act No. 10168, Section 4, 2012).

Dealing with property or funds of designated persons: a separate danger zone

A fintech’s biggest operational risk often arises at the screening stage. Republic Act No. 10168 (2012) separately penalizes dealing (directly or indirectly) with property or funds that a person knows or has reasonable ground to believe is owned or controlled by a designated person, or making available funds/financial services to them (Republic Act No. 10168, Section 8, 2012).

This “reasonable ground to believe” language is where weak KYC and screening become highly consequential. If an institution’s onboarding and monitoring are so deficient that it cannot reliably detect designated persons or their proxies, prosecutors may argue that the institution (or officers involved) operated in a manner that created reasonable grounds that were ignored.

Corporate exposure: who goes to jail when the “offender” is a company

Fintech platforms are typically corporate entities, but Philippine law focuses criminal accountability on human decision-makers. Under Republic Act No. 10168 (2012), when the offender is a corporation, partnership, association, or other juridical person, the penalty is imposed on the responsible officers who participated in, or allowed by their gross negligence, the commission of the crime, or who knowingly permitted or failed to prevent it. The court may also suspend or revoke the entity’s license (Republic Act No. 10168, Section 9, 2012).

For regulated fintech, this creates a governance imperative: compliance cannot be treated as a back-office formality. Where systems, staffing, and escalation processes are underbuilt, the risk is not only administrative—it can become personal criminal exposure for officers who approved, tolerated, or failed to remedy glaring deficiencies.

Penalties under RA 10168 that fintech officers should take seriously

Under Republic Act No. 10168 (2012), financing of terrorism and dealing with funds of designated persons are punishable by reclusion temporal (maximum) to reclusion perpetua and a fine of PHP 500,000 to PHP 1,000,000(Republic Act No. 10168, Sections 4 and 8, 2012). These are severe felony-level consequences, not mere regulatory penalties.

AMLC enforcement powers: why bank secrecy is not a shield

A common misconception is that bank secrecy laws prevent meaningful inquiry. Philippine jurisprudence and rules recognize that terrorism financing is a well-established exception in the AML/CTF framework.

In Calleja, et al. v. Executive Secretary, et al. (G.R. No. 252578, 2021), the Supreme Court discussed how AMLC authority has long included the ability to conduct bank inquiries without prior court order for certain serious crimes, and highlighted the continuity of terrorism as an exception to bank secrecy through amendments over time, including the enactment of Republic Act No. 10168 (2012) and the latest AMLA amendments (2021).

Further, the Supreme Court’s Rules on the Anti-Terrorism Act of 2020 and Related Laws (A.M. No. 22-2-19-SC, 2023) expressly recognizes that, notwithstanding bank secrecy and related laws, the AMLC is authorized to inquire into or examine deposits and investments without a court order in this anti-terrorism financing context, and may enlist assistance from other government instrumentalities (A.M. No. 22-2-19-SC, 2023).

Asset-freezing and the immediate compliance duty of financial institutions

Counter-terrorism financing enforcement is not limited to prosecution. It also involves targeted restrictions on funds. Republic Act No. 10168 (2012) requires covered institutions and relevant agencies, upon receipt of a freeze order notice, to immediately preserve the subject property or funds and serve notice to the owner/holder. Failure to comply carries criminal penalties of imprisonment from six (6) months to four (4) years and a fine of PHP 100,000 to PHP 500,000, aside from administrative sanctions (Republic Act No. 10168, Section 16, 2012).

Separately, the Supreme Court’s anti-terrorism rules recognize AMLC authority to issue ex parte freeze orders“without delay” in relation to property or funds related to terrorism financing and other specified violations (A.M. No. 22-2-19-SC, 2023). For fintech operations, this means response time and internal controls for freeze implementation are not optional—they are a legal requirement.

KYC failures as the gateway risk: how weak onboarding becomes evidence

KYC is not merely about collecting IDs. In terrorism financing investigations, weak KYC tends to produce a predictable evidentiary pattern:

• Inability to reliably identify the true user (use of mules, synthetic identities, identity farming).
• Inability to link accounts that should be connected (device fingerprint clusters, shared funding sources, repeated beneficiary reuse).
• Delayed detection of suspicious behavior (rapid in/out flows, micro-splitting, transaction layering through merchants).
• Failure to screen and re-screen against designation/proscription lists and adverse information.

Because intent or knowledge may be inferred from attendant circumstances (Republic Act No. 10168, Section 4, 2012), a persistent pattern of ignored alerts, repeated exceptions, or knowingly tolerated onboarding gaps can be framed as willful blindness, reckless disregard, or gross negligence—especially for responsible officers under the corporate-offender provision (Republic Act No. 10168, Section 9, 2012).

Typical fintech scenarios that can trigger liability risk

Below are situations that commonly arise in payment and wallet ecosystems and may attract scrutiny when tied to terrorism financing indicators:

Scenario	Why it matters under RA 10168	Risk control expectation
Wallet accounts opened using mule identities, then used for rapid fund transfers to multiple recipients	May support an inference that the platform made funds/financial services available with knowledge inferred from circumstances	Stronger identity verification, device/link analysis, velocity limits, escalations
Merchant accounts with unusual settlement patterns and frequent chargebacks, linked to suspicious beneficiaries	May constitute “dealing” with funds of designated persons if there are reasonable grounds to believe links exist	Merchant due diligence, ongoing monitoring, beneficiary screening
Failure to implement or promptly execute freeze orders	Separate punishable non-compliance with freeze order obligations	Freeze-order playbook, 24/7 response, audit logs
Processing transactions for persons later confirmed as designated, without re-screening or monitoring	Designation-related prohibitions can apply; “reasonable grounds to believe” can be argued if controls were deficient	Continuous screening, periodic re-verification, alert governance

Compliance measures that reduce criminal and regulatory exposure

Fintech entities should maintain controls that show serious prevention and fast containment. The following measures are commonly expected in a robust program for payment gateways, digital banks, and e-wallets:

• Risk-based KYC/CDD (stronger verification for higher-risk profiles; documented decisioning and exceptions).
• Screening against designated/proscribed persons and repeat screening at meaningful intervals and trigger events.
• Transaction monitoring tuned to terrorism-financing typologies (including micro-donations, rapid pass-through, and layering patterns).
• Clear governance and accountability: defined responsible officers, escalation matrices, and documented responses to red flags (relevant to corporate liability via gross negligence under Republic Act No. 10168, Section 9, 2012).
• Freeze order readiness: ability to preserve funds immediately and serve notice as required, with strong audit trails (Republic Act No. 10168, Section 16, 2012).

How Supreme Court rulings and rules reinforce enforcement reality

Recent Supreme Court materials confirm that counter-terrorism financing enforcement is designed to operate effectively despite traditional confidentiality barriers. In Eastwest Rural Bank v. Philippine National Police Anti-Cybercrime Group, et al. (G.R. No. 273720, 2025), the Court discussed how statutes like the AMLA and the Anti-Terrorism Act create lawful exceptions to bank deposit confidentiality in criminal investigations, and recognized that AMLC authority may allow examination of deposits without a court order in anti-terrorism contexts.

In addition, the Supreme Court’s A.M. No. 22-2-19-SC (2023) underscores that AMLC tools—including bank examination authority and ex parte freeze orders—are integral to terrorism financing suppression. For fintech, this means compliance weaknesses can be investigated with speed, and asset restrictions can be implemented rapidly.

Conclusion: what digital finance platforms should do now

Philippine law treats terrorism financing as a grave offense with heavy imprisonment penalties, and corporate structures do not insulate responsible officers where participation, tolerance, or gross negligence is shown. Under Republic Act No. 10168 (2012), the absence of a completed terrorist act is not a defense if the provision of funds or financial services is established with prohibited intent or knowledge, which may be inferred from circumstances.

Digital banks, e-wallets, and payment gateways should act on three immediate priorities:

• Upgrade KYC and ongoing screening to reliably identify users and detect designated-person risk.
• Strengthen monitoring and escalation so that repeated red flags are resolved, documented, and remediated.
• Implement freeze-order readiness with tested workflows, clear ownership, and auditable execution timelines, consistent with statutory duties (Republic Act No. 10168, 2012) and Supreme Court rules (A.M. No. 22-2-19-SC, 2023).

In a high-velocity payments environment, compliance must be designed as an operational capability, not a checklist—because the criminal consequences can be life-changing for both institutions and the officers responsible for control failures.

About Nicolas and De Vega Law Offices

 Nicolas and de Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.