Judges side with victims of bank phishing

Headquarters of the Bank of Spain in Madrid (photo: Andrea Comas).

The number of digital banking customers in Spain increased by 44% between 2018 and 2020 alone, according to the Global Digital Banking Index 2021 prepared by N26. The trend accelerated during the pandemic, driven by the exponential growth of online purchases and electronic payments and by the mass closure of bank branches. The flip side of digitised banking is an inevitable rise in fraud, and more and more victims are going to court to hold their bank accountable. Banks, as guarantors and custodians of their clients' funds, must answer for security failures in their systems.

A fraudulent charge is one ordered by a third party who has obtained the account holder's banking details (account numbers, card number, PIN, DNI national ID number, etc.) by duplicating or cloning cards or by phishing. That is not the same, the lawyer Elena Novel points out, as an unauthorised charge, which occurs when the user voluntarily and without being deceived gives a third party, for example an online shop, their account or card details to carry out a transaction, but the amount charged is higher than agreed. Only in the case of a fraudulent charge is the bank, as payment service provider, obliged to refund the stolen money, unless it proves that the account holder was grossly negligent.

In this regard, Patricia Suárez, president of Asufin, points out that the payment services law obliges the provider to implement the security measures needed to verify the client's identity and authenticate each operation. The law thus imposes quasi-strict liability on the bank whenever the victim gave no genuine authorisation for the transfer. "Liability is attributed directly to the bank regardless of whether it acted with fault or fraud, and it is exonerated only in cases of force majeure or where the injured party is exclusively at fault," explains the lawyer Rosana Pérez. Even so, the lawyers consulted say that in most cases banks deny responsibility and do not return what was stolen. "Refusal as a matter of course," confirms Iñigo Serrano, founding partner of Sello Legal. As Serrano describes it, the banks simply state that the operation was authorised and provide no further information about its traceability.

The usual pattern, says Miguel de Prada, director of the legal department of dPG Legal, is for banks to dismiss claims by arguing that the injured clients are at fault for not protecting their personal passwords. After that refusal, De Prada acknowledges, few of those affected have so far taken the banks to court. "Since there was little or no case law on the matter, the fear of losing the trial and being ordered to pay costs discouraged victims from suing the banks, and they wrote their money off," he observes.

However, this is changing, and the reason, as Pérez indicates, is that recent case law is practically unanimous in holding that the bank must return the amounts stolen by a third party, since as custodian of the funds it has a legal obligation to safeguard and return the deposited money.

In fact, the only way for the bank to avoid a refund is to prove that the affected account holder was grossly negligent. That concept, as the lawyer Olalla Carballo clarifies, is open to interpretation by the courts. "There are rulings that found gross negligence on the client's part if the phishing messages or emails contained some spelling mistake," Carballo comments. However, she adds that in such cases today, even when the victim is found to have been careless, the carelessness is not classed as serious and the bank is not released from its liability. That was the outcome in a case decided by the Provincial Court of Pontevedra in December 2021, in which the bank was ordered to return the 4,000 euros swindled.

Likewise, a recent judgment of the Provincial Court of Madrid defined the client's gross negligence as "conduct characterised by a significant lack of diligence, which arises or occurs at the user's own initiative, not as a consequence of the deception into which a professional criminal has induced them". De Prada therefore concludes that a serious lack of diligence cannot be attributed to a fraud victim who handed personal passwords to a third party as a result of manipulation.

In this respect, Serrano adds that, when it comes to judging how serious the lack of diligence was, an 80-year-old unfamiliar with electronic media is not the same as a young person used to shopping online. "Most likely, case law will end up settling on a standard like the one used for abusive clauses: the average consumer, normally informed and reasonably attentive and circumspect," he predicts. Novel insists that it does not matter how the fraud is committed, whether by phishing or card cloning, since the bank's liability is determined by whether the affected party was at fault or grossly negligent, and by whether the bank can prove it.
