The Madrid Provincial Court defined phishing as “the theft of a bank’s identity by a phisher in order to obtain sensitive information, such as passwords of bank accounts, credit cards or any other information on the bank that may allow access to customers’ accounts via online banking. Internet users receive an email or any kind of instant message informing them that they should change their bank passwords and providing them with a link to access the webpage of the alleged banking entity in order to make the suggested change. In most phishing methods, deception techniques are used through which the phisher uses the program code of the bank or similar service against the victim, so that the page acquires the look of the actual banking entity.”
In fact, this activity is classed as a criminal offence (article 248 of the Criminal Code), and the bank may be liable and obliged to reimburse the defrauded amounts to the victim if a number of conditions are met, namely that (i) the payer did not consent; (ii) the payer did not commit fraud; (iii) the payer did not engage in grossly negligent behaviour; and (iv) the payer notified the incident as soon as they became aware of it.
Thus, article 36.1 of Spanish Royal Decree-law 19/2018, of 23 November, on payment services and other urgent financial measures, establishes that “payment transactions are deemed authorised when the payer has consented to them. In the absence of such consent, the payment transaction shall be deemed unauthorised.” Article 44 of the same legal text, on the “authentication and execution of payment transactions”, sets out that “whenever a user of payment services denies having authorised a payment transaction that has already been executed, or alleges that it was incorrectly executed, it is for the payment services provider to prove that the payment transaction was authenticated, accurately recorded and accounted for, and that it was not affected by a technical failure or other fault in the service provided by the payment services provider.”
As a result of the above, article 45 of Spanish Royal Decree-law 19/2018 sets out that: “in the event that an unauthorised payment transaction is executed, the payment services provider shall immediately refund the payer the amount of the unauthorised transaction and, in any case, no later than the end of the working day following that on which the transaction was discovered or notified, unless the payment services provider has reasonable cause to suspect fraud and notifies said cause in writing to the Bank of Spain, in the form and with the content and deadlines that it defines. As the case may be, the payment services provider shall restore the payer’s payment account from which the amount was taken to the status it would have had if the unauthorised transaction had not been executed.”
There is a considerable body of case law in which the courts have ordered different banking entities to reimburse amounts taken through phishing techniques.
The ruling of the Barcelona Provincial Court of 7 March 2013 ordered a banking entity to refund a company the amount of 32,099 euros because the entity did not take the additional security measures provided for in the General Conditions of the Agreement after (i) unusual flows of funds in a current account and (ii) transfers to suspicious accounts, which the entity should have detected.
The ruling of the Zaragoza Provincial Court of 14 May 2013 ordered a bank to reimburse 20,947 euros to a customer after pointing out that the Payment Services Act [Act 16/2009, of 13 November, repealed by Royal Decree-Law 19/2018, of 25 November 2018] clearly states that “unless there is undue delay by the user of the electronic banking service in notifying the irregularity of the transactions, the bank shall immediately refund the amount of the unauthorised transaction and, as the case may be, shall restore the payment account from which the amount was taken to the status it would have had if the unauthorised transaction had not been executed. Therefore, and except for fraud or grossly negligent behaviour by the account holder, responsibility for the transaction lies with the bank, which must also prove the proper functioning of the computer system.”
Ruling 178 of the 9th Section of the Madrid Provincial Court of 4 May 2015 ordered a bank to pay a user the amount of 17,390.35 euros. In this case, the victim had entered the codes and passwords on a cloned webpage pretending to be the bank’s web page. The ruling establishes that article 31 of the LSP (Act 16/2009, repealed by the current Royal Decree-Law 19/2018) sets out “a quasi-absolute liability system for the payment service provider.” In the same way, the ruling of the Badajoz Provincial Court, 2nd Section, of 7 February 2013, states “with reversal of the burden of proof, the lack of authorisation of the payment order or transfer being presumed if the customer denies it.”
Similarly, the ruling of the Albacete Provincial Court of 23 February 2016 states that “a quasi-absolute liability system for the payment service provider is established (…) because in this electronic trading framework the payment service provider must refund the amount of the deduction to its customer, who had contracted the electronic payment service, for unauthorised transactions, the lack of authorisation being presumed if the customer denies it, with the exceptions provided under article 32 of the aforementioned law: the customer has engaged in grossly negligent behaviour (a simple or minor lack of diligence is not enough) in their obligations (consisting basically of applying the customised “reasonable protection means” with which they are equipped and notifying the unauthorised payment “as soon as they become aware of it”, former art. 27) or has acted fraudulently (obviously), along with a kind of “excess” of up to 150 euros for the sole scenarios of loss or theft of the access systems (which would not even apply in the event that the theft took place after the notification or notice of the lack of authorisation to the provider entity).”
With regard to grossly negligent behaviour, there is extensive case law determining that this negligence is closer to wilful misconduct. Thus, the ruling of the Supreme Court of 30 January 2003 reviews the concept in depth, aligning it with “inexcusable lack of diligence”, “wilful misconduct statements that aim to deceive” or “breaching the duty of good faith that must govern relations.”
Moreover, the ruling of 12 March 2018 of the Alicante Provincial Court acknowledged that “in the event of loss, misplacement, theft or use by an unauthorised person, the duty of the instrument’s holder is to notify the fact without delay to the services provider, which bears, from then on, and except in cases of fraud by the holder of the means of payment, the economic consequences of the use of the payment instrument.”
In short, the responsibility of the banking entity is determined by the performance of the current account deposit agreement, under which an irregular deposit is placed, with the consequence provided in article 307.3 of the Commerce Code: since the deposited money is commingled with the depository’s estate, the depository must bear the risks arising from the duty to retain the deposit. We reach the same conclusion if we examine the matter from another angle, namely payment as a method of extinguishing obligations (articles 1156 et seq. of the Civil Code). The depository’s duty to refund the deposit to the depositor (articles 1766 CC and 306 of the Commerce Code) is extinguished by payment, but payment is only effective when it is made to the person in whose favour the obligation is constituted or to another person authorised to receive it on their behalf, as article 1162 CC states.
This is confirmed in the aforementioned ruling of 12 March 2018 of the Alicante Provincial Court, which establishes that “both in telephone and internet banking, the bank must in any case check the authenticity of the order (…) A false transfer (i.e. one where the payer is not the holder of the account) is a risk borne by the bank because, in principle, the debtor is only released upon payment to the actual creditor; therefore, if the bank executes a false order, it must reimburse the charged amounts to the corresponding account (…) Accordingly, the bank is responsible for the system security flaws that lead to the execution of payment orders not authorised by its customer, with the sole exception that the bank proves the fault or negligence of the victim.
If, in general, the bank has the obligation, according to STS 311/2016, of 12 May, of checking the authenticity of the payer’s signature, which is obvious, it is all the more relevant to do so in the online banking framework through any of the already existing systems that provide a high level of assurance, such as random keys sent by the entity directly to the user for every transaction, or the electronic signature.”
Therefore, payment of the deposit to a person other than those defined under the aforementioned provision does not extinguish the depository’s obligation to refund the deposit.
The Commercial and Corporate Law Department at Belzuz Abogados has certified professionals who can provide all the legal advice necessary in banking phishing cases.
Belzuz Abogados SLP
This publication contains general information and does not constitute a professional opinion or legal advice. © Belzuz Abogados, S.L.P., all rights reserved. The exploitation, reproduction, distribution, public communication and transformation, in whole or in part, of this work without the written authorisation of Belzuz Abogados, S.L.P. is prohibited.