Friday, 21 February 2020

Banking operations – Dangers of new technologies?

The Litigation and Arbitration Law Department of Belzuz Abogados S.L.P. – Sucursal em Portugal has faced a growing number of queries from aggrieved parties, in particular regarding transactions involving banks; the complexity of such operations, the usual involvement of several stakeholders and the use of more or less sophisticated technical means of digital communication are all factors that make incidents in this field possible.

The question arises acutely about home banking, i.e. the simple act of performing banking operations via the Internet without having to go to a bank or ATM.

Associated with home banking is computer fraud, through which third parties take hold, abusively or without authorisation and for their own benefit, of amounts deposited in an account by accessing the customer's personalised security credentials or by corrupting or subverting the computer systems used.

The most common forms of computer fraud are “phishing” and “pharming”, and all of them raise the question of who bears responsibility for the fraudulent handling of the victim’s bank account over the Internet.

“Phishing”, as defined by the Supreme Court of Justice, “involves digital fraud achieved through attempts to acquire personal data, e.g., by sending e-mails allegedly from the recipient’s bank and requesting confidential data such as account or contract number, VAT number or any other personal information, so that the recipient, by opening them and providing the requested information by clicking on to links to other pages (...) enables the theft of bank information and subsequent use thereof by the issuer of such requests and/or messages”.

In turn, “pharming” is a more sophisticated phishing attack, which “corrupts” the very domain name, redirecting the user to a fake site, wholly similar to the actual one, whenever they type the correct address.

The user is taken to the fake site, even if they correctly enter the address of the site they intended to visit, and no e-mail is sent with misleading messages.

Finally, “CEO Fraud” is a computer scheme in which the perpetrator, having illegally accessed the e-mail account of a company manager (or of other employees), or using a false e-mail address in their name, sends one or more false e-mail messages to recipients with whom the victims had commercial relationships, inducing them by mistake to carry out bank transfers to recipients chosen by the perpetrators, without the knowledge of the legitimate beneficiaries of the operations, and causing high financial losses.

Companies with foreign suppliers are often targeted with this tactic, in which the attackers pretend to be suppliers requesting transfers of funds for payments to an account belonging to the attackers.
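As an added illustration (not part of the original article, and not code from Belzuz Abogados), the following Python script applies the kind of checks a receiving company's mail filter or accounts-payable team could use to flag the impersonation pattern described above: a supplier look-alike domain, a Reply-To address on a different domain from the visible sender, an executive's display name on an outside address, and a request to change bank details or an IBAN that differs from the one on file. All supplier, executive and message data below are constructed for the example.

```python
"""Heuristic checks for supplier/executive impersonation ("CEO fraud")
payment requests. Added example with constructed data; not the firm's code."""
import re
from dataclasses import dataclass

# Constructed supplier register: e-mail domain on file -> IBAN on file.
KNOWN_SUPPLIERS = {
    "acme-parts.example": "PT50000201231234567890154",
}

# Constructed directory of executives whose names an impersonator might use.
EXECUTIVES = {
    "maria silva": "maria.silva@victim.example",
}

# Phrases typical of a request to redirect payment (constructed list).
CHANGE_PHRASES = ("bank account has changed", "new iban",
                  "new bank details", "updated account")

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


@dataclass
class Message:
    from_name: str
    from_addr: str
    reply_to: str
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_supplier(dom: str):
    """Return (supplier_domain, distance) for the closest supplier domain on file."""
    best = min(KNOWN_SUPPLIERS, key=lambda d: edit_distance(dom, d))
    return best, edit_distance(dom, best)


def flag_message(msg: Message) -> list:
    """Return a list of textual flags; an empty list means nothing suspicious."""
    flags = []
    sender_dom = domain_of(msg.from_addr)

    # 1. Look-alike supplier domain: close to one on file but not identical.
    supplier, dist = nearest_supplier(sender_dom)
    if 0 < dist <= 2:
        flags.append(f"lookalike-domain:{sender_dom}~{supplier}")

    # 2. Reply-To pointing at a different domain than the visible sender.
    if msg.reply_to and domain_of(msg.reply_to) != sender_dom:
        flags.append("reply-to-mismatch")

    # 3. Executive display name on an address that is not the executive's.
    expected = EXECUTIVES.get(msg.from_name.strip().lower())
    if expected and msg.from_addr.lower() != expected:
        flags.append("executive-name-spoof")

    # 4. Payment-redirection language, or an IBAN that differs from the one on file.
    low = msg.body.lower()
    if any(p in low for p in CHANGE_PHRASES):
        flags.append("bank-details-change-request")
    on_file = KNOWN_SUPPLIERS.get(supplier) if dist <= 2 else None
    for iban in IBAN_RE.findall(msg.body):
        if on_file and iban != on_file:
            flags.append(f"iban-mismatch:{iban}")
    return flags


# Constructed sample messages: one legitimate invoice and two impersonations.
SAMPLES = {
    "legit-invoice": Message("Acme Parts Billing", "billing@acme-parts.example",
                             "billing@acme-parts.example",
                             "Invoice 1234 attached; please pay to "
                             "PT50000201231234567890154 as usual."),
    "fake-supplier": Message("Acme Parts Billing", "billing@acrne-parts.example",
                             "billing@acrne-parts.example",
                             "Our bank account has changed. New IBAN: "
                             "PT50000201239876543210198. Please update before paying."),
    "fake-executive": Message("Maria Silva", "maria.silva@mail-example.test",
                              "m.silva.ceo@other.example",
                              "I need an urgent transfer to a new supplier today, "
                              "keep this confidential."),
}


def triage() -> dict:
    """Run the checks over every sample and return name -> flags."""
    return {name: flag_message(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage().items():
        print(f"{name}: {flags or 'no flags'}")
```

The checks are deliberately simple so that each flag maps to one of the behaviours the article describes; in practice a beneficiary-change request would be confirmed out of band (a call to a number already on file, not one taken from the e-mail) before any payment instruction is altered.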

The truth is that in the most frequent cases of phishing or pharming, with no international transfers, case-law has come to hold that the risks of failure of the computer system used, as well as those of attacks by other Internet users, are to be borne by the bank under article 796 of the Civil Code, provided that the customer/user is not proven to be at fault.

Note should also be taken of the so-called “Legal Framework for Payment and Digital Currency Services” (DL 317/2009, as amended by Decree 242/2012 and DL 157/2014), which transposed into the internal legal order Directive no. 2007/64/EC of the European Parliament and the Council; it lays down a set of reciprocal obligations between the payment service provider and the user of such services and also regulates, in articles 67 to 72, liability for unauthorised payment transactions.

Under the aforementioned law, liability for unauthorised payment transactions belongs, in principle, to the payment service provider (article 71), and to the customer in the cases provided for in article 72 (1-3), particularly in the event of gross negligence of the customer.

Said legal framework also makes clear that it is the financial institution that bears the burden of proving that the unauthorised payment transaction was not caused by any technical malfunction or other deficiency, and it must also demonstrate that there was fault on the part of the customer/user in using the available services which contributed to the damage caused.

So, even though each case requires individual and detailed analysis, in general, the bank is only exempted when it can prove dereliction of duties of care by the user (for example, when there is disclosure to a third party, although supposedly in trust, of the data entered in the matrix card).

A more complex issue arises in a situation of “CEO Fraud”, increasingly frequent in Portugal and occurring primarily in the case of international bank transfers.

These operations involve, in addition to the originator and the beneficiary, a bank issuing the transfer order (issuing bank) and a bank that receives it (beneficiary bank), located in different countries, so there is a possibility that liability of the latter will be established, creating the obligation to compensate the damaged party when involved in the scam.

This matter is governed by Regulations (EU) no. 260/12 of the European Parliament and the Council of May 14th, 2012, as amended by Regulation (EU) no. 248/2014 of February 26th, 2014 in respect of transfers made within the European Union, and Regulation (EU) no. 2015/847 of the European Parliament and of the Council of May 20th, 2015, which regulates the information that must be provided in transfers of funds, also outside the European Union, which has as its corollary the prevention of the crime of money laundering.

Under the EU Regulations, the beneficiary’s bank shall implement effective procedures, including, where appropriate, retrospective or real-time monitoring, to detect whether information on the payer or the beneficiary is missing, incomplete or contradictory.

Where a transfer of funds exceeds € 1,000, before crediting the beneficiary’s account or making the funds available to them, the bank must verify the accuracy of the information on the beneficiary on the basis of documents, data or information obtained from reliable and independent sources.

European standards only require indication of the payer’s and the beneficiary’s IBAN for transfers made in Europe.

For transfers of funds where the payer bank is established outside the European Union, the following information, in particular, must be confirmed: name of the beneficiary and number of payment account.

In Portugal, Law no. 83/2017, of August 18th establishes preventive and repressive measures to combat money laundering and terrorist financing and, to this extent, also implements the measures required for the effectiveness of Regulation no. 2015/847.

Regarding the duty to verify the accuracy of information relating to the beneficiary, this legislation clarifies that it is deemed fulfilled if:

- the client’s identity has been checked or updated in accordance with the duty of identification and diligence described in the text, which consists of registration of individual or legal person identification data in detail and based on valid identification documents;

- the information obtained is protected according to the procedure set forth therein, which involves the preservation of copies and records of the documents provided by the customer or other at the time of identification, as well as documentation from the process or files relating to customers and their accounts, including business mail sent.

Finally, as regards bank liability for keeping fraudulent accounts active, one should bear in mind that banking institutions have alerts set up to detect, among other things, indicators of suspected money laundering and terrorist financing; such alerts are triggered only when the suspected conduct actually occurs, whether the execution of a banking operation, a long period of inactivity, the accumulation of a large number of bank accounts, or other conduct identified as such.

In short, contrary to what happens in the most common cases of “phishing,” in situations of “CEO Fraud” bank responsibility is more difficult to attribute.

Teresa Lopes Ferreira

Litigation and Arbitration Law Department | Portugal


Belzuz Abogados SLP

This publication contains information of a general nature and does not constitute professional opinion or legal advice. © Belzuz Abogados, S.L.P., all rights reserved. The exploitation, reproduction, distribution, public communication and total or partial transformation of this work are prohibited without the written authorisation of Belzuz Abogados, S.L.P.

Madrid

Belzuz Abogados - Madrid office

Nuñez de Balboa 115 bis 1

28006 Madrid

+34 91 562 50 76

+34 91 562 45 40


Lisboa

Belzuz Abogados - Lisbon office

Av. Duque d´Ávila, 141 – 1º Dtº

1050-081 Lisboa

+351 21 324 05 30

+351 21 347 84 52


Oporto

Belzuz Abogados - Porto office

Rua Julio Dinis 204, Off 314

4050-318 Oporto

+351 22 938 94 52

+351 22 938 94 54
