We will study the possibility of claiming from the banks for the refund of the defrauded amounts when it is not possible to identify the offender.

The criminal operation is as follows: offenders infect a company’s server by accessing its invoice and customer data. They then send the real invoices to the company to which their payment corresponds, from a simulated email account and providing a bank account where the payment is made that does not really belong to the supplier but to the fraudster. The company subject to fraud pays the amount of that actual invoice to the fraudster’s bank account under the belief that it is paying its supplier.

Without a doubt we are facing the commission of a crime of fraud that allows us to initiate criminal proceedings against the offender. However, it is sometimes difficult to obtain the identity of the fraudster and to recover the amounts paid through deception. That is why we are going to study below the possibility of claiming the return of the amounts from the bank that operated the transfer. We will see how this responsibility can be determined when the banking entities do not collaborate sufficiently with the defrauded company, facilitating the identification of the holder of the bank account where the illegal payment was made. It is understood that the bank cannot serve as an obstacle and favor the offender.

[fusion_highlight color=”rgba(0,144,142,0.3)” rounded=”no” class=”” id=””]You may be interested in: “Digital scams: Bank’s responsibility for Phishing”

First of all we will explain how the responsibility of banking entities in cases such as the one contemplated does not operate in any case. Secondly, we will discuss formulas to provoke the declaration of responsibility when the banking entities do not provide the requested information.

Responsibility of the banking entities in the fraud committed

The Payment Services Law (RDL 19/2018) determines that the bank will not be responsible when the transfer has been made to the account number identified by the user (art. . 59.1), even when the beneficiary indicated in the transfer does not coincide with the true owner of the account (art. 59.3).

Article 59 Incorrect unique identifiers

1. When a payment order is executed according to the unique identifier, it will be considered correctly executed in relation to the beneficiary specified in said identifier.

2. If the unique identifier provided by the payment service user is incorrect, the provider shall not be liable, in accordance with article 60, for the non-execution or defective execution of the payment transaction.

However, the payer’s payment service provider will make reasonable efforts to recover the funds from the payment transaction. The payee’s payment service provider will cooperate in these efforts by also communicating to the payer’s payment service provider all relevant information for the collection of funds.

In the event that it is not possible to recover the funds in accordance with the first subparagraph, the payer’s payment service provider shall provide the payer, upon written request, with all the information available to it that is relevant for the payer to file a legal claim in order to recover the funds.

If so agreed in the framework contract, the provider may charge the user of the payment service for the recovery of funds.

3. When the user of payment services provides additional information to that required by his provider for the correct initiation or execution of payment orders, the payment service provider will only be responsible, for the purposes of its correct execution, of the execution of payment transactions according to the unique identifier provided by the user of payment services.

In banking terms, the IBAN is known as a “unique identifier”, as described in art. 3 of that same law and his ownBank of Spain on its website.

Case law

The jurisprudence has ruled with this same criteria. The judgment of the Provincial Court of Zaragoza of March 25, 2019 studied a matter identical to the one analyzed in this case, where the user reproached the bank for its negligent action for not verifying that the holder of the bank account did not coincide with the beneficiary of the same. The sentence resolved considering that the transfer was made in accordance with the unique identifier (IBAN), being exonerated from responsibility:

“In our case, in accordance with the aforementioned precept, we agree that the payment order was executed in accordance with the unique identifier (IBAN). In accordance with number 3 of the aforementioned precept, the payment service provider is only responsible for the execution of operations in accordance with the unique identifier, even if additional information is provided.”

This thesis is reinforced by the 2016 Bank of Spain Claims Report, on page 250 of which it refers to article 44 LSP in force on that date (The The previous LSP included in its article 44 a text equivalent to that of article 59 of RDL 19/2018) that:

“in File NUM002, no banking malpractice was detected for the payment of a transfer by the Tax Agency that was paid to the account corresponding to the unique identifier that the payer had indicated, although the beneficiary of the transfer was not matched with the account holder“.

Page 254 of the Report says:

“As regards errors committed in the execution of payment orders initiated by the payer, the LSP establishes, in article 45.1, the applicable liability regime: when a payment order is made in According to the unique identifier (IBAN) entered by the payer, it will be considered correctly executed. Until February 1, 2016, additionally, the BIC could be required, a code that identifies the entity of the transfer beneficiary. It is important to remember in At this point, the transfer is directed to an IBAN number automatically, without further verification by the payment service providers, nor by the payer, nor by the beneficiary. Likewise, it should be remembered that the other data entered in the transfer order ( among them, the concept consigned in this) are messages destined to the beneficiary of the funds, and not to the entity. Therefore, if the payer intends to allocate payment or issue an instruction for the beneficiary entity regarding the transferred funds, he must send said entity a communication unrelated to the same transfer order and outside the automatic interbank clearing channel, by physical mail, electronic mail or in person, not serving as an instruction the data entered in the “concept” field of the transfer for these purposes“.