Digital scams: Paying invoices to the fraudster pretending to be a real supplier
In this article we analyze a case that is being defended by our firm due to the high number of frauds committed over the Internet against companies in recent times< /strong>, according to which the offender deceives the defrauded party into issuing a bank transfer under the belief that he is paying an invoice to a supplier.
We will study the possibility of claiming from the banks for the refund of the defrauded amounts when it is not possible to identify the offender.
The criminal operation is as follows: offenders infect a company’s server by accessing its invoice and customer data. They then send the real invoices to the company to which their payment corresponds, from a simulated email account and providing a bank account where the payment is made that does not really belong to the supplier but to the fraudster. The company subject to fraud pays the amount of that actual invoice to the fraudster’s bank account under the belief that it is paying its supplier.
Without a doubt we are facing the commission of a crime of fraud that allows us to initiate criminal proceedings against the offender. However, it is sometimes difficult to obtain the identity of the fraudster and to recover the amounts paid through deception. That is why we are going to study below the possibility of claiming the return of the amounts from the bank that operated the transfer. We will see how this responsibility can be determined when the banking entities do not collaborate sufficiently with the defrauded company, facilitating the identification of the holder of the bank account where the illegal payment was made. It is understood that the bank cannot serve as an obstacle and favor the offender.
[fusion_highlight color=”rgba(0,144,142,0.3)” rounded=”no” class=”” id=””]You may be interested in: “Digital scams: Bank’s responsibility for Phishing”
First of all we will explain how the responsibility of banking entities in cases such as the one contemplated does not operate in any case. Secondly, we will discuss formulas to provoke the declaration of responsibility when the banking entities do not provide the requested information.
Responsibility of the banking entities in the fraud committed
The Payment Services Law (RDL 19/2018) determines that the bank will not be responsible when the transfer has been made to the account number identified by the user (art. . 59.1), even when the beneficiary indicated in the transfer does not coincide with the true owner of the account (art. 59.3).
Article 59 Incorrect unique identifiers
1. When a payment order is executed according to the unique identifier, it will be considered correctly executed in relation to the beneficiary specified in said identifier.
2. If the unique identifier provided by the payment service user is incorrect, the provider shall not be liable, in accordance with article 60, for the non-execution or defective execution of the payment transaction.
However, the payer’s payment service provider will make reasonable efforts to recover the funds from the payment transaction. The payee’s payment service provider will cooperate in these efforts by also communicating to the payer’s payment service provider all relevant information for the collection of funds.
In the event that it is not possible to recover the funds in accordance with the first subparagraph, the payer’s payment service provider shall provide the payer, upon written request, with all the information available to it that is relevant for the payer to file a legal claim in order to recover the funds.
If so agreed in the framework contract, the provider may charge the user of the payment service for the recovery of funds.
3. When the user of payment services provides additional information to that required by his provider for the correct initiation or execution of payment orders, the payment service provider will only be responsible, for the purposes of its correct execution, of the execution of payment transactions according to the unique identifier provided by the user of payment services.
In banking terms, the IBAN is known as a “unique identifier”, as described in art. 3 of that same law and his ownBank of Spain on its website.
The jurisprudence has ruled with this same criteria. The judgment of the Provincial Court of Zaragoza of March 25, 2019 studied a matter identical to the one analyzed in this case, where the user reproached the bank for its negligent action for not verifying that the holder of the bank account did not coincide with the beneficiary of the same. The sentence resolved considering that the transfer was made in accordance with the unique identifier (IBAN), being exonerated from responsibility:
“In our case, in accordance with the aforementioned precept, we agree that the payment order was executed in accordance with the unique identifier (IBAN). In accordance with number 3 of the aforementioned precept, the payment service provider is only responsible for the execution of operations in accordance with the unique identifier, even if additional information is provided.”
This thesis is reinforced by the 2016 Bank of Spain Claims Report, on page 250 of which it refers to article 44 LSP in force on that date (The The previous LSP included in its article 44 a text equivalent to that of article 59 of RDL 19/2018) that:
“in File NUM002, no banking malpractice was detected for the payment of a transfer by the Tax Agency that was paid to the account corresponding to the unique identifier that the payer had indicated, although the beneficiary of the transfer was not matched with the account holder“.
Page 254 of the Report says:
“As regards errors committed in the execution of payment orders initiated by the payer, the LSP establishes, in article 45.1, the applicable liability regime: when a payment order is made in According to the unique identifier (IBAN) entered by the payer, it will be considered correctly executed. Until February 1, 2016, additionally, the BIC could be required, a code that identifies the entity of the transfer beneficiary. It is important to remember in At this point, the transfer is directed to an IBAN number automatically, without further verification by the payment service providers, nor by the payer, nor by the beneficiary. Likewise, it should be remembered that the other data entered in the transfer order ( among them, the concept consigned in this) are messages destined to the beneficiary of the funds, and not to the entity. Therefore, if the payer intends to allocate payment or issue an instruction for the beneficiary entity regarding the transferred funds, he must send said entity a communication unrelated to the same transfer order and outside the automatic interbank clearing channel, by physical mail, electronic mail or in person, not serving as an instruction the data entered in the “concept” field of the transfer for these purposes em>“.
Based on this regulation, the interpretation of it made in the Bank of Spain Report and localized jurisprudence, we conclude that it would be difficult to obtain an approving ruling in a legal claim before the bank involved.
[fusion_highlight color=”rgba(0,144,142,0.3)” rounded=”no” class=”” id=””]You may be interested in: “Types of works protectable as intellectual property”
Liability of banking entities for denial of information
As we saw in the previous section, the payment service provider is obliged to cooperate with the user when the identification of the bank account number is incorrect or does not match the ownership of who should be the true beneficiary.
Specifically the art. 59.2 LSP previously reproduced indicates that the bank should provide the payer with all the information available to facilitate the corresponding legal claim:
The payee’s payment service provider will cooperate in these efforts by also communicating to the payer’s payment service provider all relevant information for the collection of funds.
In the event that it is not possible to recover the funds in accordance with the first subparagraph, the payer’s payment service provider shall provide the payer, upon written request, with all the information in its possession that is relevant for the payer files a legal claim in order to recover the funds.
Any legal claim requires identification of the debtor or offender, so we interpret this provision as an exception to the general data protection regime that protects the bank to not provide data of account holders.
Following the provisions of the aforementioned art. 59.2 LSP, the bank that does not provide the identification of the beneficiary in an incorrect transfer order could incur liability against the payer, to the extent that its behavior would be an obstacle to making the legal claim that appropriate.
Therefore, we recommend preparing a letter addressed to the bank requesting all the information in its possession about the person responsible for the fraud, warning of liability in case of responding to the request. In case of refusal by the bank, it would be possible to determine its responsibility for breach of a legal provision, opening the way to claim the return of the defrauded amounts.
- In our opinion, there are no legal and jurisprudential grounds to claim the return of the amounts from the banking entities that provide the service, even if the account number and beneficiaries indicated in the payment order do not match. In this case, the interpretation made by our most authoritative doctrine on other matters of “phishing” would not be applicable, where the law allows holding the bank responsible when it is the fraudster who intercepts the bank passwords of the victim and accesses their accounts to issue payment orders.
- The banking entities that provide the service could incur liability if they do not provide the information in their possession to be able to identify the account holder who is the beneficiary of the payment order.
- We recommend requesting that the bank send sufficient information to identify the person responsible for the scam committed, warning of their responsibility in case of not meeting the requirement.
- Although in this study we only analyzed the responsibility of the bank against this type of bank transfers made under deceit, there is no doubt that it is possible to study the responsibility of the provider whose data was seized by the fraudster.
It may interest you: “Cybercrime and abuse in criminal investigation”