Case Study
Ruling in favor of a customer victim of phishing that forces IBERCAJA BANCO, S.A. to return the stolen amount.
We inform of a favorable ruling dictated by the Court of First Instance No. 57 of Madrid resolving about a claim for damages and prejudices formulated against IBERCAJA BANCO, S.A. under the so-called Payment Services Law, by which said banking identity is ordered to compensate the client, victim of phising, for the amount of the defrauded amount, amounting in this case to 69,000 € and, in addition, to pay the legal costs.
The aforementioned amount of 69,000 € had been illegitimately stolen from the client by a third party, the affected party not having authorized any of the transfer operations by which his accounts were emptied in a matter of minutes in favor of foreign individuals and legal entities. Furthermore, our client did not provide his passwords to third parties, nor did he lose or misplace them, nor did he commit any serious negligence, imprudence or fraud that could determine his responsibility in the events that occurred, which is why it was incumbent upon IBERCAJA to reimburse his client the totality of the defrauded amounts as required by the Payment Services Law.
Read: “Banks will have to repay amounts defrauded by Phishing“
On the contrary, it was IBERCAJA who failed to comply with its security obligations in the use of electronic means of payment, since, as the lower court ruling itself acknowledges, someone executed the transactions, but it was not the customer. In addition, the client is a retired person who does not use online banking on a regular basis, much less to carry out transactions of such a high amount to third countries, all of which should have made IBERCAJA immediately suspect the fraudulent nature of the transaction and stop it immediately, which it did not do.
Therefore, and as rightly provides the Juzgadora a quo in the referred Judgment, al “correspond to the bank, according to art. 44 of RDL 19/2018, of November 23, 2018, to prove that the user of the payment service committed fraud or gross negligence in the case of unauthorized transactions” and, “as no indication of this has been proven in this case”, it is entirely reasonable that the duty to act is attributed to the entity;“with the required diligence, which is not only that provided by regulation but also that appropriate to the circumstances of persons, place and time”, being therefore the bank responsible for adopting the security or control measures necessary to prevent the types of risks that the electronic banking system entails and who, in the absence of adoption of such measures, must suffer the economic consequences of the fraud perpetrated.
You may be interested in: “Smishing, computer scam by SMS“
Particularly relevant is the reflection that the lower court judge makes on the impact that the banking online has had on consumers and society as a whole, stating that it has been precisely the bank the main beneficiary with the generalization of management systems online to the detriment of personal attention in branches “allowing them [with] their use to reduce costs by means of the system whereby it is the clients who materially carry out the operations that were previously carried out by their employees in the bank offices or branches”.Therefore, it is only fair that IBERCAJA and other banking operators should be responsible for the margin of risk that they themselves have introduced through the use of new technologies, which previously, when transactions were carried out in person, was non-existent.
Thus, we have the satisfaction of having been able to recover the money stolen by third parties from our client through the due accreditation by the legal management of the firm of the breach of the duty of vigilance that fell on IBERCAJA, achieving that this has been sentenced by court judgment to pay the affected person the 69,000 € that should never have disappeared from his bank account. And the fact is that, as pointed out by the lower court, “it is not the customers who must prevent or find out the types of risks that the electronic banking system entails”, but rather it is the entities that must bear the strict liability for the malfunctioning of the services of the same.
