Bank liability in phishing cases.

Royal Decree Law 19/2018 of the 23th  of November 2018 on payment services, in force since the 25th of November 2018, in its Article 45, concerning the payment service provider’s liability in the event of unauthorised payment transactions, states the following in its first point: “… in the event that an unauthorised payment transaction is executed, the payer’s payment service provider shall immediately refund to the payer the amount of the unauthorised transaction or, at the latest, at  the end of the following business day on which the transaction was notified, except when the payer’s payment service provider has reasonable grounds to suspect the existence of fraud and does a written communication on those grounds  to the Bank of Spain. It will be made in the form, content and within the deadlines that the Bank determines. Where appropriate, the payer’s payment service provider shall restore the payment account to which the debit was made to the state, where it would have been found if the unauthorised transaction had not taken place…”.

The Judgment of the Provincial Court of Alicante of the 12th of March 2018 established that: “…the online banking services provider’s liability is risky. Consequently, the law establishes that entity should prove that the ordered transaction was authentic and that it was not affected by a technical failure or by another deficiency. Such as a fraudulent computer attack on the banking system that would have allowed access to the customers’ accounts and unlawfully disposed them ordering operations.

The security measures are not only intended to protect the payment security orders issued by customers, their effectiveness exonerates credit institutions from their responsibilities against payment orders not issued by their customers, in such a way that failure to comply with this specific vigilance duty rises to liability for “culpa in vigilando” or strict liability for the malfunctioning of electronic banking services. “.

Therefore, we can consider the online banking service owner’s liability to be almost objective in nature, derived from the requirement for the entity owning the online service to adopt necessary and renewable security measures against different forms of computer fraud, in such a way that, unless serious negligence by the electronic banking user is proven, the financial entity must be liable for the amounts reimbursement that have been obtained fraudulently.


Sebastián Crespo

Partner and lawyer in charge of the Litigation area at Devesa y Calvo Abogados

Rate this post
← Go back to blog