Bank liability in unauthorised online payment transactions
Royal Decree-Law 19/2018, of 23 November, on payment services, in force since 25 November 2018, provides in Article 45, concerning bank liability in the event of unauthorised payment transactions, as follows in its first paragraph:
“…where an unauthorised payment transaction is executed, the payer’s payment service provider shall refund the amount of the unauthorised transaction immediately and, in any event, no later than the end of the following business day after having become aware of or being notified of the transaction, unless the payer’s payment service provider has reasonable grounds to suspect fraud and communicates those grounds in writing to the Bank of Spain, in the manner and within the time limits established by it. Where appropriate, the payer’s payment service provider shall restore the debited payment account to the state in which it would have been had the unauthorised transaction not taken place…”.
Bank liability in case law: approach of the Provincial Court
The Judgment of the Provincial Court of Alicante of 12 March 2018 held that:
“…the liability of the provider of online banking services is risk-based and, consequently, it is incumbent upon the institution by law to prove that the transaction ordered was authentic and was not affected by a technical failure or by any other deficiency, such as, for example, a fraudulent cyberattack on the banking system that may have enabled access to customers’ accounts and the unlawful disposal of funds therefrom by initiating transactions to their detriment… Security measures are not only intended to protect the integrity of payment orders issued by customers, but their effectiveness also exempts credit institutions from liability in respect of payment orders not issued by their customers, such that failure to comply with this specific duty of supervision gives rise to liability for ‘culpa in vigilando’ (failure of supervision) or strict liability arising from the malfunctioning of online banking services.”.
Nature of bank liability in cases of online fraud
Accordingly, bank liability in respect of online banking services may be regarded as quasi-strict in nature, stemming from the requirement imposed on the provider to adopt appropriate and continuously updated security measures against evolving forms of cyber fraud.
Thus, unless gross negligence on the part of the online banking user can be established, the financial institution must bear liability for reimbursing amounts fraudulently obtained.
Do you need advice? Access our area related to bank liability:
