Burden of proof, user negligence and the European configuration of the liability regime

The rise in digital fraud and, in particular, banking phishing has profoundly altered the landscape of financial institutions’ liability. We are no longer dealing with rudimentary scams. Contemporary phishing attacks combine emails, SMS messages and web pages that are almost indistinguishable from legitimate ones. The outcome is clear: more fraud and, consequently, more litigation.

However, the real debate goes beyond identifying who should bear the loss. The key issue lies in how risk is allocated and, above all, how that liability is constructed in legal terms. This is where Royal Decree-Law 19/2018 and Directive (EU) 2015/2366 come into play. Their interpretation by the courts has produced a distinctive model: not formally one of strict liability, but closely resembling it, with a clear pro-consumer orientation.

Risk allocation in payment services: an imbalanced distribution in practice

The system is based on a division of responsibilities which, on paper, appears balanced. In practice, this is not always the case.

On the one hand, the financial institution must ensure that the payment system is secure. This is no minor obligation. On the other hand, the user has a duty to safeguard their credentials with due care.

That said, when an unauthorised transaction occurs, the general rule is unequivocal: the bank must refund the amount. It may only avoid doing so if it proves something further. Specifically, either that the customer acted fraudulently or that they were grossly negligent.

In other words: restitution is the rule; exoneration is the exception.

Supreme Court doctrine on banking phishing: authentication is not consent

In cases involving banking phishing, Supreme Court case law introduces a decisive nuance that shifts the analytical framework.

The mere use of correct credentials does not, in itself, imply that the customer authorised the transaction. While this may seem self-evident, it was not always treated as such. Nor is it sufficient to demonstrate that the authentication system functioned properly. Technical authentication does not equate to actual authorisation.

This requires financial institutions to go a step further: it is not enough to defend the robustness of their systems; they must prove that the customer genuinely authorised the transaction. This is a stringent evidential requirement and, in many cases, difficult to satisfy.

Burden of proof in banking phishing: the core of the dispute

In phishing cases, the burden of proof lies, in essence, with the financial institution. The bank must establish three elements: that the transaction was correctly authenticated, that the system was functioning without fault, and that there was fraud or gross negligence on the part of the customer.

By contrast, the user occupies a more favourable procedural position. They are not required to prove fraud in the strict sense; it is sufficient for them to deny having authorised the transaction.

The practical effect is clear: there is, in substance, a reversal of the burden of proof.

Gross negligence of the user in phishing: a restrictive judicial interpretation

One of the most contested issues is that of gross negligence. When does it truly arise?

The courts have adopted a restrictive interpretation. Not every mistake or lapse by the user is sufficient.

To establish gross negligence, something more is required: clearly imprudent conduct, an obvious disregard of warning signs of fraud, or a serious breach of the duty of care. This threshold is not easily met.

Moreover, the reality of modern phishing must be taken into account. These scams are increasingly sophisticated, credible and difficult to detect. For this reason, courts frequently rule out the existence of gross negligence on the part of the user.

Enhanced duty of care of financial institutions in the face of digital fraud

In the context of phishing attacks, the legal framework does not merely require banks to have security measures in place. It requires those measures to be effective.

This entails several obligations: implementing appropriate tools, but also monitoring transactions, analysing them, and identifying anomalous behaviour. It is not only about prevention; it is about timely response.

Where indicators of fraud arise (unusual movements, repeated transactions within a short period) and the institution fails to act, the issue ceases to be attributable to the customer and instead constitutes a failure in the provision of the service.

A quasi-strict liability regime in digital banking

When the various elements of the legal framework governing banking phishing are considered as a whole, the result is revealing.

The obligation to refund, the enhanced evidential burden placed on banks, and the restrictive interpretation of customer negligence together outline a model that closely approximates strict liability. While not formally categorised as such, in practice it operates in a similar manner.

Ultimately, the risk of fraud is shifted towards the financial institution, which assumes the role of guarantor of the payment system.

Conclusion: banks as guarantors of the system in phishing cases

The legal regime governing banking phishing, built upon Directive (EU) 2015/2366 and Royal Decree-Law 19/2018, has resulted in a system in which financial institutions occupy a central position. They do not merely operate the system: they are accountable for it.

Supreme Court case law has consolidated this approach, strengthening user protection and placing the evidential burden squarely on the bank.

Although it cannot be described as strict liability in the strict sense, the model reflects a risk-based liability framework in which restitution is the rule and the bank’s exoneration remains the exception.

FAQ: Frequently asked questions on banking phishing and liability

What happens if I am the victim of an unauthorised phishing transaction?

The general rule is that the bank must refund the amount. It may only refuse if it proves that you acted fraudulently or with gross negligence. Restitution is the rule; exoneration is the exception.

Is it sufficient for the bank to prove that its authentication system functioned correctly?

No. The Supreme Court has made it clear that technical authentication does not equate to actual authorisation. The bank must prove that you genuinely authorised the transaction, not merely that correct credentials were used.

Who must prove what in a banking phishing case?

The burden of proof lies with the financial institution. The bank must demonstrate that the transaction was correctly authenticated, that the system was functioning properly, and that there was fraud or gross negligence on your part. The user need only deny having authorised the transaction.

When is a user considered to have acted with gross negligence?

Courts apply a restrictive interpretation. Not every error suffices. There must be clearly imprudent conduct or an obvious failure to heed signs of fraud. Given the sophistication of modern attacks, courts often rule out gross negligence on the part of the user.

What obligations does the bank have beyond implementing security measures?

The bank must not only implement security systems but also monitor transactions, detect anomalous behaviour and respond promptly. If indicators of fraud exist and the institution fails to act, this constitutes a failure in service provision rather than a customer issue.

Which regulations govern this liability?

The legal framework is based on Directive (EU) 2015/2366 and Royal Decree-Law 19/2018. Their interpretation by Spanish courts has established a liability regime closely aligned with strict liability, in which the bank acts as guarantor of the payment system.
