Fraud, phishing and duties of the bank

Natália Garcia Alves
SRS Legal, Lisbon
natalia.alves@srslegal.pt

Technological progress has brought greater convenience to customers, as they can now carry out their banking transactions online, without the need to visit their branch. This has also been favourable to the banks, as they have been able to reduce their service costs, both in terms of premises and staff. The implementation and expansion of electronic means of communication, which are usually considered reliable, require security mechanisms subject to constant monitoring and updating because the platforms on which they are located are vulnerable to attacks aimed at illegitimately accessing the customer's bank account in order to misappropriate their funds.

Home banking is a service provided by a bank through which it gives its customers the ability to carry out banking operations via the internet and telephone, including through the provision of consultation services, payments, subscription to financial products and transfers. In doing so the bank must ensure that in all activities carried out, it maintains high levels of technical competence among its staff, to ensure that the business operates with the appropriate human and material resources to provide quality and efficient services to its customers.

On the one hand, since home banking is a service provided to the customer by the bank, the bank must ensure that its systems are secure and that the customer can trust it; on the other hand, the customer must ensure that they use home banking services in accordance with the security rules communicated to them by the bank, in addition to observing general internet security practices. For example, by ensuring that they do not disclose secure access codes and passwords.

The democratisation of this type of banking service led to the publishing of EU Directive 2015/2366, which was transposed into Portuguese law by Decree-Law 91/2018 of 12 November and replaced the former Decree-Law 317/2009 of 30 October.

Over time, more and more customers have filed judicial actions demanding that banks are held responsible, in cases where money transfers are ordered by fraudsters and not the ‘real’ customer.

In Portugal, two common fraudulent schemes include: (i) the phishing of customers’ data on home banking platforms; and (ii) the hacking of customers’ e-mail addresses.

The Portuguese Supreme Court of Justice has recently handed down two key decisions regarding these two kinds of fraud.

On 12 December 2023[1], the Supreme Court decided that it is the bank’s responsibility to repay the losses suffered, as a result of fulfilling payment operations that were not performed or authorised by the user of the home banking service, but instead by a fraudulent third party. However, the Court found that no liability is attributed to the bank if the bank can demonstrate the existence of fraud, wilful misconduct or gross negligence on the part of the customer.

According to the judgment, it does not constitute gross negligence for a customer of a home banking service:

• to try to update the service in response to a request made by text message;
• where that text message appears to have been sent from the bank providing the service;
• to access a website mentioned within that text message, which is in all respects the same as the official page of the bank’s service; and
• to provide their account number, PIN and credit card number,in order to re-activate a service that was inactive, as the bank had previously informed the customer on two occasions.

In fact, the provision of data by the customer can only be considered reprehensible and exempt the bank from liability, if it is voluntarily provided by the customer in deliberate and reckless disregard of the duties to which the customer was bound.

Gross negligence constitutes an inexcusable fault in failing to meet the duties to which one is obliged. The Court determined that gross negligence did not occur when the customer with the attention that is required, and of which the customer was capable of exercising in the circumstances of the case, was unable to recognise the complex electronic tricks used by third parties who posed with apparent credibility as the bank. This being particularly so in these circumstances where the fraudsters requested a solution to a problem that the bank had on two previous occasions informed the customer should be resolved.

As such, the Supreme Court decided in favour of the customer (the plaintiff to the action), holding that:

‘Such gross negligence cannot be ruled out if access to the link, which was provided by text message and which was presented as having been sent by the bank, with the elements provided therein by the injured party, did not in itself allow any account movement operation, which would have required confirmation by a text message code, which the third parties only accessed the following day and via duplicates of the injured party's mobile phone card, without the customer realising that she was providing or had provided any of the elements necessary to obtain it.’

The second key decision of the Portuguese Supreme Court of Justice dated 2 May 2024, relates to a case where the e-mail account held by the bank’s customer was hacked, a falsified new e-mail address was created, and through it the fraudsters demanded that the bank transfer the genuine customer’s funds in order to misappropriate them.[2]

In this case the bank and customer had previously agreed that whenever there was a need to make a transfer from the customer’s account, the customer or his representative would send an e-mail to the account manager at the bank requesting a payment order. This e-mail would always be accompanied by a transfer request signed by the customer. Here, the transfer orders and instructions attached to the e-mails sent by the fraudsters had also been falsified by digital tampering.

As a starting point in these circumstances, the bank is presumed to be at fault. In order to exclude its liability, the bank must prove that the customer was at fault, that the bank had acted in a diligent and non-reprehensible manner, and that it was not required to act otherwise in accordance with its duties.

Accordingly, the bank must check that the e-mail (containing the transfer instruction) comes from its customer and cannot claim to seek to exclude liability, that it was difficult for it to recognise (given the similarity between the e-mail addresses) that it was not the e-mail address known and regularly used by the customer.

There is no doubt that while communication via e-mail does not offer the same security as communication through a bank's own platform, responsibility for the security of the customer’s e-mail account cannot be passed to the bank. However, these circumstances cannot be ignored by the bank when it expressly agrees to receive instructions to carry out banking operations via e-mail.

Further, since a bank cannot be unaware of the existence of this type of fraud, it remains part of its duty of information, as an ancillary duty to the permanent and lasting contractual relationship with its customers, to warn them of the existence of this type of fraud and of the need to maintain effective e-mail security systems. The diligence required of a bank is not only that of a bonus pater familiae but that of a qualified professional with the technical and human resources especially suited to banking activity, which is guided by the principles of banking competence, banking security and banking abstraction.

All considered, the Supreme Court decided that the bank was not diligent enough, that it did not comply with its duty to verify and check the origin of the e-mails and transfer orders received, and thus did not prove (as was mandatory) that the customer had in fact authorised it to proceed with the transfer orders.

Notwithstanding this, given that the fraud originated from the interference of third parties in the customer’s own e-mail communications, the Supreme Court also decided that the customer partially contributed to the ‘damaging result’, as he was responsible for properly guarding access to his e-mails and/or for ensuring that an effective security system was in place.

The Supreme Court therefore decided that both parties – the customer and the bank (the plaintiff and defendant, respectively) – were responsible for the damages suffered by the customer and should share in the responsibility, although in different proportions.

While in the first case the Portuguese Supreme Court of Justice decided that there was no gross negligence on the part of the customer and that liability rested wholly with the bank, the verdict of May 2024 decided that the customer was also partly responsible for the ‘damaging result’. This was a novel decision of the Portuguese courts and in my opinion, without ignoring the bank’s general duties as mentioned above nor undermining the trust that customers place in banks, it should be pondered whether customers (particularly corporates as opposed to consumers) should now also be held accountable for maintaining online security systems to protect the users of online banking platforms, as well as the use of e-mail correspondence to communicate with banks.

We will be curious to find out if this will become a new trend relieving banks of ultimate responsibility and finding that customers are also partly responsible for maintaining their own cyber security systems.