When the bank warns that personal keys cannot be delivered, the notice can have legal implications, even when the customer is convinced that they have entered them into a secure system. That is what is happening to people affected by the recent wave of frauds such as phishing, in which the bank's telephone numbers, its website or SMS messages are impersonated. The judges understand, at least for now, that the responsibility lies with the user, and not with the banks.
The Asufin banking users association, which channels a good part of the complaints, indicates that the first sentences respond to this criterion. The rulings recognize that clients have been defrauded, but understand that the bank's attitude "cannot be classified as a breach of contract." The entity, they say in some cases, "is not responsible for the operating system of the plaintiff's telephone identifying a call as being sent by the bank when it comes from a third party."
These first sentences mark a milestone for thousands of defrauded people, who may now see the margin to recover the money very reduced. When the amounts are less than 3,000 euros, there is no challenge, in accordance with the provisions of article 455.1 of the Civil Procedure Law.
"The consumer is left at the mercy of banking phishing and the rest of the increasingly frequent cybercrimes," says Asufin. "The judicial system is not giving an adequate response to a network of security gaps that fundamentally harm the banking user, due to the theft of funds that it causes," he adds.
The wave of customer fraud is no small matter. The latest Complaints Report of the Bank of Spain, from 2022, shows that one in every three complaints presented to the institution, or 10,361, had to do with digital or card charges in which the client does not recognize the charge or says there was no charge. authorized. In 47% of the cases, the Bank of Spain could not do anything because the matter was beyond its competence.
The problem has already been reported by the National Cybersecurity Institute (Incibe) and has the banks themselves on guard, demanding that telecom companies address the problem. They also want the Ministry of Digital Transformation to get involved. The message from the banks is that it is necessary to look for a "holistic" solution because these scams are beyond their scope of action.
A sentence from a Barcelona court sent as an example by Asufin shows the most widespread pattern of fraud and judicial decision. The affected person gave the keys because a telephone operator who had his personal data urged him to act quickly in the face of possible fraud.
"If the plaintiff, nervous about the situation, provided the codes even though the message indicated that it was to confirm the purchases, and not to cancel them, he must assume the consequences of his actions," the ruling says. The money he lost amounts to almost 2,000 euros.
Asufin criticizes the ruling and highlights that the ruling does not give relevance to aspects such as that the SMS that reached the client was placed in the line of authentic messages that he had previously received from the entity or that the call he received came from a number that His phone number was directly identified as being from the bank. The interlocutor, he indicates, addressed the client by his first and last name, giving him certain information that made him believe that he was speaking with his bank. The bank, according to the association, is the one that has the means to protect the consumer.
Article 41 of Royal Decree-Law 19/2018 says that it is the user who has the obligation to "take all reasonable measures in order to protect their personalized security credentials", but does not specify what is meant by reasonable.
The entity is obliged to prove that there has been negligence on the part of the client. "It will be up to the payment service provider, including, where applicable, the payment initiation service provider, to prove that the payment service user committed fraud or gross negligence," it says. "In the event that an unauthorized payment transaction is executed, the payer's payment service provider will return the amount of the unauthorized transaction to the payer immediately," he adds.
