Cyberfraud: What Responsibility Do Banks and Telecommunication Companies Have?


Introduction

Cyberfraud is an increasingly frequent and serious problem that affects both customers and financial institutions. It involves a set of illegal techniques used by cybercriminals to obtain personal and banking information from users, access their accounts, carry out unauthorized transactions, or extort them by locking their electronic devices. Some of the most common types of banking cyberfraud include phishing, vishing, smishing, spoofing, malware, and SIM swapping.

Given this situation, the question arises as to what responsibility banks and telecommunication companies have in cases of cyberfraud, and what rights affected customers have to claim back the stolen money or compensation for the damages and losses caused by the attack.

Responsibility of Banking Entities

According to Spanish law, banks can be held responsible for cases of cyberfraud, especially when it involves phishing, a technique used by criminals to obtain personal and banking information from users by sending false messages that impersonate a legitimate entity.

Law 16/2009 on payment services states that payment transactions not authorized by the account holder must be automatically reimbursed to them, provided that the customer has not acted fraudulently or with gross negligence, or has immediately reported the unauthorized transfer to the bank.

In addition, Regulation (EU) 2015/847 on information accompanying fund transfers imposes a series of obligations on payment service providers regarding the control and monitoring of payments, such as verifying the identity of the beneficiary and refusing to execute the transfer in case of discrepancies. Therefore, if the bank fails to comply with these obligations, it can be held responsible for the damages and losses caused to the customer by cyberfraud and must return the stolen money plus accrued interest.

However, the responsibility of the bank is not limited to phishing; it can extend to other types of cyberfraud that also involve unauthorized access to customers’ accounts, such as vishing, smishing, spoofing, or malware. These types of cyberfraud can cause damage to both the customer and the bank, so it is important that both adopt security and prevention measures: verifying the authenticity of messages or calls received, not sharing data or access keys with anyone, using antivirus software and firewalls, keeping operating systems and applications updated, and reporting any incidents or suspicions of fraud.

Assessing User Responsibility and Bank Liability in Online Banking Security Breaches

Decisions from various Spanish courts address the issues of negligence and liability in the context of online banking security.

The courts have highlighted the significant negligence on the part of plaintiffs in safeguarding their online banking credentials, with a particular focus on the failure to adequately explain how fraudulent transactions were executed or how fraudsters managed to maintain control over their mobile devices.

The rulings emphasize the user’s imperative duty to protect their personalized security credentials and to avoid sharing them with third parties. Reckless sharing of such sensitive information is considered gross negligence, absolving the bank from any liability.

Furthermore, the judgments note that payment service providers may be exempt from liability if it can be shown that the incident occurred due to the customer’s intentional or grossly negligent actions.

Discussions within these rulings include the methods by which criminals may clone SIM cards through various cybercrimes, such as pharming, hijacking, or by installing malware-ridden apps that capture comprehensive data from the compromised device.

These cases underscore the essential need for user diligence in protecting personal data and access credentials in online banking environments, setting forth the conditions under which banks may be absolved of responsibility, contingent on the proven negligence of the customer.

Responsibility of Telecommunication Companies

Another type of cyberfraud that has become significant in recent years is SIM swapping, which involves duplicating the SIM card of a person’s mobile phone to impersonate their identity and access their bank accounts or other services that require SMS verification.

In this case, the responsibility of the bank may be reduced or excluded if it has complied with the security and prevention measures established by the regulations, such as sending unique and random confirmation codes to the customer or rejecting suspicious operations.

However, the responsibility of the telecommunication company can be increased or aggravated if it has not guaranteed the confidentiality and security of its customers’ data and has facilitated the SIM duplication without the consent or verification of the holder.

The Spanish Data Protection Agency (AEPD) has imposed multimillion-euro fines on the main mobile operators for this reason. Moreover, the courts have ordered some telecommunication companies to compensate customers who have suffered this type of fraud, in cases where their SIM card was duplicated and money was stolen from their bank account.

Joint and Several Liability of Banks and Telecommunications Companies (Including Internal Recourse Actions): Addressing SIM Swapping Cases in Spanish Courts

In SIM swapping cases, Spanish courts have established that entities, such as banks and payment service providers, may be held responsible under data protection laws if their actions, or lack thereof, facilitated financial fraud.

If a SIM card is illegally duplicated and used in fraudulent activities, not only the telecommunication company that carried out the duplication but also financial institutions that failed to implement adequate security measures might be implicated.

These entities can be deemed jointly and severally liable for the resulting damages to the affected parties.

However, the courts also recognize the right of these entities to pursue internal recourse actions against each other to recover contributions to any compensation paid to the victim. This legal principle acknowledges the complex interplay of responsibilities among different service providers in protecting against and responding to data breaches and fraudulent acts.

Conclusion

The multifaceted nature of banking cyberfraud, encompassing phishing, vishing, smishing, spoofing, malware, ransomware, and SIM swapping, necessitates a collaborative and vigilant approach from both financial institutions and telecommunication companies.

Spanish case-law has established a framework of responsibility where banks and telecom companies are accountable for ensuring the security of their customers’ data and transactions. In cases of negligence or failure to adhere to regulatory standards, these entities face the possibility of being held liable for the damages suffered by the victims of cyberfraud.

Particularly in SIM swapping incidents, the courts have underscored the concept of joint and several liability, where both telecommunication companies and financial institutions can be held responsible if their actions have directly or indirectly facilitated the fraud. This approach not only emphasizes the need for stringent security measures and compliance with data protection laws but also highlights the importance of customer awareness and precaution in safeguarding their personal and financial information.

Ultimately, these rulings serve as a critical reminder of the shared responsibilities in the digital age, urging banks, telecom companies, and customers to remain proactive and cooperative in combating the evolving threats of banking cyberfraud.
