
Fraud cases in online banking - updates from case law and legislation

Payment service providers must be prepared for an increasing number of cases of fraud in online banking and ever higher loss amounts. In addition, there is a growing litigation risk for payment service providers due to increasing demands on the security systems used as part of strong customer authentication. Furthermore, new legislation is planned to strengthen user protection and trust in payments. We would like to present the most important developments in case law and legislation in the following:

Increasing professionalism of fraudsters

The days of poorly formulated and easily recognizable scams are long gone thanks to rapidly developing technology. Fraud schemes are becoming more and more professional and are causing ever-increasing numbers of victims and amounts of damage. Current examples include the eBay classifieds scam or the sending of fraudulent phishing messages in the name of banks under the pretext of a pushTAN renewal. The trend of rising numbers of cases of online banking fraud (there was an increase of 22% in 2022) is therefore likely to continue and intensify further.

Reactions from the courts

If a case of fraud leads to a legal dispute between the payment service provider and the payment service user, the issue of gross negligence on the part of the payment service user is regularly raised. In view of increasing professionalization, the scope for a grossly negligent breach of duty is becoming ever smaller. Payment service providers can rely on prima facie evidence in accordance with Section 675w sentence 3 of the German Civil Code (BGB) when arguing gross negligence, provided it is established on the basis of current knowledge that the security system used is impregnable.

This presents the courts with the time-consuming and costly task of checking the impregnability of every security system used. Referring to sources on misuse risks is often not sufficient due to the time lag that often exists between publication and the case of damage in the rapidly developing technology market.

The Heilbronn Regional Court recently ruled on May 16, 2023 that the PushTAN procedure, which was previously classified as impregnable, should not be classified as an impregnable security system if the banking app and the TAN-generating PushTAN app are installed on the same smartphone.

Even if one cannot agree with the Heilbronn Regional Court's ruling in its sweeping form, it shows the tendency of the courts to be more restrictive in accepting that a security system is impregnable, and with it the associated prima facie evidence.

Innovations through PSD3 and PSR?

On June 28, 2023, the European Commission presented the drafts of the third Payment Services Directive (PSD3) and a supplementary Delegated Regulation (PSR). In line with the findings presented at the beginning, the PSD2 regulations from 2019 identified a need for action to strengthen user protection and trust in payments, among other things. However, the proposed changes are not accompanied by any significant changes to the content; rather, individual issues are to be clarified. In future, two factors in the same category would be sufficient for strong customer authentication. Wallet operators (e.g. Apple Pay, Google Pay, Samsung Pay) that provide and check one or more elements of strong customer authentication for payment service providers would, as outsourcing companies, also have to comply with the qualified requirements for strong customer authentication in future. Finally, the possibility of strong authentication should also be opened up to people without smartphones or with disabilities.

Outlook

The constantly evolving technical requirements present payment service providers with the enormous task of designing their security systems in such a way that they effectively minimize the risk of misuse. Even if the prevailing case law adheres to its guidelines on gross negligence, legislative clarification on the adaptation of payment service software and the necessary risk warnings is required. Otherwise, payment service providers are threatened with the denial of prima facie evidence and a significantly increased risk of litigation in cases of fraud. The incentive to bring security systems up to date and keep them up to date is therefore not the result of the planned legal innovations, but of the increasing sophistication of fraudsters and the corresponding trend in case law.
