Liability Allocation for Unauthorized Account Debits Due to the Disclosure of Sensitive Banking Information – Decision of the Regional Court of Lübeck
In its recent decision dated 23 August 2023 (Case No.: 3 O 153/23), the Regional Court of Lübeck clarified that a credit institution is not obliged to compensate for damages sustained by a bank customer as a result of unauthorized debits, if the customer has disclosed their personal account information to third parties. This decision sheds light on key questions regarding the allocation of liability in payment transactions and provides important guidance on risk assignment in cases of misuse of access data.
Facts and Background of the Decision
In the underlying case, a bank customer asserted claims against their bank after payment orders were executed from their account without authorization. Previously, the customer had made their personal account access data available to a third party, enabling the latter to make payments from the customer’s account.
The credit institution refused to refund the debited amounts on the grounds that the provision of sensitive access information to external persons constitutes a grossly negligent breach of contractual duties.
Legal Assessment: Duties Regarding the Handling of Authentication Features
Relevant Contractual Foundations
When using cashless payment services, most bank customer contracts as well as the legal provisions in the Payment Services Supervision Act (ZAG) and the German Civil Code (BGB) stipulate that the account holder must handle access data (e.g., PIN, TAN) carefully and confidentially. This obligation serves to protect the payment service user and the integrity of payment transactions.
Standard of Liability: Negligence and Gross Negligence
According to Section 675u BGB, the bank is generally liable to refund the amount of money in cases of unauthorized payment transactions. However, this liability is limited if the customer contributed to the damage through gross negligence or intent, for example by failing to observe the due diligence obligations set out by law (Section 675l BGB).
In the present case, the Regional Court of Lübeck regarded the conscious disclosure of sensitive account data as a classic case of gross negligence. The bank was therefore entitled to rely on the exclusion or limitation of its compensation obligation.
Distinction from Other Scenarios and Additional Implications
Different Scenarios: Phishing and Technical Manipulation
Not every unauthorized debit falls within the scope of the liability exclusion. In cases where third parties gain access to authentication data without the account holder’s involvement – for example, through fraudulent methods, deception (“phishing”), or technical manipulation – liability usually remains with the payment service provider. The conscious and independent disclosure of access data by the customer, however, is a situation in which the risk falls within the bank customer’s own sphere.
Requirements for Presentation and Evidence
In court proceedings, the bank customer bears the burden of presentation and proof that they complied with their due diligence obligations and that the fraudulent transaction occurred without any contributory negligence on their part. The decision of the Regional Court of Lübeck underscores the importance of these obligations: demonstrable disclosure of authentication features to third parties in any event significantly hinders the enforcement of compensation claims.
Implications for Payment Transactions and Preventive Measures by Credit Institutions
Banks and payment service providers have implemented additional measures to enhance the security of digital payment transactions following the European Payment Services Directive (PSD2). Consumers are regularly informed about the risks of disclosing sensitive data, but cannot rely on the credit institution’s liability if such warnings are ignored.
Assessment in the Context of General Jurisprudence
The decision of the Regional Court of Lübeck is in line with the prevailing case law regarding Section 675u BGB: For the consequences of grossly negligent conduct, the customer is personally liable, whereas in cases of manipulation without the customer’s involvement, there is usually a claim for reimbursement from the bank. The facts assessed by the Regional Court of Lübeck specify the expectations for the responsible handling of personal banking data and thus provide practical certainty in the area of tension between consumer protection and fraud prevention.
Conclusion
The decision of the Regional Court of Lübeck once again highlights the necessity for bank customers to handle sensitive account data conscientiously. Credit institutions cannot be obligated to provide compensation in cases of grossly negligent disclosure of authentication data.
For businesses and individuals seeking clarification of legal issues or claims related to payment transactions and account security, it is advisable to seek expert assistance. The team at MTR Legal Rechtsanwalt offers in-depth experience in banking and capital markets law.