Bank Customer Liable for Phishing Damages in Case of Gross Negligence


No entitlement to compensation against banks after phishing losses in cases of gross negligence – Key clarifications made by the Munich District Court

In March 2024, the Munich District Court, with its ruling (Case No.: 222 C 15098/24), further clarified key principles on the allocation of liability in the context of phishing attacks under payment services law. Central to the decision was the question under which circumstances bank customers can assert claims for compensation against their bank if unauthorized payment transactions occur on their account as a result of phishing.

Background of the legal dispute

In the circumstances underlying the case, a bank customer received an email designed to closely resemble official communication from his bank. The message requested him to disclose his personal login details and a TAN, which he did under the belief that he was undergoing a genuine security check. Subsequently, several withdrawals were made from his account that he had not authorized himself. The affected customer then demanded that his bank refund the unauthorized amounts, arguing that as a bank customer, he was entitled to protection.

Legal assessment: The standard of gross negligence

The court emphasized that, according to the regulations of the Payment Services Framework Contract Act (§§ 675c et seq. BGB), the bank is generally obliged to reverse unauthorized payment transactions. However, there is an exception if the bank customer significantly breaches their duty of care, particularly through so-called gross negligence.

What constitutes gross negligence in online banking?

Customers’ obligation to protect access data and personalized security features—such as PIN or TAN—from unauthorized access and never to disclose them to third parties is a fundamental part of the contractual relationship between customer and bank. According to established case law, gross negligence typically applies if a customer discloses sensitive information to unknown third parties despite clear warnings from their bank, especially when such disclosures are prompted by conspicuous and unusual requests for this information.

The Munich District Court determined that the conduct of the plaintiff bank customer was to be qualified as grossly negligent, since the design of the email was such that an average attentive user should have had doubts, and banks repeatedly and publicly communicate that confidential data will never be requested via email.

Consequences for risk allocation in payment services

Recourse to the bank excluded

In this specific case, the court rejected the bank’s liability, as the customer’s grossly negligent conduct meant that even in the case of objectively unauthorized transactions, the customer had no claim against the bank for reimbursement. The court arrived at this conclusion with explicit reference to § 675v para. 3 BGB, which excludes liability in cases of grossly negligent breach of duty by the account holder.

Significance for further proceedings

Apart from its significance for the individual contractual relationship, the decision sets an important legal standard for similar cases and raises awareness of the importance of data security in digital payment transactions. It thereby confirms the prevailing judicial trend of restricting the protective intent in favor of bank customers where elementary precautions are ignored.

Reservations and ongoing case law

It should be noted that the facts relate to a judgment at first instance. Further legal remedies are generally possible against this decision; therefore, the proceedings cannot be considered final. At the time this information was prepared, no final and binding decision was known. This report is based exclusively on the published judgment and the publicly available reasoning (Source: urteile.news).

Significance for bank customers and institutions

The decision highlights the importance of careful handling of sensitive banking data in digital payment transactions. It also emphasizes customers’ responsibility in preventing losses from phishing and other types of fraud in online banking. In turn, banks are required to maintain clear and transparent security and information standards and to regularly inform their customers about potential risks and necessary precautions.

Given the complexity and scope of these fundamental legal issues, it is advisable to seek legal counsel in cases of doubt or uncertainty in order to assess your individual options and rights. For further questions or legal assessments regarding payment services, online banking security, or potential liability issues, the lawyers at MTR Legal are available to provide you with competent advice.

Sources: District Court of Munich, judgment dated 27.03.2024, Case No.: 222 C 15098/24; www.urteile.news.
