Lübeck Regional Court decides on allocation of liability in online banking phishing cases
On January 18, 2024 (Case No.: 3 O 83/23), the Lübeck Regional Court issued a fundamental decision regarding the conditions under which financial institutions are obliged to provide refunds following a successful phishing attack. The central question was whether a payment service provider is still liable even when the account holder has acted with gross negligence. This article highlights the essential reasons for the judgment and places the decision in the context of the current legal situation regarding online banking.
Facts: Phishing attack and unauthorized payment order
The underlying legal dispute involved payments triggered in connection with a phishing incident. The claimant, who held a checking account, received a deceptively genuine-looking message that appeared to be from her bank. By clicking a link within it, she was redirected to a fraudulent website where she subsequently entered both her login details and a transaction authentication number (TAN). As a result, transfers were initiated that the claimant had not authorized.
After noticing the incident, the claimant revoked the relevant transactions and demanded reimbursement from the bank. The bank refused reimbursement, citing the claimant’s grossly negligent conduct. The matter was then brought before the Lübeck Regional Court.
Legal Assessment: Duty of Care and Allocation of Liability
Fundamental liability of payment service providers
According to § 675u of the German Civil Code (BGB), payment service providers are generally obliged to compensate their customer for damage arising from unauthorized payment transactions. However, there is an important exception: if it is determined that the account holder acted with gross negligence, the claim for reimbursement lapses. The decisive factor is to what extent the customer complied with the essential security rules required in connection with online banking.
Gross negligence in the context of online banking
According to established case law, gross negligence occurs when the diligence required in transactions is violated to a particularly serious degree. In phishing scenarios, such severe breaches of duty typically occur when sensitive login data (PIN, TAN) are entered on websites without sufficiently verifying their authenticity.
In the present case, the Regional Court found that the claimant had entered her login data and a one-time TAN on a fraudulent website that differed from the bank’s actual website only in minor details. The fact that the general terms and security notices of the payment service provider explicitly highlighted the dangers of phishing and the paramount importance of care when handling login credentials further supported the finding of gross negligence.
No claim for compensation in case of grossly negligent conduct
Given these circumstances, the court clarified that the bank was not obliged to refund the debited amounts in this particular case. The claim for reimbursement does not apply pursuant to § 675v (3) no. 2 BGB, as the claimant significantly neglected her duties of care and thus materially contributed to the occurrence of the damage.
Significance of the decision and recent developments in payment services law
Consequences for payment service users
The judgment underscores the now prevailing view that the responsibility for protecting login credentials lies primarily with account holders. However, this does not mean that banks are entirely free from liability: if damage occurs despite proper care having been taken, the payment service provider is still generally obligated to provide reimbursement. What matters is a careful assessment of each individual case — especially considering existing security measures and the warning signs of a phishing attack.
Strengthening preventive mechanisms
The judgment also demonstrates the increased requirements placed on online banking users. Technical developments such as two-factor authentication and continuous awareness campaigns are becoming standard among providers — but do not relieve users of their responsibility to diligently use the security mechanisms provided and to stay informed about current risks.
Legal framework and outlook
Given the constantly evolving methods of fraud in digital payments, courts are continuously refining the standards by which (gross) negligence can be established. The Lübeck Regional Court’s decision aligns with a line of rulings that clearly distinguish between minor errors and serious breaches of duty.
Conclusion and notes for affected account holders
The Lübeck Regional Court’s decision reaffirms that the right to reimbursement for unauthorized transactions is excluded in the event of gross negligence. In practice, thorough examination of the specific circumstances is crucial. Account holders in particular are well advised to remain alert to new types of fraud and to continue handling their login credentials with utmost care.
In case of uncertainties or for complex issues related to phishing incidents, claims for damages, or the interpretation of current payment service regulations, the attorneys at MTR Legal, with extensive experience in banking law and related legal fields, are available as competent contacts.
