Bank’s Liability in Phishing Cases: Grounds and Implications of the OLG Frankfurt am Main Decision
The Higher Regional Court (OLG) of Frankfurt am Main recently had to evaluate a case that, in light of increasing digital attacks on banking customers, is likely to have far-reaching significance for the practice of payment services law (judgment of 19.02.2024, Ref. 3 U 323/22). The issue was whether a credit institution is obligated to reimburse a customer for an amount of money that was transferred from their account as a result of a so-called phishing attack, in a case where the customer had fallen for malware. After a thorough legal examination, the OLG decided that the bank is not liable if the banking customer can be accused of gross negligence.
Initial Situation and Facts
At the heart of the case was a transfer authorized by a bank customer after receiving a deceptively genuine-looking email. This directed him to a fake website where he disclosed sensitive authentication data. Subsequently, a substantial amount of money was transferred to a foreign account without proper authorization.
The account holder subsequently claimed that the bank had unlawfully debited the amount from his account without valid payment authorization. Under §§ 675u, 675y BGB, he demanded reimbursement of the full transfer amount.
Standard for Gross Negligence
The OLG Frankfurt am Main first reviewed whether contractual or statutory grounds for claims existed. The focus was on the issue of authorization pursuant to § 675j BGB. For refunds of payments clearly initiated by the account holder, it is decisive whether there was gross negligence in safeguarding authentication credentials (§ 675v Para. 3 No. 2 BGB).
No Claim for Compensation in the Event of Grossly Negligent Conduct
In its judgment, the court made it clear that the bank customer must bear the losses suffered if their conduct is deemed grossly negligent. A violation of basic duties of care when handling authentication tools is sufficient for this. Such duties include, among other things, not irresponsibly disclosing sensitive security data.
In the case at hand, the plaintiff should have heeded the bank’s personalized warnings against phishing attacks and critically examined suspicious links or websites. Ignoring such warnings and carelessly disclosing TANs and passwords despite the bank’s urgent advice is not simple negligence, but must be regarded as gross negligence.
No Liability on the Part of the Bank
In the opinion of the panel, the payment service provider has no liability if the damage results from the customer’s breach of protective and due diligence obligations. The bank’s obligation to reimburse incorrect transfers ends when the customer has inadequately protected their authentication credentials or has even disclosed them to third parties.
Significance for Bank Customers and Credit Institutions
Practical Implications for Payment Service Users
If the bank’s security warnings are disregarded and this leads to successful phishing, then, according to the decision of the OLG Frankfurt am Main, the customer fundamentally bears the risk. The legal framework of § 675v BGB does protect consumer rights, but that protection does not extend to cases of grossly negligent conduct.
Requirements for Security Awareness
The decision clearly shows that banks must fulfill their duty to inform and regularly warn about fraud schemes and risks. Furthermore, bank customers are expected to diligently follow security advisories and technical requirements. Anyone who discloses authentication data despite repeated warnings puts their claim for reimbursement at risk.
Legal Policy and Strategic Classification
Significance for Banks’ Prevention Efforts
For credit institutions, this results in a strengthened legal position, provided that comprehensive and transparent warning mechanisms are in place and grossly negligent conduct can be demonstrated. The judgment underscores the principle that proper customer education is essential for preventing payment fraud.
Development of Case Law
This decision is part of a growing number of rulings in which the courts further define the criteria for gross negligence under § 675v BGB. However, individual case examination remains key, as each phishing scenario presents its own characteristics that must be considered in the legal assessment.
Burden of Proof and Duty of Disclosure
The Higher Regional Court emphasized that in the event of a dispute, the bank bears the obligation to provide information by granting unrestricted access to security-relevant advisories and to demonstrate its preventive measures. In return, the customer must explain during the proceedings to what extent the bank’s recommendations were actually followed.
Conclusion
As a result, the OLG Frankfurt am Main has set new markers for the allocation of liability in phishing attacks. Bank customers are required to take the protection of their authentication data seriously and to heed the warnings issued by credit institutions. Only then can the bank be held liable should a loss actually occur. The decision strengthens the position of payment service providers, provided that grossly negligent conduct on the part of the bank customer can be proven.
Bank customers, companies, and payment service providers continue to face complex legal challenges in connection with digital financial transactions. Particularly in the area of tension between technical security requirements and the duty to prevent damage, many points of detail can only be answered on a case-by-case basis. For questions of finance and banking law relating to liability risks and payment services, the Rechtsanwälte at MTR Legal are available as your contact partners.