The Munich Local Court recently had to decide whether a bank customer is entitled to a refund from her credit institution after an unauthorized payment transaction, when she passed on an SMS-TAN required for transaction approval to unknown third parties (Case No.: 271 C 16677/24, judgment of May 14, 2024). This decision underscores the crucial significance of due diligence standards in online banking as well as the central principles of the regulatory framework for payment services contracts.
Facts and Background of the Legal Dispute
A client lost a substantial sum through her online banking account to previously unknown third parties. The transfer was executed after she received an SMS-TAN, which she had passed on to a person outside her household. Shortly thereafter, she noticed the unauthorized payment and demanded compensation from the bank, arguing that she was the victim of a deceptive phishing attack and could not have recognized the fraudulent nature of the contact. In the customer’s view, the bank bore the risk of such sophisticated manipulation attempts.
Key Aspects of the Court’s Decision-Making
Relevance of the Payment Services Supervision Act (ZAG) and § 675u BGB
In its reasoning, the court made it clear that, pursuant to § 675u BGB, in connection with electronic payment transactions, the bank must generally reimburse the customer for the payment amount if the transaction was unauthorized. However, this requires that the customer neither authorized the transaction themselves nor contributed to the misuse of their authentication instruments through gross negligence.
Definition and Importance of Authentication in Online Banking
Within modern banking systems, two-factor authentication—such as combining personal identification (e.g. PIN) and a single-use transaction code (TAN)—is standard practice. Passing these access credentials on, especially the TAN, to third parties is explicitly prohibited and violates the duty of care required of every account holder. The plaintiff had forwarded the SMS-TAN to a third party despite the bank’s necessary warnings and clear instructions regarding its confidentiality.
Grossly Negligent Behavior as a Reason for Excluding the Right to Reimbursement
The court regarded the customer’s actions as grossly negligent behavior, which according to § 675v para. 3 BGB precludes any entitlement to compensation. The judges stated that banks regularly inform their clients with clear warnings and security information that TANs must never be passed on to third parties, even when requested by telephone or electronically. Anyone who disregards these protective measures and discloses such sensitive access data knowingly takes on, to a significant degree, the risk of a fraud-related transaction. In such situations, the right to claim reimbursement from the bank lapses.
Consequences for the Contractual Relationship Between Account Holder and Bank
Allocation of Risk in Payment Transactions
The judgment confirms that, in modern online banking models, a partial shift of risk to the account holder occurs when contractually agreed safeguarding measures are negligently disregarded. In the absence of grossly negligent conduct, however, the burden of proof and risk under § 675u BGB would still remain with the bank.
Relevance for Consumer Protection
Although the provisions regarding the payment services framework contract are intended to comprehensively protect consumers, the court emphasized that the customer’s active participation is of decisive importance. In this case, the bank had fulfilled all regulatory and contractual disclosure and protection duties; the client, by contrast, breached her contractual duty to handle authentication measures with due care.
Classification Within the Overall Context and Further Guidance
The decision of the Munich Local Court makes it clear that, when TANs are passed on to third parties, there is virtually no prospect of successful reimbursement claims against the bank—regardless of how sophisticated the underlying fraud scheme may have been. The contractual relationship in online banking is based on the mutual exercise of due diligence duties by both contracting parties.
In practice, phishing and other fraud methods are a recurring risk for bank customers. Because individual cases are complex to evaluate, each requires careful examination so that both the bank’s interests and the concerns of customers are adequately considered.
Conclusion
The legal situation concerning unauthorized payment transactions and the obligations of contracting parties remains the subject of judicial and legal discussion. For specific legal questions regarding online banking, liability issues, or payment transaction law, the lawyers of MTR Legal Rechtsanwälte are available as reliable contacts.