Haku

FINE-047497

Tulosta

Asianumero: FINE-047497 (2022)

Asiaryhmä: Tilinkäyttö ja maksaminen

Ratkaisu annettu: 15.06.2022

How are responsibilities divided between the customer and the bank in the case of payments done online and confirmed with the bank’s mobile application? Unauthorised use of a payment instrument. The payer’s authorisation for a payment transaction.

Account of the case

On 15 March 2022 at 14.24-14.44 16 payments from the customer´s account 6.649 euros in total were confirmed in the bank´s mobile application. The mobile application in question was activated on that same day at 14:21 using customer´s online bank username, password and access code table as well as a confirmation code that the bank had sent via SMS to the customer´s mobile phone number on 15 March 2022.

Customer’s complaint

Someone hacked customer´s online banking and used all her money 6.649 euro in total from salary account, savings account and credit card. Customer went to the bank within one hour and told them to freeze that amount and try to find where it goes and who did it but the bank does nothing. The bank gave a decision they will not refund the customer and said it is totally customer´s responsibility. They have not done any investigation. They had much time to catch the criminal because it´s online purchase.

About the bank´s decision customer wants to say:
1. Customer´s phone is Iphone 12 pro max and that phone is Samsung. Customer was at that time working in her workplace.
2. The SMS came to customer´s phone but she didn´t open it. When she went to the bank after one hour on that day the bank wanted to see her phone. Then they opened the phone and the SMS. If the bank doesn´t have technical problem or bank is not involved how can other user open customer´s mobile bank. Bank checked her phone, but did not find any link or website she clicked.
3. When the customer went to the bank at 15.20 she told the bank to freeze that amount. Bank didn´t do anything. The bank just sent one email to Trustly, that’s it. How can they say it’s not possible, if they don´t even try to get the money back. The bank told the customer she has to contact Trustly. The bank ignores and blames the customer. When the customer talked about her matter to other banks they told that if any transaction has gone within 24 hours it’s possible to stop the transaction.
4. Customer got 1.543 euro back. She asked the bank how can she get the the rest back from Trustly. Bank said again she has to contact trustly. Trustly replied they will not tell the customer any information. If bank or police can contact them then they will give the information where the money goes and from where it comes back. Bank doesn´t take any proper initiative and customer feels bank is involved with them. As a customer of the bank she pays charge for banking safety and the bank should help to get the money back.
7. Hacker took money from credit. Normally credit has insurance. Bank increased the amount of credit what the hacker took.
8. Bank should do a little bit of investigation. Because of this type of bank irresponsibility general people do not get the money back. Bank does not do anything to find the person who did it. Other banks told the customer it’s possible to find the person.

Bank´s reply

Customer complains about 16 credit transfers made on 15.3.2022. All credit transfers have been confirmed in bank´s mobile application. The mobile application in question has been activated for device Samsung SM-A325F on 15.3.2022 at 14:21:38.

Customer´s identification means ie. customer´s online bank username, password and a code from the access code list as well as a confirmation code sent via SMS, has been needed to activate the application on that day. Bank sent the confirmation code that has been used to activate the application via SMS to customer´s mobile phone number on 15.3.2022.

Customer admits getting 15.3.2022 a SMS from the bank but denies opening the SMS message and using the codes herself or giving them to anyone or anywhere. Customer suspects that some technical problem was involved when the fraudster managed to activate the bank´s mobile application for device Samsung SM-A325F with her strong electronic identification codes. The bank has inspected the bank´s application and there were no technical errors or problems 15.3.2022.

It is possible that fraudster got customer´s online bank username and password in some earlier occasion, but the fraudster needed one recent code from the access code list and the confirmation code sent to customer´s mobile phone at the time of mobile application´s activation at 14:21.

If the customer did not use the SMS message, then someone else must have had her phone on her/his possession because it is impossible to activate the bank´s mobile application without returning the code that was sent to customer´s phone number.

If customer did not herself give these codes to anyone or anywhere, then someone must have had her mobile phone and the whole access code list in his/her possession at 14:21. The security system asks access codes randomly and a single code got in some earlier occasion would not work.

This means that someone has managed to take the access code list and mobile phone and return them back without the customer noticing. The bank considers that the customer has stored her online banking IDs and her phone grossly negligent.

The bank´s mobile application in question was activated using customers strong electronic identification (elD). According to the law (laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista 27 §) the customer is responsible for the use of her strong elD if her elD is lost, stolen or misapproprianted due to her own negligence.

SEPA credit transfers are irrevocable once they have been accepted. The bank doesn't know what customer has asked and what she has been told by other banks, but SEPA credit transfers don't have any 24 h or 48 h time frames. Payments made at 14:24-14:44 have been send to EBA Clearing at 15.00 and by the time at 15.20 when customer contacted the bank there was nothing the bank could do to "freeze" the money transfer.

The bank could only make a refund request to the recipient´s bank and that the bank has done to the other bank as well as to the recipient itself Trustly Group Ab. But the refund requests were declined. Bank believes they were declined because the payments were already transfered to the final recipient.

Therefore the payments will remain on customers responsibility.

Customer asks following clarifications:

  1. Who is the recipient of the credit transfers?
    The recipient is Trustly Group AB as stated in the 15.3.2022 bank statement. Trustly Group Ab is a payment institution and only Trustly knows who is the final recipient of the payments.
  2. Why bank has not asked Trustly Group Ab return the payments?
    Bank always makes a refund request to the recipient bank. Bank has asked Trustly Group AB to refund the payments, but Trustly has refused. Trustly Group AB is a Payment institution, and bank assumes that it has on 15.3. transferred the payments to its own customer.
  3. Why bank did not freeze the payments when customer contacted bank at 15:20?
    SEPA Credit transfers are processed very fast and they cannot be revoked once they have been confirmed in mobile application. Disclaimed 16 payments were made in the bank´s mobile application at 14:24-14:44 and by the time customer contacted the bank they were already transferred to the recipient bank.
  4. Who returned and why 1.543,91 € to the customer´s bank account?
    Trustly Group AB returned one payment, but the bank doesn't know why. Customer has to ask Trustly Group AB for more information.

Reports

In addition to the communications between the parties, the Banking Complaints Board was provided with the following documents:

  • Notice of the investigation (Date of notice: 16 March 2022)
  • E-mails between the customer and Trustly
  • General terms and conditions of the banking codes and online services

Recommended solution

Formulation of question

In order to resolve the division of responsibilities between the customer and the bank, the Banking Complaints Board first needs to determine whether the customer can be considered to have given his authorisation, as referred to in the Finnish Payment Services Act (maksupalvelulaki), Section 38, for the relevant transactions, or whether the transactions must be considered to have been unauthorised. If the case is considered to involve the unauthorised use of a payment instrument, the Banking Complaints Board will have to assess whether the customer can be considered to have given his payment instrument to a person not authorised to use it, in the manner referred to in the Payment Services Act, Section 62(1)(1), or whether the unauthorised use of the payment instrument can be attributed to the customer having, through carelessness, neglected his obligations under Section 53(1) of the Act and the terms and conditions governing online bank, as well as assessing the degree of any carelessness on the customer’s part.

The applicable norms of law and policy terms

The provisions applicable in the case are Sections 38, 53, 54, 62, 63 and 72 of the Payment Services Act. In addition to the Payment Services Act, the bank’s general terms and conditions of the banking codes and online services are applicable.

Evaluation of the case

The Banking Complaints Board notes that under the Payment Services Act and the Act on Strong Electronic Identification and Electronic Trust Services (tunnistuslaki) as well as under the terms and conditions of the online bank, the responsibility for the careful storage and use of the banking codes lies with the holder of the codes. This is natural in view of the fact that it is ultimately only the holder of the codes who can influence how and in what circumstances they keep and use their codes, regardless of e.g. the instructions given by the grantor of the codes or the terms and conditions of the relevant agreements.

As a general rule, in situations where a payment instrument has been used without authorisation, the decisive factor for the division of responsibilities between the holder and the grantor of the payment instrument is the degree of carefulness with which the payment instrument holder can be considered to have acted in handling their payment instrument. In order to assess the carefulness of the payment instrument holder, information is needed on the circumstances and manner of the storage and use of their payment instrument and the way a third party was able to possess or use it or have information on it. As a general rule, the payment instrument holder is in the best position to provide this information, and if they demand that the grantor of the payment instrument should bear the responsibility for its unauthorised use, the payment instrument holder can be required to give their own report of the events and their own actions. It is not always possible to obtain detailed information on the course of events, and this cannot be required of the payment instrument holder either, but they can be required at all times to give a report of the events and their own actions.

In this case, the bank has presented a detailed technical report on the events and the manner in which the relevant bank transfers were done and confirmed with the bank’s mobile app. The mobile application in question had been activated on 15.3.2022 at 14:21:38 and in order to activate the application one has needed the customers online bank username and password, a specific code from the customers access code list and a confirmation code sent via SMS to the customer´s mobile phone number. The Banking Complaints Board has no reason to doubt the veracity of the report presented by the bank and based on the bank’s log data.

The customer has not given any explanation on how someone could have obtained all the aforementioned information. According to the customer she received the SMS but did not herself open it.

In the view of the Banking Complaints Board, the course of events in the case has been established with regard to the technical points, but in other respects, the course of events remains essentially unclear on the basis of the reports presented in the case and especially the account received from the customer. Based on the information received, it is not possible for the Banking Complaints Board to reliably assess the most likely course of events and to determine whether the case even concerns an unauthorised use of the banking codes, let alone determining the contribution of any careless actions by the customer to the course of events in such a case.

Final outcome

Under its Regulations, the Banking Complaints Board may decide for a particular reason that it will not issue a resolution recommendation on a case submitted to it. The Board considers that based on the reports presented in this case, the course of events remains essentially unclear, and the means available to the board thus do not allow it to reliably determine in the first place whether this was a case of unauthorised use of a payment instrument, as referred to in the Payment Services Act, and whether any unauthorised use of the payment instrument was the result of the customer’s carelessness, these questions being crucial for the division of responsibilities between the customer and the bank. Since the essential course of events thus remains unclear, the Banking Complaints Board decides that it will not issue a resolution recommendation in this case.

The Banking Complaints Board’s decision was unanimous.

BANKING COMPLAINTS BOARD

Chairman Sillanpää                                     
Secretary Hidén

Members:
Ahlroth
Aspelund
Atrila
Piilo