Account of the case
Between 9 July at 21:31 and 10 July at 14:45, three payments totalling 4,450 euros were confirmed from the customer's account in the bank's mobile application. The mobile application in question had been activated on an iPhone 7 on 9 July at 20:10 using the customer's online bank username, password and access code table, together with a confirmation code that the bank had sent by SMS to the customer's mobile phone number at 20:09.
On Saturday at about 8 pm the customer received a message from the bank with a link. He opened the link and was asked for card details. The customer just closed the link. The next day he was in a grocery store to buy food with his card when he found out he had only 3 euros in his account. He called the bank to inactivate his account. On Monday morning the customer went to the bank and found out that someone had made 3 major transfers from the customer's account. He wrote a complaint but is not satisfied with the bank's response.
The customer demanded that the Bank refund the unauthorized wire transfers, claimed at a total of 4500 euros. The transfers are listed below; they total only 4450 euros, however:
- 10.07.2022 14:45 1250,00 euros
- 10.07.2022 11:22 2000,00 euros
- 09.07.2022 21:31 1200,00 euros
Chain of events according to Customer
The customer received an SMS message on his mobile phone number which included a link to a third-party website asking for payment card details to be entered. After receiving the message the customer clicked on the link and proceeded to the aforementioned website. The customer claims to have left the website immediately after seeing it. The next day, while trying to pay by payment card in a store, the customer noticed that there were insufficient funds on the account.
Bank's Response to the claims
According to the Bank's records it has sent a confirmation code, which was used to authorize the installation of the bank's mobile application on a new mobile device, via SMS to the customer's mobile phone number at 20:09 EET. The content of the message was as follows:
"Hei! Tällä numerolla ollaan ottamassa käyttöön [the bank's mobile application]. Jos olet ottamassa [the bank's mobile application] käyttöön, anna vahvistuskoodi 4288 [in the bank's mobile application]. Älä ikinä anna tässä viestissä olevaa koodia toiseen sovellukseen tai verkkosivulle. Jos et ole ottamassa [the bank's mobile application] käyttöön, ota yhteyttä [the bank]. Terveisin [the bank]."
(Translation: "Hi! This number is being used to activate [the bank's mobile application]. If you are activating [the bank's mobile application], enter the confirmation code 4288 [in the bank's mobile application]. Never give the code in this message to another application or website. If you are not activating [the bank's mobile application], contact [the bank]. Regards, [the bank].")
The bank's electronic records indicate that the bank's mobile application was activated on an iPhone 7 on 9.7.2022 at 20:10 EET, immediately after the authorization SMS was sent by the bank to the customer's phone number. According to the electronic records, the customer used an iPhone 13 for his personal banking activities.
Whenever a new instance of the bank's mobile application, which constitutes a payment instrument under the Finnish Payment Services Act, is installed on a new mobile device, the payment instrument on the new device can be used to verify and accept new payments with the username and password the customer had already been issued.
To download and install the mobile application on a new device, a user needs the customer's personal online banking username, password and access code table, as well as a confirmation code sent via SMS.
Therefore it is technically impossible to activate the bank's mobile application on a new device unless the aforementioned credentials were leaked to a third party as a result of the customer's actions. The bank considers that the customer's actions constitute grossly negligent conduct within the meaning of Section 62 of the Finnish Payment Services Act, since the customer has provided the credentials to a third party. The bank's SMS authorizing the installation of the mobile application states that the code must not be given to any third-party application or website, and that, according to the SMS, special care should be taken if the customer is not installing a new instance of the bank's mobile application on a mobile phone. The customer disregarded the instructions provided by the bank.
Finally, the bank's mobile application in question was activated using the customer's strong electronic identification (eID) credentials. Pursuant to Section 27 of the Finnish Act on Strong Electronic Identification and Electronic Trust Services (laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista), the customer is liable for any and all unauthorized use of strong electronic identification credentials if the said credentials are lost, stolen or misappropriated due to the user's negligent conduct.
Therefore, the bank is not liable for refunding or reimbursing the amounts claimed by the customer.
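The bank's account above describes a pattern a fraud-monitoring system can score without any knowledge of how the credentials leaked: a payment instrument enrolled on a device the customer has never used before, followed within hours by several large transfers. The following added example (not the bank's system, and not part of the decision) replays the decision's timeline as constructed events and applies assumed thresholds for the new-device window, single-payment amount and cumulative amount; the event classes, threshold values and the "hold" outcome are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds; a real bank would tune these to its own risk appetite.
NEW_DEVICE_WINDOW = timedelta(hours=48)  # payments this soon after enrolment are "new-device"
LARGE_AMOUNT = 1000.0                    # single payment at or above this is "large-amount"
CUMULATIVE_LIMIT = 3000.0                # total from a new device at or above this is "cumulative-limit"

@dataclass
class Enrollment:
    device: str
    at: datetime

@dataclass
class Payment:
    amount: float
    at: datetime
    device: str  # device instance that confirmed the payment

def evaluate(payments, enrollments, usual_device):
    """Return (payment, flags, hold) per payment, in time order."""
    by_device = {e.device: e for e in enrollments}
    spent_since_enrol = {}
    results = []
    for p in sorted(payments, key=lambda x: x.at):
        flags = []
        enr = by_device.get(p.device)
        if enr is None:
            flags.append("unknown-device")
        else:
            if p.at - enr.at < NEW_DEVICE_WINDOW:
                flags.append("new-device")
                spent_since_enrol[p.device] = spent_since_enrol.get(p.device, 0.0) + p.amount
                if spent_since_enrol[p.device] >= CUMULATIVE_LIMIT:
                    flags.append("cumulative-limit")
            if p.device != usual_device:
                flags.append("device-differs-from-usual")
        if p.amount >= LARGE_AMOUNT:
            flags.append("large-amount")
        # Hold for step-up verification when a freshly enrolled (or unknown) device moves large sums.
        hold = "unknown-device" in flags or (
            "new-device" in flags and ("large-amount" in flags or "cumulative-limit" in flags))
        results.append((p, flags, hold))
    return results

# Constructed events modelled on the timeline in this decision (not the bank's log data).
SAMPLE_ENROLLMENTS = [
    Enrollment("iPhone 13", datetime(2021, 11, 1, 9, 0)),   # customer's usual device, enrolled long ago
    Enrollment("iPhone 7", datetime(2022, 7, 9, 20, 10)),   # activated one minute after the SMS code
]
SAMPLE_PAYMENTS = [
    Payment(30.0, datetime(2022, 7, 9, 12, 0), "iPhone 13"),   # ordinary purchase, control case
    Payment(1200.0, datetime(2022, 7, 9, 21, 31), "iPhone 7"),
    Payment(2000.0, datetime(2022, 7, 10, 11, 22), "iPhone 7"),
    Payment(1250.0, datetime(2022, 7, 10, 14, 45), "iPhone 7"),
]
```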
In addition to the communications between the parties, the Banking Complaints Board was provided with the following documents:
- General terms and conditions of the banking codes and online services
Formulation of question
In order to resolve the division of responsibilities between the customer and the bank, the Banking Complaints Board has to assess whether the customer can be considered to have given his payment instrument to a person not authorised to use it, in the manner referred to in Section 62(1)(1) of the Payment Services Act, or whether the unauthorised use of the payment instrument can be attributed to the customer having, through carelessness, neglected his obligations under Section 53(1) of the Act and the terms and conditions governing online banking, and to assess the degree of any carelessness on the customer's part.
The applicable norms of law and policy terms
The provisions applicable in the case are Sections 38, 53, 54, 62, 63 and 72 of the Payment Services Act. In addition to the Payment Services Act, the bank’s general terms and conditions of the banking codes and online services are applicable.
Evaluation of the case
The Banking Complaints Board notes that under the Payment Services Act and the Act on Strong Electronic Identification and Electronic Trust Services as well as under the terms and conditions of the online bank, the responsibility for the careful storage and use of the banking codes lies with the holder of the codes. This is natural in view of the fact that it is ultimately only the holder of the codes who can influence how and in what circumstances they keep and use their codes, regardless of e.g. the instructions given by the grantor of the codes or the terms and conditions of the relevant agreements.
As a general rule, in situations where a payment instrument has been used without authorisation, the decisive factor for the division of responsibilities between the holder and the grantor of the payment instrument is the degree of carefulness with which the payment instrument holder can be considered to have acted in handling their payment instrument. In order to assess the carefulness of the payment instrument holder, information is needed on the circumstances and manner of the storage and use of their payment instrument and the way a third party was able to possess or use it or have information on it. As a general rule, the payment instrument holder is in the best position to provide this information, and if they demand that the grantor of the payment instrument should bear the responsibility for its unauthorised use, the payment instrument holder can be required to give their own report of the events and their own actions. It is not always possible to obtain detailed information on the course of events, and this cannot be required of the payment instrument holder either, but they can be required at all times to give a report of the events and their own actions.
In this case, the bank has presented a detailed technical report on the events and on the manner in which the relevant bank transfers were made and confirmed with the bank's mobile app. The mobile application in question had been activated on 9.7.2022 at 20:10, and activating the application required the customer's online bank username and password, a specific code from the customer's access code list and a confirmation code sent via SMS to the customer's mobile phone number. The Banking Complaints Board has no reason to doubt the veracity of the report presented by the bank and based on the bank's log data.
The customer has not given any explanation of how someone could have obtained all the aforementioned information. According to the customer, he received an SMS with a link at about 8 pm and opened it. He was asked for card details but just closed the link.
In the view of the Banking Complaints Board, the course of events in the case has been established with regard to the technical points, but in other respects, the course of events remains essentially unclear on the basis of the reports presented in the case and especially the account received from the customer. Based on the information received, it is not possible for the Banking Complaints Board to reliably assess the most likely course of events and to determine whether the case even concerns an unauthorised use of the banking codes, let alone determining the contribution of any careless actions by the customer to the course of events in such a case.
Under its Regulations, the Banking Complaints Board may decide for a particular reason that it will not issue a resolution recommendation on a case submitted to it. The Board considers that based on the reports presented in this case, the course of events remains essentially unclear, and the means available to the board thus do not allow it to reliably determine in the first place whether this was a case of unauthorised use of a payment instrument, as referred to in the Payment Services Act, and whether any unauthorised use of the payment instrument was the result of the customer’s carelessness, these questions being crucial for the division of responsibilities between the customer and the bank. Since the essential course of events thus remains unclear, the Banking Complaints Board decides that it will not issue a resolution recommendation in this case.
This decision was issued by the Chairman on the presentation of the Secretary.
BANKING COMPLAINTS BOARD