
FINE-055623


Case number: FINE-055623 (2023)

Case category: Account use and payments

Decision issued: 13.04.2023

How are the responsibilities divided between the customer and the bank in the case of card payments made online and confirmed with the bank's mobile application? Unauthorised use of a payment instrument. Gross negligence of the cardholder.

Information about the event

The customer received a text message claiming that his account had been frozen because of suspicious account activity. The text message appeared to come from the same phone number as previous official messages sent by the bank. The customer entered his banking credentials on pages that looked like the bank's website and that he had opened through the link in the text message.

On 13.7.2022 at 14.40 the bank sent the customer a text message containing the confirmation code required to activate the bank's mobile application. The content of the message (translated from the Finnish original) was as follows:

Hi! The [the bank's mobile application] app is being activated with this number. If you are activating [the bank's mobile application], enter the confirmation code 8684 [in the bank's mobile application]. Never give the code in this message to another application or website. If you are not activating [the bank's mobile application], contact [the Bank]. Regards, [the Bank].

The mobile application was activated in the customer's name on an iPhone 11 on the same day at 14.40, using the customer's online banking username, password and access code list together with the confirmation code the bank had sent by SMS to the customer's mobile phone number.

4 000 euros was transferred from the customer's account to the account linked to the customer's card. Four unauthorised card payments were then made from the customer's account between 14.47 and 14.59. The payments were confirmed with the bank's mobile application. The damage incurred by the customer amounted to 3 232 euros.

The customer sent a message to the bank asking for assistance and also went in person to the bank's service location to have his active banking credentials and card closed. The customer's card was deactivated on 13.7.2022 at 15.01 and his personal online banking credentials at 15.05.

Customer’s complaint

The customer claims the reimbursement of 3 232 euros.

The customer received a text message in the name of the bank. It appeared that the message was sent by the bank, as it seemed to come from the same number as the bank's previous messages. The message claimed that the customer's account was frozen and asked him to click the link to prevent this. The customer clicked the link and gave the information as requested. Later he found out that 3 232 euros had been charged. He reported this scam, and the bank insists that it was the customer's fault and has refused to pay compensation.

The bank failed to prevent the scammers from sending the scam message through the same channel the bank uses. The bank failed to warn customers about this (for example by an in-app message or a text message). The bank is responsible for the damage.

The customer has sent FINE the police report, the message exchange with the bank, screenshots of the text message he received on 13.7.2022 and a screenshot of the fraudulent website.

Bank’s reply

The bank states that it is not liable for reimbursing the amounts claimed by the customer.

The customer demands the reimbursement of unauthorised card payments. The payments are as follows:

13.07.2022 at 14.47 CRO 505,00 euros
13.07.2022 at 14.49 CRO Topup 909,00 euros
13.07.2022 at 14.50 CRO 909,00 euros
13.07.2022 at 14.59 CRO 909,00 euros.

According to the bank's records, it sent the confirmation code that was used to authorize the installation of the mobile application on a new mobile device via SMS to the customer's mobile phone number at 14.40.

The bank's electronic records indicate that the mobile application was activated on an iPhone 11 on 13.07.2022 at 14.40, immediately after the authorization SMS was sent by the bank to the customer's phone number. According to the electronic records, the customer used an iPhone XR for his personal banking activities. To download and install the mobile application on a new device, a user needs to have the customer's personal online banking username, password, access code table and a confirmation code sent via SMS. The unauthorized card payments were confirmed with the bank's mobile application.

Therefore it is technically impossible to activate the mobile application on a new device without the aforementioned credentials having been leaked to a third party due to the actions of the customer, which the customer also confirms. The bank considers that the customer's actions constitute grossly negligent conduct in accordance with Section 62 of the Finnish Payment Services Act. This follows from the fact that the customer has provided the credentials to a third party. The bank's SMS for authorizing the installation of the mobile application states that the code should not be given to any third-party application or website, and according to the SMS, the customer should contact the bank if he is not installing a new instance of the mobile application on a mobile phone. The customer disregarded the instructions provided by the bank.

Additionally, the fact that the messages sent by the third parties appeared in the same message thread as the bank’s official SMS messages has no legal bearing. This is a feature inherent in SMS technology in use with telecommunications operators in Finland and Europe, meaning that such third parties could send SMS messages claiming to originate from another phone number fairly easily. The bank is not legally liable for flaws in technology which is commonly in use, and in any case it is not liable for any fraudulent acts of third parties.

The bank's general terms and conditions for digital services also state that the customer may not at any time or in any case enter or give his/her banking credentials in response to a message received by SMS, email or other means. The customer has in this case acted in direct contravention of this contractual requirement, and based on the contractual terms he has accepted, he knew or should have known not to enter or give such information to third parties.

Finally, the mobile application in question was activated using the customer's strong electronic identification (eID) credentials. Pursuant to Section 27 of the Finnish Act on Strong Electronic Identification and Electronic Trust Services (laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista), the customer is liable for any and all unauthorized use of strong electronic identification credentials if the said credentials are lost, stolen or misappropriated due to the user's negligent conduct.

The customer's card was deactivated on 13.7.2022 at 15.01 and his personal online banking credentials at 15.05.

The bank has provided FINE with the Bank's General Terms and Conditions for Digital Services (Pankin digitaalisten palvelujen ja tunnistusvälineiden yleiset ehdot), effective 7 October 2021.

Legislation and policy terms

The provisions applicable in this case are Sections 9, 53, 54, 62, 63 and 85 c of the Payment Services Act. In addition to the Payment Services Act, the bank's General Terms and Conditions for Digital Services (effective 7 October 2021) are applicable.

Decision

Formulation of the question
In order to resolve the division of responsibilities between the customer and the bank, FINE must determine whether the unauthorised use of a payment instrument can be considered to have been caused by the customer's negligence in failing to comply with Section 53, Subsection 1 of the Payment Services Act, and, if so, what degree of negligence the customer showed.

The course of events
On the basis of the documents presented in the case, FINE finds it established that the customer received a text message sent in the bank's name containing a link that led to a fake website created by criminals, on which the customer entered his online banking codes in the belief that he was in contact with his bank. With the customer's banking codes thus acquired, the criminals began activating the bank's mobile application in the customer's name on their own iPhone 11 device. Because of this, on 13.7.2022 at 14.40, the bank sent the customer a text message containing the confirmation code required to activate the mobile application. The contents of the text message (translated from the Finnish original) were as follows:

Hi! The [the bank's mobile application] app is being activated with this number. If you are activating [the bank's mobile application], enter the confirmation code 8684 [in the bank's mobile application]. Never give the code in this message to another application or website. If you are not activating [the bank's mobile application], contact [the Bank]. Regards, [the Bank].

FINE considers it established that the customer also entered the code he received in the text message on the website opened through the aforementioned link. Once the criminals received the code, they were able to activate the bank’s mobile application on their own device in the customer’s name. The unauthorised payment transactions in question were made by the criminals, who confirmed them through the aforementioned mobile application of the bank.

Evaluation of cautiousness
The Bank’s General Terms and Conditions for digital services prohibit the use of online banking codes for logging in on the bank’s website, for identifying oneself or for doing any other business with the bank in cases where the link to the login page was sent through email or any other electronic means. Since the customer used his online banking codes for logging in on the website that opened from a link he received in a text message, FINE considers that the customer neglected his duties under the terms of the banking codes.

However, many different operators, from delivery services to healthcare providers and grocery stores, including companies in the same group as a bank, nowadays send their customers text messages about their customer relationship containing links with very diverse domain names. This has made communications of this kind quite common and may have contributed to the fact that even a cautious bank customer may not think to question the appropriateness of a text message arriving in the name of a bank, or of a link in such a message. In addition, since the use of banking codes for e.g. authentication purposes is very common and occasionally takes place through a link received by electronic means, it can be difficult to comply with the bank's aforementioned condition without exception.

In the case at hand, FINE takes particular notice of the fact that on the customer’s phone, the text message sent by the criminals looks as if it came from the bank, based on the sender details, and is located in the same message thread as the messages sent by the bank. It has not been demonstrated in this case that the bank had warned the customer about such scams, and no other elements of the case suggest that the customer should have known to question the authenticity of a message arriving in the same message thread. FINE finds that it cannot be required that the customer should have understood that the text message was not sent by the bank because of its formatting and contents or the domain name/network ID of the link in the message.

Considering also the fact that in this case, the link in the text message led to a website looking like the bank’s website and so the customer had the impression he was dealing with the bank and used his banking codes for this purpose, FINE finds that the customer’s failure to follow the terms of the banking codes only shows slight negligence as far as the elements mentioned above are concerned.

However, contrary to ordinary online banking or authentication situations, the customer also received a text message from the bank containing an activation code for the mobile application. In this respect, FINE considers that – especially in view of the contents of the text message – the customer should have known to question the appropriateness and purpose of the communication he received, to interrupt the contact and to not enter the activation code on the fraudulent website. At that point, if the customer had contacted the bank himself, for example, as recommended in the message, and asked whether the action was appropriate, the damage caused by the unauthorised use of the customer’s instrument of payment could have been avoided.

In its resolution practice, the Banking Complaints Board has considered that the basic caution required of a holder of banking codes includes the requirement that when the customer uses the banking codes, he/she reads the messages received from the bank in the course of his/her customer contacts and acts accordingly. The bank, in turn, has the responsibility to ensure that the messages it sends to the customer are comprehensible in their content.

In the case at hand, the bank sent the customer a text message containing the confirmation code for activating the mobile application. The message explained appropriately where to enter the code and warned against entering the code in any other application or on any other web page. Since the customer entered the code contained in the bank’s text message on the website opened through the link and did not take into account the contents of the text message, FINE considers that the customer’s actions as a whole constitute serious carelessness.

In the resolution FINE-051121, concerning a similar case (decided on 31 January 2023), the Banking Complaints Board considered that, in particular with regard to the contents of the text message containing the confirmation code, the customer's actions showed a clearly negligent attitude towards the security risks related to the control and use of his banking codes, which were also used as a payment instrument, and differed clearly and essentially from the careful conduct required of a holder of banking codes. In that case, the text message containing the activation code had the same contents as in the case at hand. FINE thus has no reason to assess the case at hand differently. FINE finds that the customer's actions constitute grossly negligent conduct within the meaning of the Payment Services Act and that in the customer-bank relationship it is therefore the customer who is fully responsible for the damage caused by the unauthorised use of the card and the banking codes.

Final outcome

FINE does not recommend compensation in this case.

FINE
The Finnish Financial Ombudsman Bureau FIN

Head of Division Hidén
Presenting official Tykkä
