Account of the case
On 14 July 2024, the customer received an email message through the Tori.fi platform from a person posing as a buyer and fell victim to a scam, which resulted in the criminals successfully activating a new mobile app of the bank opened under the customer’s name. One unauthorised bank transfer was made from the customer’s account through the app at 18:57, and two unauthorised card payments were made online using the customer’s card information at 18:43 and 18:45 and confirmed with the bank’s mobile app. The customer contacted the bank’s customer service requesting them to freeze the payments and locked his card on 14 July 2024 at 18:58. The customer contacted the payees and asked the bank to contact the payees. Efforts to obtain refunds for the aforementioned payments failed. The customer deactivated his online banking credentials on 29 July 2024 at 17:19.
Customer’s complaint
As a bank customer, the customer believes his rights were not adequately protected. Customer expects the bank to take full responsibility and compensate for all the losses, 10.916,16 €.
On July 14th, customer received a fraudulent email from a buyer on Tori, a second-hand trading site. Customer unknowingly completed identity verification and logged into his bank account using his phone and computer. Shortly after, customer discovered unauthorised transactions from his account: £6257.36 to Turkish Airlines at 18.43, £3,130.90 to VERKKOKAUPPA.COM at 18.45, and £1,554.90 to VERKKOKAUPPA.COM at 18.57. Alarmed, customer called 112 at 18.48 and was advised to contact the bank. At 18.55, customer reported the incident to the bank's customer service, requesting them to freeze his account and halt all transactions. They confirmed the account was frozen and advised him to visit a branch for a new card.
The next day customer visited bank branch at 9.00 reporting the incident and requesting the teller to stop the two pending transactions. The teller was unsure how to proceed, directing him to report the issue through the bank mobile app and to call a specific number for further assistance. Customer promptly followed these instructions, requesting the cancellation of the pending payments and the retrieval of the completed one. Customer was assured the matter would be handled. Meanwhile, customer directly contacted the recipients of the fraudulent transactions. On July 16th, customer emailed Turkish Airlines about the £6,257.36 transaction, but they stated on July 17th that only the bank could request a cancellation. By July 30th, they confirmed no contact from the bank and noted that the purchased tickets had been used.
Similarly, customer contacted VERKKOKAUPPA.COM on July 14th about the transactions. They found the £1,554.90 transaction but not the £3,130.90 one, which was pending. They advised the customer to go through bank to stop the transaction. By July 16th, the £3,130.90 transaction was completed, and despite customer's request to block shipment, VERKKOKAUPPA.COM indicated on July 17th that the transaction was processed, and they had informed the police. By July 30th, they confirmed the transactions were complete and mentioned no contact from bank.
Bank has assumed that the payees would not refund the money, whereas customer had already communicated with both payees in a timely manner. They were more than willing to assist with the refund, but they required the bank to actively reach out to them. Customer has repeatedly informed the bank to immediately communicate with the payees, and the customer attached the emails exchanged between himself and the payees. However, the bank's response indicates that they have not communicated with the two payees. In summary, customer believes that the bank has shown severe negligence in handling this matter, and they should be held responsible for the full amount of the loss.
The customer is deeply dissatisfied with bank's response. First, he was a victim of three fraudulent transactions, yet the bank only investigated the smallest transaction on July 17, taking no action to intercept or address the other two. It is clear that the bank did not submit a refund request to VERKKOKAUPPA.COM or Turkish Airlines. Both explicitly stated that the bank did not proactively communicate with them, initiate recovery, or request the merchants to halt the transactions. In particular, for the largest transaction, Turkish Airlines clearly stated: "Kindly contact your bank for chargeback. They will cancel the transaction." Customer has shared this information with the bank; however, no action has been taken. Bank’s failure to act allowed the ticket to be used and the goods to be collected, compounding customer's losses. It is clear that bank only contacted the recipient bank and did not engage with the merchants VERKKOKAUPPA.COM or Turkish Airlines. Therefore, the bank should bear the primary responsibility for this issue and compensate for the entire loss.
Bank's reply
Customer has filed a complaint regarding the below bank transfer and card purchases made using his Visa Credit card:
14.07.2024 clock: 18:57 bank transfer VERKKOKAUPPA.COM 1 554,90 euros
14.07.2024 clock: 18:45 card purchase VERKKOKAUPPA.COM 3 103,90 euros
14.07.2024 clock: 18:43 card purchase TURKISH AIRL 6 257,36 euros
Bank's Response to the claims
The claimed transactions are card payments and a bank transfer. The payments have been confirmed in the Visa Secure authentication service with the bank's mobile app authentication. The card purchases also require card information. The bank's mobile app with which the transactions have been confirmed has been downloaded to iPhone XR on 14.07.2024 at 18:26. Customer has said he has iPhone 12 Pro device.
To download and install the bank´s mobile application on a new device, a user needs to have the customer's personal online banking username, password, access code table and a confirmation code via SMS. The customer has admitted to providing the aforementioned information to a fraudulent website.
Bank has sent the customer a verification code to activate client's application via SMS on 14.07.2024 at 18:25:
IMPORTANT! The [bank's mobile app] app is being activated on a new device with your [bank's] online banking credentials. BEWARE OF SCAMS! DO NOT GIVE THE CONFIRMATION CODE TO ANYONE OR TO ANY WEBSITE. SCAM WEBSITES CAN LOOK LIKE [THE BANK'S] PAGES. The code is used only for activating the [bank's mobile app] app. If you are not activating [the bank's mobile app] yourself, do not use the code and delete this message. If you are activating [the bank's mobile app] yourself, enter the confirmation code 5722 in the [bank's mobile app] app on your device. If you suspect you have given your online banking credentials to a scam site, call the blocking service immediately on xx xxxx xxxx (local network rate/mobile rate). Regards, [bank].
The content of the message informing about downloading the bank's mobile application sent by the bank clearly states that the confirmation code is related to downloading the bank's mobile app and that the code should not be entered anywhere else but the application. However, the customer has entered the confirmation code on a phishing website contrary to the explicit prohibition in the message. If the customer had contacted the bank upon receiving the message to ensure the legitimacy of the communication, the damage would have been completely avoided.
If the customer had understood the content of the message, he should have understood that the confirmation code should not be entered on a phishing website. The customer must read and understand the messages received from the bank.
The customer has admitted that he provided his card's payment information to the phishing site, even though he has been selling products. Thus, the customer has acted in violation of bank's general card terms by providing his card's payment information to a fraudulent website, even though he was the recipient of the payment. The customer has acted in violation of the General Terms of Digital Services by disclosing all parts of their online banking credentials to a fraudulent website.
Therefore, the bank considers that the customer's actions constitute grossly negligent conduct in accordance with the Finnish Payment Services Act Section 62. Thus, the bank is not liable for reimbursing the amounts claimed by the customer.
The cancellation of payments
About bank transfer VERKKOKAUPPA.COM 1 554,90 €: In this case, the bank has sent the recall on July 16, 2024 and has received a rejection on the same day. The request for the return of funds has been automatically denied.
About the card payments: Card payments are Verified by Visa. Bank has answered the customer's question about cancellation of payments via e-bank message:
“Customers should always first be in touch with the merchant, and request for a refund of purchase they don't recognize.
In case merchant isn't willing to refund the transaction, card issuing bank ([bank]) will always handle the reclamation and investigate if there is a possibility to claim funds back from the merchant.
Based on Payment Service Directive and domestic regulation in Finland, liability of the transactions will be shifted from the merchant, if transaction is carried out using strong customer authentication.
Since all these fraudulent transactions have been made using strong customer authentication methods, merchants aren't required to provide a refund, and are not willing to do so voluntarily.
Card networks (Visa and MasterCard) are responsible for setting up the chargeback-program, which allows card issuers to seek for refunds from merchants on behalf of customers.
When transaction is submitted to a chargeback-program, card networks are validating the eligibility of transaction and if transaction doesn't meet the eligibility-requirements, chargeback-request will be declined.
In this situation, where transactions have been approved by using the strong customer authentication and liability of potential fraud is no longer with the merchant, chargeback-request cannot be initiated by [bank], and therefore chargeback-requests have not been initiated. Hope this answer helped!
We will be pleased to help in case you have any questions. You can contact us by sending a message in the online banking system or by phoning the number below.”
The bank has made refund requests to the payment recipients, but the payment recipients have not returned the funds.
Turkish Airlines has informed that the tickets have been used, and therefore, a refund cannot be processed. The bank has fulfilled its regulatory obligations based on the grounds stated in the above letter.
Reports
In addition to the communications between the parties, the Banking Complaints Board was provided with the following documents:
- The customer’s email exchange with the scammer
- The customer’s email exchange with Verkkokauppa.com
- The customer’s email exchange with the airline
- Screenshots of the customer’s phone call data
- Screenshots of payment transactions
- Screenshot of an SMS sent by the bank to the customer on 14 July 2024
- The bank’s card terms and conditions
- The bank’s General Terms and Conditions for Digital Services
Recommended solution
Formulation of question
The case concerns the question of whether the bank is liable for any loss eventually incurred to the customer as a result of the bank’s failure to contact the payees of the unauthorised payments in order to obtain refunds. In order to resolve the case, it must be assessed whether the bank neglected its duties to contact the payees, and if the Board considers the bank to have neglected its duties, it must be assessed whether the required loss was incurred as a result.
The applicable norms of law and policy terms
The provisions applicable in the case are Section 40, subsections 1 to 4, and Section 81 of the Payment Services Act, as well as Chapter 15, Section 1 of the Act on Credit Institutions.
Evaluation of the case
In the case at hand, the customer was scammed through an online platform for selling used goods, and the criminals used the information obtained from the customer to activate the bank’s mobile app under the customer’s name; with the app and with the help of the card information obtained from the customer, they were able to confirm unauthorised card payments made to two different payees, a Finnish retail chain and a foreign airline, on 14 July 2024 at 18:43 and 18:45, and after this, to confirm a bank transfer to the aforementioned retail chain at 18:57.
In the case, it is disputed whether the bank acted in accordance with its duties within the contractual relation to limit the loss incurred in the case and to return the aforementioned funds and whether the efforts to return the funds to the customer might have succeeded without the bank’s eventual negligence.
The customer has claimed that he contacted his bank on 14 July 2024, as soon as he realized what had happened, and then contacted the aforementioned payees, one on 14 July and the other on 16 July, and based on the replies he received from them, he contacted the bank again so that the bank would contact the payees in order to freeze the payments and return the funds. The customer considers that the failure to return the funds was due to the bank’s inaction and that the bank should accordingly refund the customer for the loss incurred from the payments.
Regarding the bank transfer, the bank states that it made a payment refund request on 16 July 2024 and received a negative reply on the same day. Regarding the card payments, the bank has stated that in this situation, where transactions have been approved using strong customer authentication and liability for potential fraud is no longer with the merchant, a chargeback request cannot be initiated by the bank, and therefore chargeback requests have not been initiated. The bank has fulfilled its regulatory obligations.
It has not even been claimed in the case that the bank had an explicit contractual duty to contact the payees in order to refund the payments. However, the Banking Complaints Board considers that within the contractual relation between the bank and the customer concerning the customer relationship, and on the basis of good banking practice, the contractual obligation to cooperate in good faith and the bank’s position as a payment service provider, the bank has a duty to inform the customer on the actions he should take to prevent the loss of funds, in order to limit any losses due to the crime, and also to take action to limit any losses due to the crime. The Board further considers, however, that based on the aforementioned duty, the bank cannot be required to directly contact random payees with whom it may not necessarily have any kind of relationship; the bank’s internal actions aside, the active steps to be taken by the bank under the aforementioned duty are primarily limited to contacting, at the customer’s request, other service providers in payment schemes and international card schemes, i.e. the banks of the payees, which receive the payments on behalf of the final payees and transfer the funds onward to the payees. In the case of bank transfers, the above-mentioned can chiefly mean making a payment refund request to the payee’s bank on grounds of fraud, and in the case of card payments, doing a so-called chargeback. A chargeback means a procedure based on the rules of international card schemes and related to dispute resolution between members of such schemes, in which the cardholder’s bank makes a compensation claim to the payee’s payment service provider through a card scheme (Visa, Mastercard) at the cardholder’s request.
Regarding the card payments, the bank has claimed that it cannot make a chargeback request in a situation where strong identification was required. However, the bank has not provided any evidence in support of this claim. In the view of the Banking Complaints Board, it is possible to do a chargeback in case of a fraudulent payment even in situations where the payment was confirmed using strong electronic identification, even though the chargeback is unlikely to succeed in situations where there was no fault on the payee’s part.
The bank transfer and card payment to the retail store
Based on the evidence presented by the customer, the retail store that was the payee in the bank transfer and in one card payment replied on 15 July 2024 to the email message that the customer had sent immediately on 14 July 2024, the day of the event, and stated that if the orders related to the payments had not been shipped yet, they would try to cancel the shipments and if they succeeded in preventing the shipments of the products bought, they would refund the sums charged. Contrary to what the customer stated in the case, the retail store did not advise the customer to ask his bank to contact the store in order to freeze the payments or to return the funds, but to contact the card issuer/bank in order to lock the card and regain control of the bank account. After sending a message to the payee on 30 July 2024, the customer received the payee’s reply on the same day, according to which the funds could not be returned because the shipment of the products bought had already started, the store was unable to stop the shipment, and the perpetrators had picked up the products.
Based on the above and on the retail store’s replies to the customer, the Banking Complaints Board finds that the payee already took action to cancel the fraudulent transactions after being contacted by the customer and that, even if the bank had contacted the bank of the retail store in the matter of the bank transfer earlier than it did and/or, in the matter of the card payment, through the card scheme at any time, this would have had no effect on the final amount of the loss. The Board thus does not need to assess whether the bank, as the customer’s payment service provider, would have been duty bound to contact the bank of the retail store earlier or by other means.
The card payment to the airline
The customer contacted the airline company that was the payee in the other card payment by email on 16 July 2024, and on the following day, 17 July, the airline advised the customer to contact his bank: "Kindly contact your bank for chargeback. They will cancel the transaction." The airline told the customer on 18 July that the matter had been transferred to the company’s credit card department, that the card had been used to buy a flight ticket and that this information was also given to the police, who had contacted the company in the matter as well. After the customer contacted the airline company again on 30 July, the company informed him that the sum could not be refunded, as the tickets had already been used. The company also stated that their actions were not in error, since the payment had been confirmed with online banking credentials. Based on the evidence received in the case, it remains unclear at what time the aforementioned flight tickets were used. The airline said they had given the detailed information to the police.
For the sake of clarity, the Banking Complaints Board notes that in the customer’s case, the airline did not advise the customer to ask his bank to contact them, as the customer stated, but to ask the bank to do a chargeback, which means making a compensation claim to the payee’s payment service provider through the card scheme as explained above.
Taking into account the policies of international card schemes and the fact that in situations where there is no error on the payee’s side, payees are in principle not duty bound to refund payments done using strong electronic identification, as well as the fact that in the case at hand, soon after the unauthorised payment transaction, both the customer and the police contacted the airline whose credit card department was handling the payment reported as fraudulent, the Banking Complaints Board finds that in spite of the airline’s short reply received by the customer on 17 July 2024 referring to the chargeback procedure, it remains unproven in the case that if the bank had contacted the payee’s bank, this would have had an effect on the final amount of the loss. It is thus not necessary for the Board to assess whether the bank, as the customer’s payment service provider, was duty bound to contact the bank of the airline through the chargeback procedure.
Final outcome
The Banking Complaints Board does not recommend compensation.
The Banking Complaints Board’s decision was unanimous.
BANKING COMPLAINTS BOARD
Chairman Sillanpää
Secretary Hidén
Members:
Atrila
Piilo
Punakivi
Tervonen