
FINE-72060-P1L4P9


Case number: FINE-72060-P1L4P9 (2025)

Case group: Account use and payments

Resolution issued: 19.06.2025

What is the division of responsibility between the customer and the bank in relation to unauthorized transfers from the customer’s account that were confirmed with a new identification app of the bank? Unauthorized use of online banking credentials. Phishing. Gross negligence of the holder of a payment instrument.

Information on the event

The customer was selling her coat on the TISE app. She received a message in the app saying that the coat had been sold. The message contained a link which, it claimed, had to be used in order to receive the payment. After the customer entered her online banking credentials on the website opened through the link, the credentials ended up in an outsider’s possession. The criminal then activated the bank’s identification app on their own device in the customer’s name, using the customer’s online banking credentials (username, password and an access code from the list issued by the bank) together with the code the bank sent to the customer by SMS on 2 November 2024 at 11:48. The content of the message was the following:

“IMPORTANT! [The bank’s mobile app] is being activated on a new device with your [bank] online banking credentials. BEWARE OF SCAMS! DO NOT GIVE THE CONFIRMATION CODE TO ANY PERSON OR WEBSITE. FAKE WEBSITES MAY LOOK LIKE [the bank’s] WEBSITE. The code is only used for activating [the bank’s mobile app]. If you are not activating [the bank’s mobile app] yourself, do not use the code, and delete this message. If you are activating [the bank’s mobile app] yourself, enter the confirmation code xxxx in [the bank’s mobile app] on your device. If you suspect that you have entered your online banking credentials on a fake website, you should immediately call the deactivation service at xx xxxx xxxx (local network charge/mobile call charge). Kind regards, [the bank]”

With the activated mobile app of the bank, the criminal applied for a loan of €9,600 in the customer’s name and made 14 unauthorized transfers from the customer’s account, totalling €11,000. The bank has refunded the loan sum to the customer, so the customer’s loss amounts to €1,400. The bank blocked the customer’s online banking credentials on 6 November 2024 at 13:04; the unauthorized transactions had been carried out before the blocking, between 04:32 and 11:47 on 6 November 2024.

The customer’s demands

The customer demands that the bank should refund €1,400.

The customer denies having entered the identifying data on any fake website and claims that she only entered the confirmation code in the bank’s identification app. Even though the SMS message sent by the bank for activating a new device included a warning about scams, according to the customer the message was too long and furthermore was not in the language of the customer’s choice, so it was difficult for her to recognise the immediate risk. The customer also justifies her demands with the fact that the bank sent her a message in Finnish even though she had chosen Swedish as her communication language. The customer has asked the bank many times to change the communication language to Swedish, but according to the customer the bank has not respected her choice of language. This is not due to any actions on her part but to the fact that the bank has ignored her wish to choose her communication language.

The customer explained that she has set a daily withdrawal limit of €1,400, but the bank has still allowed withdrawals of larger sums than this from her account. Furthermore, the loan taken in the customer’s name was transferred to the account without any further verification. All the mentioned transactions are inconsistent with the customer’s earlier payment behaviour. The customer found it strange that the scammer was able to download and activate the identification app so quickly even though the customer’s own identification app has been functioning normally all the time. As an example, the customer tells how she changed phones after this incident and had to activate the identification app on her new phone, which was difficult and slow, and according to her she could not use both apps at the same time but had to wait several days to be able to activate the new app. This required the deactivation of the old app and several confirmation phases.

Opinion of the service provider

The bank contests the customer’s claim for the sum of €1,400. The bank has refunded the loan taken in the customer’s name, of €9,600 in total.

The bank bases its contestation on the fact that the customer herself gave the online banking credentials and the confirmation code received by SMS to a third party, contrary to the terms and conditions and security instructions, and considers that the customer has violated the duty of care under the terms and conditions of the bank’s digital services. The bank has referred to the fact that a customer should not use his or her online banking credentials for logging in to the online banking service, to external services or for other bank transactions if he or she accessed the login page from search engine results or if the link to the login page was sent by email, SMS, via social media or by other electronic means.

In order to activate the bank’s identification app under the customer’s name, the criminals had to know the customer’s digital service credentials (username, password and access code) as well as the password required for activating the bank’s identification app. According to the bank’s log data, the customer was sent an SMS at the number she had given to the bank, on 2 November 2024 at 11:48, with the following content:

“IMPORTANT! [The bank’s mobile app] is being activated on a new device with your [bank] online banking credentials. BEWARE OF SCAMS! DO NOT GIVE THE CONFIRMATION CODE TO ANY PERSON OR WEBSITE. FAKE WEBSITES MAY LOOK LIKE [THE BANK’S] WEBSITE. The code is only used for activating [the bank’s mobile app]. If you are not activating [the bank’s mobile app] yourself, do not use the code, and delete this message. If you are activating [the bank’s mobile app] yourself, enter the confirmation code xxxx in [the bank’s mobile app] on your device. If you suspect that you have entered your online banking credentials on a fake website, you should immediately call the deactivation service at xx xxxx xxxx (local network charge/mobile call charge). Kind regards, [the bank]”

In response to the customer’s complaint about the communication language, the bank has stated that between 2010 and 2018, different services were opened for the customer in Finnish, for example, the online banking credentials agreement was opened in Finnish in 2012. The mobile app and the associated identification function were activated in 2019, and the language of the agreement at that time was Swedish. The bank has noted that the online banking credentials agreement was originally concluded in Finnish and the service language was later changed to Swedish. The service language for the identification app and online banking was changed back to Finnish on 5 November 2024, apparently by the criminal. This is why the confirmation message sent by the bank to the customer was in Finnish. The bank comments that the customer should have contacted the bank when the confirmation message was in a different language from the communication language chosen by the customer. The customer has to understand and read the messages she receives from the bank. The customer should not have given the confirmation code to the website, since she did not understand the content of the message.

Regarding the customer’s claim about the maximum daily payment limit, the bank has observed that the customer’s maximum daily payment limit in online banking has been €50,000.00.

According to the bank, the customer’s actions have constituted gross negligence under the Payment Services Act and the bank’s terms and conditions concerning its online services.
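The sequence set out in the event information and in the bank’s account (a new identification app enrolled on 2 November, the service language changed on 5 November, a loan drawn and fourteen transfers made within a few morning hours on 6 November, all well inside a €50,000 daily limit) is the kind of pattern a bank’s payment-risk monitoring can score before money leaves the account. The Python below is an added illustration and is not part of this resolution or of the bank’s systems: the timestamps, the €9,600 loan, the count and total of the transfers and the €50,000 limit follow the case text, while the log format, field names, individual transfer amounts, behavioural baseline, thresholds and action names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event log for one account, in the shape a bank back end might emit.
# Timestamps, the 9,600 EUR loan and the 14 transfers totalling 11,000 EUR follow
# the case text; the line format, field names and individual amounts are constructed.
SAMPLE_LOG = """\
2024-11-02T11:48:00 device_activation new_device
2024-11-05T09:15:00 settings_change service_language=fi
2024-11-06T04:20:00 loan_disbursed 9600.00
2024-11-06T04:32:00 transfer 950.00
2024-11-06T05:10:00 transfer 900.00
2024-11-06T05:55:00 transfer 800.00
2024-11-06T06:30:00 transfer 850.00
2024-11-06T07:05:00 transfer 700.00
2024-11-06T07:40:00 transfer 750.00
2024-11-06T08:15:00 transfer 800.00
2024-11-06T08:50:00 transfer 900.00
2024-11-06T09:25:00 transfer 700.00
2024-11-06T10:00:00 transfer 650.00
2024-11-06T10:35:00 transfer 750.00
2024-11-06T11:10:00 transfer 800.00
2024-11-06T11:30:00 transfer 700.00
2024-11-06T11:47:00 transfer 750.00
"""

# Constructed log of an ordinary day on the same account, for contrast.
BENIGN_LOG = """\
2024-10-15T18:02:00 transfer 120.00
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    detail: str


@dataclass(frozen=True)
class Profile:
    """Constructed behavioural baseline plus the static limit the bank cited."""
    typical_daily_total: float
    active_hours: tuple[int, int] = (7, 22)   # transfers normally fall in [7, 22)
    static_daily_limit: float = 50_000.0      # daily payment limit stated by the bank


CUSTOMER_PROFILE = Profile(typical_daily_total=400.0)


def parse_log(text: str) -> list[Event]:
    """Parse 'ISO-timestamp kind detail' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split(" ", 2)
        events.append(Event(datetime.fromisoformat(ts), kind, detail))
    return events


def assess(events: list[Event], profile: Profile,
           lookback: timedelta = timedelta(days=7)) -> dict:
    """Score recent transfers for account-takeover indicators, one point each.

    Thresholds and action names are constructed for illustration.
    """
    transfers = sorted((e for e in events if e.kind == "transfer"), key=lambda e: e.ts)
    if not transfers:
        return {"indicators": [], "score": 0, "action": "allow", "total": 0.0}
    first, last = transfers[0].ts, transfers[-1].ts
    total = sum(float(e.detail) for e in transfers)
    fired = []
    # 1. A new device was enrolled shortly before the money moved.
    enrolments = [e.ts for e in events
                  if e.kind == "device_activation" and last - lookback <= e.ts <= last]
    if enrolments:
        fired.append("new_device_enrolled_recently")
        t0 = min(enrolments)
        # 2./3. Profile changes and credit drawn between enrolment and the transfers.
        if any(e.kind == "settings_change" and t0 <= e.ts <= last for e in events):
            fired.append("settings_changed_after_enrolment")
        if any(e.kind == "loan_disbursed" and t0 <= e.ts <= last for e in events):
            fired.append("credit_drawn_after_enrolment")
    # 4. Volume far above what this customer normally moves in a day.
    if total > 5 * profile.typical_daily_total:
        fired.append("transfer_total_far_above_baseline")
    # 5. Activity at hours the customer does not normally transact.
    start, end = profile.active_hours
    if any(not (start <= e.ts.hour < end) for e in transfers):
        fired.append("transfers_outside_usual_hours")
    # 6. Many transfers in a short window.
    if len(transfers) >= 10 and last - first <= timedelta(hours=12):
        fired.append("transfer_burst")
    # 7. The static limit, for comparison with the behavioural checks above.
    if total > profile.static_daily_limit:
        fired.append("static_daily_limit_exceeded")
    score = len(fired)
    if score >= 3:
        action = "hold_and_verify_out_of_band"
    elif score >= 1:
        action = "step_up_authentication"
    else:
        action = "allow"
    return {"indicators": fired, "score": score, "action": action, "total": round(total, 2)}


if __name__ == "__main__":
    for name, log in (("case timeline", SAMPLE_LOG), ("ordinary day", BENIGN_LOG)):
        print(name, assess(parse_log(log), CUSTOMER_PROFILE))
```

Run against the case timeline, six of the seven indicators fire and the static-limit check is the only one that stays silent: the €11,000 moved is far below the €50,000 limit, so a limit of that size alone gives the bank no signal, whereas the enrolment-then-drain pattern and the night-time burst stand out against even a crude behavioural baseline. The ordinary-day log scores zero and is allowed through.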

Terms and conditions and legislation

Under Section 53 (Protecting the payment instrument), subsection 1 of the Payment Services Act,
The holder of the payment instrument shall use it in accordance with the terms and conditions governing the issuance and use of the payment instrument. In particular, he or she shall take reasonable steps to protect the payment instrument and the associated personalized security credentials. The terms and conditions governing the issuance and use of the payment instrument shall not be unjustified, unreasonable or discriminative.

Under Section 62 (The responsibility of the payment service user for the unauthorized use of a payment instrument) of the Act,
A payment service user who has entered into an agreement with a service provider on a payment instrument is liable for its unauthorized use only if the loss of the payment instrument, its theft or misappropriation by another person or its unauthorized use is due to:
1) his or her having given the payment instrument to a person unauthorized to use it;
2) his or her negligence and failure to fulfil his or her obligations under Section 53 (1); or
3) his or her failure to report his or her discovery of the loss of the payment instrument, its theft or misappropriation by another person or its unauthorized use to the service provider or another party designated by the service provider without undue delay.
The liability of the payment service user for the unauthorized use of a payment instrument in the cases referred to in subsection 1, paragraph 2, is at most 50 euros. This maximum does not apply if the user of the payment service or another holder of the payment instrument has acted with intent or with gross negligence.
The payment service user shall not be liable for the unauthorized use of the payment instrument:
1) to the extent that the payment instrument has been used after the loss of the payment instrument, its theft or misappropriation by another person or its unauthorized use was reported to the service provider or another party designated by it;
2) if the service provider has neglected to ensure that the holder of the payment instrument has the opportunity to make the report referred to in paragraph 1 at any time;
3) if, at the time of use of the payment instrument, the payee has not appropriately verified that the payer was authorized to use the payment instrument; or
4) if the service provider has not required strong electronic identification of the payer.

The provisions of subsection 3 notwithstanding, the payment service user is liable for unauthorized use of the payment instrument if he or she or another holder of the payment instrument has intentionally made a false report or otherwise acted in a fraudulent manner.

Under Section 63 (Liability of the service provider for an unauthorized payment transaction), subsection 1 of the Payment Services Act,
If the payment transaction was performed without authorization, the service provider whose customer’s funds were used to perform the payment transaction shall, immediately and no later than the following business day after the discovery or report of the payment transaction, return the sum of the payment transaction to the customer or restore the customer’s payment account to the state it would have been in without the debiting, Section 62 notwithstanding.

According to point 8.1 of the general terms and conditions of the bank’s digital services and identification instruments, effective 7 January 2021:
[…]
You may not use the online banking credentials for logging in to the bank’s website, for authenticating your identity in external services or for handling other banking business, if you have accessed the login page via a search engine’s results or if the link to the login page was sent to you in an email or SMS, on social media or by other electronic means.
[…]

Resolution recommendation

In order to determine the distribution of responsibilities between the customer and the bank, it must be assessed whether the unauthorized use of the payment instrument has been caused by the customer’s negligence in ignoring her responsibilities under Section 53, subsection 1 of the Payment Services Act and what, if any, was the degree of the negligence shown by the customer.

The customer has denied having entered her online banking credentials or the confirmation code of the bank’s identification app on a fake website and has said that she only entered them on the bank’s own website. In any case, the bank has presented an account of the events and the information the criminals needed to have in order to activate a new identification app of the bank on their own device in the customer’s name, based on the bank’s system data. FINE has no reason to doubt the veracity of the report based on the bank’s system data.

FINE considers it established in the case that the customer has received a message from a previously unknown person posing as a buyer and opened the link in the message. In view of the customer’s account of the course of events and the fact that the activation of the bank’s identification app necessitated the customer’s online banking credentials and the confirmation code contained in the SMS message sent to the customer by the bank, FINE finds that there is no other alternative but that the customer has accessed, through the link she received, a fake website created by the criminals and looking like the bank’s website, on which she has misguidedly used her online banking credentials. With the customer’s online banking credentials obtained through the fake website, the criminals have started the activation of the bank’s identification app on their own device in the customer’s name. Because of this, the bank has sent the customer an SMS message in Finnish concerning the activation of an identification instrument on 2 November 2024 at 11:48.

Since the activation of the bank’s identification app necessitated not only the online banking credentials but also the confirmation code in the SMS message sent to the customer by the bank, FINE considers on the basis of the account received that also the confirmation code in the SMS must have become known by the criminals, and on the basis of the reports received in the case, there is no other possibility but that the customer has received the message containing the confirmation code and entered the code on the aforementioned fake website, possibly under the impression that she was confirming her identity. After the criminals obtained the confirmation code for the identification app sent by the bank, they were able to activate the bank’s identification app on their own device in the customer’s name and use the app to confirm the payment transactions under complaint. In this case, the bank has referred to its terms and conditions, under which the online banking credentials must not be used for logging in to the bank’s online services if the link to the login page was sent to the customer by email or other electronic means. Since the customer entered her online banking credentials on a website accessed through a link sent by a person previously unknown to her, FINE considers that the customer neglected her responsibilities under Section 53 of the Payment Services Act and the terms and conditions of the online banking credentials.

FINE further finds that having received an SMS message concerning the activation of the bank’s identification app in a manner differing from the situations of identification by online banking credentials or logging in to the bank’s website, the customer should, especially considering the contents and attention-grabbing formulation of the SMS, have known to question the appropriateness of the action and refrain from entering the code she had received on the website. If the customer had at that point checked the address bar of the website, for example, or contacted the bank herself and asked whether the action was appropriate, the damage caused by the unauthorized use of the customer’s banking credentials in the case could have been avoided.

According to the established resolution practice of the Banking Complaints Board, the basic diligence required of the holder of online banking credentials includes the requirement that when using the online banking credentials, the customer reads the messages received from the bank in the course of his or her actions and acts accordingly. On the other hand, it is the bank’s responsibility to ensure that the messages it sends to its customers are comprehensible, so that a diligent holder of online banking credentials, for example, would not remain in doubt about the purpose of the code received in the bank’s message.

On the subject of messages sent in a language different from the agreed and normally used communication language, the Banking Complaints Board has found in its resolution practice (e.g. FINE-057082, issued on 6 June 2024) that if a language barrier prevents the customer from understanding or being certain about the purpose of e.g. a code sent by the bank in an SMS message, a customer acting with due care should interrupt his or her actions and, for example, contact the bank in order to verify the purpose and appropriateness of the action.

In the case under consideration, the customer has received an SMS message in Finnish from the bank, containing the activation code for the bank’s identification app. The SMS was informative in content, and it explained appropriately what was being done with the customer’s online banking credentials and what purpose the activation code in the message was being used for. The message also said that if the customer was not activating the bank’s identification app him- or herself, he or she should contact the bank. The message warned the customer about fraud and warned against entering the code unless the customer him- or herself was activating the new app.

FINE considers that after entering her online banking credentials through a link sent by a person previously unknown to her, the customer should, in the following stages of her actions, have paid special attention to any messages received from the bank and the purpose of the code in the message. FINE thus finds that after entering not only her online banking credentials but also the code in the bank’s SMS message on the website accessed through the link, possibly without reading the contents of the SMS or at any rate without paying attention to its contents, the customer’s actions as a whole must be deemed to differ clearly and essentially from the diligent action that is required of the holder of a payment instrument. FINE accordingly considers that the customer’s actions as a whole are evidence of gross negligence in the meaning of the Payment Services Act and that in the relationship between the customer and the bank, the customer is thus fully responsible for the damage that was caused by the unauthorized use of the payment instrument.

The customer has referred to the daily spending limits. According to the account given by the bank, the daily maximum limit for payments made by the customer on the bank’s website has been €50,000. Regarding the daily spending limits, FINE notes that the unauthorized payments made using the customer’s online banking credentials were made as bank transfers, not as card payments. The bank transfers under complaint are not subject to the maximum daily limit for card payments but to the maximum daily limit for bank transfers made on the bank’s website as stated in the bank’s account. On the basis of the above, it remains unproven that the bank did not observe the agreed maximum daily limits in the case.

Final outcome

FINE does not recommend compensation in the case.

FINE
The Finnish Financial Ombudsman Bureau

Chief of department Hidén
Presenting official Haapsaari
