banks are not liable for scams to customers – Corriere.it

If the customer falls into the phishing trap and is scammed, it is his responsibility and not the bank’s, which therefore is not required to compensate him. This was established by the Court of Cassation, with sentence number 7214 of 13 March 2023, with which it introduced a principle which represents, for banks, a shield against claims for damages made by defrauded account holders following attempts to phishing. The behavior of the account holder who enters his personal codes via a fraudulent e-mail sets in motion a behavior that qualifies as imprudent and negligent, reads the sentence.

What happened

The story concerned an online Bancoposta account jointly owned by a man and a woman. At a certain point, the two account holders had realized that 6,000 euros had disappeared from their account following a fraudulent wire transfer operation carried out electronically to their account by a third person and had sued Poste Italiane to obtain the refund of the amount. In the first instance ruling, the Court of Palermo had sentenced the intermediary to reimburse the current account holder for the sum that had been stolen, considering that he had not taken all the security measures necessary to prevent damage such as that in question. But in the second instance, the account holder’s claim for compensation was rejected. This decision was later also confirmed by the Cassation, which recalling the arguments of the Court of Appeal, declared the appeal inadmissible, excluding the liability of the intermediary.

The circular of the Abi

In a recent circular to its associates, the ABI recalled the sentence, highlighting some aspects: the behavior of the account holder to be considered imprudent and negligent as the customer entered his personal codes (requested with a fraudulent e-mail), thus allowing the scammer to use them. Furthermore, the ABI underlines that according to the judges of the Court of Appeal, the intermediary had adopted a security system such as to prevent access to the account holder’s personal data by third parties as the security levels of the computer systems are have been certified by specific certifying bodies, according to the most rigorous and reliable international standards and from the content of these documents it emerges that the use of the online service can only take place through the insertion of various secret codes in the user’s possession and unknown to the same intermediary staff.

The reasons of the judges

The judges also highlighted how on the intermediary’s website, which can be easily consulted by the account holder, there was a special space where the necessary information is provided to avoid computer fraud in particular, phishing, with the caveat, in particular, that the intermediary never requests, through e-mail messages, letters or telephone calls, to provide the personal codes and with the information necessary to distinguish the authentic and protected internet site of the intermediary from the cloned ones, in which the account holder is induced to enter the own personal codes. With reference to the burden of proof, the ABI points out in the circular, the Court of Cassation concluded that the intermediary was not required to prove that the debit had been approved by the account holders, as the security features of the computer system of the ‘intermediary for the execution of banking transactions electronically, there was proof, derived from presumptions, that these usernames, pins and passwords, which the applicants claimed they had not used to issue this order, were used by a third party, after their illegal collection.