Litigation 2026

SPAIN Trends and Developments Contributed by: Alfonso López-Ibor, Pablo Henriquez de Luna, Virginia Jover and Carmen Serrano, López-Ibor DPM

Lopez-Ibor DPM López de Hoyos 35, 3rd Floor 28002 Madrid Spain

Tel: +34 91 52 17 818 Email: info@l-ia.com Web: www.lopez-iborabogados.com

Shift in Spanish Judicial Trend in Favour of Banking Institutions in Phishing Cases

Introduction

Although phishing scams have significantly increased in recent years, there has been a change in the profile of phishing victims. These attacks are no longer limited to so-called boomers, as now millennials and Generation Z – digital natives par excellence – are also being targeted.

In this context, victims often seek to hold financial institutions civilly liable, given that these scams are typically carried out through electronic means, which inevitably and unintentionally involves banks.

Traditionally, Spanish case law has recognised a quasi-strict liability on the part of banks in favour of consumers. However, through several cases handled by López-Ibor DPM Abogados, the firm has identified a shift in this trend, particularly in decisions issued by the Provincial Courts (Audiencias Provinciales).

Legal and regulatory framework

In Spain, the regulation of these transactions is governed by Royal Decree-Law 19/2018, of 23 November, on payment services and other urgent financial measures (hereinafter “RD Law 19/2018”). Specifically, Articles 41 to 49 of RD Law 19/2018 are of particular relevance, as they establish the criteria for determining the liability of intermediaries in electronic payment operations.

This Law transposes Directive (EU) 2015/2366 on payment services (PSD2), which introduced the concept of strong customer authentication. This requirement forms the legal basis for assessing the level of security implemented by financial institutions and whether the user has acted negligently.

According to these provisions, financial institutions that provide payment services must establish the necessary conditions to ensure secure electronic transactions.

Thus, the general rule is that banks are the ultimate guarantors of transactions carried out through electronic payment gateways, except in cases of unauthorised transactions.

The problem lies in the fact that, in most phishing cases, the transactions appear formally authorised from the bank’s perspective, as fraudsters use various techniques to obtain victims’ personal access credentials, effectively impersonating them before the bank’s security systems.

In such cases, the burden of proof is reversed. According to Article 44.1 of RD Law 19/2018:

“Where a payment service user denies having authorised an already executed payment transaction or claims that it was executed incorrectly, it shall be for the payment service provider to prove that the payment transaction was authenticated, accurately recorded, and accounted for, and that it was not affected by a technical failure or other deficiency in the service provided by the payment service provider.”

This provision has been interpreted by the courts, which are now starting to lower the standards of responsibility previously imposed on financial institutions under this Article, recognising consumer liability in cases of manifestly negligent conduct.
