Litigation 2026

SPAIN Trends and Developments Contributed by: Alfonso López-Ibor, Pablo Henriquez de Luna, Virginia Jover and Carmen Serrano, López-Ibor DPM

Criteria for shifting liability to the consumer

Accordingly, financial institutions must focus their evidentiary efforts on demonstrating the existence of robust security and strong authentication systems, to establish that it was the consumer’s negligent behaviour that led to the loss.

Given the technological developments and increase in electronic transactions, nearly all financial institutions – at least the larger ones – have sophisticated security systems that require manual authorisation by users for all online transactions. All such manual validations leave digital footprints, which banks must provide as proof of the reliability of their security systems.

Additionally, it is crucial to assess how the consumer executed the transaction, including:

• whether they received an SMS alert prior to the scam;
• whether fraudulent websites were accessed through spoofed links;
• whether the consumer received impersonation calls from individuals claiming to be bank representatives;
• whether the consumer contacted the bank’s customer service immediately or within a reasonable time; and
• most importantly, whether the consumer recklessly shared crucial personal and non-transferable banking information (eg, card number, expiration date, CVV, or account number).

Therefore, while a robust security system alone may not always exempt the bank from supervisory liability (responsabilidad in vigilando), a combination of factors may lead courts to determine that it was the consumer’s negligence that caused the loss being claimed from the bank.

As a result, it is increasingly important for banks to provide verifiable records of each step in their authentication processes. This has become essential for addressing the burden of proof reversal established in Article 44.1 of RD Law 19/2018.

Practical examples of consumer negligence

Below are several examples illustrating the above points.

Receiving alert messages and manually authorising transactions

In most phishing cases, consumers receive alerts from their banks before the scam is carried out. These messages, often sent via the bank’s app, notify the user that a transaction is being attempted using their credentials, which must be manually authorised through biometric or password-based authentication.

Transactions unrelated to the consumer’s usual activity

In some cases, the warning messages pertain to transactions that are entirely unrelated to the consumer’s activity (eg, an investment in private funds when the messages refer to online shopping), or the user receives alerts for transactions they are not performing.

Repeated authorisation of suspicious operations

Many scams involve multiple fraudulent transactions, with the consumer authorising each one despite red flags. When consumers approve three, five, or even ten suspicious transactions, it becomes difficult to prove diligence on their part, making it easier for banks to defend themselves.

Obvious spoofing of official websites

In some cases, fake websites include glaring spelling errors, blurry or missing logos, or poor formatting. This supports the argument that the consumer acted recklessly.

Urgency and pressure tactics

Victims are often contacted by impostors posing as staff from the impersonated company, using personal email accounts and applying pressure to act quickly. These requests typically involve small money transfers or transactions.

Illogical transactions

Scammers often lure consumers with appealing offers that lack any legitimate basis (eg, fake job offers from Booking that require upfront deposits, or fake buyers on Wallapop asking sellers to make payments before
