Cybercrime: liabilities of banks to victims

The number of cyberattacks on online banking is constantly increasing. Financial institutions put more and more effort into protecting the money entrusted to them, but they are still unable to eliminate extortion of data and cybertheft completely. Money that flows illegally out of the accounts of banks' customers should often be returned by the service provider. However, not everyone is aware of that.

Cybercriminals use more and more sophisticated methods of making unauthorised transfers from other people's accounts. One of them is sending viruses and malicious software. It is enough to accept the licence of a free, inconspicuous program or to click on an untrusted link to infect software. Installing it unintentionally allows unauthorised persons to intercept data.

Phishing, that is, theft carried out through false websites, is also popular. Links leading to false websites, which in fact do not differ from the original ones, are sent by e-mail to online banking customers. In this way the hacker intercepts a full set of information that allows him to make an unauthorised transfer. A form of phishing that is even more dangerous for the user and more difficult to detect is pharming. In this case the customer is redirected to a false bank website even after entering a valid web address.

Traps of this kind set by cybercriminals are more and more frequent. Their number will probably increase with the development of new technologies. But it is worth knowing that responsibility for this type of crime falls not only on the victims' shoulders, but is also a result of deficient protection or warnings appearing too late. In accordance with Article 50 of the banking law, banks are obligated to 'show due diligence with the view to ensure the security of the money they hold'.

Financial institutions very often try to evade financial liability and reject their own customers' requests for the return of money lost as a result of cybercrimes. Customers can, however, enforce their rights by taking legal action.

In such cases the court rules in favour of the bank, if only it proves a flagrant neglect by the customer. Then, if a victim of a cyberattack gave their credentials to third persons, sent them out as non-encrypted messages or left them in a public place on an external data carrier, they will not be able to receive the return of the money lost. Gross negligence is not only a situation in which the customer falls victim to phishing or pharming. Additionally, if the customer realizes that something is wrong, gives up the attempts to log in, informs the bank or makes a complaint, it may be assumed that the authorisation of the performed payment transaction was not planned, says Katarzyna Kosicka-Polak, partner, legal advisor in the law firm MKZ Partners.

It should also be noted that it is the banks that have to prove the authorisation of the transaction by the customer, failure to comply with obligations or gross negligence.

On noting that from an account of a customer who usually performs operations on small amounts, suddenly a much larger sum flows out, the bank should additionally confirm the transaction by telephone before its final execution. This process is however still very rare. Additionally, banks still don't want to return to customers the money that was stolen from them. Our firm is currently running numerous cases of this kind. We recover the amounts in the range between 1,000 and 100,000 PLN. Recently, after a few months of negotiations, we managed to recover more than 80,000 PLN, and this before the cases reached the court, adds legal advisor Katarzyna Kosicka-Polak.

In this context, it is also worth remembering that, in accordance with Art. 46 of the Payment Services Act, in the case of an unauthorised payment the bank is obligated to immediately return the money to the account from which the transaction was made.


For more information:

Valkea Media, Anna Augustyniak-Hoffman, tel. (+48) 530 683846