EBA wants to better protect bank customers from online banking fraud



Status: 04.08.2023 3:16 p.m

Banks only pay compensation for online banking fraud under certain conditions. That should change: The European banking supervisory authority wants to strengthen customer rights.

When Claudia P.’s cell phone rang on June 27, she had no idea that she was being targeted by cyber criminals. A man is on the line, pretending to be an employee of her savings bank. He knows her data: address, date of birth and much more, P. remembers: “Then I thought it could only be a real employee, because: who else would have my account number and all the other data about me?”

The caller asks why P. hasn’t updated her push-TAN access data. In fact, the Sparkasse had sent her an update request. The caller warns that P. must update immediately, otherwise she will no longer be able to do online banking. “He could help me right now, straight away, right away,” remembers the Sparkasse customer.

During the phone call, he sends her a text message. What P. doesn’t know: by clicking on the link in the SMS and entering new data, she gives the criminal access to her online account. The SMS looks exactly as if it had been sent by the Sparkasse. The real savings bank even confirms the change to her access data by email. P. doesn’t suspect anything.

Scammers plunder the account

In no time at all, the fraudsters book several expensive trips and pay via Claudia P.’s online account: “It was over 4,600 euros. A huge shock! And I immediately asked myself: ‘Will you get it back? Who is responsible anyway?’” P. wants her money back. In fact, her Sparkasse manages to retrieve two bookings. But P. is left with the remaining damage of more than 2,000 euros. Not an isolated case.

It is true that the current EU Payment Services Directive (PSD2) states that, in the case of online payments, it is appropriate for the burden of proof for alleged negligence to lie with the bank; the customer’s corresponding options are very limited in such cases.

However, with the implementation of the EU directive in German law in 2018, the burden of proof in the event of fraud often remains with the customer. According to the Federal Ministry of Justice and the Federal Ministry of Finance, in response to an ARD request, the point is, quote: “…that the payment service user (i.e. the customer, editor’s note) can present a substantiated and credible presentation of the course of events that he did not authorize the payment transaction despite recorded authentication.”

Authorization as a sticking point

The crux of the matter when it comes to negligence is whether the customer has authorized the payment: for example, approval with a mouse click. According to the Ministry of Finance, the banks only check whether a transfer has actually been made with a PIN and TAN, the so-called authentication components.

At the Federal Association of Consumer Organizations in Berlin, this is sharply criticized. How is the customer supposed to prove that he did not initiate the authorization of a payment himself, asks Dorothea Mohn from the Federal Association of Consumer Organizations. If the bank says everything is fine with them, says Mohn, “then the burden of proof suddenly shifts to the consumer, who has to prove that he has not acted with gross negligence. And as a rule, it is very difficult for the consumer to provide this proof – with the consequence of being left with the damage.”

Opaque processes

The Munich lawyer Marc Maisch, who represents Claudia P., thinks it is wrong that the Sparkasse does not want to compensate for the remaining damage. He assumes that his client cannot be accused of negligence. For the lawyer, the analysis of the case shows that the incoming SMS came from the Sparkasse.

“The case is so complicated. And gross negligence – between us – these are cases where you slap your forehead with your hand because they are so stupid.” He doesn’t see it that way here, according to lawyer Maisch. “I therefore assume that the client has a repayment claim against her bank. And we would then continue to do so.”

The Sparkasse Niederbayern-Mitte sees the case differently. When we asked, we were told that P. had sent the SMS to the scammers and not the other way around. As is so often the case, the customers lose out when it comes to providing evidence.

Payment Services Directive should protect better

The EU Commission has recognized that the current Payment Services Directive (PSD2) does not adequately protect bank customers and is working on a new directive. It has obtained the opinion of the European Banking Authority, EBA for short. The EBA has made numerous recommendations on how the directive should be improved, explained authority spokesman Dirk Haubrich, because of “a lack of clarity and different interpretations in the member states.

Also because of the different interpretations of the banks. The definition of gross negligence was one of these 200 recommendations that we proposed to the Commission.” In a study, the EBA points out that almost 70 percent of the damage caused by online banking fraud is borne by customers. Germany did not deliver any data for the study.

On request, the Sparkasse recently announced, quote: “We are currently examining intensively what options there are for goodwill arrangements in this case.” Although Claudia P. would be happy if she got the money back, she is bothered by this procedure: “Goodwill is the smallest thing, or the goodie, if you will. I think that the consumer simply has to be protected a lot more.” The fact that the paths of the hackers are often difficult to prove shouldn’t be a problem for customers.
