In the Court of Cassation decision of March 28, 2018, special attention is given to the serious negligence and the responsibility of the victim of a bank fraud operation. According to Article L 133-18 of the French Monetary and Financial Code, “in the event of an unauthorized payment transaction reported by the payer (…), the payment service provider of the payer shall refund the payer the amount of the unauthorized operation immediately after becoming aware of the transaction or after having been informed (…), unless it has a good reason to suspect a fraud”.
To assess the responsibility of the bank as well as of the account holder (the victim of the fraud), three different sources of fraud must be distinguished:
- the credit card was intercepted while it was being sent by the issuer to its legitimate holder;
- the fraudster used a credit card recovered following its loss or theft;
- the credit card number was obtained through some fraud technique and was then used for fraudulent payments, especially on the Internet.
In the first case, the bank incurs liability if it lacked sufficient security measures to prevent the interception of personal data. According to Article L133-15 of the French Monetary and Financial Code: “the payment service provider who issues a payment instrument must ensure that the personalized security data (…) are not accessible to persons other than the user authorized to use this instrument”. In addition, under Article 34 of the French Data Protection Act, the bank, as a controller, is required to implement all appropriate technical and organizational measures to effectively guarantee the security of bank data. Since May 25, 2018, the date on which the European regulation on personal data protection came into effect, failure to comply with this obligation can be penalized by a fine of up to 4% of the establishment's global turnover. In the second case, given that the credit card was no longer in the possession of the holder, and provided that the conditions of Article L133-19 of the French Monetary and Financial Code are met, the bank applies a deductible of 50 euros. In the third case, the credit card normally remains in the possession of the cardholder.
The different cases of bank data fraud are:
– Cloning (or skimming): the bank data is captured using a camera or by tampering with the numeric keypad.
– Hacking of automated data systems, servers or networks: a fraudulent intrusion into computer systems.
– Phishing: fraudsters recover the personal data of a credit card holder, mainly through unsolicited emails that direct users to fraudulent web sites.
In the first two cases, the cardholder cannot be held liable, because there is no serious negligence on their part: the bank data is collected without the cardholder's knowledge. The bank must therefore fully refund the amount debited, especially when the hacking of its computer system was made possible by a low security level of that system. The case of phishing is more delicate, because the bank data is fraudulently collected directly from the customer and not through the bank. Even so, the bank is required to refund the amount debited, even if the cardholder has fallen into the trap (judgment no. 15-18102 issued by the commercial chamber of the French Court of Cassation on January 18, 2017), unless the bank can demonstrate the cardholder's “serious negligence”.
The question that arises is how to evaluate whether or not a cardholder showed “serious negligence” in protecting their personal banking data. It should be noted that the cardholder has a contractual obligation to take all reasonable measures to preserve the security of their bank information. In addition, under Articles L. 133-16 and L. 133-17 of the French Monetary and Financial Code, it is the responsibility of the payment service user to take all reasonable measures to preserve the security of his or her personal data and to promptly inform the payment service provider of any unauthorized use of the payment method or related data. In its decision of October 25, 2017, the French Court of Cassation points out that the victim “could not have been aware of the fact that the email she had received was fraudulent and if, consequently, the fact of having communicated her name, her credit card number, the expiry date thereof and the cryptogram on the back of the card, as well as information relating to her SFR account allowing a third party to take note of the 3D Secure code, did not characterize a breach by serious negligence of her obligations mentioned in Article L. 133-16 of the French Monetary and Financial Code, the local court deprived its decision of legal basis”.
However, the French Court of Cassation, in its decision dated March 28, 2018, gives a wide scope to the term “customer negligence”. This decision can provide banks with an opportunity to refuse the refund of fraudulent transactions by demonstrating the existence of indications that would have allowed the customer to detect the fraud, such as a change in the correspondent's internet addresses, misspelled words in email messages, or any other sign that should have raised a suspicion of fraud. The decision implies that a guarantee of fail-safe security of the bank's computer systems would give banks leeway to refuse reimbursement of the amount obtained by fraud. In this respect, as stated in the court decision of March 28, 2018, “a payment service with a security device was used for purchases on the internet by using, in addition to the data relating to the bank card, a code sent directly to the customer on his mobile or landline phone, allowing the user to authenticate the payment using confidential data not found on the payment card itself, which at least presumes the failure to keep confidential the payment instrument data and the gross negligence of its user in preserving the confidentiality of his personal data”.
In the era of the digital economy and the proliferation of online transactions, social engineering is considered a growing threat. The technique exploits the human factor and is widely used in bank fraud. Credit card holders must therefore remain vigilant, keeping up to date with the various social engineering techniques and with the instructions given by their bank, in order to avoid any serious negligence that could lead to a refusal of reimbursement.