When it comes to phishing and bank smishing, complain to your bank
The vulnerability of older people to the digitalisation of banking services. “I’m old, but I’m not an idiot”, the onus is on the bank.
1. Proliferation of different types of crime involving money deposited in banks
There are various types of crime perpetrated in the banking world, from the theft of card data to card cloning, the taking of passwords to access online banking, the subscription of unauthorised banking products such as loans or new cards linked to the bank account or, among many others, the ordering of unauthorised transfers.
In any case, consumers should be aware that the current legal framework allows them, a priori, to reclaim the stolen funds from their bank.
This type of cybercrime is increasing every day. Complaints are piling up in the offices of the security forces and in the Courts of Instruction, and the victims feel powerless, blaming themselves, in most cases, for having allowed themselves to be deceived.
But the truth is that the increase in this type of crime, with some exceptions, is not usually the fault of a lack of knowledge, age, or diligence on the part of the deceived, but an inevitable consequence of the business model on which banks are betting. This model is based on a digitalisation of banking services that leads to an increase in the risk of illicit theft of funds deposited by the consumer.
Traditional banks, whose main function is to safeguard the money given to them by their customers for safekeeping, had branches on every street corner and within five minutes of their customers’ homes. The bank teller knew his customers and even their relatives personally, knew what their usual operations were and controlled the transactions that were made. Today, however, a large number of branches have been closed and face-to-face services have been centralised and reduced. There are few branches, and although they have a modern and relaxed image, they are impersonal. The majority of transactions are carried out through online banking and the control that used to be exercised by bank employees has been replaced by security controls based on passwords and data that do not guarantee the verification of the real identity of the payer.
2. The operational risks of banking digitalisation
Despite the new possibilities offered by technology and its obvious advantages (immediacy, automation, ubiquity, etc.), online banking and new technologies inevitably entail a greater risk for the security of the money held by banks.
The digitisation of banking services suffers from structural weaknesses that allow third parties who, by whatever means, have taken possession of passwords or access data, to pass through the bank’s digital doors and withdraw the money deposited by their customers fraudulently and undetected. These weaknesses are known to criminal organisations, who exploit them and build their trade on them. This risk is also known to banks, which assume the cost-benefit ratio and try to pass on the risk of these losses to their customers by making them responsible for the safekeeping and custody of the access keys provided by the institution, thus evading their obligation to safeguard the money given to them by their customers.
3. Who owns the money in bank deposits?
It is common for consumers’ first reaction to a phishing scam to be that they have been robbed of their deposited funds, but this reaction assumes that they are the owner of the stolen funds. However, in case law, it is unanimously considered that, when a bank deposit of money is made, the depositor (consumer) loses ownership of the money deposited and instead acquires a claim against the bank. This means that, when a bank deposit is made, the ownership of the money becomes the property of the bank, which is not obliged to return the same money that has been deposited in its accounts by the consumer, but to guarantee the availability of funds in favour of the consumer when claiming restitution.
4. Who is the victim of bank fraud, the institution or the customer? Distinction between those offended and those harmed by the offences committed.
The above qualification has, in our opinion, a direct consequence for determining who is the offended party or victim of the crime. In the offences of theft and fraud, it is understood that the victim of the offence is the owner of the property affected. Therefore, in cases of phishing or smishing, according to the above, the offended party should be the depository financial institution rather than the customer.
Therefore, when phishing or bank smishing is committed, by which the electronic keys used to access the funds that a consumer has deposited in a bank account are obtained, the victim of the crime is not, a priori, the consumer but the bank, as it is the legal owner of the money deposited.
In addition to the figure of the victim of the offence, there is also the figure of the injured party, who is the one who suffers the economic consequences of the offence. Normally, the offended party and the injured party coincide, but in some cases they do not. Consider the case of a homicide, in which the victim of the crime is the deceased, as it is the person whose life is taken (the protected legal right), but the person who suffers the damages is the family, and for this reason they are recognised as having standing to act as private prosecutors.
In certain types of banking crime, such as phishing or smishing, the majority of the bank’s position is to shift these economic damages derived from the crime to the consumer and, therefore, to attribute the status of injured party to the consumer. In our opinion, this position is not in line with the law because the damages arising from these unauthorised transfers should be borne by the financial institutions in accordance with current legislation.
5. Possibility of reclaiming capital losses from the bank
In the regulatory sphere, the operational and security risks deriving from payment instruments (any device or procedure that makes it possible to initiate a payment order), are shifted to the providers of this type of service in an almost objective manner by mandate of RD Law 19/2018, of 23 November, on payment services and other urgent measures. We have already referred to this in the article “I have been the victim of bank phishing, can I complain to my bank (addvante.com)“. In short, this regulation obliges the bank to reimburse the defrauded amounts unless there has been fraud or gross negligence on the part of the customer when using the payment instrument.
6. The elderly as vulnerable consumers and their special protection
An important group of bank customers who are affected by phishing or bank smishing are the elderly, for whom the era of smart phones and banking applications has caught them in the middle of retirement.
They find it very difficult to be served in person, a situation denounced in the campaign “I’m old, but I’m not an idiot”. But even when this group adapts to technological innovations and ends up using banking apps to carry out their transactions, the lack of practice and knowledge of the use of these devices makes them more susceptible to being tricked by fraudsters. Age and generational habits are factors that influence the ability to distinguish between fraud and reality, between a fake SMS and an official website.
The special vulnerability of this group, when they act as consumers in the financial sphere using new technologies, makes them, in our opinion, vulnerable consumers in the terms of art. 3 of Royal Legislative Decree 1/2017, of 16 November. As such, they should be subject to the reinforced protection that this regulation provides for this group. Specifically, this regulation with the status of law obliges the employer to adopt protective measures against risks that may affect their safety, and also provides for the basic right to be compensated for damages suffered.
Therefore, we understand that this regulation imposes on financial institutions providing payment services the obligation to adopt active mechanisms to avoid the specific risks of online banking and, in particular, to protect the elderly, adopting specific and special measures to prevent them from becoming victims of this type of crime.
7. Conclusion
In short, in our opinion, in most cases, financial institutions are the victims of banking crimes and should suffer the financial consequences of these crimes. We emphasise that current legislation is aligned to guarantee consumer protection in the financial sector, and this, in the face of phishing or bank smishing, translates into a quasi-subjective liability on the part of the institutions for unauthorised payment transactions, which means that they must assume the financial losses. In addition, institutions are legally obliged to adopt appropriate consumer protection measures to prevent this type of crime, and are obliged to give special consideration to vulnerable consumers, including the elderly, and to adopt special and reinforced measures for their protection.
From the procedural department of AddVANTE we can provide from the outset the advice required by any person who has been the victim of phishing, smishing or any fraud or banking crime, offering a comprehensive and coordinated response from the different legal and technological areas of the firm, analysing the viability of their claim and formalising the same before their institution and before the Courts and Tribunals of Justice.