Financial institutions must reimburse the losses of customers who have not acted negligently and who warned about unauthorized access to their account, according to a decision made by the Spanish Supreme Court. The specific case involved a phone service that was hijacked by SIM swappers leading to EUR83,692 (USD94,200) being stolen from the victim’s account with Ibercaja Banco. The bank was able to recover EUR27,218 (USD30,600) which they refunded to the customer’s account, but the customer was forced to sue for the remainder. The Supreme Court denied Ibercaja Banco’s appeal, confirming that the bank owed EUR56,475 (USD63,600) in damages to fully compensate their customer for all the unauthorized withdrawals from his account.
This decision is of great significance to the comms sector because of a worldwide tug-of-war concerning who should be held liable when a financial firm pays out to fraudsters because of a scam that also involved the abuse of comms services. This has become a common scenario because of the overreliance on one-time passwords (OTPs) sent by SMS, which then encourages gateway frauds such as SIM swaps and voice phishing.
Banks and payment providers would prefer that comms providers stop the gateway frauds. Some comms providers are now responding by selling anti-fraud services to the financial sector. Either way, there will continue to be arguments about how to split the cost of consumer protection. This ruling could shift the balance across the whole of the European Union as it is based on the court’s interpretation of the EU payment services directive 2015/2366.
Per the details of the case before the court, Ibercaja Banco had already been told about suspicious SMS messages and notifications from Google stating somebody had tried to gain access to the victim’s accounts. Several days earlier Google had applied multiple Google Play and Google Ads charges to the victim’s Visa card for services that he had not requested. The victim warned the bank about the charges to his Visa card while simultaneously contesting the charges with Google.
His wife later received a Google notification indicating somebody had tried to access her Google account. This prompted her to visit the bank in person to inform them of what had happened and to request the cancellation of her own card. The following evening her SIM was swapped. That night Ibercaja Banco processed 15 separate withdrawals during hours when most customers would be sleeping.
The court ruled that the bank had not shown the SIM swap was due to any negligence by their customer or his wife, and that the burden of proof rested with the bank. The decision noted the bank’s responsibility for implementing anti-fraud systems and process. The court also criticized the bank for permitting such large and unusual transactions to be processed at strange hours. The emphasis is on financial institutions to have systems that detect anomalous and high-risk transactions so additional verification can be obtained before they are processed.
The court’s judgment is available here.



