1. Introduction
With the widespread use of digital banking services, disputes arising from unauthorized transactions conducted through internet and mobile banking channels have significantly increased. In such cases, the core legal issue concerns the scope of a bank’s liability and whether the customer may be deemed contributorily negligent.
The main challenge lies in striking a balance between the bank’s heightened duty of care as a trust institution and the customer’s obligation to safeguard personal data and devices.
2. Banks as Trust Institutions and the Duty of Care
Banks are institutions entrusted with customers’ deposits and are obliged to return such funds upon demand or at maturity, either in kind or by equivalent value. Deposit agreements therefore bear the characteristics of both a loan for consumption and irregular bailment, forming a sui generis contractual relationship.
Accordingly, banks are required to:
- Implement state-of-the-art security measures in online and mobile banking services,
- Establish monitoring mechanisms to detect unusual or suspicious transactions,
- Suspend transactions and obtain effective customer confirmation once suspicious activity is detected,
- Go beyond formal authentication steps and apply additional safeguards where necessary.
This obligation stems from the aggravated liability regime applicable to banks, under which they are liable even for slight negligence.
3. Customer Obligations and Contributory Negligence
Customers using online banking services are also subject to certain duties, including:
- Protecting usernames, passwords, and authentication credentials from third parties,
- Using their devices in a reasonably secure manner,
- Exercising caution against phishing attacks and suspicious links or messages.
However, contributory negligence can only be established if the customer’s breach of these duties is proven by clear, concrete, and conclusive evidence. The mere presence of malware on a device or the compromise of personal data does not automatically justify attributing fault to the customer.
4. Proceeding with Transactions Without Effective Confirmation
One of the most critical issues arises where a bank identifies a transaction as suspicious yet proceeds with the transfer despite failing to obtain actual confirmation from the customer. In such cases:
- The inability to reach the customer should be treated as a reason to halt the transaction,
- Mere SMS verification or notification emails do not suffice to discharge the bank’s duty of care,
- Failure to implement additional available security measures plays a decisive role in fault assessment.
Unless the customer’s contributory negligence is proven beyond doubt, the loss must remain within the bank’s sphere of liability.
5. Conclusion
In disputes involving mobile banking fraud, the decisive factor is whether the bank effectively managed the security process after identifying a suspicious transaction and whether the customer’s fault has been clearly established.
Relying solely on minimum security standards is insufficient. Banks must adopt a proactive and dynamic security approach in line with technological developments. Otherwise, attributing contributory negligence to the customer will not be legally justified.
