On the Burden of Proof for Disputed Payment Orders in Online Banking

The XI Civil Senate of the Federal Court of Justice, responsible for banking law, ruled on January 26, 2015, that Section 675w Sentence 3 of the German Civil Code (BGB) does not prohibit the application of the principles of prima facie evidence in online banking when a payment order is issued using the correct PIN and TAN. However, it must be established that the security system employed at the time of the disputed payment transaction was generally practically insurmountable and was properly applied and functioned without error in the specific case. In the event of fraudulent use of online banking, there is no prima facie evidence of grossly negligent conduct on the part of the account holder.

The defendant GmbH maintained, among other things, a business current account with the plaintiff Sparkasse, through which it had participated in online banking since March 2011. The defendant's managing director received a Personal Identification Number (PIN) for this purpose, which allowed him, among other things, to access the business current account. For the authorization of individual payment transactions, the smsTAN procedure (transmission of the transaction number via SMS) was agreed upon using a mobile phone number of the defendant's managing director. After disruptions occurred in the plaintiff's online banking system, on July 15, 2011, amounts of EUR 47,498.95 and EUR 191,576.25 were erroneously credited to the defendant's business account under unclear circumstances. The plaintiff initiated corresponding reversals on July 15 and 17, 2011, which were executed only on Monday, July 18, 2011, due to the weekend. On Friday, July 15, 2011, at 11:29 PM, a transfer of EUR 235,000 from the defendant's account to the benefit of the plaintiff's intervener – an attorney – was entered into the plaintiff's online banking system, using the correct PIN and a valid smsTAN. The transfer was executed on Monday morning, July 18, 2011, with the first booking run. Since the erroneous credits were corrected simultaneously, a debit balance resulted on the defendant's business account.

After the plaintiff unsuccessfully demanded that the defendant settle the account, it terminated the business relationship without notice and is now claiming the final balance of EUR 236,422.14 plus interest in the present lawsuit. The plaintiff was successful in both lower instances.

The XI Civil Senate, upon the defendant's appeal, overturned the appellate court's judgment and remanded the case to the appellate court for a new hearing and decision. The following considerations were essentially decisive in this regard:

If the account holder's consent (authorization) to a payment transaction is disputed, the executing credit institution (payment service provider), when using a payment authentication instrument (here, the online banking procedure), must prove, according to Section 675w Sentence 2 of the BGB, that this instrument, including its personalized security features (here: PIN and smsTAN), was used and verified by means of a procedure. The plaintiff bank provided this proof according to the binding findings of the appellate court. However, according to Section 675w Sentence 3 of the BGB, this is "not necessarily" sufficient to provide the proof of authorization of the payment transaction by the payment service user (here: the account holder) incumbent upon the payment service provider. This does not preclude the payment service provider from invoking prima facie evidence. The wording of Section 675w Sentence 3 of the BGB is satisfied because the principles of prima facie evidence establish neither a mandatory rule of evidence nor a presumption of evidence.

However, a prerequisite for applying the principles of prima facie evidence to the authorization of a payment transaction using a payment authentication instrument is the general practical security of the authentication procedure employed and its adherence in the specific individual case. Furthermore, rebutting prima facie evidence does not necessarily require the account holder to assert and, if necessary, prove technical errors in the documented authentication procedure.

Despite generally known successful attacks on online banking security systems, in the Senate's view, a basis for applying prima facie evidence is not lacking in every case, as corresponding findings are not available for all authentication procedures used in online banking.

The appellate court misjudged these prerequisites and failed to make the necessary findings regarding the practical impregnability of the specific security system used, as well as the circumstances presented to rebut any potentially applicable prima facie evidence, which is why the appellate court's judgment had to be overturned.

The appellate court's judgment is also not correct for other reasons.

The principles of apparent authority do not apply to the detriment of the defendant. In any case, the payment service provider could not discern the alleged representative's actions, and, in a single instance of online banking misuse, the ostensible representative's actions lack the required duration and frequency.

Also, prima facie evidence for a grossly negligent breach of a duty under Section 675l of the BGB by the defendant, and thus a claim by the plaintiff under Section 675v Paragraph 2 of the BGB, are ruled out based on the current findings. In the case of online banking misuse, given the numerous authentication procedures, security concepts, attacks, and associated conceivable breaches of duty by the user, there is no empirical rule pointing to a specific typical misconduct of the payment service user.

 

Judgment of the Federal Court of Justice (BGH) of January 26, 2016 – XI ZR 91/14

Lower Courts:

Lübeck Regional Court – Judgment of June 7, 2013 – 3 O 418/12

Schleswig-Holstein Higher Regional Court in Schleswig – Decision of January 22, 2014 – 5 U 87/13

 

Source: Press Release of the Federal Court of Justice

 

Goldberg Attorneys at Law 2016

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist Attorney for Information Technology Law

Email: info@goldberg.de