The burden of proof in the case of disputed payment orders in online banking

The XI Civil Senate of the Federal Court of Justice, which is responsible for banking law, ruled on 26 January 2015 that section 675w sentence 3 BGB does not prohibit the application of the principles of prima facie evidence in online banking when a payment order is issued using the correct PIN and TAN. However, it must be established that the security system used was, in general, practically insurmountable at the time the disputed payment transaction was made, and that it was properly applied in the specific individual case and functioned without error. In the case of misuse of online banking, there is no prima facie evidence of gross negligence on the part of the account holder.

The defendant GmbH maintained, among other things, a business current account with the plaintiff savings bank, with which it had been participating in online banking since March 2011. The managing director of the defendant received a personal identification number (PIN) for this purpose, with which he could access the business current account, among other things. For the release of individual payment transactions, the smsTAN procedure (transmission of the transaction number by SMS) was agreed via a mobile phone number of the managing director of the defendant. After malfunctions occurred in the plaintiff's online banking system, amounts of EUR 47,498.95 and EUR 191,576.25 were incorrectly credited to the defendant's business account on 15 July 2011 due to unexplained circumstances. The plaintiff initiated corresponding cancellations on 15 and 17 July 2011, which were not executed until Monday 18 July 2011 due to the weekend. On Friday, 15 July 2011, at 11:29 p.m., a transfer of EUR 235,000 from the defendant's account in favour of the plaintiff's intervener - a lawyer - was entered into the plaintiff's online banking system using the applicable PIN and a valid smsTAN. The transfer was executed on Monday morning, 18 July 2011, with the first booking run. As the erroneous credits were corrected at the same time, a debit amount resulted in the defendant's business account.

After the plaintiff had unsuccessfully requested the defendant to balance the account, it terminated the business relationship without notice and, with the present action, demands the final balance of EUR 236,422.14 plus interest. It was successful in both factual instances.

On the defendant's appeal, the XI Civil Senate set aside the appeal judgment and referred the case back to the court of appeal for a new hearing and decision. The following considerations were essentially decisive:

If the account holder's consent (authorisation) to a payment transaction is disputed, the executing credit institution (payment service provider) must prove, where a payment authentication instrument was used (in this case the online banking procedure), pursuant to section 675w sentence 2 of the German Civil Code (BGB), that the instrument was used including its personalised security features (in this case PIN and smsTAN) and that this was verified by means of a procedure. According to the binding findings of the court of appeal, the plaintiff bank provided this evidence. However, according to section 675w sentence 3 BGB, this is "not necessarily" sufficient to discharge the payment service provider's burden of proving that the payment transaction was authorised by the payment service user (here: the account holder). This does not preclude the payment service provider from relying on prima facie evidence. The wording of section 675w sentence 3 BGB is in fact satisfied, since the principles of prima facie evidence establish neither a mandatory rule of evidence nor a presumption of evidence.

However, the prerequisite for applying the principles of prima facie evidence to the authorisation of a payment transaction made with a payment authentication instrument is the general practical security of the authentication procedure used and its observance in the specific individual case. In addition, shaking the prima facie case does not necessarily require the account holder to allege and, if necessary, prove technical errors in the documented authentication procedure.

Despite generally known, successful attacks on security systems of online banking, the Senate is of the opinion that there is not always a basis for the application of prima facie evidence, since corresponding findings are not available for all authentication procedures used in online banking.

The court of appeal failed to recognise these prerequisites and did not make the necessary findings on the practical impregnability of the security system that was actually used and on the circumstances that were presented to shake a possible prima facie case, which is why the judgment of the court of appeal had to be set aside.

Nor does the judgment of the court of appeal prove correct on other grounds.

The principles of prima facie power of attorney do not apply at the expense of the defendant. In any case, the payment service provider cannot recognise the actions of the alleged representative and, in the case of a one-off case of abuse in online banking, the required duration and frequency of the actions of the bogus representative are lacking.

A prima facie case for a grossly negligent breach of an obligation under section 675l of the German Civil Code by the defendant and thus a claim of the plaintiff under section 675v para. 2 of the German Civil Code is also ruled out on the basis of the previous findings. In the case of misuse of online banking, in view of the numerous authentication procedures, security concepts, attacks and related conceivable breaches of duty by the user, there is no principle of experience that points to a certain typical misconduct on the part of the payment service user.

 

Judgment of the BGH of 26 January 2016 - XI ZR 91/14

Lower courts:

Lübeck Regional Court - Judgment of 7 June 2013 - 3 O 418/12

Schleswig-Holstein Higher Regional Court in Schleswig - Order of 22 January 2014 - 5 U 87/13

 

Source: Press release of the BGH

 

Goldberg Attorneys at Law 2016

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist lawyer for information technology law

E-mail: info@goldberg.de
