Reimbursement after Wrongly Wiring Money Online

Sammy made a wrong payment via online banking, and only after he had sent his transfer order to the bank did he notice that the request was illegitimate. The AG Neukölln (re 18 C 292/07) had to decide whether Sammy's account was to be reimbursed or not.


Sammy has had an account with his bank for some time and uses online banking. In mid-January he received an email, allegedly from his bank but in reality a phishing email. This email looked astonishingly real and read something like this: You have applied for online banking and we need a confirmation with your PIN and TAN. Following this request, Sammy entered his PIN and TAN in two different windows. A few days later his bank account was debited with € 3,700. Sammy, however, had not wired this money. He noticed the deduction one day later and immediately went to his bank. His bank consultant told him that a refund is not possible immediately after noticing an illegal transfer because the money has already been sent.

In court Sammy did not deny that his bank had instructed him that it never requests sensitive details such as PIN and TAN. At the suggestion of his bank, he filed a report with the police for fraud. Sammy, however, insists that the bank is liable for an organizational fault because it is using an outdated TAN system, while all other banks are using a modern safety program. Such a system only allows a maximum transfer of € 1,000 per day and wire. Further, Sammy argues that he had received only insufficient information on this kind of banking. In particular, the bank's homepage did not publish any security warnings; according to Sammy, they went online only in the following year. He was never instructed on the risk of "phishing".

And of course, the bank had a different opinion. With regard to its STC, the bank is not liable at all because Sammy, contrary to his part in keeping the system secure, disclosed his PIN and TAN. Its website does contain the relevant information with the necessary warnings, and has done so for years. Even the version the bank has running, be it outdated or not, is secure when the customer acts in accordance with his instructions. The amount taken out of his account was within the agreed amount.

What do you think the court held? Against Sammy. Sammy was ordered to reimburse the bank with € 3,700 pursuant to §§ 675, 280 BGB. The bank correctly followed the client's order after having received valid numbers to verify the order. The bank is responsible for the risk of misuse only when its customer has observed all reasonable safety measures. The bank had expressly instructed its customer to keep sensitive data (PIN and TAN) secret because anybody who has such data can use all the online banking functions offered. Sammy negligently disobeyed this clear instruction from the bank when he gave the crooks his online details. As long as the customer does not disclose his PIN and TAN, the bank's online banking system is safe. Therefore, Sammy has to refund the bank.


Additional information