The possibility of seeking reimbursement of money lost as a result of an unauthorised transaction through civil law

Legal basis and nature of liability of the payment service provider

The liability of the payment service provider is regulated in Article 46(1) of the Payment Services Act of 19 August 2011 (hereinafter: “u.u.p”) and is of a guarantee nature and based on the principle of risk. The general provisions on liability for damages in civil law do not apply to claims based on Article 46 of the u.u.p. Thus, the payer does not have to prove the damage and the causal link between the breach of duty and the damage.

If funds have disappeared from a bank account against the will of the payer and the payee remains unknown, the first step is to file a complaint with the bank. One of the first steps is also to file a notice of suspicion of a criminal offence. In practice, however, criminal proceedings extremely rarely lead to the recovery of any lost funds. The civil action is the most effective.

Unauthorised transaction – definition

The liability of the supplier arises when an unauthorised payment transaction occurs. An unauthorised transaction means a payment transaction to which the payer has not given his consent in the manner provided for in the contract between the payer and his provider. The payer’s consent is his/her declaration of intent accepting the execution of a specific payment transaction.

Example of online fraud

An example of the occurrence of an unauthorised transaction could be clicking on a link sent by email or SMS by a cybercriminal impersonating a courier service, insurance company, postal service or public institutions such as the Sanitary and Epidemiological Station, Tax Office, etc., as a result of which the user is redirected to a fictitious online banking website that deceptively resembles the real website, and all the data necessary to log into the bank and perform banking operations, including the transfer of funds, are then intercepted by the cybercriminal. This mechanism describes the phishing, which is one of many methods of committing online fraud.

Distribution of the burden of proof in proceedings against the bank

In favour of the bank’s customer, i.e. the claimant, it is the provider – the defendant – that bears the burden of proof that the payment transaction was authorised by the payer (Article 45(1) u.u.p).

The plaintiff therefore benefits from the presumption of the bank’s liability for having carried out an unauthorised payment transaction.

Planned changes in the law

A draft amendment to the u.u.p is currently under way, which is intended, inter alia, to limit the bank’s liability in this respect. The definition of an ‘authorised payment transaction’, crucial from the perspective of the claim in question, is to be changed. The burden of proof is also to be altered in favour of banks, so that payment service providers will only have to prove that they have checked identity and the authentication process, but will no longer have to prove that the user consented to the transaction in question. If the changes come into force, it will essentially be the bank’s customer who will have to prove that the transaction was not authorised by them. The draft is at the opinion stage for the time being, following a public consultation, and has not yet been referred to the Sejm.

Summary

Despite the implementation of newer cyber-security measures by banks, the number of victims of online fraud is unfortunately increasing. There are more and more proceedings in the courts to recover money lost from bank accounts. Hacking attacks are also increasingly focusing on corporate bank accounts. Banks are reluctant to accept complaints in these cases and to acknowledge their responsibility and settle the dispute out of court. A civil lawsuit against the bank in such a case is often the only way to recover money and, although it is not the simplest, lawyers from our Law Firm manage to successfully obtain a favourable settlement for the Client.