Blog
02-06-2025
BANK LIABILITY IN CASES OF USE OF PASSWORDS AND CODES FRAUDULENTLY OBTAINED BY A THIRD PARTY (PHISHING, SIM SWAPPING)

Who should bear the economic consequences—the client or the bank—in the case of apparently valid and authentic transactions that turn out not to be, since they were neither carried out nor authorized by the client?

That is, what happens if a third party has used the user’s credentials obtained by any means, generally technical, impersonating their identity and accessing their account without their consent? Should the bank reimburse the amount to the client’s account? Is the bank liable?

In these cases, banking entities usually deny liability on the grounds that the system did not detect any anomaly, since the correct username and password were entered; or that the client did not exercise due diligence in the care and protection of these keys or passwords; or that the client did not notify the payment service provider of any anomaly.

The rules that answer this question are set out in Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market; in Commission Delegated Regulation (EU) 2018/389 of 27 November 2017, which supplements that Directive with regulatory technical standards for strong customer authentication and common and secure open standards of communication; and in Royal Decree-Law 19/2018, of 23 November, on payment services and other urgent financial measures (which transposes the European Directive into the Spanish legal system).

The First Chamber of the Supreme Court, in its Judgment No. 571/2025, of 9 April, resolved the issue affirmatively, finding the banking entity liable. Thus, in its Second Legal Ground, it reasoned: “The liability of the payment service provider, in cases of unauthorized or incorrectly executed transactions, is quasi-objective, in the dual sense that, first, once notified of the existence of an unauthorized or incorrectly executed transaction, the provider must respond unless it proves the existence of fraud; and, second, when the user denies having authorized the transaction or claims that it was incorrectly executed, it is up to the provider to prove that the payment transaction was authenticated, accurately recorded and accounted for, and that it was not affected by a technical failure or other service deficiency, with the mere recording of the transaction not being sufficient to demonstrate that it was authorized or that the user acted fraudulently or breached their obligations deliberately or through gross negligence.”

On this basis, the First Chamber of the Supreme Court dismissed the appeal filed by the bank and confirmed the judgment of the Provincial Court, which in turn had confirmed the judgment at First Instance ordering the defendant banking entity to compensate its client for the damage caused, namely the amount of the fraudulent transfers.
