May 14th 2025

Banks' liability for digital fraud: new ruling by the Tribunal Supremo

By Vanesa Fernandez

The Tribunal Supremo strengthens the protection of payment service users against digital fraud. In a key ruling that sets a precedent (STS 571/2025 of April 9), the Supreme Court requires banks to assume liability for unauthorized transactions resulting from identity theft, even when the customer's own credentials were used, if the bank failed to stop transactions that were plainly suspicious, such as multiple transfers at unusual times for large amounts. The case underscores the importance of the bank's duty of care, the requirement of genuine consent, and the invalidity of unfair contract terms. Below, we analyze the facts, the Court's decision, and its implications.

The facts of the case

An Ibercaja customer was the victim of a cyber fraud that combined phishing with SIM card duplication (a SIM swap). In a single night, the criminals made 15 unauthorized bank transfers totaling more than €83,000. The bank only managed to recover €27,218.10. The attack took place after the fraudsters gained access to the customer's email and obtained a duplicate of his wife's SIM card, which let them receive the one-time SMS codes the bank used to confirm the transactions.

Weeks before the fraud, the customer had already alerted the bank to suspicious messages and charges he did not recognize. Even so, the bank's monitoring system flagged nothing and allowed the fraudulent transfers to go through.

The customer sued the bank for €56,474.63 plus the corresponding interest, arguing that the bank had failed to fulfill its contractual obligations. Both the court of first instance and the appeal court ruled in his favor and ordered the bank to pay the amount claimed.

Ibercaja then appealed to the Tribunal Supremo. In its defense, the bank argued that the transfers had been made through a valid authentication system (two-factor authentication), that it was the customer's responsibility to protect his devices, and that the signed contract exempted the bank from liability in the event of unauthorized access.

What did the Tribunal Supremo say?

The Tribunal Supremo rejected Ibercaja's appeal and confirmed that the stolen money must be returned to the user. These are the 10 key points of the ruling:

  1. Users are protected even when their own credentials are used: the fact that the SMS codes were entered does not prove that the customer authorized the transfers. The bank must show that consent was given, that its system worked correctly, and that the customer acted with gross negligence or fraud.
  2. Having security controls is not enough; they have to be applied properly: the bank's authentication system was lawful, but it did not detect suspicious activity such as multiple transfers at unusual hours for large sums.
  3. The customer acted diligently: he notified the bank, changed his passwords, and asked for security measures, and he reported the fraud immediately. He was not negligent.
  4. Quasi-strict liability of the bank: under Royal Decree-Law 19/2018 and Directive (EU) 2015/2366 (PSD2), the bank must refund the money when the customer denies having authorized a transaction, unless the bank proves fraud or gross negligence on the customer's part.
  5. Authentication does not replace consent: the use of valid codes does not mean the customer approved the transactions if he denies having authorized them. Consent must be express and conscious.
  6. The burden of proof is on the bank: Ibercaja failed to demonstrate that the transactions were legitimate, that its system operated flawlessly, or that the customer acted with gross negligence or fraud.
  7. Deficient banking service: Ibercaja failed to respond to clear signs of fraud, namely the customer's prior alerts and the unusual pattern of transfers. That amounts to inadequate service even though there was no technical failure.
  8. The customer's prompt reaction rules out gross negligence: he warned the bank in advance and, once he discovered the transfers, immediately asked for his card to be cancelled and his password changed, and filed a complaint without delay.
  9. Contracts cannot override legal rights: clauses exempting the bank from liability are void where they contradict mandatory rules.
  10. The bank owes a heightened duty of care: it is expected to act as an expert professional, not merely as a "good family father" (the ordinary reasonable-person standard). That implies having systems capable of automatically detecting suspicious transactions, and in this case the bank did not react in time.

What does this mean for payment service users?

The ruling matters for consumers because it strengthens their protection against sophisticated digital fraud that defeats the bank's authentication controls rather than bypassing them.

Entering passwords or one-time codes does not by itself mean the customer consented; consent must be genuine and conscious. If the customer denies having authorized a transaction, it is for the bank to prove otherwise.

It also sets clear limits on user liability: customers are liable only where they are proven to have acted fraudulently or with gross negligence.

The ruling emphasizes the invalidation of contractual clauses that release the bank from liability in the event of unauthorized access.

Finally, it requires financial institutions to improve their transaction-monitoring systems: they are expected to detect suspicious transactions, raise automatic alerts, and block unusual operations in order to protect their customers.
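To make concrete what "detecting suspicious transactions" can mean in practice, here is an added, constructed example of a rule-based transaction monitor; it is not Ibercaja's system nor anything described in the ruling, and every name, threshold and transaction in it is an assumption. It implements the three signals the Court itself names in points 2 and 10 and in the paragraph above (velocity, unusual hours, amounts out of line with the customer's history) and lowers the bar for blocking when the customer already has a fraud warning on file, mirroring the prior alerts that the bank in this case ignored:

```python
"""Rule-based transaction monitoring. Constructed example; not the bank's real system."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    ts: datetime
    amount: float
    beneficiary: str


@dataclass
class Profile:
    """Customer baseline. Field names and thresholds are assumptions for this example."""
    typical_max_amount: float   # largest transfer in the customer's prior history
    active_hours: tuple         # (start_hour, end_hour): when the customer normally operates
    fraud_alert_on_file: bool   # customer has already warned the bank about suspicious activity


VELOCITY_WINDOW = timedelta(hours=6)
VELOCITY_LIMIT = 3   # more than this many transfers inside the window is anomalous (assumed)


def risk_signals(transfer, prior, profile):
    """Return the anomaly signals raised by one transfer against the customer's baseline.
    `prior` holds transfers already attempted earlier, whether they were executed or blocked."""
    signals = []
    in_window = [t for t in prior if transfer.ts - t.ts <= VELOCITY_WINDOW] + [transfer]
    if len(in_window) > VELOCITY_LIMIT:
        signals.append("velocity")
    start, end = profile.active_hours
    if not (start <= transfer.ts.hour < end):
        signals.append("unusual_hour")
    if transfer.amount > profile.typical_max_amount:
        signals.append("large_amount")
    return signals


def decide(signals, profile):
    """Map signals to an action. A standing fraud alert from the customer lowers the bar to block."""
    if len(signals) >= 2 or (profile.fraud_alert_on_file and signals):
        return "block"
    if signals:
        return "alert"
    return "allow"


def monitor(transfers, profile):
    """Process transfers in time order; returns (transfer, signals, decision) for each one."""
    results, prior = [], []
    for tr in sorted(transfers, key=lambda t: t.ts):
        sig = risk_signals(tr, prior, profile)
        results.append((tr, sig, decide(sig, profile)))
        prior.append(tr)   # blocked attempts still count toward velocity
    return results


def blocked_count(results):
    return sum(1 for _, _, decision in results if decision == "block")


# Constructed data (dates, amounts and beneficiaries are invented): a customer who normally
# moves at most 2,000 EUR during the day and has already warned the bank, followed by
# 15 night-time transfers of 5,600 EUR each (84,000 EUR in total) ten minutes apart.
PROFILE = Profile(typical_max_amount=2000.0, active_hours=(8, 22), fraud_alert_on_file=True)
NIGHT = datetime(2024, 1, 15, 1, 30)
FRAUD_BATCH = [Transfer(NIGHT + timedelta(minutes=10 * i), 5600.0, f"ACCT-{i:02d}")
               for i in range(15)]
NORMAL_TRANSFER = Transfer(datetime(2024, 1, 15, 11, 0), 300.0, "ACCT-RENT")

if __name__ == "__main__":
    results = monitor(FRAUD_BATCH, PROFILE)
    for tr, sig, decision in results:
        print(tr.ts.strftime("%H:%M"), f"{tr.amount:>8.2f}", decision, sig)
    print("blocked:", blocked_count(results), "of", len(FRAUD_BATCH))
```

Two design points are worth noting. Blocked attempts are kept in the velocity history, because an attacker whose first transfer is stopped will simply try again, and the repeated attempts are themselves a signal. And the customer's earlier warning is treated as state that changes the decision policy rather than as a ticket that is closed once answered; that is precisely the information the bank in this case had and did not use.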

Conclusion

In short, if you are the victim of fraud and have acted responsibly, the bank is obliged to refund your money. It cannot blame you merely because your passwords or codes were used: your consent to the transactions must be real, not assumed.

Furthermore, financial institutions must have effective systems in place to detect suspicious and unusual transactions and react quickly. Contractual clauses that exempt the bank from liability are invalid if they contradict the law.

In a context where digital fraud is increasingly common, this ruling strengthens your rights as a user of payment services.
