Online financial fraud targeted at consumers through phishing attacks and identity theft, for example, is a growing problem. The increased risk of fraud is linked with digitalisation of financial services, and in particular the development of new identification technologies. With the information needed to authenticate or sign in another person’s name, the fraudster can empty the victim’s account, or obtain credit cards and loans in the victim’s name. Financial-services fraud exists in the offline world as well. However, it was more difficult, for example, to sign a credit agreement in another person’s name when such agreements had to be signed physically at the office of the local bank branch. The fraudster will of course be liable for the resulting loss. However, because it can be difficult to recover losses from the person who committed the fraud, in practice the loss will often remain with either the financial services provider or the consumer. Hence, liability issues and the allocation of losses between these parties is a challenging issue. In a recent paper, I look into these issues by posing the question of who pays when things go wrong. The paper attempts to answer this question by reviewing the relevant Scandinavian legal systems (Danish, Swedish and Norwegian) and European law.

The paper analyses how losses are allocated between financial service providers and consumers after a payment transaction fraud and a fraud related to credit contracts, respectively. Directive (EU) 2015/2366 on payment services in the internal market [hereinafter, PSD 2] establishes a detailed regime for loss allocation between the payment service provider and the consumer following unauthorised payment transactions. The main rule under PSD 2 is that the payment services provider is liable for loss after an ‘unauthorised payment transaction’. However, the payer shall bear all of the losses if they were incurred by the payer acting fraudulently or with gross negligence. The liability regime provides for important consumer protection in cases of fraud related to payment services. However, it also gives rise to important challenges. PSD 2 leaves the term ‘gross negligence’ undefined, leaving it up to national traditions and decision-makers to determine its interpretation on a rather ad hoc basis. In particular, the liability regime seems to provide rather limited protection against some of the most common methods of consumer-targeted online financial fraud, including authorised push payment scams. 

For other financial services, questions of liability and loss allocation following fraud are not regulated under European law. In Scandinavian countries, these questions are resolved by applying general rules of contract and tort. The paper focuses on credit agreements because the case law indicates that fraud is widespread in this area. My analysis shows that consumers are often held responsible for credit agreements concluded in their name by fraudsters. In January 2019, the Danish Supreme court found that the victims of identity theft are bound on contract law grounds to credit agreements concluded by others in their name. According to general rules on tort, applied in all Scandinavian countries, a person can be held liable for loss resulting from his or her negligent action. The consumer typically enables the resulting fraud by making security mistakes. For example, a consumer clicks a link in a phishing email and hands over his or her security information, despite warnings not to do so, or fails to keep an electronic banking password safe from his or her partner. The question is whether this implies negligent action resulting in liability under tort. In contrast to the regulation of unauthorised payment transactions, gross negligence is not required in order to make the victim liable under general rules on tort. In Norway, in particular, there is plenty of case law from the district courts and the courts of appeal on this matter. The bar for constituting liability under law on tort is, in some cases, extremely low. For example, it is considered grossly negligent to write down a BankID password, even when suffering from Alzheimer’s, and negligent to use an electronic bank account when sitting on a sofa beside your spouse.  

In the last section of the paper, the focus turns to the de lege ferenda question, that is, whether financial institutions should shoulder a larger part of financial losses due to online fraud. It is argued that the digitalisation of the financial services industry has in practice led to a shift in who bears the risk for attacks against financial institutions, and that the consequences of this shift conflict with the policy goal of strong consumer protection for victims of cybercrime in the EU. The analysis of the liability regime for unauthorised payment transactions based on PSD 2 compared to the national regulation of liability for fraud in credit agreements shows how the lack of an overall EU-based regulatory framework can lead to dramatic inconsistencies in how losses resulting from fraud are allocated for different financial services. While losses related to unauthorised payment transactions are allocated from the customer to the financial services provider under the rules in PSD 2, losses related to the execution of a credit agreement are borne by the consumer under national rules on tort. Hence, the paper concludes that the European lawmakers should take a coordinated approach to the regulation of liability and loss allocation, where larger parts of loss after online financial fraud should be allocated from consumers to financial institutions.

Until then: Consumers foot the bill when things go wrong—oftentimes.

Marte Eidsand Kjørven is Associate Professor of Law at the University of Oslo’s Faculty of Law.