On the gross negligence of the payer in online banking - judgment of the OLG Dresden of 13.10.2022

Banks have been plagued by fraudsters for quite some time. In particular, participation in online banking offers a suitable "playground" for this, which has been occupying the courts for years now. The main focus of the legal disputes relates primarily to the issue of whether the respective payment was "authorized" within the meaning of Section 675j of the German Civil Code (BGB); the case law relies here on established principles of prima facie evidence, cf. BGH, ruling dated January 26, 2016, Ref.: XI ZR 91/14. In addition, banks and savings banks also hold their customers responsible for breaches of due diligence. Insofar as these are grossly negligent breaches of the duty of care, they can lead to a claim for damages by the institution against the customer under Section 675v (3) No. 2 BGB.

What exactly is to be understood by grossly negligent conduct in this context is often the subject of bitter dispute in court proceedings: many details are disputed. In the meantime, however, some fundamental decisions have already been made.

Accordingly, gross negligence is affirmed if the care required in traffic has been violated to an unusually gross degree and even very obvious considerations have not been taken into account, or if what should have been obvious to everyone in the specific case has not been taken into account, see also BGH, judgment of 23. In contrast to simple negligence, which is assessed on the basis of an exclusively objective standard of duty, gross negligence must also take into account subjective circumstances that are rooted in the individuality of the person acting in each case. The participant in online banking must therefore also be subjectively affected by a purely inexcusable failure to comply with duties that are recognizable to him.

In this context, the judgment of the Dresden Higher Regional Court (OLG) of 13.10.2022, Ref.: 8 U 760/22. In addition to statements on the authorization of an ultimately unintentional payment transaction, the judgment also contains statements on the requirements for the assumption of gross negligence within the meaning of Section 675v (3) No. 2b of the German Civil Code (BGB).

In these proceedings, the plaintiff demanded from the defendant savings bank, among other things, the crediting of a sum of money amounting to EUR 7,572.60, which was erroneously transferred from her current account to the account of an unknown third party. The plaintiff used online banking with the ChipTAN procedure, which requires her to log in to her account with her login name and PIN. However, on Nov. 2, 2020, when logging into the plaintiff's online banking account, an intermediary box appeared asking her to "verify now" by transferring a penny amount that was supposedly not to come out of the account, which the plaintiff did. One month later, she then discovered that an amount of EUR 7,572.60 had been transferred to a third-party account in the process.

The defendant refused to credit the amount, arguing that the plaintiff had authorized the transfer herself. The plaintiff had entered her user data, received the TAN and entered it into the transfer mask. There was no evidence that the defendant's system had been defeated or faulty. Instead, there was malware on the plaintiff's computer that created a fake page for the savings bank. The plaintiff had also acted with gross negligence because she had not checked the displayed data and had not suspiciously questioned the unusual payment process.

After the Chemnitz Regional Court dismissed the claim, the decision was also confirmed by the Dresden Higher Regional Court. In contrast to the Regional Court, the appellate court assumes that the plaintiff is entitled to a claim against the defendant for the amount of EUR 7,572.60 to be credited to her current account pursuant to Section 675u sentence 2 of the German Civil Code (BGB), since the plaintiff did not consent to the transfer to an unknown third party and thus did not authorize the payment.

The Dresden Higher Regional Court also ruled that the defendant was entitled to a claim for damages against the plaintiff pursuant to Section 675v (3) No. 2b of the German Civil Code (BGB) due to a grossly negligent breach by the plaintiff of several conditions for the issue and use of the payment instrument. The defendant may hold this against the plaintiff in the same amount and in good faith.

According to the Dresden Higher Regional Court, at least two objectively serious breaches of duty by the plaintiff can be identified for gross negligence, which, taking into account the plaintiff's individual knowledge and skills as well as her experience and expertise in the field of online banking, can no longer be regarded as excusable even from a subjective point of view.

An objectively serious breach of duty by the plaintiff lies in the fact that the plaintiff - contrary to clause 7.3 of the contractual conditions for online banking included in the contract with the defendant - did not check, before confirming the payment order, that the data displayed to her on the chip card reader (TAN generator), namely the IBAN of the payee's account and the transfer amount, corresponded to the data provided for the order. This is an objectively objectively justified and at the same time proportionate obligation. This is because in authentication procedures in which, as in the ChipTAN procedure used in the present case, the authentication element (regularly a TAN) with which the payment order is finally released is linked to its content, the final check of the payment data represents the central protection against compromise of the payment order.

The OLG Dresden emphasizes that the

"final check of the (payment) data before their final release belongs - just like the check before signing a previously completed transfer form - to the basic obligations in payment transactions known to everyone. (...) With the ChipTAN procedure, the account can only be debited by a person who is in possession of the bank card".

The plaintiff was grossly negligent in neglecting to check the data (IBAN of the recipient and amount) displayed to her by the TAN generated with her original savings bank card before releasing the order, since she was unable to provide any specific information on the question of what data was shown to her on the display of the TAN generator before the TAN was generated and entered on the computer. 

In the view of the Dresden Higher Regional Court, the aforementioned serious breach by the plaintiff of the duties of care imposed on it is all the more serious because it also constitutes a breach of Section 7.2 of the contractual terms and conditions for online banking. According to this clause, the plaintiff must observe the defendant's security instructions on its online banking website. On this website, the defendant expressly warns against entering the PIN and TAN for "test transfers" or other alleged "checks", as shown by the printout submitted as Annex B2.

Further constellations of gross negligence have already been decided. If you have any questions, please do not hesitate to contact us.

Az.: 8 U 760/22