By judgment of 28 January 2025 (Case No. 7 O 114/24), the Regional Court of Itzehoe dismissed an action seeking re-crediting of unauthorized debits from the claimant’s credit card and current accounts. The decision underscores the strict duties of care incumbent upon bank customers when using online banking services and rejects any notion of an “individual monitoring duty” on the part of banks.
Background
The claimant fell victim to a phishing attack while attempting to sell a baby carrier on the platform kleinanzeigen.de. After receiving what appeared to be a payment confirmation email, he clicked on an embedded link that led him to a fraudulent website. There he entered his online banking cre-dentials, enabling the fraudsters to arrange for his credit card to be registered in the defendant bank’s dedicated app. Subsequently, three credit card payments were executed from Dubai.
The claimant demanded reimbursement from his bank on the grounds that he had not authorized the transactions. The bank refused, citing grossly negligent conduct on the claimant’s part, par-ticularly because he approved the registration via facial recognition despite a phishing warning appearing on his mobile device. This step enabled the registration of the credit card in the first place.
Court’s Reasoning
The Regional Court of Itzehoe acknowledged that the payments had not been authorized and that, in principle, the bank would have been obliged to reimburse the amounts under § 675u sentence 2 BGB. However, the court found that the claimant had acted with gross negligence in breach of his duties of care under § 675v (3) No. 2 BGB, thereby giving rise to a damages claim by the bank, which could be set off against the claimant’s reimbursement claim.
The court based its finding of gross negligence on several factors: the uncritical disclosure of sen-sitive login credentials on a fraudulent website, the disregard of security warnings, and the care-less registration of the credit card in the app. The claimant’s conduct amounted to an objectively serious and subjectively inexcusable violation of the level of care required in payment transac-tions.
No Contributory Negligence by the Bank
The court rejected the notion of contributory negligence on the part of the bank. Banks are not subject to an “individual monitoring duty” in the sense of real-time analysis of specific transactions. In this respect, the court aligned itself with the approach of the Hanseatic Higher Regional Court of Bremen (decision of 15 April 2024, Case No. 1 U 47/23), which held that the relevant EU law pro-visions governing electronic payment services oblige payment service providers to maintain fraud prevention systems only for regulatory supervisory purposes, but not to monitor or pre-approve individual payment transactions.
The transaction monitoring mechanisms required under Article 2 of Delegated Regulation (EU) 2018/389 are not designed to actively block conspicuous transactions in the customer’s interest. Accordingly, the court rejected the claimant’s argument that his bank should have intervened be-cause of the unusual nature of the transactions—specifically, high-value payments from Dubai executed immediately after a new app registration. The bank had sufficiently contributed to cus-tomer awareness through general security warnings published on its website.
Conclusion
The judgment forms part of the differentiated case law on liability in cases of online banking fraud and highlights the increasing demands placed on all parties involved in digital payment transac-tions. It emphasizes the necessity of prudent and responsible use of online banking services and calls for a high degree of personal responsibility from users. At the same time, it makes clear that banks are not obliged to monitor individual transactions.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
