By decision dated 29 September 2025 (Case No. 5 U 27/25), the Schleswig-Holstein Higher Re-gional Court dismissed the appeal of a bank customer who had sought reimbursement from his payment service provider after unauthorized credit card transactions. The proceedings concerned the same facts I had already reported on in my blog post of 5 February 2025 regarding the dis-missal of the claim by the Regional Court of Itzehoe (judgment of 28 January 2025 – 7 O 114/24; available at No Monitoring Duty for Banks – Recent Judgment of the Regional Court of Itzehoe in the Context of Online Banking Fraud Cases).
1. Gross Negligence of the Customer
The Senate confirmed the lower court’s assessment that the claimant had acted with gross negli-gence in several respects. Decisive was that he followed a link sent outside the “Kleinanzeigen” communication system and entered personal credit card details there, despite being in the role of payment recipient. This alone should have raised strong suspicion of fraud.
In addition, he registered his credit card in the S-ID-Check procedure using Face ID/PushTAN. According to the court, the claimant ignored clear warnings that pointed to the misuse of his data. Disclosing sensitive authentication credentials under such circumstances constituted an objectively serious and subjectively inexcusable breach of the duty of care under § 675l (1) BGB as well as of the relevant contractual online banking terms and conditions.
2. No Exclusion of Liability under § 675v (4) BGB
The Senate also denied an exclusion of liability under § 675v (4) No. 1 BGB. Contrary to the claimant’s view, the savings bank had required strong customer authentication for the transaction. This was carried out—in conformity with EU law—based on two-factor authentication comprising knowledge (online banking credentials), possession (credit card data), and inherence (Face ID). Accordingly, the requirements for a liability exclusion were not met.
The claimant’s argument that there was a dispute between the parties as to whether strong cus-tomer authentication was required merely for logging into online banking was deemed immaterial by the Senate and therefore disregarded.
3. No Contributory Negligence on the Part of the Bank
Finally, the Higher Regional Court rejected any reduction of the claim due to contributory negli-gence of the defendant pursuant to § 254 BGB. There were neither indications of inadequate sys-tem security nor had any contractual protective or warning duties been breached. According to the consistent case law of the Federal Court of Justice, banks only have warning obligations in excep-tional circumstances, e.g., where objectively obvious indications of misuse are present. No such exceptional case existed here.
Conclusion
With its decision, the Schleswig-Holstein Higher Regional Court confirmed the first-instance as-sessment that the claimant’s conduct must be classified as grossly negligent, thereby excluding his claims for reimbursement. The ruling underscores that bank customers bear a high degree of personal responsibility when disclosing security credentials, whereas banks are not required to scrutinize every potentially suspicious transaction individually.
It is also noteworthy that the Senate considered the claimant’s disputed allegation—that strong customer authentication had already been required for mere login to online banking—to be irrele-vant to the decision and therefore disregarded it (cf. the related discussion in OLG Dresden, judgment of 5 May 2025 – 8 U 1482/24, BKR 2025, 850 with my annotation, and most recently BGH, judgment of 22 July 2025 – XI ZR 107/24, BKR 2025, 843).
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
