In what is a significant judicial development in banking law, the High Court of Uganda has ruled that the risk of loss for an unauthorized transaction lies with a customer who negligently allows a third party access to their device and security information. A bank will not be held liable once it shows that the security procedure it has in place is a commercially reasonable method of providing security against unauthorized payment orders.

This is the legal position set by the judgement in Aida Atiku versus Centenary Rural Development Bank Limited, Civil Suit No. 0754 of 2020 issued on 18th July 2022 by Hon. Justice Stephen Mubiru.

Facts

Ms. Atiku opened up a personal savings account with Centenary Bank on 2 January 2020 and deposited a total of UGX56,320,000 between 4 and 10 January 2020. She claimed that she made one withdrawal thereafter of UGX700,000 on 13 January 2020, but when she subsequently returned to the bank on 27 August 2020 to withdraw the rest of the money, her account had been depleted. She was informed by the bank staff that over time, different sums of money had been withdrawn electronically from the account using the “CenteMobile” platform. Ms. Atiku claimed that she never applied for that service and demanded a refund of her money.

Centenary Bank, however, showed that at the opening of her account, Ms. Atiku registered for the “CenteMobile” service offered by the bank. It also showed that all the transactions on Ms. Atiku’s account were initiated and concluded using her officially registered mobile phone number.

The questions before the court were whether Ms. Atiku’s account was fraudulently or negligently debited by the bank, and whether the bank is liable for the fraudulent or negligent withdrawals that were made on the account.

Decision

The Court examined a number of key principles on contract, fraud, and the banker-customer relationship in the sphere of digital banking.

Account opening, contract, and the question of undue influence

The Court first reaffirmed the supremacy of the written terms of a contract over any extrinsic evidence. A party that signs a contract (in this case the account opening application standard form) is bound by its terms whether they were understood or not unless it is shown that the party was misled into signing a document fundamentally different from that which he or she intended to sign.

Therefore, although Ms. Atiku had sight impairemment, she was accompanied to the bank by her daughter to help her fill out the form. Her daughter testified that she read the contents of the form to her and filled in the information on her behalf.

The bank had no knowledge of Ms. Atiku’s impairment, and in any case, the form was not shown to be fundamentally different from what she intended to sign. Additionally, there was no evidence that her consent had been obtained by fraud, duress, misrepresentation or undue influence on the part of the bank, which in fact gives customers the opportunity to obtain independent legal advice before executing a document. On this basis, the Court concluded that Ms. Atiku was bound by her signature on the form including the “CenteMobile Services Declaration” section that she duly signed.

The risk of fraud and the bank’s duty of care

Despite the efficiency and convenience of mobile banking, the risk of fraud has been intensified by digitizing money transfer. With increased automation, financial institutions are specifically targeted by fraudsters due to their immediate access to and ability to transfer funds.

This risk imposes a duty on banks to put in place robust fraud detection and prevention solutions to protect their assets, systems, and customers. Banks have a duty to take reasonable measures to ensure that their digital banking systems are secure and are regularly reviewed and updated. They should know when a suspicious transaction or withdrawal takes place, and to this extent, must ensure that transactions on their digital banking services and received by their systems can be checked and traced.

Obligations of the bank to the customer

The duties above create corresponding obligations to the customer for the security measures to be effective. The bank should provide the customer with regularly updated information on how to access digital banking services, including details about their customer ID, selection of appropriate passwords, the availability of additional authentication or security options, how to maintain security, and what their liability for unauthorized transactions will be. Education and awareness in digital banking should exist for all age groups, but emphasis should be made when dealing with senior citizens who are more vulnerable to issues like account takeovers.

Additionally, banks should inform the customer of the applicable terms and conditions relating to the use of digital banking services including any fees, charges and the current transaction limits that apply to digital services. The customers should also be informed of the procedures they must follow to report unauthorized access to their confidential personal information, accounts or disputed transactions using digital banking services and be provided with effective and convenient means including easily accessible contact points to notify the bank of security incidents as soon as they become aware of suspicious or unauthorized activity.

Obligations of the customer

The customer has a corresponding responsibility to always keep their banking information, user IDs, passwords, and PIN numbers confidential. Because account takeover fraud often begins with compromised credentials that have been stolen or obtained through trickery, digital bank customers have a duty to prevent fraudsters from gaining access to their personal login details.

The risk of fraud grows exponentially because customers reuse and share their PINs and passwords. If a customer gives his or her online credentials to anyone, that customer loses whatever protection the bank has put in place against unauthorized transactions. This may result in the customer being responsible for any unauthorized transactions on his or her account, and in such cases the customer cannot be refunded for any resultant loss. In fact, failure to take such reasonable precaution may be construed as negligence by the customer.

Finding

In Ms. Atiku’s case, one of the protective measures made available to her was registration for SMS notifications so that she could receive alerts once there was a transaction on her account. Her sms log showed that she was sent an sms alert upon each transaction on her account whenever it occurred. Whereas she claimed to have received only one alert for the first withdrawal, she admitted that her daughter had access to her phone and is the one that normally read the messages for her. In effect, Ms. Atiku compromised the security features put in place by the bank for her protection by granting unrestricted access to her phone and security information to her daughter.

On this basis, the Court concluded that whereas there was a transfer of funds from Ms. Atiku’s account to a phone number that did not belong to her, the transfer was initiated by her or by a person with access to her PIN, phone and corresponding SIM card. As such, the most probable explanation is that the transactions on her account were either undertaken by her, with her authorization, or due to her negligence. All these are circumstances for which the bank cannot be held responsible.

This article is intended as a case digest and is only a discussion of the issues dealt with. This information is not intended to be, and should not be used by any person as legal advice. S&L Advocates is not responsible for any actions taken or not taken on the basis of this article.