Italian banks may be held liable for damage suffered by their customers in case they are stolen identity for accessing home banking services, without any customer’s willful or grossly negligent behavior. According to a recent report by the Italian Postal and Communications Police, online frauds attributable by unknown criminals greatly increased in 2021. We currently refer to it as spoofing, phishing, mishing, vishing … depending on the the way they are perpetrated. Anyway, most of the times it’s a well-conceived criminal plan to deceive the unfortunate, and steal confidential information or sensitive data (usernames, email address, passwords …) that allow access to online services (such as home banking), and ultimately to siphon money away.
Usually, all starts with an email, text message, or even a phone call the victim receives from a phoney financial institutions such as banks, or credit card companies. Sometimes contact information are simply gathered by apparently respectful websites that require a sign-in registration. The fraudulent request for personal data is often motivated by (inexistent) technical problems. The user is invited to access a portal that looks like the official one of the targeted service provider. In reality, it’s a fake site. Once the user enters the credentials that open the doors to his/her bank, or credit card account, it’s done! With the data obtained, the defrauder has no further obstacle to have access to the user’s accounts.
Clearly all these schemes are built on the user’s belief he’s actually dealing with a real bank, or other service provider. Trust building is often further enhanced by the fact that confirmation SMSs are sent from the official provider’s number, or confirmation calls are made from what appears to be the provider’s customer service desk. The problem is that providers (especially banks…), once fronted with a request of reimbursement, often reject it, by claiming they were not part of the scheme (this is undeniable) and that it was user who should be more careful, and refrain to give away his precious credentials so gullibly. Until recently, this has been the prevailing attitude shared also by the Italian courts, and by ABF (a bank-backed ADR institute, whose mission is to release opinions in case of disagreement between banks and their customers). For the banks, it was sufficient to give evidence to have an effective authentication system put in place. In that occurrence, users were deemed responsible for any adverse events, either for not having adequately protected, or – worse – for having voluntarily communicated their credentials.
However, this way of reasoning has recently been reverted. In fact, it does appear as inconsistent with the EU directive for Payment Services Directive (PSD), which has been implemented in this country by the legislative Decree no. 11/2010. Under these norms, users do not need to give any evidence about the fact that credentials have been properly protected; they are simply required to report abusive use of payment tools. Moreover, it is the financial operator which, in order to go free from any responsibility must give evidence of their client’s intentional, or grossly negligent behavior. So, in order to avoid reimbursement of money transferred thanks to a fraudulent operation, a bank can no longer claim that said operation was formally ok (i.e. made by using the right credentials). Recent caselaw (e.g. Court of Appeal Bologna, no. 1352/2020; Civil Cassation no. 9158/2018), so allocates the risks of fraudulent operations to the banks, as a rule. Users’ confidence in electronic payment system must be preserve (also to the interest of the banks, in the end). As stressed above, in order to be exempt from liability it is the bank’s responsibility to provide proof that the transaction is the result of the user’s willful, or grossly negligence.
 Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ L 319, 5.12.2007, p. 1–36)
 (Italian) Legislative decree no. 11 of January 27, 2010 (It. OJ no. 36 of 13.02.2010 – Suppl. 29)
 Bologna Court of Appeal, judgement no. 1352 of May 25, 2020, upholding a 1° Instance Court of Modena decision.
 (Italian) Court of Cassation, order no. 8158 of April 12, 2018.