You receive a notification on your cell phone, see a payment you don’t recognize and realize, within seconds, that the money has left your account without apparent authorization. The impulse is immediate: contact the bank and demand a refund. But there is a decisive detail that can influence the outcome: the way the transaction was carried out and whether the bank can prove that the customer acted with fraud, deliberate default or gross negligence.
The difference between recovering the money or ending up bearing the loss may lie in an expression little spoken of outside the financial sector: gross negligence. Recent jurisprudence has reminded us that it is not presumed and that it requires manifestly careless behavior, contrary to the most elementary common sense.
The point that separates protection from loss
Not all fraud is treated the same. But the relevant legal distinction is not just between “fraudulent” transactions and “validated” transactions: a payment transaction is only considered authorized if the payer consents to its execution. In the absence of such consent, the operation is unauthorized.
When the operation is unauthorized, the legal regime, as a rule, obliges the payment service provider to immediately reimburse the value of the transaction, at the latest by the end of the first business day following the knowledge or communication of the case. The immediate exception provided for by law is the existence of reasonable grounds to suspect the customer of fraud, communicated in writing to the judicial authorities.
But the scenario becomes more complicated when there is user intervention. Still, the law is also clear on one decisive point: the simple fact that the system records the use of the payment instrument, or that the transaction has been authenticated, is not sufficient, in itself, to prove that the customer authorized it or that they acted with gross negligence. This burden of proof lies with the bank.
When “yes” was given without realizing it
If the user clicked on a link, entered data or validated an operation in the banking application, the bank may claim gross negligence. But this is not automatic. According to the Legal Framework for Payment Services and Electronic Currency, it is up to the provider to present elements that demonstrate the existence of fraud, intent or gross negligence on the part of the user.
In other words, even if the customer has been deceived, the technical record of the transaction is not enough, in itself, to close the discussion. This is precisely why these cases depend so much on how the scheme occurred and the evidence that each side is able to present.
The frequent case of digital scams
Most of these situations arise through increasingly sophisticated schemes. The warnings cover false contacts via email, SMS, telephone or social networks, in which scammers pretend to be the bank, use spoofing and create urgent scenarios to get the victim to disclose credentials, codes received by SMS or other authentication data.
In one of the most common scenarios, the victim believes they are receiving money and ends up validating a sending operation or associating a cell phone number that is not connected to MB WAY. Banco de Portugal describes precisely this type of scheme on buying and selling platforms, where the user thinks they are receiving a payment when, in practice, they are opening the door to access the account or sending money.
Why the bank may refuse to refund or try to pin the loss on you
The law establishes several levels of responsibility. In certain situations, the customer may bear up to 50 euros of losses related to unauthorized operations. If there is fraud or deliberate failure to comply with security duties, the customer bears all losses. And, if there is gross negligence, the customer can bear losses up to the limit of the available balance or the credit line linked to the account, even if it exceeds 50 euros.
But there is also an important counterpoint: if the payment service provider does not require strong customer authentication, the customer should not bear any losses related to unauthorized transactions, unless they acted fraudulently. Therefore, not every scam with apparent validation automatically ends up on the customer’s side.
There are exceptions, but they have to be proven
There are cases where the customer, despite having been deceived, did not act with gross negligence. And there are others where courts have concluded otherwise. What Portuguese jurisprudence has highlighted is that this qualification always depends on the specific case and the evidence produced, not on an automatic presumption in favor of the bank.
Also for this reason, the idea that the system only needs to register a “yes” for the bank to be released from having to return the money is too simplistic. The legal issue is more demanding than that.
What should you do if this happens
In a situation like this, acting quickly is essential. Banco de Portugal recommends that you contact the bank immediately and ask to cancel your homebanking or app access credentials and, if applicable, your card. It also recommends reporting to the PSP, the GNR, the Judiciary Police or the Public Ministry.
Saving messages, emails, call logs, screenshots and receipts can make a difference. And there is a legal point that should not be forgotten: the operation must be communicated to the provider as soon as it becomes known and without undue delay, within a maximum period of 13 months from the date of debit.
If the bank maintains the refusal, the customer can complain in the complaints book, directly with Banco de Portugal or resort to alternative dispute resolution means and the courts. Banco de Portugal itself clarifies, however, that it does not have the authority to impose compensation on the customer.
How to avoid falling into this type of scam
Prevention remains the best defense. Banco de Portugal recommends being suspicious of urgent requests, not clicking on suspicious links, never disclosing credentials or authentication codes by phone, email or SMS and not trusting strangers to join MB WAY or confirm transactions.
Even when there is strong authentication, the decisive question remains whether there was true consent and whether the bank can prove, when the customer denies authorization, that there was fraud, deliberate default or gross negligence. In the end, this is the detail that can make all the difference between recovering the money or ending up bearing the loss.