Neograf S.A. filed a damage lawsuit against a bank after suffering a fraudulent transfer of ARS 1,450,200 from its checking account. The company claimed that the bank had failed to fulfill its security duty, allowing third parties to access its funds.
It was established that a representative of the company accessed the bank’s online banking service through a fraudulent website that closely resembled the bank’s official site. The representative entered her username and password. Subsequently, she received a phone call from individuals posing as bank employees, who informed her that her account had been blocked for security reasons and that she needed to provide a security token to reactivate it. Following these instructions, the plaintiff provided the authentication code, thereby enabling the fraudsters to access the account and execute the disputed transfer.
Later, the company detected the suspicious transaction and contacted the bank to report the fraud. The bank launched an internal investigation and concluded that there had been no breach of its security systems; instead, the transaction was carried out using credentials that the account holder had voluntarily provided to third parties. Consequently, the bank denied liability, arguing that the plaintiff had failed in its duty of care by disclosing sensitive data.
In the first instance, the Court held that the bank had an enhanced security obligation and found it liable for not preventing the suspicious transaction. A judgment was issued against the bank, ordering the reimbursement of the stolen amount plus interest. However, the bank appealed the decision, arguing that the transfer had been executed in compliance with the applicable security measures and that Neograf S.A.’s loss was solely due to its own negligence.
In December 2024, the Court of Appeals overturned the first-instance ruling and dismissed Neograf S.A.’s lawsuit, holding the bank harmless, considering that the damage was due to the company’s lack of diligence in handling its banking credentials.
The Court determined that the relationship between the parties did not constitute a consumer transaction, as the bank account was used for commercial purposes, meaning that consumer protection laws did not apply. Furthermore, it concluded that the bank had not breached its security obligations, as the transfer had been carried out with legitimate credentials provided by the plaintiff.
The Court emphasized that the company had failed to take the minimum precautions required to avoid being victim to a fraud, particularly given the numerous public warnings about such scams. The ruling underscored that a bank’s responsibility for transaction security has a limit in the actions of its customers, who are responsible for safeguarding their credentials and personal data. In this case, the plaintiff’s disclosure of sensitive information broke the causal link between the bank’s actions and the resulting loss.
As a result, the Court overturned the judgment against the bank and ordered the plaintiff to bear the costs of the proceedings.
