In a recent judgment dated 14 March 2017, the Qatari Court of Cassation established a new principle regarding the responsibility of banks’ customers to ensure the safety and protection of their accounts from hacking and/or fraudulent use by third parties.
It was established that a customer’s negligence in failing to notify the bank of possible fraudulent or suspicious use of a debit card, after receiving numerous automated SMS messages from the bank indicating a suspicion of such use, must be considered when determining liability for the losses resulting from fraud.
Both the Court of First Instance and the Court of Appeal decided the case in favour of the customer and against the bank; neither of the lower courts considered the responsibility or fault to be that of the customer. The lower courts’ decision was eventually overturned by the Court of Cassation on the basis that the customer’s negligence or mistake must be considered. The Court of Cassation ordered the case to be remitted to the Court of Appeal.
The case relates to a claim filed by a customer against a renowned international bank present in Qatar. The customer’s bank account was allegedly hacked from a foreign country and several transactions of large amounts of Qatari Riyals were carried out on the customer’s debit card over a period of approximately one month.
During this time, the customer received hundreds of individual automated SMS messages from the bank regarding such transactions. Such messages are required to be sent to each customer as part of a security system introduced by the Qatar Central Bank (“QCB”). Every time a transaction is made on a customer’s debit or credit card, an automated message is sent to the customer containing the date and amount of the transaction and the place where the transaction was made, as well as a helpline number for enquiries and suspicions.
The customer acknowledged that he received all of the messages from the bank, but took no action immediately upon receipt of the messages. Instead, at the end of the one month period, the customer contacted the bank when he received his monthly account statement. Upon such notification, the bank immediately froze the account, cancelled the card, and commenced an investigation. The customer refused to accept a settlement offer from the bank and filed a case in the Qatari Courts seeking compensation from the bank for the full value of the fraudulent transactions.
Court of First Instance
The Court of First Instance found that the bank was fully liable for the customer’s losses and therefore was obliged to reimburse the customer for the full value of the fraudulent transactions. The Court did not provide any reasoning for such a conclusion. From this decision, it was inferred that banks were responsible for protecting their customers’ accounts and debit/credit cards from fraudulent use, regardless of the customer’s failure to notify the bank of such transactions.
Court of Appeal
The bank filed an appeal on the basis that it had fully adhered to all of its duties and obligations under Qatari law and QCB regulations. The bank also argued that the customer had failed to inform it of the suspicious transactions at an early stage, despite being notified of such transactions. The bank argued that, had the customer notified it at the outset of the fraudulent use, his losses would have been minimal as the bank would have taken immediate preventive measures.
The Court of Appeal did not agree with the defence put before it by the bank and upheld the Court of First Instance’s decision, affirming that the bank was solely responsible for the losses incurred by the customer and was obliged to compensate the customer for the full amount of the fraudulent transactions.
Court of Cassation
The case was subsequently challenged before the Court of Cassation. At this stage, the arguments made before, and dismissed by, the lower courts had to be demonstrated before the Court of Cassation in the form of flaws in the application of the law by the lower courts, as opposed to incorrect findings of fact.
The Court of Cassation accepted the appeal on the basis that the lower courts did not consider or address the legal impact of all the facts and issues involved in the case. Accordingly, the case was remitted to the Court of Appeal to be reheard in light of the customer’s failure to notify the bank of the fraudulent transactions, after having received several automated SMS notifications over an extended period of time.
Significance of the Judgment
The Court of Cassation’s ruling reflects a contemporary approach taken by the judges. It is pleasant to see that the impact of technology and the important role it can play in our daily lives has been recognised. By acknowledging the SMS security system implemented by the banks, and bringing attention to the significance of a customer’s acting on the same, the Court of Cassation has set a principle that protects the efficiency and workability of this security measure. In our opinion, the decision appropriately balances the interests of the banks and the customers in the context of hacking and fraudulent transactions. Furthermore, the approach taken by the Court of Cassation is in concert with the QCB regulations.
Had the Court of Cassation rejected the notion that it was the responsibility of customers to act upon such SMS messages, the public funds and the efforts the QCB spent on introducing the SMS security system would have been wasted. A judgment to the contrary would have created a discrepancy between the Qatari Courts’ stance and the QCB’s intention in this regard. The judgment is a welcome step in paving the way for a similar contemporary approach in future cases.