In a landmark decision (BGE 4A_9/2020), the Federal Supreme Court has specified the due diligence obligations of banks and other financial companies. This concerned the duty of care of a finance company in connection with transaction orders from a customer via e-mail. The following facts formed the basis of the ruling:
A customer opened a numbered account with a finance company, to which he transferred an amount of CHF 850,000. For this purpose, the client authorized the finance company to receive instructions by e-mail. These instructions were to be executed without any request or written confirmation. The authorization contained a risk transfer clause, which shifted the risk associated with the e-mail transactions to the client unless the bank was grossly at fault. Hackers then ordered eight transactions within one month. Later, the hackers used a slightly modified e-mail, after which the bank reacted and stopped the transactions. Prior to these eight transactions, the customer had made only two transactions within a year.
The lawsuit for repayment of the eight abusive transactions eventually reached the Federal Supreme Court. In its ruling[1], the court decided that the following criteria limit the bank's liability in such a case. Under the risk transfer clause, the bank is in principle only liable for gross negligence. The customer is therefore responsible for taking the necessary measures to ensure the security of his e-mail orders. The Federal Supreme Court provides for force majeure in the liability of the customer himself. The customer is not obliged to take measures to prevent misuse, but is fully responsible if his efforts fail.
In the above-mentioned case, the Federal Supreme Court consequently ruled that there was no evidence on which to accuse the bank of gross negligence. The bank responded directly once the modified e-mail was detected, and the closer timing of the transactions is not grounds for a breach of due diligence.
[1] 4A_9/2020