In its recent decision of 19 February 2025, the Supreme Court of Hungary (‘Curia’) overturned the second-degree verdict that held fraud victims solely liable and ruled that financial institutions cannot automatically reject compensation claims. This landmark decision might open the doors for customers to claims against their banks in similar cases.
Background
A consumer filed a complaint with the Financial Arbitration Board after the rejection of their reimbursement claim against a bank. The dispute arose when the consumer attempted to sell a product on an online marketplace but was misled by a fake potential buyer to an internet phishing page resembling the bank’s official website. As a result, the consumer became a victim of fraud, leading to an unauthorized transfer of a significant amount from his bank account to an unknown domestic account. The Conciliation Board recommended that the bank reimburse the consumer for the unauthorized payment transaction.
The bank challenged the recommendation in court. A legally binding judgment overturned the Financial Arbitration Board’s recommendation, reasoning that the bank’s liability depended on whether the consumer had acted with due diligence in safeguarding their authentication credentials. The court examined whether the consumer had provided their credentials to an unauthorized party and, if so, whether they exhibited culpable negligence. The second-degree court ruled that the consumer’s actions constituted gross negligence, thereby exempting the bank from its statutory reimbursement obligation.
Curia’s verdict
The Curia, however, emphasized that the second-degree court had incorrectly equated gross negligence with a breach of duty. It clarified that negligence must be assessed individually and with the damage (not the default), considering whether the consumers were subjectively aware of the consequences of their actions and whether they displayed recklessness or indifference toward potential damages. The court also underscored that gross negligence should be evaluated not only based on default but also in terms of the foreseeability of harm. The Curia concluded that the consumer could not have anticipated the damage resulting from the second unauthorized transfer and had not acted with significant negligence. As a result, the Curia reinstated the initial court decision, which had dismissed the bank’s claim, thereby affirming the consumer’s right to reimbursement.
The above implies that banks cannot automatically pass on the liability for fraud to the consumers based on the objective default of a task, but the general and more subjective clause of foreseeability should be assessed on a case-by-case basis. The judgment also lays down, however, in general terms, the conjunctive conditions under which a bank may be exempted from the obligation to reimburse a consumer for the execution of an unauthorised payment transaction as follows: (i) the customer does not behave in a manner which is normally expected in the circumstances of the case to keep the bank card and the personal identification data secure, and (ii) the failure to comply with the obligation constitutes gross negligence as regards the damage caused.
Afterlife of a decision
The decision of the Curia is certainly a step forward in the direction of more effective protection of consumers’ rights, but it also establishes a stricter framework for the banks to avoid liability. This decision, and the ones to follow based on this landmark ruling, may spur financial institutions to enhance their security protocols, taking greater responsibility in preventing financial abuse, since the volume and sophistication of online scams just keep increasing.
By Balint Zsoldos, Head of Tax, KCG Partners Law Firm
