A scammed customer and Bank of Valletta (BOV) have been deemed jointly responsible following a fraudulent email that triggered a payment of €12,345 from a savings account.

Following a complaint received and analysed by the Arbiter within the Office of the Arbiter for Financial Services – Malta, it was determined that the customer should bear 70 per cent of the loss, while the bank should bear the remainder. This resulted in the bank being ordered to pay €3,703.50 in compensation.

The money was taken when the customer clicked on a fraudulent email link that appeared to be from BOV, requesting signature verification.

According to the report, the customer claimed that they were busy with their wedding planning business at the time and didn’t receive the usual SMS notification from the bank about this transaction.

When questioned by the Arbiter, the bank defended its position and stated that the transaction was authenticated using the two-factor authentication system.

“They argued that the customer must have been grossly negligent in sharing their credentials, as the payment was authorised using the customer's own token and security measures,” said the office.

Additionally, the bank stated that, since the payment was within the customer’s authorised limit and processed through legitimate channels, they had no obligation to reimburse the funds.

The Arbiter considered various factors prior to reaching his decision, noting that while the email was received through a channel typically used by the bank, it came from a suspicious Japanese domain, “which should have raised red flags.”

Therefore, the Arbiter considered that the customer had to actively participate in the payment authorisation process by entering the amount and IBAN details.

On the other hand, he also noted that banks need to protect customers from increasingly sophisticated fraudsters, especially in terms of unauthorised access to savings accounts with large sums of money.

In light of this, the Arbiter recommended to the Malta Financial Services Authority and the Central Bank of Malta that the banks should implement systems to allow customers to restrict online payment capabilities on savings accounts to transfer their own current accounts only.

“This would provide better protection for customer’s savings while maintaining convenient access to their funds when needed,” the Arbiter concluded.