Man-in-the-middle fraud and the limits of banks' liability
In an increasingly digitalised environment, banking scams have evolved significantly in terms of complexity and sophistication. One of the scams that has gained prominence in recent years is the so-called "Man-in-the-Middle" attack.
This type of fraud involves the unauthorised interception of communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users.
One of the most frequent scenarios involves the interception of a communication requesting a payment, whereby the fraudster modifies the IBAN of the bank account to which the transfer is to be made in order to get the money. The process generally unfolds as follows:
- A company receives an e-mail from a supplier, requesting payment of an invoice for the provision of services.
- Unbeknownst to the company, an attacker intercepts and manipulates the email, changing the IBAN of the account to which the payment is to be made.
- The cybercriminal impersonates the provider, sending the message from an email address almost identical to the original, but with a slight alteration that is almost unnoticeable.
- The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.
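The checks a receiving company could run on an incoming payment request in the scenario above, as an added example that is not part of the article: it validates the ISO 13616 mod-97 checksum of the IBAN, compares the IBAN and payee name against a vendor master record, and flags a sender domain that is within a few edits of a known supplier's domain. The vendor record, domain names and IBANs are constructed sample values.

```python
import re

VENDOR_MASTER = {  # constructed sample supplier record, not from the article
    "acme-supplies.example": {"name": "ACME Supplies S.L.", "iban": "ES9121000418450200051332"},
}


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must be 1 modulo 97."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_payment_request(sender_domain: str, payee_name: str, iban: str) -> list:
    """Return the warning signs found in an incoming payment request (empty list = clean)."""
    alerts = []
    domain = sender_domain.lower()
    vendor = VENDOR_MASTER.get(domain)
    if vendor is None:
        # A sender within two edits of a known supplier is the "almost identical address" case.
        for known, record in VENDOR_MASTER.items():
            if edit_distance(domain, known) <= 2:
                alerts.append(f"sender domain {domain!r} resembles known supplier {known!r}")
                vendor = record
                break
    if vendor is None:
        return ["sender domain not in vendor master"]
    normalised = re.sub(r"\s+", "", iban).upper()
    if not iban_is_valid(normalised):
        alerts.append("IBAN fails mod-97 check")
    if normalised != vendor["iban"]:
        alerts.append("IBAN differs from the vendor record (unexpected change of bank details)")
    if payee_name.casefold() != vendor["name"].casefold():
        alerts.append("payee name does not match the vendor record")
    return alerts
```

Any non-empty result should route the invoice to manual confirmation with the supplier over a known-good channel rather than straight to payment.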
In this way, a computer alteration is carried out with the aim of achieving a financial transfer to the detriment of the originator of the transfer, as provided for in Article 249.1 (a) of the Criminal Code.
When the originator notices the error, its first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for manoeuvre, so the only alternative is to file a complaint.
However, identifying the perpetrator is not a simple task. Cybercriminals operate complex mechanisms to hide their identity and make it difficult to trace the money, making the possibility of recovering the money directly from the offender increasingly remote.
Faced with this situation, many people affected are looking for another way forward: claiming the subsidiary civil liability of the bank that executed the transfer. But can the bank be held liable for processing the transaction?
The answer to this question is to be found in Article 59 of the Payment Services Act, which regulates the liability of banks in situations where incorrect identifiers have been used. According to this regulation, when a payment order is executed in accordance with the unique identifier (IBAN), it is considered to be validly processed with respect to the payee associated with that identifier. Moreover, the third paragraph of this Article states that, if the payer provides information in addition to the IBAN, such as the name of the payee, the bank is not obliged to check that it corresponds to the IBAN.
This criterion has been endorsed by different Courts in the civil sphere, as stated, for example, in the Judgment of the Provincial Court of Zaragoza no. 87/2019 of 25 March 2019, which confirms that the bank's responsibility is limited to executing the order in accordance with the unique identifier, without having to consider other additional data.
In the same vein, the 2018 Complaints Report of the Market Conduct and Complaints Department of the Banco de España reinforces this interpretation, recalling that transfers are automatically processed according to the IBAN indicated, without banks carrying out additional checks. In other words, any other information included in the payment order, such as the payment reference of the transfer, is merely informative for the beneficiary and does not represent a binding instruction for the institution.
Therefore, the rules seem clear: if there is an error in the unique identifier (IBAN) when ordering a transfer, the receiving bank should not be liable. Its only obligation should be to credit the funds to the indicated account, without carrying out additional checks on the ownership of the recipient account.
However, the scenario becomes more complicated for banks with the entry into force of Regulation (EU) 2024/886 of the European Parliament and of the Council of 13 March 2024 on immediate credit transfers in euro. In the specific case of immediate credit transfers, banks will be obliged to implement a system of verification of the beneficiary before executing the transaction. This new requirement sets a higher standard of diligence for financial institutions and will imply a significant change in the way in which responsibilities are distributed in cases of fraud or error.
This new regulatory framework responds to the need to reinforce security in a context where instant payments have become increasingly common with the aim of providing greater user protection against unintentional errors and fraud. Thus, as of 9 October 2025, payment service providers will be legally obliged to check that the name of the beneficiary matches the IBAN provided and to alert the payer in case of discrepancies.
Notwithstanding the above, taking into account that the new provisions are still in the implementation period and will not be mandatory for banks until October 2025, it is essential that, during this transition period, both banks and users take the utmost precautions. On the one hand, financial institutions must continue to improve their systems for detecting suspicious transactions and reinforce security mechanisms to prevent fraud. On the other hand, users should be especially careful when making transfers, verifying the authenticity of the recipients and paying attention to warning signs that could indicate a possible scam, such as urgent requests for payment, unexpected changes in bank account details or e-mails attempting to impersonate identities.
Article written by Marta Coro, Economic Criminal Law and Compliance lawyer at ECIJA Madrid.