AIDA ATIKU vs CENTENARY BANK, HCCS 754 of 2020 (Uganda)
Recently, the High Court in Uganda ruled that the risk of loss for an unauthorized transaction lies with a customer who, upon proof, negligently allows a third party access to their device and security information. Further, the court opined that a bank will not be held liable once it shows that the security procedure it has in place is a commercially reasonable method of providing security against unauthorized payment.
This ruling comes against the backdrop of negligence cases that have been filed against banks seeking compensation for money lost through fraud. In the suit, the Plaintiff opened a personal savings account with the Defendant, where she deposited UGX56,320,000. She alleged to have made one withdrawal amounting to UGX700,000. Upon her return to the bank, the account had been depleted, and the bank informed her that over time, different sums of money had been withdrawn electronically from the account using the ‘CenteMobile’ Platform, which she denied having applied for.
During the hearing, it became apparent that she had registered for the services, which only permitted her to initiate and conclude all her transactions using her officially registered mobile number with a unique PIN. An in-depth interrogation of the evidence revealed that the bank had put in place a protective mechanism which was made available to her. Whenever there was a transaction on her account, she would receive SMS notifications which acted as protective alerts. Her SMS log showed that she was sent an SMS alert for each transaction on her account. Whereas she claimed to have received only one alert for the first withdrawal, she admitted that her daughter had access to her phone and was the one who normally read the messages for her. This was an admission that she compromised the security features put in place by the bank for her protection by granting unrestricted access to her phone and security information to her daughter.
The court held that whereas there was a transfer of funds from the Plaintiff’s account to a phone number that did not belong to her, the transfer was initiated by her or by a person with access to her PIN, phone, and corresponding SIM card. Consequently, the bank cannot be held responsible.
Impact
With the increase in the use of mobile banking, which is targeted by fraudsters, banks are under an obligation to put in place robust fraud detection and prevention solutions to guarantee maximum protection to their assets, systems, and customers. This requires them to be able to detect any suspicious transaction or withdrawal and make such information known to their clients.
It is important to note that, for the security measures to be efficient, this creates a corresponding obligation on the customers. Customers should be taken through the security features, which include, inter alia:
Once these obligations are discharged by the bank, it will not be possible to claim negligence on the side of the bank. Therefore, the customer bears the sole responsibility of guarding their personal details jealously to avoid inviting unauthorized transactions. As a matter of fact, failure to take such reasonable precautions may be construed as negligence by the customer.