In recent months, the fake bank slip scam has become a frequent practice in Brazil, which raises concerns for banking institutions and affected companies.
Many doubts arise about who is responsible and whether the client should be reimbursed.
Below are 4 guidelines drawn from Brazilian case law that indicate risk exposure and can help guide a company’s conduct in similar cases:
1. The company is responsible for the leak of the consumer’s confidential personal data, relating to operations and services, obtained by criminals to commit fraud. However, in a recent judgment, the Brazilian Superior Court of Justice (STJ) determined that it must be proven that the leak of personal data that culminated in the facilitation of fraud originated in the company’s system. In the case judged, the scammer was aware that the victim was a customer of the financial institution, knew that she had sent an email with the purpose of paying off her debt, and also had data relating to the financing operation.
2. The company is not responsible when the fraud was noticeable or evident, that is, when the customer should have done due diligence and identified that it was a scam. For example, when the customer pays a fake invoice that was received via the “WhatsApp” application, not issued via the company’s website, and that shows a person outside the financing contract as the beneficiary.
3. The company’s liability may be limited to the amount paid for the false invoice (i.e., compensable by the declaration of non-existence of debt), but compensation for moral damages is usually also awarded, due to the customer’s frustration and annoyance.
4. If there is more than one company involved in the operation, it is necessary to identify in which system the failure or data leak occurred, which allowed the scam to take place. Even though all companies involved may be held responsible to the customer, there may be compensation between them if the failure can be, for example, attributed to the financial institution responsible for issuing the invoices.
To avoid liability and reputational exposure, it is important that companies invest in security and adopt measures to protect confidential or operational data stored in their systems. The most common origin of such scams is improper access to personal data of customers and operations, which allows the data contained in the fake invoice to be, in fact, true – which induces the customer to believe in its veracity and carry out the payment to the scammer.
For companies that work with banking partners, it is important to investigate the data chain to identify where the failure occurred. This measure is important not only to limit liability, but also to correct any flaws in the flow and prevent new leaks of, or improper access to, data by those intending to commit scams.