-
On CEO Fraud: Concept and Features
With the recent surge in the use of digital tools in business, warnings about the potential to fall victim to scams or fraud via the internet have become increasingly common. This post addresses the so-called “CEO fraud”, which, although a relatively novel concept, has already been legally defined through case law.
In this regard, Judgment 74/2022 of the Madrid Provincial Court, Section 11, dated 28 February, defines CEO fraud as a “type of fraud that combines techniques of social engineering and phishing to deceive an individual with access to a company’s accounts into believing that their superior is instructing them to transfer funds in connection with a particular transaction. Alternatively, they may be asked to provide the company’s banking details.”
Equally relevant is Judgment 530/2023 of the Las Palmas Provincial Court, Section 1, dated 5 October, which states that CEO fraud “consists of an employee with access to the company’s accounts and the ability to make bank transfers receiving, allegedly from their superior, an email requesting their assistance in carrying out a confidential and urgent financial transaction. Once deceived, the employee not only discloses confidential company data but may also make one or more transfers to other bank accounts held by third parties associated with the perpetrators of the fraud.”
It is also important to note that, beyond the preparatory research the fraudsters carry out on the target company (its organisational chart, its signing authority and the way its executives communicate) in order to make the deception credible, electronic media are the main instrument of this type of fraud. In practice it is most often carried out through email accounts (frequently a spoofed or look-alike address, or a genuinely compromised executive mailbox) and, in some cases, through instant messaging applications such as WhatsApp.
-
On the Nature of Banking Liability
Beyond any criminal liability that may arise for the perpetrators of such fraud, there is also a degree of civil liability attributable to the bank involved in the fraudulent transaction. This is because, as recent case law has clarified, the bank responsible for processing the transfer bears a quasi-strict liability (as established in Judgment 178/2015 of the Madrid Provincial Court, Section 9, dated 4 May, and Judgment 107/2018 of the Alicante Provincial Court, Section 8, dated 12 March). This follows from the heightened standard of diligence expected of any bank as a payment services provider, which must assume the operational risks inherent in its sector.
Of particular note is Judgment 107/2018 of the Alicante Provincial Court, which states: “The liability framework applicable to unauthorised or incorrectly executed payment operations by service providers is one of quasi-strict liability, as derived from the specific regulations governing this area.”
In this regard, the quasi-strict liability of payment service providers, which stems from the nature of the operations they carry out and the risks inherent in them, may be mitigated by the implementation of internal protocols, for instance within the framework of "Know Your Client" (KYC) procedures. As explained further below, the burden of proving that the contested transaction was free of error lies with the banking institution. The existence of such internal protocols may therefore play a mitigating role in determining the extent of the liability ultimately attributable to the payment service provider.
-
On the Reversal of the Burden of Proof
Finally, as case law has consistently held (see Judgment 244/2020 of the Madrid Provincial Court, Section 9, dated 8 June), in addition to the heightened duty of care that underpins banking liability in such cases, it is legally established that the payment service provider must prove the accuracy and validity of the contested payment transactions when faced with a user claim. This results in a clear reversal of the burden of proof, placing the evidentiary obligation on the bank rather than on the user.
A paradigmatic example is Judgment 289/2021 of the Seville Provincial Court, Section 6, dated 30 July, which ruled: “It is for the service provider to prove that the payment order, which the customer denies having authorised, was duly authenticated. Failure to do so results in liability and an obligation to reimburse the funds disbursed.”
-
Conclusions
In summary, CEO fraud is a sophisticated form of deception that combines social engineering techniques and the use of electronic media to induce employees with access to corporate accounts to carry out transfers under the false impression of receiving legitimate instructions from their superiors. In such situations, recent case law recognises the potential civil liability of the banks involved, based on a quasi-strict liability regime. This regime is grounded in the heightened duty of diligence imposed on payment service providers, who must bear the risks inherent in their business activity.
Furthermore, this leads to a reversal of the burden of proof, meaning that it is the banking entity that must demonstrate that the payment operation was duly authorised and authenticated. Failing this, it must bear the civil consequences of the fraud and refund the affected customer. Nevertheless, such liability may be mitigated if the bank can prove that it implemented appropriate internal protocols, such as verification procedures or KYC mechanisms. The mere existence of such protocols, however, is insufficient to exonerate the institution unless their effective application in the contested transaction is also demonstrated.