13.1.2022 – The VKI sued over several formulations in the conditions of an internet banking insurance offered by Bank Austria, and the Supreme Court has now ruled in its favor. It was suggested to the customer that he would be liable in the event of improper use of a payment instrument, but in fact this is only the case to a very limited extent.
The Association for Consumer Information (VKI), as an institution entitled to bring an injunction under the Consumer Protection Act, has filed a lawsuit against several clauses in the Internet banking protection package “Just-in-Case” from Unicredit Bank Austria AG.
After the first court upheld the complaint and the appellate court dismissed the complaint but allowed an appeal, the case landed at the Supreme Court.
The appeal concerned only the demand to cease the joint use of five sentences in the conditions, which the VKI summarized as “Clause 1”.
Internet banking insurance
The insurance is offered to customers of Bank Austria for a monthly, value-secured fee.
For this purpose, there is a group insurance contract between Bank Austria and Ergo Versicherungs AG, which customers can sign up to. Bank Austria is the group policyholder and head of the group.
According to the decision of the Supreme Court, it is an insurance policy against disadvantages resulting from the improper use of a payment instrument and, according to Bank Austria, should “repair damage caused by phishing, Trojans or malware”.
Insurance cover exists for all private accounts, savings accounts, securities accounts including the associated clearing accounts (“products”) of the joined product owner and begins immediately after signing the declaration of membership or subscription via TAN.
iVm (“in connection with”; editor’s note)
Insurance cover for the products also exists if the insured event was caused by gross negligence, be it by the joined product owner himself, other product owners or authorized product signatories in the course of using their respective internet banking.
For example, it is grossly negligent to pass on the PIN and TAN in full on the phone or to enter the user number and personal data on a phishing website.
Insurance cover exists
• In the case of phishing, if the joined product owner himself, other product owners or authorized product signatories have used a laptop / PC, another mobile device or another internet-enabled device (TV, game console, set-top box, etc.), or through malware that was used on one of these devices, the access data and authorization data of the joined product owner himself, other product owners or authorized product signatories, e.g. the user number, the personal identification number (PIN), the transaction number (TAN), fingerprint and all future access and authorization methods used in Bank Austria, spied out and then misused and if so
• this has led to damage in the products of the product owner who has joined.
The maximum compensation per insured event is: EUR 50,000.
Arguments of the VKI
According to VKI, it is “in the end” a liability insurance for financial losses for which the customer is for the most part not liable and for which there is no insurable risk from the customer’s point of view.
It is suggested to the consumer that without the insurance he alone and without restriction bears the risk of cybercrime. The clause is therefore “at least grossly misleading and non-transparent” within the meaning of Section 6 (3) of the Consumer Protection Act.
Since the customer has to pay insurance premiums to insure a risk that largely affects the group policyholder himself, the clause is also immoral, according to the VKI.
It also violates the mandatory provisions of Sections 56, 67 and 68 of the Payment Services Act 2018 (ZaDiG) and is grossly disadvantageous within the meaning of Section 879 (3) ABGB.
Payer’s right to reimbursement
As the so-called “top group”, Bank Austria is the contracting partner of the insurance company and thus the policyholder, but not the insurer, the Supreme Court found in its legal assessment.
It is undisputed that it is a payment service provider and that the members of the insurable group of people are payment service users within the meaning of the Payment Services Act.
According to Section 67 (1) ZaDiG 2018, in the event of an unauthorized payment transaction, the payment service provider must reimburse the payer for the amount of the unauthorized payment transaction, unless there are legitimate reasons for suspicion of fraud, according to the Supreme Court.
The payer is thus entitled to a correction or reimbursement claim against the payment service provider, which does not require the payment service provider to be responsible for the misuse.
Risk shift to the payment service provider
In principle, the payer is liable according to § 68 ZaDiG for the entire damage if he has acted with fraudulent intent or has violated his duty with intent or gross negligence. In the case of slight negligence, he is only liable up to a maximum of 50 euros.
In addition, § 68 ZaDiG provides for five exceptions in which the payer is completely released from his liability despite breach of his duty, provided he cannot be accused of fraudulent behavior.
This provision thus reduces the payer’s liability to general civil law and shifts the risk from the payment service user to the payment service provider.
When clauses are ineffective
According to the Austrian Supreme Court, clauses in general terms and conditions or contract forms are ineffective under the Consumer Protection Act if they are unclear or incomprehensible.
The content and scope of the provisions must be transparent for the consumer, the economic scope and future costs must not be concealed. The standard for transparency is the understanding of the typical average customer.
It is conceivable that only reading several sentences together makes it clear that a general terms and conditions clause is ultimately non-transparent, so that these sentences are to be assessed as a unit.
A non-existent risk is suggested to the customer
In the present case, the VKI, as the plaintiff, created an inseparable connection between the five individual sentences of the General Terms and Conditions by using the abbreviation for “in connection with”, which makes it clear that it considers the parts of the clause to be unlawful in their context.
It does not matter whether the individual sentences of this “Clause 1” are clearly understandable in themselves and are neither grossly disadvantageous nor opaque. Read together, the individual parts of “Clause 1” turn out to be non-transparent.
The description of the insurance product as a whole suggests that the Internet banking customer bears the risk of improper use of a payment instrument, but this is only the case to a very limited extent.
In addition, the defendant Bank Austria benefits economically from its customers joining the insurance because it receives part of the premiums for the insurance brokerage and the insurance also covers risks that actually affect the defendant itself.
According to the Supreme Court, grossly misleading details increase the lack of transparency in this clause. This gives the erroneous impression that the customer is always and indefinitely liable for slight negligence.
The claim that the complete disclosure of PIN and TAN on the phone or the entry of user number and personal data on a phishing website is grossly negligent is also misleading.
This is not necessarily a grossly negligent breach of an obligation under the ZaDiG. The highest judges also criticize the maximum compensation of 50,000 euros per claim, although in many cases the defendant has unlimited liability for the reimbursement.
Thus, “Clause 1” proves to be inadmissible because of a violation of the transparency requirement; further violations of the law therefore no longer need to be dealt with. The Supreme Court restored the judgment of the first court as a whole.
The decision in full text
The full text of the Supreme Court decision 8Ob108/21x of October 22, 2021 is available on the VKI website.