On a trip in South Africa, the clients drove in their rental car to a roadblock at an intersection. There they were informed by persons claiming to be traffic service employees that the passage through the next town was not possible due to an accident. They were told to turn right and buy a ticket at the petrol station to bypass over a bridge. The customers followed the instructions. They entered the petrol station of a large, internationally known fuel brand together with other concerned motorists. They wanted to use the ATM of a nationally known bank standing there to pay the ticket. After inserting the card and entering the PIN code, an error message appeared and the card was withheld. They tried to withdraw money with a second card, which also failed. They realised shortly afterwards that they had probably become victims of fraud and had their cards blocked immediately at their bank in Switzerland. At the next opportunity, they filed a criminal complaint with the local police authorities.
Due to internet research, they later realised that they had apparently fallen victim to a well-known fraud pattern in South Africa. Even the specific petrol station that was the scene of the fraud was mentioned in reports. They were surprised that no one seemed to be doing anything about the fraud, even though both the petrol station and the ATM in question bore the logo of well-known brands.
It turned out that the unknown perpetrators succeeded in making transactions totalling CHF 8,900 immediately after the customers had used the ATM with the card data they had obtained by fraud. Since the perpetrators were, as usual in such cases, beyond reach, the question arose as to who had to bear the damage from the incident, the customer or the card issuer. As a rule, credit card contracts stipulate that the card issuer bears the damage resulting from misuse of the card if the customer has complied with the duties of care stipulated therein and has not been guilty of any other breaches of contract.
The bank argued that the transactions had been made with the original cards and the PIN codes that were correct right away. The customers had violated a central duty of care by not keeping the PIN code secret. The PIN code must not be disclosed to third parties.
The customers were of the opinion that they had complied with all due diligence obligations. The ATM appeared to be a standard machine of a well-known national bank in a standard location for such machines in that country. They had merely followed the steps necessary to use the credit card to withdraw money. These steps necessarily included inserting the card into the machine and entering the PIN code. They could not have realised that the device had been manipulated in such a way that the information transmitted could be recognised and misused by unauthorised third parties. As soon as they could conclude from the circumstances that fraud had taken place, they would have blocked the card immediately and then filed a criminal complaint as soon as possible.
The Ombudsman found the card issuer’s argumentation problematic in light of the incident described. It is undoubtedly the case that customers should exercise the necessary caution when using their credit card and should, for example, make sure that they are not spied on when entering the PIN code. The use of a credit card for a perfectly normal transaction, which necessarily involves inserting the card into a device and entering the PIN code, is not per se careless. In the Ombudsman’s view, if this is done on an outwardly inconspicuous device at a usual location, where only an expert could detect a manipulation after opening the device, a customer cannot be accused of a breach of duty of care simply because the card information and the PIN code reach unauthorised third parties with the help of the manipulated device. Furthermore, the Ombudsman was able to understand that the customers did not immediately think of fraud when the transaction could not be successfully completed, since, according to general life experience, malfunctions of cash dispensers can occasionally occur. It was therefore not apparent to the Ombudsman in the present case what duty of care or other breach of contract the customers could be accused of.
The bank was not persuaded by these arguments, but informed the Ombudsman during the mediation procedure that it was prepared, as a gesture of goodwill and without acknowledging any legal obligation, to compensate the customers for the entire loss. The case was thus resolved to their satisfaction.