Disputed card charges for activities on game apps
Unfortunately, the documents submitted by the customer were very incomplete. In several conversations he was asked for explanations and asked to complete his complaint. In these conversations it emerged that the customer could not rule out the possibility that his ten-year-old son had triggered the charges. The customer also explained that he had previously deposited his credit card in the provider’s so-called Play Store for payments and was not sure whether he had actually deleted it correctly and completely. However, he was of the opinion that it could be ruled out that his son had had access to chargeable services while playing on the apps. In addition, the bank should have recognised that the transactions would deviate from his usual usage behaviour and should have had them confirmed via two-factor authentication in order for them to be valid. Finally, the bank had failed to inform him that the debits had only been provisionally cancelled. This made it impossible for him to clarify the differences directly with the provider. The client was therefore of the opinion that the bank had breached its duty of care and had to pay for the damage he had suffered as a result.
In its statement to the client, the bank explained that the clarifications within the framework of the chargeback procedure had shown that all transactions had been made from the same IP address, which could be assigned to him. Moreover, the transactions were not new to him. He had repeatedly and frequently carried out such transactions with the provider in question in the past and had never complained about them until the end of June 2020. In addition, he had breached his duty of care in handling the card. It apologised for having inadvertently omitted to inform him that the disputed transactions had only been provisionally cancelled, but refused to compensate him, referring to its general terms and conditions and the liability and due diligence provisions contained therein.
Two questions arose for the Ombudsman in this case. Firstly, were the client or his son actually victims of fraud? And second, who had to pay for the disputed transactions, the bank or the client?
To answer the first question, the facts of the case had to be clarified. The Ombudsman does not conduct any actual evidentiary proceedings. However, on the basis of the documents, he found that the 67 transactions complained of did not seem unusual for the customer. Past credit card invoices and the provider’s investigations showed that the customer’s credit card had already been charged frequently for such transactions and that they always originated from the same device, which could be assigned to the customer. Despite corresponding requests, the customer had never explained in more detail which apps or websites his son had used. He also did not explain why he assumed that his son could only use free games, and which specific actions in his opinion could possibly have triggered the credit card charges, or how he or his son had been deceived about the obligation to pay. The acts of fraud alleged by him were therefore not tangible.
However, the Ombudsman’s own investigations revealed that it was clear from the websites mentioned by the provider in the chargeback proceedings that certain services were subject to a charge. It was therefore not possible for the Ombudsman to counter the bank’s arguments with valid counter-arguments from the client, which at least made it seem possible that the transactions had a fraudulent background.
For the second question, it was decisive whether the transactions in question could be attributed to the customer on the basis of the applicable credit card conditions. They were apparently made by someone who had access to the customer’s device, which was connected to his account with the provider for which he had deposited his credit card for the payment of corresponding services. According to the bank’s general terms and conditions, the customer had to bear the charges resulting from such card use. If these actually came from an unauthorised person, the bank would only be liable for them if he had complied with all the duties of care listed in the aforementioned terms and conditions. It was not stipulated there that the corresponding card transactions had to be confirmed by means of a two-factor authentication.
The relevant contractual provisions in this case followed the principle that the party responsible for the actions was the one who could also influence them. In the present case, it was not apparent how the bank could have prevented the transactions disputed by the client by taking reasonable and appropriate measures. Rather, it would have been up to him to ensure that no unauthorised persons had access to his device with which the transactions were made that were charged to his card deposited on the corresponding account with the provider. The Ombudsman was therefore also unable to counter the bank’s argument that the transactions could be attributed to the customer and that he had breached his duties of care in handling the card. He regretted the bank’s admitted mistake in not informing the customer until late about the merely provisional cancellation of the transactions. However, it was not comprehensible to him that this would have prevented the customer from also complaining about the transactions directly to the provider.
The Ombudsman therefore considered further mediation efforts futile and closed the case.