The 70-year-old client had advertised ski boots for sale on a classified ads website. She was then contacted by a person who claimed to be interested in buying her shoes. The alleged buyer got the client to send him certain personal information by claiming that it was necessary in order to arrange payment of the money for the ski boots. According to the client’s recollection, she merely told the alleged buyer the IBAN of her account at the bank and her telephone number. The client also acknowledged having entered a code received by text message from the bank into her card reader and then forwarded the resulting information to the alleged buyer, which enabled him to activate the TWINT app on his phone. Almost immediately thereafter, nine transactions were made for a total of CHF 4,750 using TWINT and charged to the client’s account. As the bank later found out, these transactions were used to purchase digital TWINT vouchers. These vouchers can be used to shop at the retailers that issued them. They can also be forwarded directly via TWINT or by e-mail to third parties.

The client complained to Bank B about the fraudulent transactions. However, the bank refused to cancel even part of this amount. In its statement to the client, the bank essentially argued that the client had entered her bank details, the identification number on her bank card, and other personal information into a form that the fraudsters had sent her. According to the bank, the client then entered a code into the card reader in her possession, which the fraudsters had previously communicated to her by telephone. The information provided and the information calculated by the card reader on the basis of the code allowed the fraudsters to download the TWINT app onto a mobile device available to them and to link it with the client’s personal account. They then carried out the transactions complained about. In the Bank’s view, the client had breached her duty of care by disclosing confidential information to a third party, thereby violating the contractual provisions applicable to their business relationship and the use of the TWINT app. The bank therefore refused all liability in this case and refused to pay compensation to the client.

Since the client was not satisfied with the bank’s response, she submitted a request for mediation to the Ombudsman. In her opinion, the text message she received from the bank only contained a code but no accompanying text. She was therefore unable to understand that it was a code for activating the TWINT app, which was unknown to her and which she did not use. The client also claimed that the TWINT daily limit was CHF 5,000 by default. This limit was therefore significantly higher than the daily limit of CHF 1,000 provided for cash withdrawals with their bank card. She added that she had reported the fraudulent transactions to the bank by telephone very quickly. She was surprised that the bank was unable to reverse the transactions and demand the money back despite the immediate notification. She believed that she had fulfilled her duties of care by reporting the incident immediately.

The Ombudsman then contacted the bank and asked it to state its position on the various aspects of the case, in particular on the question of why the code sent by SMS was not accompanied by any explanatory text indicating its intended use. He also believed that the applicable TWINT Terms of Use had only been accepted by the fraudsters when activating the TWINT application and therefore had no validity for the client.

In its response to the Ombudsman, the bank admitted that the SMS sent to the client to send the code did not contain any text or warning. However, it pointed out that it had since changed the SMS used to send activation codes and added a note to the effect that the recipient would be able to recognise the intended use of the code. The newly introduced accompanying text indicated that the code was treated as confidential and could only be used to activate the TWINT app. The bank also acknowledged that the terms and conditions of use for TWINT had only been accepted by the fraudsters. However, this was made possible by the client’s breach of due diligence, who had disclosed the confidential data required for this purpose.

The bank also pointed out that the standard limit of CHF 5,000 for transactions via the TWINT app was based on the limit for goods purchases with their debit cards. In this context, it pointed out that TWINT transactions cannot be compared with cash withdrawals. The bank also pointed out that TWINT transactions are carried out immediately and cannot be reversed. Regarding the client’s request to reverse the nine transactions, the bank stated that it generally waited 24 hours before initiating a search for a TWINT payment on a telephone number. In fact, the processing could take up to 24 hours due to delays at the recipient bank. In the present case, its requests for recovery had been unsuccessful.

In the bank’s opinion, the decisive factor in this case was that the client had disclosed information that she should have treated as confidential to third parties. Referring to the technical details of the activation process, the bank argued that the client’s breach of due diligence had made the disputed transactions possible and therefore caused the loss. Nevertheless, the bank decided to pay the client a sum of CHF 2,000 as a gesture of goodwill in order to settle the dispute amicably and without acknowledging any legal obligation. The client decided to accept the settlement offer. The case could be closed on this basis.