
Legal Liability of Banks in Credit Card Fraud
With the impact of digitalization, credit cards have become a critical payment tool for both personal finance and the national economy. Despite this, fraudulent activity is constantly evolving into sophisticated cyberattacks. This raises the question of which party will legally bear the responsibility for losses incurred as a result of unauthorized transactions. Turkish law, in addressing this issue, subjects banks to an aggravated liability regime. This regime is regulated by the Consumer Protection Law and the Payment Services Law. Due to the principle of interpretation in favor of the consumer, compensation liability may arise even if the bank is not at fault. Therefore, banks’ technological security and operational diligence obligations are of paramount importance.
I. IDENTIFICATION OF THE LEGAL ISSUE
A. Importance, Scope, and Legal Issue of the Subject
In the digitalized financial ecosystem, credit cards have become an indispensable payment instrument for both individuals and the national economy. Parallel to this, fraudulent acts are also evolving from traditional methods toward sophisticated attacks carried out via information systems. In this context, the question of which party should bear the loss arising from unauthorized transactions due to credit card fraud constitutes a vital legal problem for maintaining the bank-customer trust relationship.
The core of the legal issue lies in whether the determining factor in the occurrence of unauthorized payment transactions is a security vulnerability in the bank’s system or the consumer’s personal negligence (gross negligence). Turkish law mandates that banks be examined not under the general provisions of the agency contract (Turkish Code of Obligations – TCO) but under an aggravated liability regime defined by special laws (Law No. 5464 on Bank Cards and Credit Cards, and Law No. 6493 on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions). This aggravated liability, driven by the principle of consumer protection, points to a regime close to strict liability, where the bank may be held liable for compensation even if it is not at fault for the loss.
B. Classification of Credit Card Fraud Types
Fraudulent acts are subjected to different legal assessments depending on the method used:
- Physical Card Fraud: This type commonly includes Skimming (copying card information at ATMs or POS devices) and the use of lost/stolen cards. In Skimming incidents, deficiencies in the bank’s obligation to ensure ATM security directly lead to the bank’s liability.
- Information System Fraud (Bilişim Yoluyla Dolandırıcılık): This is the most common type that leads to legal disputes. Phishing, Vishing, or the acquisition of the consumer’s personal and financial information through malicious software (Trojan, Spyware) and subsequent counterfeit card production are covered in this scope. A perpetrator obtaining card information through these means and carrying out a transaction can be prosecuted under Turkish Penal Code (TPC) Article 245.
- Internet and Mobile Banking Fraud: These frauds typically point to situations where the bank’s security systems are inadequate against dynamic threats. As addressed in a Supreme Court ruling, the withdrawal of money from an account via internet banking without the customer’s consent puts the bank’s security vulnerability directly at issue. Broader bank fraud methods, such as fraudsters opening accounts with forged documents or using counterfeit checks/bills, also exist.
C. Legal Nature of the Bank-Customer Relationship
The credit card contract is a consumer contract under Law No. 6502 on the Protection of the Consumer (LPC) and a payment services contract under Law No. 6493. The LPC introduced significant regulations to protect consumers in consumer loan and credit card contracts. This dual legal nature necessitates the application of the principle of interpretation in favor of the consumer in resolving disputes, elevating the bank’s liability standard above the general diligence standard in commercial life.
II. FOUNDATIONS OF THE LEGAL LIABILITY REGIME: SPECIAL LAWS
The bank’s liability for unauthorized transactions is primarily addressed within the framework of three main laws: Law No. 5464, Law No. 6493, and the TPC due to the penal dimension of fraud.
A. Framework of the Law on Bank Cards and Credit Cards (Law No. 5464)
Law No. 5464 determines the primary obligations of card-issuing institutions (banks). The law imposes upon banks the obligation to take necessary measures to keep confidential any information, such as a code number, password, or other identity-determining method, required for the use of the cards. This provision has prepared the legal ground for precedents that recognize banks have an aggravated liability stemming from the law to ensure credit card security. The bank is obligated to ensure not only the physical security of the card but also the protection of card information in the digital environment.
B. Law on Payment Services and Electronic Money Institutions (Law No. 6493) and Unauthorized Transaction Liability
Law No. 6493 contains the most specific provisions regulating the liability of banks for unauthorized transactions in payment services. This law establishes a liability regime that mandates the payment service provider (the bank) to compensate the loss immediately, even if it is not at fault.
The law regulates that the consumer must notify the loss within a certain period (usually 13 months) and stipulates that the bank must immediately compensate the loss unless it can prove that the payment transaction was authorized. This is the statutory basis for the principle that the burden of proof rests with the bank. Furthermore, Law No. 6493 highlights the priority of system security, stating that banks even conduct the supervision of electronic money institutions and that unauthorized activities are subject to penal sanctions.
C. The Penal Law Dimension: TPC Article 245 and its Importance
Fraudulent acts constitute a crime under the special provisions of the Turkish Penal Code (TPC). TPC Article 245 is regulated under the heading “Misuse of Bank or Credit Cards Crime.” Using another person’s card without consent (TPC 245/1), producing, selling, or accepting counterfeit cards (TPC 245/2), and obtaining benefit by using a counterfeit card (TPC 245/3) entail severe penalties.
Credit card fraud can also be assessed as the crime of “qualified fraud” under TPC Article 158, which provides for imprisonment of 3 to 10 years. The consumer’s application to law enforcement (filing a criminal complaint with the prosecutor’s office) is a mandatory step in the legal process. The determination of the perpetrator’s penal liability does not eliminate the bank’s legal liability, but it affects the course of the legal process and the requirements for proof.
III. BANK’S AGGRAVATED DUTY OF CARE AND TECHNOLOGICAL SECURITY OBLIGATION
A. Scope of the Duty of Loyalty and Diligence
Banking is a sector based on high trust. Pursuant to Article 506 of the Turkish Code of Obligations (TCO), banks, as agents, must exercise a high degree of diligence in protecting their customers’ interests. In the context of banking law, this includes not only fulfilling contractual obligations but also the duty of loyalty aimed at protecting the customer’s financial security. Therefore, the bank’s duty of care is determined by the highest security level required by the risks in the market.
B. Technological Security Standards and the Supreme Court’s High Expectation
Current precedents have elevated the banks’ duty of care from mere static regulatory requirements to a dynamic and technology-based standard. This situation has transformed the definition of the bank’s fault directly into a technological competency issue.
1. Electronic Signature and Security Vulnerability
The landmark decisions of the 11th Civil Chamber of the Supreme Court have ruled that banks should initiate the use of more secure electronic signatures instead of just passwords or passcodes in risky transactions like internet banking. Failure by the bank to notice security vulnerabilities, such as an account remaining open for a long time, proves the bank’s fault. In this context, the money withdrawn through an unauthorized transaction is deemed to be the bank’s own loss resulting from the inadequacy of the bank’s security system. If a more secure authentication method available in the sector is not used by the bank due to cost or another reason, this is directly considered a cause for legal negligence and fault.
2. BDDK Audit Trail Obligation
The Banking Regulation and Supervision Agency (BDDK) mandates banks and payment institutions to keep strict audit logs in their information systems. According to the relevant BDDK communiqués, institutions are obliged to record details about the application, communication network protocol, time, and source, as well as the target port and IP information where the access or transaction occurred.
This technical obligation, combined with the legal burden of proof, is vital for banks. Since the burden of proving that the unauthorized transaction was approved by the consumer rests with the bank pursuant to Law No. 6493, the bank must present complete and unadulterated audit logs kept in compliance with these BDDK requirements. If the bank cannot present impeccable audit logs to prove the unauthorized transaction, liability under Law No. 6493 automatically arises. This indicates that non-compliance with technical regulations simultaneously leads to a failure of proof in the civil court.
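As an added illustration (not code from the article or from any BDDK text), the following hash-chained audit log shows how a bank can make such records tamper-evident, so that a log presented in court can be shown to be complete and unaltered since it was written. The field names are this example’s own choice, modelled on the categories listed above (application, protocol, time, source, target IP and port); the sample records are constructed.

```python
# Added example: hash-chained audit log with required-field checking.
# Field names are assumptions modelled on the BDDK categories named in the text.
import hashlib
import json
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("application", "protocol", "timestamp", "source_ip",
                   "target_ip", "target_port", "transaction_id")
GENESIS = "0" * 64  # chain anchor for the first record


def _chain_hash(prev: str, record: dict) -> str:
    """Hash of the previous entry's hash plus a canonical JSON form of the record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canon).encode()).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        """Append a record; refuse incomplete records so the log stays complete."""
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"audit record missing fields: {missing}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _chain_hash(prev, record)
        self.entries.append({"record": dict(record), "prev": prev, "hash": digest})
        return digest

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _chain_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE = [
    {"application": "internet-banking", "protocol": "HTTPS",
     "timestamp": "2024-03-01T10:15:02Z", "source_ip": "203.0.113.7",
     "target_ip": "198.51.100.20", "target_port": 443,
     "transaction_id": "TX-0001", "result": "login-ok"},
    {"application": "internet-banking", "protocol": "HTTPS",
     "timestamp": "2024-03-01T10:16:40Z", "source_ip": "203.0.113.7",
     "target_ip": "198.51.100.20", "target_port": 443,
     "transaction_id": "TX-0002", "result": "transfer 4500 TRY"},
]


def build_log() -> AuditLog:
    log = AuditLog()
    for r in SAMPLE:
        log.append(r)
    return log


def tampered_log() -> AuditLog:
    """Same log, but the transfer's source IP was edited after the fact."""
    log = build_log()
    log.entries[1]["record"]["source_ip"] = "192.0.2.99"
    return log


if __name__ == "__main__":
    print("intact log, first bad index:", build_log().verify())      # -1
    print("tampered log, first bad index:", tampered_log().verify())  # 1
```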
C. Risk Monitoring (Fraud Monitoring) and Notification Obligation
The bank’s aggravated duty of care is not limited to protecting the technical infrastructure; it also encompasses operational risk management. The bank is obligated to actively detect the customer’s unusual spending patterns or attempts to exceed limits and notify the customer instantly.
The Supreme Court ordered a bank to pay compensation in a lawsuit filed by a customer who had set a credit card spending limit, because the bank failed to notify the customer even though that limit was exceeded. This decision confirms that the bank’s effective use of operational risk monitoring systems is a primary legal requirement, as much as technical security. The inadequacy of risk monitoring systems (Fraud Risk Scoring) directly leads to legal fault if it allows the unauthorized transaction to take place.
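As an added example (not from the article or any bank’s system), the following minimal monitoring pass flags the conditions the text says a bank must detect: a customer-set limit being exceeded, a transaction far above the customer’s usual amount, and a burst of transactions in a short window. The thresholds and the sample transactions are constructed assumptions.

```python
# Added example: rule-based fraud monitoring over a card's transactions.
# Thresholds (spike_factor, velocity_n, velocity_window) are assumed values.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    when: datetime
    amount: float  # TRY
    merchant: str


def monitor(txns, customer_limit, history_avg, velocity_n=3,
            velocity_window=timedelta(minutes=10), spike_factor=5.0):
    """Return (txn_id, reason) alerts; each should trigger an instant customer notification."""
    alerts = []
    running = 0.0
    limit_alerted = False
    recent = []  # timestamps inside the velocity window
    for t in sorted(txns, key=lambda x: x.when):
        running += t.amount
        # Rule 1: cumulative spend crosses the limit the customer set (alert once).
        if running > customer_limit and not limit_alerted:
            alerts.append((t.txn_id, f"customer limit {customer_limit:.0f} exceeded (total {running:.0f})"))
            limit_alerted = True
        # Rule 2: a single amount far above the customer's historical average.
        if history_avg > 0 and t.amount >= spike_factor * history_avg:
            alerts.append((t.txn_id, f"amount {t.amount:.0f} is {t.amount / history_avg:.1f}x the usual {history_avg:.0f}"))
        # Rule 3: too many transactions within a short window.
        recent = [r for r in recent if t.when - r <= velocity_window] + [t.when]
        if len(recent) >= velocity_n:
            alerts.append((t.txn_id, f"{len(recent)} transactions within {velocity_window}"))
    return alerts


# Constructed sample: customer set a 5,000 TRY limit and usually spends ~150 TRY.
SAMPLE_TXNS = [
    Txn("TX-1", datetime(2024, 3, 1, 10, 0), 200.0, "grocery"),
    Txn("TX-2", datetime(2024, 3, 1, 12, 0), 300.0, "fuel"),
    Txn("TX-3", datetime(2024, 3, 1, 12, 1), 4000.0, "electronics-online"),
    Txn("TX-4", datetime(2024, 3, 1, 12, 3), 900.0, "electronics-online"),
]


def sample_alerts():
    return monitor(SAMPLE_TXNS, customer_limit=5000.0, history_avg=150.0)


if __name__ == "__main__":
    for txn_id, reason in sample_alerts():
        print(f"NOTIFY customer: {txn_id}: {reason}")
```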
D. Legal Consequences of the 3D Secure Application
The use of additional security mechanisms like 3D Secure aims to reduce the risk of fraud in card payment systems. When these systems are used, it is accepted that the liability in case of chargebacks shifts from the merchant to the card-issuing bank. This reinforces the bank’s obligation to provide a high-security payment infrastructure to the customer and increases the legal cost for a bank that chooses not to implement such a mechanism for its customers.
Bank’s Core Security Obligations and Legal Basis
| Obligation Type | Scope and Content | Legal Basis (Example) | Effect |
|---|---|---|---|
| Ensuring Card Confidentiality | Protection of the confidentiality of passwords, codes, and identity information. | Law No. 5464, Art. 8 | Contractual and Statutory Protection |
| Dynamic System Security | Implementation of more secure methods like Electronic Signature instead of password. | Supreme Court 11th Civil Chamber Ruling No. 2011/3961 | Raising the Standard of Technological Competence |
| Retention of Audit Logs | Retention of immutable records containing access, IP, protocol, and time information. | BDDK Information Systems Communiqué | Technical Infrastructure for the Legal Burden of Proof |
| Risk Monitoring and Notification | Detection of unusual spending patterns and instant alert to the customer. | Supreme Court Rulings (Limit Overrun) | Prevention of Operational Fault |
IV. EXEMPTION FROM LIABILITY AND REVERSAL OF THE BURDEN OF PROOF
A. Principle of the Burden of Proof Resting with the Bank in Unauthorized Transactions
It is extremely difficult for the bank to be exempted from liability for losses arising from unauthorized transactions. The basic rule is the obligation of the payment service provider (the bank) to prove that the payment transaction was approved by the authorized user and that the personalized security measures (password, passcode, etc.) used during the transaction were correctly employed. This principle has been codified by Law No. 6493 and reinforced by Supreme Court rulings. To be exempted from liability, the bank must conclusively prove either that the transaction was executed by the customer in person or that the customer was in gross negligence. If the bank fails to provide this proof, it is obliged to compensate for the resulting loss.
B. Concept of Consumer Gross Negligence and the Supreme Court General Assembly of Law Standard
The only escape route the bank relies upon to be exempted from liability is proving that the consumer had gross negligence in the occurrence of the fraud. Consumer gross negligence, differing from mere simple negligence, refers to behaviors far below the diligence expected of an average person, such as intentionally or with great indifference disclosing card information to third parties or writing the password on the card.
1. HGK’s Landmark Decision and the Rejection of Fault Based on Probabilities
The General Assembly of Law (HGK) set an extremely strict standard for proving consumer gross negligence in a case where unauthorized transactions occurred. In one case, the expert report suggested that the plaintiff might have had their personal information stolen from their computer or might have caused a redirecting program to be installed on their phone, concluding that the plaintiff was contributorily negligent at a rate of 40% based on probabilities. However, the HGK rejected this deduction of fault based on probabilities.
The HGK mandated that for the bank to be exempted from liability, the consumer’s fault must be conclusively and concretely linked to the specific incident, and the bank’s own system deficiencies must be investigated. This landmark decision largely prevented the acceptance by courts of general and probabilistic defenses frequently used by banks, such as “the customer’s computer was infected with a virus” or “the customer failed to protect personal information.”
2. Application of the Comparative Security Standard
A critical finding was made in the same HGK ruling: it was understood that other banks, excluding the defendant bank, prevented the outflow of money from the customer’s accounts by notifying the customer during the same malicious attempt. This indicates that the bank’s potential operational or technical fault outweighed the customer’s potential minor fault. This assessment reveals that the bank’s security standard is determined not only by minimum legal requirements but also by the current security level applied by other banks in the sector. If a bank fails to prevent an attack that rival banks could prevent, it faces the risk of being deemed operationally at fault legally.
C. Application of Contributory Negligence and Apportionment of Loss
The Supreme Court may rule for the apportionment of loss according to the fault ratios (contributory negligence) even in cases where the consumer’s gross negligence is conclusively proven, provided that the bank is also at fault (e.g., due to inadequacy in risk monitoring or notification). However, this situation rarely occurs due to the high standard of proof set by the Supreme Court. Furthermore, Law No. 5464 and Law No. 6493 have limited the consumer’s liability prior to notification in case of card theft or unauthorized use (usually a low limit like 150 TL), ensuring that the majority of the risk is borne by the bank.
Supreme Court Criteria for Liability in Unauthorized Transactions
| Subject of Ruling | Bank’s Defense | Supreme Court/HGK Ruling | Legal Principle |
|---|---|---|---|
| Internet Banking Security | Password theft is the customer’s negligence. | The bank is at fault for not using more secure methods like electronic signature. | Dynamic Security and Duty of Care |
| Claim of Contributory Negligence | Probability of a virus on the customer’s computer. | Fault based on probabilities is unacceptable; fault must be proven with concrete and conclusive evidence. | Conclusiveness of Gross Negligence Proof |
| Operational Risk Management | Failure to notify the customer after limit overrun. | The bank was deemed to have violated its risk monitoring and notification obligation. | Expansion of the Scope of the Duty of Loyalty |
V. LEGAL APPLICATION PROCESSES AND COMPENSATION CLAIMS
A. Mandatory Steps the Victim Must Follow
Victims of credit card fraud must immediately take steps to protect their rights and initiate the legal process:
- Immediate Written Objection to the Bank: Prompt notification of the unauthorized nature of the transaction to the bank is mandatory to activate the reimbursement mechanism under Law No. 6493. The objection petition submitted to the bank is considered the start of the legal process.
- Criminal Complaint to Law Enforcement: The consumer must simultaneously apply to the Chief Public Prosecutor’s Office to lay the groundwork for a public prosecution under TPC 245 after learning of the unauthorized transaction.
- Chargeback Application (Ters İbraz): Especially for credit card transactions, applying for a chargeback to the bank within the rules of international payment systems (Visa, Mastercard) creates the potential for rapid recovery of the loss.
B. Civil Compensation Lawsuit and Authorized Court
Disputes arising from unauthorized transactions between the bank and the consumer are heard in Consumer Courts (or Civil Courts of First Instance or Commercial Courts acting as Consumer Courts in non-specialized locations) because the relationship between the parties is considered a consumer contract under Law No. 6502. The subject of the lawsuit is the claim for the reimbursement (compensation) of the amount withdrawn from the account via the unauthorized transaction.
The bank’s liability in compensation lawsuits is examined under the aggravated regime determined by special laws. The bank will be liable for the entire loss incurred as long as it fails to discharge the burden of proof.
VI. CONCLUSION AND FORWARD-LOOKING ANALYSIS
A. Summary of Key Findings
Turkish law, in regulating the liability of banks in credit card fraud, implements a legal regime that is aggravated and close to strict liability, centering the principle of consumer protection. Law No. 6493 places on the bank the burden of proving that the disputed transaction was authorized, thus protecting the consumer at a high level.
The precedents of the Supreme Court and the General Assembly of Law have set a strict standard by tying the banks’ attempts to evade liability, particularly the requirement to fulfill the burden of proof, to conclusive, concrete, and unquestionable evidence. The bank’s liability is not limited to taking minimum legal security measures; it also includes the obligation to implement risk monitoring, instant notification, and the most up-to-date technological security standards in the sector. A vulnerability in the bank’s security system leads to the bank being considered operationally at fault in situations where other banks could prevent the attack. This situation mandates banks to invest in security.
B. Improvements Needed in Legislation
It is important for legislation to remain dynamic in the face of rapidly evolving cyber threats.
- Codification of Dynamic Security Standard: High technological expectations, such as the Supreme Court’s electronic signature mandate and the HGK’s comparative security standard, should be supported by clearer and more dynamic provisions within BDDK communiqués and Law No. 6493. This will encourage banks to adopt best practices not only retrospectively but also proactively.
- Legal Use of BDDK Audit Logs: Establishing standard formats and certification procedures so that the audit logs mandated by the BDDK can be evaluated by courts in legal proof processes without requiring technical expertise will ensure that the burden of proof is fulfilled transparently by banks.
- Balance Between Consumer Education and Risk Sharing: Providing clear guidelines for identifying rare situations where even simple consumer negligence could constitute gross negligence will contribute to consumer awareness and increase legal predictability for banks. However, the current Supreme Court approach establishes this balance in favor of the bank’s high duty of care.