Court leaves clients on their own over bank account fraud

Bank clients are to blame for digital fraud on their accounts, a judge in the Commercial Division of the High Court has ruled.

Justice Stephen Mubiru said digital fraud is a result of clients’ carelessness with bank details.

“The customer’s responsibility is to always keep their banking information, user IDs, passwords, and PIN numbers confidential. Account takeovers happen when fraudsters acquire the login details of a legitimate user, and then use the account as their own,” Justice Mubiru said on July 18 while ruling in a case in which a woman sued Centenary Bank over withdrawals made from her account allegedly without her knowledge.

In the case, Ms Aida Atiku sought court orders to compel Centenary Bank to refund more than Shs50m, which she claimed was fraudulently withdrawn electronically from her account over an undisclosed period.

According to Ms Atiku, she opened an account with the bank in 2020, where she deposited Shs56.3m. She added that she withdrew only Shs700,000 of the money.

She said eight months later, she returned to the bank to withdraw the rest of the money but there was no money in the account.

“She was informed by the bank staff that someone had, over time, been withdrawing diverse sums of money electronically from the account using the CenteMobile platform, yet she had never applied for such service,” court documents read in part.

However, Justice Mubiru absolved the bank of any liability for the fraud on Ms Atiku’s account.

Justice Mubiru reasoned that Ms Atiku was in the best position to detect any fraud on her bank account.

“I have not found any situation created by the defendant in the management of its two-factor authentication buffer and that allowed third-party fraudsters to interfere with and compromise the plaintiff’s bank account, yet the plaintiff was in a better position to avoid the loss. Therefore, the suit fails and it is dismissed with costs to the defendant (bank).”

The judge relied on the testimony of Mr Andrew Ssebunya, the bank’s systems analyst, who told the court that one of the security features put in place by the bank is that the customer’s mobile phone USSD code used at the time of the account opening is pegged to the SIM card, so that the customer can transact with only one phone number that is registered with them.

“When performing any transaction, if the serial number of the phone and the one pegged to the account do not match, the account will be blocked. Reactivation is required if access is blocked. In this instant case, there was a reactivation of the account which occurred on February 5, 2020,” the judge said.

Justice Mubiru also observed that one of the interventions made available to Ms Atiku to enhance her level of protection of deposited funds was sending her SMS notifications whenever there was a transaction on her account.

“She (Ms Atiku) admitted having received only one such SMS alert. However, the plaintiff testified that her daughter had access to her phone and it is her daughter who normally read the messages on her phone,” Justice Mubiru said.

He added: “In effect, the plaintiff (Ms Atiku) compromised some of the security features put in place by the defendant (bank) for her protection and instead reposed her trust and confidence in her daughter. Unfortunately, the plaintiff could not tell whether or not her daughter transacted on her account using that phone. She as well could not tell whether or not money from her account was transmitted from her bank account to her mobile money account using that phone.”

The judge held that Ms Atiku, in her testimony, told the court that she had never lost her phone but was not able to read the messages on it because of her poor eyesight.

Court documents also showed that on February 6, 2020, there was a transfer of funds from Ms Atiku’s account to a phone number that does not belong to her, but the transfer was initiated by a customer or a person with her PIN.