The burden of proof in the nullity of electronic bank transfers

Wire transfers are services widely used by users of financial services as they are a convenient and fast instrument to make payments from one bank account to another, even between accounts of different banks through systems such as SPEI (Interbank Electronic Payment System), which is operated by Banco de México.

However, the systems used by banks to provide electronic payment services may be violated by persons seeking to obtain an undue economic benefit by making electronic payments without the consent of the holder of the corresponding bank account.

In this regard, Articles 77 and 96 of the Credit Institutions Law provide that banks must establish basic security measures to protect the public, the bank’s assets and its factors and dependents, in addition to carrying out practices that ensure adequate attention to their customers and the security of the transactions in which they are involved.

In accordance with the General Provisions Applicable to Credit Institutions compiled by the National Banking and Securities Commission (the “General Provisions“), credit institutions are required to use authentication factors to verify the identity of their users and the authority they have to perform transactions through electronic banking services, in addition to generating records, logs and audit trails of the transactions performed by electronic means.

Among the information that must be registered by the credit institutions are: (i) the date and time of the transaction, (ii) the number of the origin and destination accounts, (iii) the identification data of the access device used by the customer to perform the transaction, (iv) the addresses of the Internet protocols, and (v) the numbers of the cell phone line used to perform the transaction.

The General Provisions also provide that banks must have mechanisms that prevent third parties from interfering with sessions initiated by a user when using the electronic banking service, such as: (i) terminating the session when the credit institution identifies changes in the range of addresses of the communication protocols or geographic location, or (ii) preventing simultaneous access by a user to more than one session.

In accordance with the foregoing, the First Chamber of the Supreme Court of Justice of the Nation has established that in cases in which a user demands the nullity of electronic bank transfers, the credit institution must demonstrate that it complied with all the security measures set forth in the General Provisions to guarantee the certainty of the disputed transactions and that there were no incidents that compromised the customer’s data. According to the Supreme Court, only in the event that the bank has demonstrated that it complied with the above, the user will be obliged to disprove what was provided in the trial by the credit institution in order to justify the validity of the nullity claim.