/ Consumer awareness as a defense against frauds

May 23, 2023

Court of Appeals’ ruling sets an unprecedented precedent with respect to the liability limits for the care of access credentials to a platform in the context of a consumer relationship.


Jaime Urzúa
Associate Attorney
Alessandri Abogados


At the end of March 2023, the Puerto Montt Court of Appeals (CoA) issued an interesting ruling on the security duties of banks with respect to fraudulent conduct against their clients.

The case dates back to 2020, when a client of Banco Estado was the victim of a telephone scam, by means of which the client gave her access credentials to the bank’s private website to unknown subjects, who pretended to be executives of said institution. She was affected by approximately eleven million pesos in electronic fund transfers, purchases and loans requested by the individuals.

The affected party initiated proceedings before the Second Local Police Court of Puerto Montt (JPL), where she argued that the bank violated the duties required by Law No. 19,496 on Consumers Rights Protection (LPDC) and Law No. 20,009 (Fraud Law).

In summary, she stated that the bank would have:

  • Failed to comply with the duty of safety in the consumption of goods and services (Article 3 of the LPDC).
  • Acted negligently due to failures or deficiencies in the quality and safety of the service (Article 23 of the LPDC).
  • Infringed with the adoption of safety measures necessary to prevent the commission of fraud in electronic transactions.
  • The JPL issued a judgment and established the infringement liability of the provider, for having breached the security obligation and acted negligently in the provision of the service.

However, the bank appealed the judgment and finally the CoA overturned the client’s claim in its entirety. The appellate court considered that the background information provided by the plaintiff was not sufficient to prove any degree of negligence or lack of security on the part of the bank.

This change was mainly due to the fact that the bank accredited in the appeal the realization of several security campaigns to avoid bank frauds, in which it constantly recommended the clients not to give their personal passwords to third parties and that the bank will never ask for them, a matter that leads to discard the concurrence of a violation of the consumer’s law.

This ruling sets an unprecedented precedent with respect to the limits of liability for the care of access credentials to a platform within the framework of a consumer relationship.

Article 3 of the LPDC refers to a requirement towards suppliers that goods or services do not cause damages other than those that simply derive from defects in quantity or performance (the so-called “consumer safety” right). Both doctrine and case law have understood that this duty is limited to the physical and psychological integrity of the consumer, in the sense that the good or service consumed does not damage or injure his health (for example, that the facilities of a store or premises are safe or that the product does not cause injuries to the consumer in its use).

As a counterpart to the aforementioned right, there is the consumer’s duty of safety, by virtue of which the consumer must avoid the risks that may affect him. This means that the customer must observe self-care and prudence in the use of the product and service, which translates into the responsibility to know and follow the instructions and warnings that have been communicated by the supplier. Therefore, if the consumer breaches this duty, the damage caused can be charged to his own conduct and does not generate either infringement penalties or civil liability for the supplier.

In addition, Article 23 of the LPDC requires a subjective analysis (contrary to the strict liability regime) to determine the infringement. In other words, the bank’s actions must have been negligent, a matter that cannot be imputed according to the facts.

Thus, it can be seen that the security measures employed by the bank to safeguard its assets and protect the products contracted by the users (basic obligations of the bank as analyzed) are not precisely those that were violated in this case. In the process it was recognized that the victim was the one who gave his credentials and coordinates, a matter that the bank in question has repeatedly instructed not to do through awareness campaigns.

Unfortunately, this case is in line with the increase in the number of telephone scams and crimes such as vishing. It is unfortunate that despite the measures taken by both public and private actors (especially financial institutions) people continue to be victims of this type of illegal activities. On the other hand, the ruling is a warning call not to lower our guard against new forms of fraud by electronic means, increasingly present in our daily lives.