Table of Contents
- Introduction
- What Do the Statutes Say?
- Mexican Supreme Court of Justice’s Criteria
- What Must the Banking Institution Prove in Court?
Introduction
Due to technological advances, traditional banking has evolved, and financial institutions now provide banking and credit services digitally. Today, a digital banking system allows immediate financial interaction between financial institutions and users through a tool that makes operations quick to carry out and, above all, supposedly keeps their assets secure.
On the other hand, financial security is not a problem that began with the digital age. Wherever commerce has flourished and money has circulated, scoundrels and grifters have waited for the right opportunity to profit from the assets of third parties using the most refined techniques of social engineering: extortion, forged signatures, altered documents, exploiting the naivety of their victims, and so on. In sum, there have always been those who take advantage of people’s inexperience and trust. Digital banking is no exception, and its illicit abuse by third parties is a reality.
This is why the Mexican federal lawmakers, the Bank of Mexico, and the Mexican Banking and Securities Commission (Comisión Nacional Bancaria y de Valores) issued very clear obligations that banking institutions must comply with regarding cybersecurity. These provisions, issued in favor of financial users, are mostly unknown to the average person, but in practice they are key to helping users recover their assets in commercial lawsuits. Among them, the General Provisions applicable to Credit Institutions issued by the National Banking and Securities Commission stand out.
Thus, once a user of a banking institution notices that, through the electronic banking service, he suffered a loss of assets without his consent and wants to recover it, he has mainly two legal options: 1) file a complaint with the criminal authority so that it carries out a professional investigation and seeks punishment for the criminal offense; or 2) directly sue the banking institution for the absolute nullity of the commercial bank transfers and recover the amount of the transactions plus six percent annual interest.
In this entry, I will address the second path, pointing out its procedural background, judiciary precedents, and rules that plaintiffs must consider during the trial, such as who has the burden of proof.
What Do the Statutes Say?
First off, you should know that in Mexico the scope of the electronic banking system is regulated mainly by the banking institution’s contract. That contract is entered into pursuant to article 52[1] of the Credit Institutions Law, in which the lawmaker grants banking institutions the possibility of carrying out operations with their users through an advanced electronic signature or any other form of digital authentication (such as face or voice recognition, a fingerprint, etc.). The contract also emphasizes the user’s responsibility to safeguard their digital authentication information.
Safeguarding is critical because imposing legal responsibility on the banking institution for transfers that were authorized after the security systems of its electronic banking were breached is not the same as doing so for transfers that were authorized and used for the benefit of a third party through an abuse of the financial user’s trust or naivety. In the first case, the responsibility of the banking institution is clear. In the second, the financial user would have to bear the consequences of their lack of care and, in any case, file a civil or criminal complaint against the third party involved.
In this way, to protect the financial user in terms of cybersecurity, the Bank of Mexico and the National Banking and Securities Commission have issued several legal provisions to guarantee the reliability of electronic banking orders. These regulations imply that no bank employee may know a user’s authentication method. Hence, when an authentication method is used in the digital world, it is presumed that its legitimate owner used it.
This legal presumption becomes relevant in commercial matters and applies to the commercial trial against a banking institution under article 6 of the Credit Institutions Law, since, pursuant to articles 89 and 90[2] of Mexico’s Commercial Code, when a data message is received (such as an instruction through electronic banking to carry out an operation) and means of identification belonging to the transmitter that only their owner should know, such as keys or passwords, have been used to send it, it is presumed, for that sole reason, that the transmitter consented to it.
In practice, this legal presumption meant that it was enough for the banking institution to prove that the challenged transfers were made after the means of identification in electronic banking had been used; with this, the transfers were presumed to have been authorized by their rightful owner, the transmitter. Consequently, if the legitimacy of such transfers was still disputed in court, the judge had to place the burden of proof about the electronic banking system’s security on the plaintiff.
This implied that plaintiffs had to offer an expert witness (which in some cities is difficult to find) to analyze the electronic banking system’s data and security according to the rules issued by Mexico’s National Banking and Securities Commission in order to support their claims of nullity. Namely, to reveal the electronic system’s lack of security during the transaction or that it had been subject to intervention by third parties, which, of course, was and continues to be extremely difficult.
Due to the difficulty mentioned above (and, of course, its huge cost), some Federal Collegiate Circuit Courts[3] interpreted the regulations on banking cybersecurity issued by the National Banking and Securities Commission and concluded that commercial lawsuits in which banking users challenged monetary transfers could not be resolved based on mere presumptions. In contrast, other courts concluded that the legal presumption mentioned above was enough. Such discordant criteria brought uncertainty to banking users until the Mexican Supreme Court settled the issue.
Therefore, given this contradiction in criteria, the Supreme Court of Justice of the Nation ruled on the matter in the contradicciones de tesis 128/18 and 206/20, which now serve as a guide for corporate attorneys when filing claims of nullity over unrecognized banking transactions.
Mexican Supreme Court of Justice’s Criteria
According to the contradicciones de tesis mentioned above, our highest court concluded that in commercial trials where the nullity of bank transfers for unrecognized amounts of money is challenged, the commercial court must consider the following:
1.- There is an asymmetry in the consumer relationship between the banking institution and the financial user, since the former has the knowledge and the human, technological, and financial resources to provide the relevant and suitable information needed to resolve the case on its merits.
2.- It is not enough to invoke the presumption contained in article 90 of the Commercial Code if, during the trial, the facts on which the presumption is founded are not proven in terms of article 1280[4] of the same code.
3.- Pursuant to articles 77 and 96 of the Credit Institutions Law in relation to the General Provisions applicable to credit institutions issued by the National Banking and Securities Commission and published in the Official Gazette of the Federation on December 2, 2005, specifically from articles 308 to 316 bis 22, there are clear obligations regarding cybersecurity in the use of electronic banking that judges cannot ignore during trials.
4.- In this way, to prove the fact on which the presumption contained in article 90 of the Commercial Code is based, it is necessary that, during the trial, the banking institution certifies that each one of the electronic banking cybersecurity standards issued by the National Banking and Securities Commission was met.
5.- Once the banking institution proves that the cybersecurity regulations were followed during the challenged banking operations, then the reliability of the methods could be assessed in terms of article 1298-A[5] of the Commercial Code.
6.- Finally, only when it is verified that the banking institution complied with the provisions regarding cybersecurity during the electronic transaction should the court impose the burden of proof about the validity of said transactions on the financial user.
What Must the Banking Institution Prove in Court?
With the precedents summarized above, banking institutions now bear the burden of proving to commercial courts that their banking systems worked according to the rules issued by the National Banking and Securities Commission (General Provisions applicable to credit institutions) at the moment the challenged transaction was issued. Therefore, their burden of proof now covers the following:
1.- In terms of article 308 of the said general provisions, prove that, at the start of the electronic banking session, the system requested an identifier (category 1) and at least one authentication factor from category 2 or 3, and that both were validated.
For purposes of illustration, the categories, as defined by the National Banking and Securities Commission itself, are the following:
Category one: the financial user identifier obtained through the bank’s information request process, whether through questionnaires, in-person visits, or by telephone, which must be assigned individually to each user (customer number, card number).
Category two: information that is generated and that only the user should know, such as a password or personal identification number (PIN).
Category three: dynamic one-time passwords generated by a device (token) without prior knowledge by the banking institution, each valid for two minutes.
Category four: biometric data such as fingerprints, hand geometry, iris or retina patterns, facial recognition, etc.
2.- Prove, in terms of article 313, that when money was transferred to third-party accounts, the electronic banking system required a category 3 or 4 authentication factor.
3.- Prove that the operation’s receipts were issued and generated, indicating the exact date of the instruction and of its issuance, pursuant to article 316.
4.- Prove that the financial user was notified as soon as possible, and through the agreed-upon means of communication (telephone, mail, etc.), of the monetary transfers to third-party accounts made through electronic banking, in terms of article 316 bis 1.
5.- Prove that, when the electronic banking session was authenticated, there were no failed attempts that would have triggered an automatic block at the start of the session, considering that the maximum number of attempts is five, according to article 316 bis 3.
6.- Prove that the deadlines and follow-up periods between the authorization and issuance of banking operations, and the limits on the duration of the electronic banking session, were met in accordance with article 316 bis 4.
7.- Prove that an encrypted means of communication was used during the electronic operations so that third parties could not learn their contents, in terms of article 316 bis 10.
8.- Prove that no information extraction, attack, electronic sabotage, system failure, or unusual event occurred during the banking transaction, in terms of article 316 bis 13.
9.- Prove that the banking institution preserves (for at least five years) the claim made by the financial user about an unrecognized operation, reflecting the claim’s folio number, its date, the cause or reason for the claim, the date of the operation, the account, its origin, the type of product, the electronic banking service in which the operation was carried out, the amount, the status of the claim, the amount affected and, if applicable, the internal resolution, in terms of article 316 bis 14.
10.- Prove that the records, logs, and audit trails of banking operations and services carried out electronically were generated, in terms of article 316 bis 15.
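As an added illustration (not from the original post, and not any bank's actual system), the following Python checks a constructed evidence record for one challenged transfer against the items listed above and reports which ones the record fails to prove; the record layout and field names are assumptions made for the example.

```python
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5              # art. 316 bis 3: the limit is five attempts
OTP_VALIDITY = timedelta(minutes=2)  # category 3 one-time passwords last two minutes

def unmet_requirements(rec):
    """Return the burden-of-proof items that the evidence record does not satisfy."""
    gaps, login, tx = [], rec["login"], rec["transfer"]
    # art. 308: identifier (category 1) plus a validated category 2 or 3 factor
    if not (login["identifier_validated"] and set(login["validated_factors"]) & {2, 3}):
        gaps.append("art. 308: session not opened with identifier + category 2/3 factor")
    # art. 316 bis 3: reaching the attempt limit must have blocked the session
    if login["failed_attempts"] >= MAX_FAILED_ATTEMPTS and not login["blocked"]:
        gaps.append("art. 316 bis 3: attempt limit reached without automatic block")
    if tx["third_party"]:
        # art. 313: transfers to third-party accounts need a category 3 or 4 factor
        if not set(tx["validated_factors"]) & {3, 4}:
            gaps.append("art. 313: third-party transfer without category 3/4 factor")
        # a category 3 one-time password is only valid for two minutes
        if 3 in tx["validated_factors"] and tx["instructed_at"] - tx["otp_issued_at"] > OTP_VALIDITY:
            gaps.append("category 3: OTP older than two minutes when used")
        # art. 316 bis 1: user notified through the agreed channel
        if not tx["notified_via"]:
            gaps.append("art. 316 bis 1: no notification of third-party transfer")
    # art. 316: receipt carrying instruction and issuance timestamps
    if not (tx["receipt_instructed_at"] and tx["receipt_issued_at"]):
        gaps.append("art. 316: receipt lacks instruction/issuance timestamps")
    if not rec["channel_encrypted"]:                       # art. 316 bis 10
        gaps.append("art. 316 bis 10: channel not encrypted")
    if rec["security_events"]:                             # art. 316 bis 13
        gaps.append("art. 316 bis 13: attack, failure or unusual event logged")
    if not rec["audit_trail"]:                             # art. 316 bis 15
        gaps.append("art. 316 bis 15: no audit trail for the operation")
    return gaps

def sample_record(otp_age_seconds=180, notified_via=None, failed_attempts=1):
    """Constructed evidence record (not real data); defaults: stale OTP, no notice sent."""
    t = datetime(2024, 3, 1, 10, 0, 0)
    return {
        "login": {"identifier_validated": True, "validated_factors": [2],
                  "failed_attempts": failed_attempts, "blocked": False},
        "transfer": {"third_party": True, "validated_factors": [3],
                     "otp_issued_at": t - timedelta(seconds=otp_age_seconds),
                     "instructed_at": t, "receipt_instructed_at": t,
                     "receipt_issued_at": t + timedelta(seconds=2),
                     "notified_via": notified_via},
        "channel_encrypted": True, "security_events": [],
        "audit_trail": ["session opened", "OTP validated", "transfer executed"],
    }
```

With the default record, `unmet_requirements(sample_record())` reports the stale one-time password and the missing notification; a record with a fresh OTP and a sent notice reports nothing.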
By Omar Gómez
Partner
beLegal Abogados S.C
Abogados en Ciudad Juárez, Chihuahua, México
Mexican Administrative and Tax Attorney
Visit my personal website at: www.ogomezabogado.com
Contact the firm at: [email protected]
Call us at (656) 774-75-73 for English assistance or (656) 271-41-43 for Spanish assistance.
[1] Article 52.- Credit institutions may allow the use of an advanced electronic signature or any other form of authentication to agree on the execution of their operations and the provision of services to the public through the use of equipment, electronic, optical or any other technological means, automated data processing systems and telecommunications networks, whether private or public, and shall establish in the respective contracts the bases to determine the following: […].
[2] Article 89.- […]
In commercial acts and in their execution, electronic, optical or any other technological means may be used. For the purposes of this Code, the following definitions must be taken into account: […]
Transmitter: Any person who, in accordance with the data message, has acted in his or her own name or in whose name that message was sent or generated before being archived.
Article 90.- A data message shall be presumed to come from the transmitter if it has been sent:
I.- By the transmitter itself.
II.- Using means of identification, such as keys or passwords of the transmitter, or by any person authorized to act on behalf of him with respect to that data message.
III.- By an Information System programmed by the transmitter or on its behalf to operate automatically.
[3] Federal highest courts have the power to issue jurisprudencias or precedents that lower courts (including local courts) must comply with.
[4] Article 1280.- He who has a legal presumption in his favor is only obliged to prove the fact on which the presumption is founded.
[5] Article 1298-A.- Data messages are recognized as evidence. To assess the evidentiary scope of said messages, the reliability of the method by which they were generated, archived, communicated, or preserved shall be primarily assessed.