Anyone who authorizes a payment via pushTAN in online banking legally consents to a specific payment order, at least in the banks' ideal scenario. In practice, however, perpetrators exploit security gaps to push transactions through. The question is then no longer whether phishing occurred, but who bears the loss.
The latest rulings show that banks must prove more and can themselves be held liable.
The Current Landmark Decisions 2024/2025
Federal Court of Justice, March 5, 2024 (XI ZR 107/22)
Technical records alone (the bank's log that a TAN was released in the app) do not prove that the customer authorized the payment. If the customer disputes having consented, the bank must conclusively demonstrate that the payment was legally validly authorized.
Higher Regional Court Dresden, May 5, 2025 (8 U 1482/24)
A login that does not use strong customer authentication (SCA) is a security flaw. Consequence: contributory negligence on the bank's side, with the customer recovering 20% of the loss despite their own misconduct.
Higher Regional Court Oldenburg, August 8, 2025 (8 U 103/23)
Anyone who ignores clear warning signs and releases TANs without checking what they are authorizing acts with gross negligence and loses the claim. In that case, a loss of roughly €41,000 stayed with the customer.
The Three Core Questions in Liability Assessment
- Authorization – Was the payment legally validly authorized, or merely technically confirmed?
- Bank's security architecture – Was SCA correctly implemented, and was the transaction (amount and recipient) clearly displayed in the TAN request?
- Customer behavior – Is there gross negligence, and if so, to what extent?
My Approach in Cases
- Deconstruct the bank's chain of evidence – Do not accept blanket assertions; examine every technical record in detail.
- Identify security gaps – Is SCA missing, are the TAN texts unclear, were transaction limits changed shortly before the disputed payments?
- Assert contributory negligence – Even where the customer made errors, this can shift part of the liability to the bank.
- Refute the accusation of gross negligence – Document the deception process step by step, from call spoofing to the manipulated transaction display.
Conclusion:
Legally, pushTAN fraud is no longer reduced to "the customer simply wasn't careful". The courts are looking more closely at the authorization question, the bank's security architecture, and the behavior of both sides.
Anyone who specifically examines and proves these points has a realistic chance of full or at least partial reimbursement.
Further Reading:
In many pushTAN cases, the attack begins with a precisely orchestrated message, often disguised as a security warning or a delivery notification.
I have explained how the perpetrators proceed and which deception patterns are particularly dangerous in the article "Underestimated Danger: Smishing".