In a ruling considered the first of its kind, the Dubai Court of Appeal upheld the ruling of the first degree in which the Commercial Court ordered the obligation of a local bank to pay about five million dirhams to a client with him, after confirming the responsibility of one of his employees for penetrating the victim’s account, and embezzling the amount, after extracting the “allowance” Lost »from the customer’s phone and used to log in to his account through the banking application, and to make transfers, taking advantage of his knowledge that it is a dormant account.
The case papers stated that the victim opened a savings account with the bank in 2015, and his balance reached four million and 677 thousand dirhams in 2016, but he was surprised in 2017 that the account was closed, after its balance decreased to zero.
Investigations into the incident revealed that an employee of the bank working in the credit card sales department entered the customer’s account several times, and in light of his penetration of the account, he was subjected to a fraudulent operation, which ended in the embezzlement of the entire balance.
Ghassan Al Dayeh, the agent of the defense of the client, said that the victim was residing in the country, then left to settle abroad, and left his savings account, but was surprised upon his return that the account is closed and completely free of The money, and went a long way in the criminal court until he filed a civil lawsuit, which ended with a judgment for him after confirming the bank’s responsibility for stealing the money.
Al-Dayeh explained that the bank insisted on shirking responsibility, claiming that the customer had received text messages on his phone number regarding financial transfers from his account. He was entitled to object within 30 days according to the procedures in place, but he did not do so, and the bank evaded the presentation of the results of the internal investigation on the process of leaking the data that was done by his employee.
For his part, the defendant bank appealed against the ruling of the commercial court, so the court of appeal at a previous session ordered the appointment of an expert committee composed of two experts, one of whom is a banker and the other a technician.
The prosecutor’s agent, legal advisor Ghassan Al-Dayeh, said that the committee examined the availability of the bank’s tort liability, resulting from negligence in not supervising and monitoring the plaintiff’s account, and examining how the breach occurred, seizing the amounts through withdrawals, bank purchases and transfers without the knowledge of the account holder, and ensuring the integrity of the procedures Electronic security applied by the bank
He added that the committee’s report held the bank technically responsible for misappropriating the client’s money due to the lack of technical security precautions to protect his information, and the lack of safety of electronic procedures and investigations at the bank.
The report also revealed clear technical deficiencies in the extraction and delivery of a credit card to a customer who is primarily outside the state, in addition to the lack of strong and sufficient procedures by the bank to prevent penetration, as the bank employee who works in the credit card sales department intentionally entered the victim’s account several times over Its powers, which means the bank’s failure to supervise and monitor the absence of technical controls and the absence of a list that prevents employees from a non-concerned department from accessing customer accounts and data.
The report showed a breach of the account by a third party who was aware of the data and details of the victim’s account that he used to defraud to issue a SIM card instead of a lost phone number to the victim of the account registered in the bank’s database - indicating that there is no duplication of the safety factor (Two factor authentication) to ensure That the applicant is the authorized person.
The report clarified the account penetration through the issuance of an ATM card that resulted in cash withdrawals, 15 online transfers, six transfers from the account to another bank account in the Emirates, and purchases from the card of the victim’s account, which means that the monitoring and alert system on the movement of accounts is not activated Clients especially dormant if an abnormal movement occurs on them.
And based on the experience report, the Dubai Court of Appeal upheld the Commercial Court’s ruling that obliges the defendant bank to pay five million dirhams the value of its customer’s balance, and is considered a first-of-its-kind ruling according to - Al-Dayaa - in a fraud that affected many clients.