By Martín Elizalde
Senior Consultant at Foresenics
Much changes. Banks don’t.
Banking fraud targeting customers has grown exponentially. Complaints show an evolving landscape, as scammers develop new and increasingly sophisticated methods. Many rely on highly manipulative techniques known as social engineering to trick clients into handing over money or confidential information. In other cases, victims report that their payment-card or identity data was stolen and used without authorization. Sometimes, clients simply have no idea how fraudsters obtained such detailed personal information. This is precisely why banks’ monitoring duties—which we refer to later—are essential to preventing these crimes.
When banks respond to victims’ information requests, they typically deploy the same defense: if the customer shared sensitive data or approved a transaction that later turned out to be fraudulent, the bank assumes no responsibility. Knowing less about technology is not, in their eyes, a protected financial interest.
I protect you.
This paradigm is beginning to shift. There is a growing recognition that banks owe a duty of care to their clients in these situations. As authorized institutions entrusted with the public’s savings, banks must comply with strict cybersecurity standards governing how they operate.
This responsibility is objective in nature. Even outside consumer-protection frameworks, the ordinary rules of civil liability impose a duty of diligence and risk prevention. This means that not only consumers—but also businesses—can invoke this responsibility.
A bank operates a system that is inherently risky, and must safeguard the users who entrust it with sensitive personal data. What clients delegate is data handling—not the responsibility for maintaining a secure architecture and a general duty of care.
I must know you.
Beyond this general duty of care, banks have a specific obligation to monitor client activity, understand operational patterns and prevent incidents within the digital environment they control. Here are some common failures we see—scenarios in which many victims may recognize their own experience:
- The bank cannot demonstrate a complete and secure record and traceability of electronic-channel activity, including generation, storage, transfer and recovery of data.
- The bank fails to implement adequate know-your-customer controls, which require heightened scrutiny when activity appears inconsistent with a client’s profile.
- The bank does not follow internal rules requiring it to verify that account movements are reasonable when compared to the client’s usual financial behavior, or fails to review broader circumstances surrounding atypical transactions.
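As an added illustration (not code from the article or from Foresenics), the following Python sketch shows what the three monitoring duties above look like as a control: a baseline built from the client's own history, each new order checked against it for amount, channel and time of day, and an audit record returned so the decision is traceable. All transactions are constructed, and the z-score threshold is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev

@dataclass(frozen=True)
class Transaction:
    account: str
    amount: float
    channel: str      # e.g. "app", "web", "branch"
    ts: datetime

@dataclass(frozen=True)
class Profile:        # the client's usual behaviour, derived from their own history
    mean_amount: float
    stdev_amount: float
    channels: frozenset
    active_hours: frozenset

def build_profile(history):
    amounts = [t.amount for t in history]
    return Profile(mean(amounts), pstdev(amounts) or 1.0,  # "or 1.0" avoids division by zero
                   frozenset(t.channel for t in history),
                   frozenset(t.ts.hour for t in history))

def red_flags(tx, profile, z_threshold=3.0):
    """Reasons the order is inconsistent with the profile; empty means consistent.
    z_threshold is an assumed tuning value, not a rule stated in the article."""
    flags = []
    z = (tx.amount - profile.mean_amount) / profile.stdev_amount
    if z > z_threshold:
        flags.append(f"amount {tx.amount:.2f} is {z:.1f} sd above the client's usual")
    if tx.channel not in profile.channels:
        flags.append(f"channel {tx.channel!r} never used by this client before")
    if tx.ts.hour not in profile.active_hours:
        flags.append(f"hour {tx.ts.hour:02d}h is outside the client's usual activity window")
    return flags

def decide(tx, profile, now=None):
    """Hold atypical orders for review; the returned record is the traceable audit entry."""
    flags = red_flags(tx, profile)
    return {"account": tx.account, "amount": tx.amount, "channel": tx.channel,
            "order_time": tx.ts.isoformat(), "decision": "hold_for_review" if flags else "execute",
            "reasons": flags, "assessed_at": (now or datetime.now(timezone.utc)).isoformat()}

# Constructed sample history for one client: small in-app payments during the day.
HISTORY = [Transaction("ACC-001", a, "app", datetime(2024, 3, d, h, 0, tzinfo=timezone.utc))
           for a, d, h in [(40, 1, 9), (55, 3, 12), (60, 5, 18), (75, 8, 10), (90, 12, 15), (120, 14, 19)]]
PROFILE = build_profile(HISTORY)
SUSPICIOUS = Transaction("ACC-001", 2500.0, "web", datetime(2024, 3, 20, 3, 0, tzinfo=timezone.utc))
ROUTINE = Transaction("ACC-001", 80.0, "app", datetime(2024, 3, 21, 12, 0, tzinfo=timezone.utc))
```

Running `decide(SUSPICIOUS, PROFILE)` holds the order with three recorded reasons, while `decide(ROUTINE, PROFILE)` executes it; the returned records are what a bank would need to retain to show the traceability described in the first item above.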
If I monitor, I can prevent.
Many fraud schemes rely on banking services because digital payments, transfers and commercial operations still flow primarily through bank-managed platforms. This puts banks—and their employees—in a privileged position to detect, block or report suspicious activity. Failing to do so is itself a breach of their duties, and negligence of this kind belongs squarely on that list.
It’s built into the contract.
As a result, an implicit term of every bank–client relationship is the obligation to act with due diligence. That obligation includes refusing to execute an order when the bank knows it was issued dishonestly, and it is breached when the bank turns a blind eye to clear red flags or fails to investigate unusual circumstances. When banks neglect these duties, they incur responsibility for the losses that follow.
It is neither fair nor efficient for banks to automatically rely on a client’s lack of expertise or occasional misjudgment when it comes to sharing data. Multiple actors may contribute to an incident, but that does not relieve the bank of its cyber-security, monitoring and fraud-prevention obligations. Detecting unusual patterns is one of several tools that can stop scams before they occur. Prevention—not only compensation—must be the priority.
Conclusion
If a bank processes an atypical transaction or allows operations through unusual channels, it fails to uphold the foundation of the bank–client relationship: customers should never be presumed fully knowledgeable about technologies or aware of the risks they face. In a digital environment marked by increasingly sophisticated fraud, banks must adopt real oversight and proactive controls to protect the very users who rely on them.
