The recent Judgment of the Spanish Supreme Court, Civil Chamber, No. 571/2025, dated April 9, provides a clear and consumer-friendly resolution to a very common dispute: the execution of unauthorized payment operations resulting from SIM swapping attacks—fraudulent duplication of SIM cards used to impersonate the customer. In this case, the bank was ordered to reimburse more than €56,000 to a user who suffered multiple unauthorized transfers within a few hours, despite having previously warned the bank of suspicious access to their account.

The ruling is based on Royal Decree-Law 19/2018 on payment services and other urgent financial measures, which transposes Directive (EU) 2015/2366 (PSD2) into Spanish law. This regulation establishes a very strict protection framework for payment service users.

Among its essential principles, the following stand out:
Near-strict liability of the bank: When the customer denies having authorized a payment operation, the financial institution is only exempt if it proves that there was no failure in its system and that the customer acted with gross negligence or fraud.
Burden of proof on the bank: It is not enough to allege that strong customer authentication (e.g., SMS code) was used. The bank must prove that the system was not breached and that the customer acted fraudulently or negligently.
Duty of custody and notification by the customer: The user must act diligently to safeguard their credentials and promptly report any suspicious access or misuse.

The Supreme Court confirms the bank’s liability based on the following key elements:

1. Lack of customer consent: The customer denied authorizing the transfers, and the use of strong authentication systems (password + SMS) does not in itself prove consent. The bank failed to demonstrate that the system was used by the actual account holder or that no identity theft occurred.

2. System deficiencies: Despite the customer having previously alerted the bank to suspicious activity, no additional security measures were taken, nor was access blocked or operations suspended. As a result, up to 17 high-value transactions were executed hours later, outside the customer’s normal usage pattern.
   The High Court concluded that the bank breached its duty of care and failed to act on clear signs of fraud.

3. Diligent conduct by the customer: The customer, for their part, proved to have acted appropriately by promptly reporting the incidents and requesting the blocking of affected products. There was no evidence of gross negligence or malicious behavior on their part, which strengthened their right to reimbursement.

This ruling reinforces the already established stance of various Provincial Courts. When a customer suffers electronic fraud and acts diligently, the bank must bear the financial consequences of its system's failure.

Therefore, we recommend all users to:

• Immediately report any irregular access, suspicious messages, or unauthorized transactions.

• Request the immediate blocking of compromised cards or accounts.

• Keep written records of all communications with their bank (email, certified mail, or burofax).

• Retain copies of bank statements and any logged incidents.

In the event that the bank refuses to refund the amounts, users may initiate an extrajudicial or judicial claim based on strong case law that supports their right to compensation.

At Summons Abogados, we assist individual and corporate clients who have suffered fraud in their bank accounts or cards, helping them claim against financial institutions effectively and with no upfront cost. There are clear precedents supporting the consumer’s position. Contact us if you’ve been a victim of similar fraud. We are here to protect your rights.