I. INTRODUCTION
Although Internet banking is at the forefront with its life-facilitating aspect, it became a current issue for its abusive use and fraudulent nature in these days1. In the decision of the Supreme Court Assembly of Civil Chambers which is examined below, notions such as “Bank’s responsibility”, “duty of care of the customer” and “contributory negligence” in a transaction made with internet banking and constituting a tort were handled with in the scope of relevant court decisions, doctrine, provisions of law of obligations and banking legislation.
II. SUMMARY
In the material dispute, which is the subject of the Supreme Court Assembly of Civil Chambers’s Decision that is Merits No: 2017/2224 and Decree No: 2018/1753, 9.788 TRY in the customer's account was transferred to another bank account via EFT transaction. The customer filed a lawsuit against the Bank, demanding compensation for the money with interest, while arguing that the customer became a victim as a result of the Bank’s failure to perform its objective duty of care and to take the necessary security measures. In the defending of the Bank, the Bank claimed that they gave notice to the customer about security within the scope of the contract signed between the parties and argued that the transaction in question was due to the plaintiff customer’s faulty act. The decision taken at the Trial Court was appealed by the plaintiff so the file was sent back to the Court of First Instance from the 11th Civil Chamber of the Supreme Court. Following the decision of persistence of the Trial Court, the file has been examined by The Supreme Court Assembly of Civil Chambers2 . The case has been evaluated in detail within the scope of legislation, in particular the Turkish Commercial Code, Banking Legislation, Turkish Code of Obligations and the Law of Obligations in force at the time of the case.
III. EXTENDED LIABILITY OF THE BANK
Transactions made via "trojan virus" which has infected Customer’s computer and carried out on behalf of the Customer, who deposits their money in three different banks with a trust mechanism, were blocked by two banks. However, this transaction which could have been prevented, was not prevented because the defendant Bank does not have advanced security mechanisms as much as the other banks. Therefore, it will become the current issue that the Bank has not taken any measures suitable for developing technology.
Additionally, the money which is the subject of the case was seized by a third party via internet banking security procedures being circumvented by the virus. Since the Money was entrusted by the Bank not the Customer, the person who gets scabbed with this illegal transaction is the Bank, not the Customer. It will be defended that the Plaintiff Customer's claim against the Bank continues.
In commercial life, banks should act with a higher care than the concept of "prudent trader"3 based on the Turkish Commercial Code. In this context, the existence of an "extended liability" is mentioned and banks are responsible for even their slightest faults to their customers4.
IV. DUTY OF CARE OF THE CUSTOMER
Access to internet banking is provided by the Plaintiff's credentials, password and smart password confirmation code that comes to their phone. Although it is controversial whether it is sufficient or not, from this point of view, it is seen that the Bank has taken many security measures. As a matter of fact, this unlawful EFT transaction, which is the subject of the lawsuit, was not due to the bank's systems, but to the "trojan virus" that infected the Plaintiff's computer. The Bank is not obliged to protect the Plaintiff’s personal information that is based on the Plaintiff's computer. Customers are obliged to protect their personal information against third parties with due diligence. As a result of the Customer's failure to fulfill this obligation, a tort was committed against the Bank and the Bank was damaged.
V. CONTRIBUTORY NEGLIGENCE OF THE PLAINTIFF
After hearing the claims and defenses of the parties in the case at the Court of First Instance, the expert opinion was applied. In the expert report, it is understood that the Plaintiff could not protect their personal information in some way, considering that the Plaintiff's accounts in other banks that are not subject to the case are also entered, probably the Plaintiff had their personal information stolen from the computer which they used and again from the statement given by the Plaintiff to the Office of Chief Public Prosecutor, it is understood that the Plaintiff was caused the router program to be installed on their mobile phone, for this reason, it has been understood that the Plaintiff has a contributory negligence.
In the formation of a tort committed against the person, the concept of "contributory negligence" is mentioned in case the person has a defect as well5. In the established Supreme Court case law, where the injured person has a share in the occurrence or increase of the damage, it is accepted that there is a "contributory negligence" state. However, in the doctrine, there are different opinions as to whether defective behavior means unlawful conduct6. According to the opinion arguing that they have the same meaning, “The concept of defect is one of the subjective elements of tort and nobody has an obligation to protect themselves from any damage. Those who defend this opinion have adopted the idea that the person cannot be held responsible for their own damage. According to Eren, it is not possible that defective behavior is not to be unlawful7."
In the concrete case, the First-Degree Court decided that the Plaintiff Customer was 40% defective by not taking the necessary care to protect their personal information and contact information and the Defendant Bank was 60% defective by not providing an electronic banking service that provides the highest level of security and therefore, finalized the case by partial acceptance. The Plaintiff appealed the decision of the First-Degree Court at the Supreme Court.
VI. EVALUATION UNDER THE LEGISLATION
A. The Code of Obligations No.818 and Turkish Code of Obligations No.6098
Article 386 of the Turkish Code of Obligations No. 6098 defines the consumption borrower (loan) as "The consumption loan agreement is a contract in which the lender undertakes to transfer some money or something consumable to the borrower and the borrower undertakes to return the same quality and amount." Therefore, the Bank that borrows the money by depositing of the money in the Bank, has an obligation to return it exactly or in multiples when it is requested8. In this context, according to an opinion in the doctrine, there is an "irregular deposit" in terms of banking transactions and in the case of an irregular deposit, the property passes to the depositor9. In accordance with Article 472 of the Code of Obligations No.818, which regulates the irregular delivery, the nave and the damage of the money will be transferred to the depositor (the Bank) absolutely and the Bank will be obliged to return the money in multiples if agreed10. Therefore, the Bank might use the money which is deposited to the Bank, from the moment it is borrowed to the moment it is returned. However, the Bank will be obliged to return it when it is requested by the Customer and if there has been a reduction in the money by then, the Bank will be held responsible for that11. On the other hand, pursuant to Article 306 of the Code of Obligations No. 818, “Loan is a contract that the lender has an obligation to transfer to a person who borrowed the property of a certain amount of the money or another equivalent thing and even this person is obliged to give back the same kind of things equal in quantity and qualification." it has been stated as a “loan contract” will arise for time deposit accounts or considering the scope of the services provided by the Bank to the Customer, in the context of Article 386 of the Code of Obligations No.818 stating “The proxy shall carry out the management of the work which was assigned to them in the contract office or the execution of the service which they have done in the contract office by a proxy agreement. The provisions of the proxy will be valid for the works which are not subject to the any provisions of the law on other contracts." it can be said that a “proxy agreement” will arise12. The Supreme Court and the Doctrine usually define this contract as a "sui generis contract" rather than putting it in a single mold13.
At the same time, under Article 96 of the Code of Obligations No.818 and Article 112 of the Turkish Code of Obligations No.6098, banks which have failed to fulfill their debts arising from the contract or evaluated within this scope, are obliged to repair the damage unless they prove their faultlessness14.
B. Evaluation of Banking Legislation
The contract between the parties is a unique contract which has the characteristics of the deposit loan and irregular deposit contracts. Pursuant to Article 61 of the Banking Law No.5411, except for legal cases, the right to recover the amounts which should be paid to the deposit and participation fund owners cannot be restricted in any way. Similarly, within the scope of the provisions of the Banking Law, Banks are obliged to return the money which was deposited to them when it is requested.
When the responsibility of the bank within this scope is examined within the framework of the legislation of the Banking Regulation and Supervision Agency (“BRSA”) Article 9 titled as "data privacy" regulated in the Regulation on Information Systems of Banks and Electronic Banking Services ("Regulation") will be important. While the obligation of the Bank to take measure is mentioned in the article, especially the necessities of “the use of algorithms that have not lost their reliability as of the current state and are compatible with the current technology", the encryption of customer data and the regular and safe storage of the encryption techniques are mentioned15.
At the same time, in accordance with Article 20 of the Bank Cards and Credit Cards Law No.5464, the customer cannot be held responsible for damages arising from illegal use in purchases of goods and services through various communication means without issuing an expense certificate16.
In the concrete case, according to the opposing votes in the 11th Civil Chamber of the Supreme Court, the Bank should keep security measures at the highest level and store customer’s information safely.
In Article 34 of the same regulation, the identity verification steps that should be used in electronic banking are explained in detail. Basically, an authentication system consisting of at least two independent authentication system must be implemented. According to the clause, these components are selected from the binary combination of components (i) known by the customer, (ii) owned by the customer, (iii) having a biometric characteristic to the customer17. In addition, Article 38 of the Regulation generally mentions the necessity of a "verification code" which must be forwarded to the customer online18. According to the decision of the Supreme Court Assembly of Civil Chambers in the concrete case, the amount of these security measures that have been provided to the Customer by the Defendant Bank should be examined in detail by obtaining a new expert report.
VII. BURDEN OF PROOF OF THE BANK
In accordance with Article 6 of the Civil Code, each of the parties must prove the fact on which they base their rights19. In order to be able to mention "contributory negligence" in irregular transactions, it is necessary to prove the fault of the depositor. Therefore, in the concrete case, the Bank claiming that the Customer is at fault must prove this claim at first, in order to be able to rely on contributory negligence. However, the Defendant Bank could not prove that the EFT transaction was realized due to the fault of the Customer.
Additionally, in accordance with the provisions of the banking legislation mentioned above, banks should keep their security measures at the highest level while providing internet banking services. Compared to the provisions of Article 99/2 of the Code of Obligations No.818. and Article 115/3 of the Turkish Code of Obligations No.6098, banks are held responsible for even their smallest faults, since they are a trust institution established by a special law, regularly audited by the state and granted privileges20. The 11th Civil Chamber of the Supreme Court ruled that the Defendant Bank was responsible for all the damages in the concrete case and the partial acceptance decision given by the Court of First Instance was reversed and the file was sent back to the Court of First Instance for a retrial. However, the Court of First Instance resisted in its decision.
VIII. REVERSE DECISION OF THE SUPREME COURT ASSEMBLY OF CIVIL CHAMBERS
As a result of the decision of resistance, it has become necessary to examine the dispute within the scope of the Supreme Court Assembly of Civil Chambers. In the examination made by the Supreme Court Assembly of Civil Chambers, the expert report, which was taken as the basis of the decision in the Court of First Instance, was found insufficient. Although it is stated in the report that the Customer had a failure to show due diligence regarding their obligation to protect their personal information, it has been ignored that the same transaction was tried from three different bank accounts which belong to the Customer, but these transactions were able to be prevented by the other two banks. Therefore, Supreme Court Assembly of Civil Chambers decided that it is necessary to obtain a new expert report, which will observe the general notifications of the Banking Regulation and Supervision Agency (“BRSA”) in force at that time on, to see whether the Defendant Bank has taken the most advanced security measures used in the internet banking sector at the time of the incident and thus, First Degree Court's decision to resist was reversed.
IX. OPPOSING VOTES
According to the opposing votes in parallel with the decision of the 11th Civil Chamber of the Supreme Court, the existence of any action that could constitute a criminal act and cooperation with malicious third parties has not been proven by the Plaintiff Customer. When this matter is evaluated within the scope of the above-mentioned provisions of the Code of Obligations No.818 and the Turkish Code of Obligations No.6098, the obligation of the Defendant Bank to return the money in kind cannot be ignored. For these reasons, the opposite votes argue that the fault is entirely in the Bank and they consider it is unnecessary to obtain a new expert report. Because obtaining a new expert report is an additional expense which will conflict with the procedural economy, and also this new expert report will have no effect on the result, since it is very clear that the defect is entirely in the Defendant Bank.
X. CONCLUSION
Bank customers, as they can perform many transactions such as credit card transactions, money transfers, deposit transactions, credit transactions, investment transactions via the internet from any environment, for example, they can transfer money from one account to another within seconds. Banks which has adopted to technology, besides providing general banking services to their customers, they also offer an internet banking service under the Banking Service Agreement signed between them.
The bank's responsibility for illegal transactions made by third parties using customers' internet banking accounts should be handled as the conditions of each concrete event being evaluated and determined separately. For example, whether the customer has a share in the occurrence of the unlawful transaction, whether the bank with the burden of proof could prove it and whether the bank applies the necessary and sufficient security procedures are important. In the concrete case subject to the dispute evaluated above, the Customer's personal information was stolen by a virus installed on their computer and the money in three different bank accounts was attempted to be transferred to the accounts of third parties using this information. Although banks other than the Defendant Bank could prevent the transaction, the Defendant Bank failed to prevent it and was inadequate in terms of security measures. First Instance Court claimed that there is a contributory negligence and ended the case with partial acceptance. Upon the application of the Plaintiff, the decision was examined in the 11th Civil Chamber of the Supreme Court, and it was decided that the Defendant Bank, which has the burden of proof could not prove that the Plaintiff was at fault, and therefore all defects were on the Defendant Bank. Following the reversal decision of the 11th Civil Chamber of the Supreme Court, although the file was sent back to the Court of First Instance, the Court of First Instance resisted in its decision. Upon this, the expert report received in this case was found insufficient by the Supreme Court Assembly of Civil Chambers and it was decided to obtain a new expert report.
Generally, in such cases, it should be taken into consideration whether the person who owns the account to which the money is transferred has a bond or a proxy relationship with the customer when money is transferred from the customer's account to a third party’s account. In addition, it is also important whether the customer uses internet banking regularly and how many different devices they access their internet banking account. Moreover, when the defect of the Customer is being measured, it is not disregarded whether the passwords were seized directly by the device being stolen or the seizure was arisen from the negligence of the Customer. In some cases, subject to the decisions of the 11th Civil Chamber of the Supreme Court, it is also examined how the "smart password" security was breached by third parties: such as whether the customer's sim card information was copied or their phone was seized. Finally, it is seen that banks offer optional security measures to customers in these days. For example, although almost every bank enables to access internet banking with a smart password requirement, some banks also provide their customers with the option to log into the system with an "electronic signature". However, this is an option offered to the customer and the customer decides on the security procedure to be applied. According to the characteristics of the concrete case, it is important how to act in such cases where the security procedures are determined by the customer. As a result, the fraudulent tort committed through internet banking should be examined in detail from many angles.
BIBLIOGRAPHY
Supreme Court Assembly of Civil Chambers’s Decision that 22.11.2018 dated and Merits No: 2017/2224 and Decree No: 2018/1753.
DOÇ. DR. SÜLEYMAN YILMAZ, Bilişim Hukuku Güncel Sorunlar, Ankara, 2020.
DOÇ. DR. YEŞİM M. ATAMER, İnternet Bankacılığının Üçüncü Kişiler Tarafından Hukuka Aykırı Kullanımı Nedeniyle Doğan Zararı Kim Taşır? Banka Hukuku ve Yargıtay Kararları Sempozyumu, 2007, p. 15-37
AV. YAŞAR KÖSTEKÇİ, Banka Ticari Kredi Sözleşmeleri Tacirin Hakları Bankanın Sorumluluğu, İstanbul, 2020.
DOÇ. DR. MURAT BALCI, Gerekçeli İçtihatlı Bankacılık Kanunu ve İlgili Mevzuat, Ankara, 2019. YRD. DOÇ. DR. KÜRŞAD NUR I TURANBOY, Tasarruf Mevduatı Sözleşmesinin Niteliği, Ankara, 1997.
İSTANBUL BAROSU DERGISI, V:93/2, 2019.
PROF. DR. ARIF B. KOCAMAN, Türk Borçlar Hukukunda Havale, 2nd Edition, Ankara, 2020.
11th Civil Chamber of the Supreme Court’s Decision that 11.09.2017 dated and Merits No:2017/2386 Decree No:2017/4206
11th Civil Chamber of the Supreme Court’s Decision that 23.02.2017 dated and Merits No:2016/2149 Decree No:2017/1048
11th Civil Chamber of the Supreme Court’s Decision that 13.12.2016 dated and Merits No: 2016/9916 Decree No:2016/9583
11th Civil Chamber of the Supreme Court’s Decision that 22.10.2020 dated and Merits No: 2020/5738 and Decree No:2020/4350.
15.03.2020 dated Official Gazette, Regulation on Information Systems and Electronic Banking Services of Banks No. 31069
Code of Obligations No. 818
Turkish Code of Obligations No. 6098
https://www.kazanci.com.tr/
FOOTNOTE
1 Doç. Dr. Süleyman YILMAZ, Bilişim Hukuku Güncel Sorunlar, Ankara, 2020, p. 198.
2 Supreme Court Assembly of Civil Chambers’s Decision that 22.11.2018 dated and Merits No: 2017/2224 and Decree No: 2018/1753.
3 Turkish Commercial Law No.6102, art.18.
4 11th Civil Chamber of the Supreme Court’s Decision that 22.10.2020 dated and Merits No: 2020/5738 and Decree No: , 2020/4350.
5 Doç. Dr. Süleyman YILMAZ, Bilişim Hukuku Güncel Sorunlar, Ankara, 2020, p. 197.
6 İstanbul Barosu Dergisi, V:93/2, 2019, p.113.
7 Ibid.
8 Turkish Code of Obligations No. 6098, art.386.
9 Yrd. Doç. Dr. Kürşad Nuri TURANBOY, Tasarruf Mevduatı Sözleşmesinin Niteliği, Ankara, 1997, p. 254
10 Code of Obligations No.818, art.472.
11 Ibid.
12 Doç. Dr. Yeşim M. ATAMER, İnternet Bankacılığının Üçüncü Kişiler Tarafından Hukuka Aykırı Kullanımı Nedeniyle Doğan Zararı Kim Taşır? Banka Hukuku ve Yargıtay Kararları Sempozyumu, 2007, p. 16.
13 Ibid.
14 İstanbul Barosu Dergisi, V:93/2, 2019.
1515.03.2020 dated Official Gazette, Regulation on Information Systems and Electronic Banking Services of Banks No. 31069, art.9.
16 Bank Cards and Credit Cards Law No.5464 art.20.
17 15.03.2020 dated Official Gazette, Regulation on Information Systems and Electronic Banking Services of Banks No. 31069, art.34
18 Ibid. art.38
19 Turkish Civil Code No.4721, art.6
20 Supreme Court Assembly of Civil Chambers’s Decision that 30.09.2015 dated and Merits No: 2013/2425 and Decree No: 2015/2022.
