In a recent and landmark decision, the Third Panel of the Superior Court of Justice (STJ), when ruling on Special Appeal No. 2.215.907 – SP, reaffirmed a crucial understanding regarding the civil liability of financial institutions in cases of fraud committed by third parties, specifically in the well-known “Fake Customer Service Scam.” The judgment, authored by Justice Ricardo Villas Bôas Cueva, denied the appeal of a bank account holder, consolidating the theory that the actions of fraudsters, when facilitated by the consumer’s own conduct, constitute an external fortuitous event, thereby breaking the causal link and excluding the bank’s strict liability.
The legal dispute originated from a declaratory action seeking the unenforceability of a debt, combined with a claim for restitution of amounts and compensation for moral damages. The plaintiff, now appellant, was the victim of a scam in which, after receiving a message, he contacted a phone number provided by a third party, believing it to be the customer service center of his financial institution. Misled by the supposed employee, the account holder voluntarily installed an application on his mobile phone, granting access to sensitive data such as passwords, which enabled the fraudsters to contract loans and carry out PIX transfers.
The core issue lies in the distinction between internal and external fortuity. Internal fortuity, as per STJ’s Precedent No. 479, refers to fraud and crimes committed within the scope of banking operations, being considered an inherent risk of business activity and, therefore, subject to the financial institution’s strict liability. However, in the case at hand, both the São Paulo State Court of Justice and the STJ concluded that the harmful event exceeded the boundaries of this objective relationship.
The decision was based on the fact that the breach of the security system was “preceded by the plaintiff’s voluntary actions.” By contacting an unknown number, following instructions from an unofficial interlocutor, and installing an external application, the consumer assumed a risk and compromised his own security system. Such conduct was classified as the victim’s sole fault (or that of a third party), one of the liability exclusions provided for in Article 14, §3, II of the Consumer Protection Code.
The STJ emphasized that the fraud originated outside the physical or virtual environment controlled by the bank, characterizing it as an event unrelated to the institution’s activities. The use of deceptive tools such as fake websites or call centers (known as mimicked services), through which consumers surrender their data, constitutes external fortuity, which breaks the causal link between the supplier’s conduct and the damage suffered.
Another relevant point in the judgment’s reasoning was the untimely communication of the fraud by the account holder. The Court noted that the plaintiff only reported the harmful event to the bank branch on August 15, 2023, that is, after the fraudulent transactions had already been fully carried out.
This lack of timely communication prevented the financial institution from taking measures to avoid or mitigate the loss. STJ jurisprudence has consistently held that the bank’s liability is excluded “especially when the account holder fails to report the fraud before it is fully consummated.” This Superior Court had previously ruled in the opposite direction, holding banks liable for fraudulent transactions occurring after the theft of a mobile device had been reported, for example, but not when the customer fails in their duty of care and communication.
The judgment of Special Appeal No. 2.215.907 – SP serves as an important warning to consumers. Although financial institutions have a duty to ensure security and are strictly liable for failures in their services (internal fortuity), this liability is not absolute. The decision reinforces that the duty of care is shared, and the consumer’s conduct is a key factor in the analysis of civil liability.
For the legal community, the decision solidifies the application of the external fortuity theory in cases of phishing and social engineering, where the victim’s collaboration, even if involuntary, is essential to the success of the scam. It is clear that a case-by-case analysis is indispensable, but the consumer’s voluntary disclosure of sensitive data and the failure to promptly report the fraud are elements that, together, have the power to break the causal link and exempt the financial institution from civil and moral liability.
Autor:
