Wire transfers are widely used by users of financial services as they are a convenient and fast instrument for making payments from one bank account to another, even between accounts of different banks through systems such as SPEI (Interbank Electronic Payment System), which is operated by Banco de México.
However, the systems used by banks to provide electronic payment services may be breached by persons seeking to obtain an undue economic benefit by making electronic payments without the consent of the holder of the corresponding bank account.
In this regard, Articles 77 and 96 of the Law of Credit Institutions provide that banks must establish basic security measures to protect the public, the bank’s assets and its factors and dependents, in addition to carrying out practices that ensure adequate attention to their customers and the security of the transactions in which they are involved.
In accordance with the General Provisions Applicable to Credit Institutions compiled by the National Banking and Securities Commission (the “General Provisions”), credit institutions are required to use authentication factors to verify the identity of their users and the authority they have to perform transactions through the electronic banking service, in addition to generating records, logs and audit trails of transactions performed electronically.
Among the information that must be recorded by credit institutions is: (i) the date and time of the transaction, (ii) the source and destination account number, (iii) the identification data of the access device used by the user to perform the operation, (iv) the addresses of the Internet protocols and (v) the numbers of the cell phone line used to carry out the operation.
The General Provisions also provide that banks must have mechanisms that prevent third parties from interfering with sessions initiated by a user when using the electronic banking service, such as terminating the session when the credit institution identifies changes in the address range of communication protocols or geographic location, or preventing simultaneous access by a user to more than one session.
In accordance with the foregoing, the First Chamber of the Supreme Court of Justice of the Nation has established in jurisprudence that in cases in which a user demands the nullity of electronic bank transfers, the credit institution must demonstrate that it complied with all the security measures set forth in the General Provisions to guarantee the certainty of the disputed transactions and that there were no incidents that compromised the customer’s data. According to our Supreme Court, only in the event that the bank has demonstrated that it complied with the above, the user will be obliged to disprove what was presented in the trial by the credit institution in order to justify the validity of the claim for annulment.