The Responsibility of Banks in Cases of Fraud: Analysis of a Recent Decision and its Impacts on Business Owners
- Julia Tosi

- 7 days ago
In a context where companies extensively use electronic transactions — whether via corporate credit cards, PIX or other digital payment methods — the risk of fraud and scams against account holders increases. A recent case, in which a judge declared certain debts unenforceable after a consumer was the victim of fraud and ordered the bank to partially reimburse the amount, highlights a matter of significant relevance for business owners and executives: to what extent are financial institutions liable for fraud, and what precautions should companies adopt to safeguard their assets?
Monitoring such decisions is essential to understand the civil liability regime for banks and to implement sound corporate governance practices.
Overview of the case and reasoning behind the decision
According to the report, a judge of the 2nd Vara of the JEC – Vergueiro, in São Paulo, ruled in favor of a consumer in an action for debt unenforceability combined with a claim for damages against a financial institution. The consumer alleged unauthorized charges on his credit card, and stated that after receiving what seemed to be a call from the bank, he was induced to make a PIX transfer of R$ 17,980 to a third party. In total, the contested charges and transfers corresponded to amounts inconsistent with his usual consumption profile. Consequently, the judge declared the debts unenforceable and ordered the bank to reimburse, at least partially, the PIX transfer, recognizing a failure in banking security.
The decision rested on the application of the objective (strict) liability regime under the Brazilian Consumer Protection Code (CDC), especially its Article 14, and on the consolidated jurisprudence of Súmula 479 of the STJ, which makes financial institutions liable for fraud and crimes when there is a flaw in the banking security service.
Notably, the financial institution did not present technical reports or proof demonstrating the legitimacy of the challenged operations — such as system logs, evidence of authentication or any effective security mechanism. Therefore, it failed to sustain its defense of regularity regarding the disputed transactions.
Objective liability and the duty of security of financial institutions
For business executives and companies, the core lesson is evident: by offering banking services, financial institutions assume the inherent risk of their activity — which includes protecting clients against frauds and scams. The current jurisprudence, including recent decisions by the Superior Tribunal de Justiça (STJ), reaffirms this duty. For instance, in October 2025, the STJ’s 3rd Panel decided that banks and payment institutions must compensate clients victimized by social engineering scams when there are failures in data protection or incapacity to detect atypical transactions.
Practically, the objective liability regime requires the bank to prove the absence of a service defect, or the exclusive fault of the consumer or of third parties — a burden that is often difficult to satisfy in sophisticated fraud cases.
For a company, this means that if it uses banking services — for payments, receipts, transfers or other operations — it may have legal grounds to seek reimbursement or compensation, even in the face of fraud, as long as it is proven that the bank failed to implement adequate security measures.
Practical implications for companies and corporate managers
From a corporate perspective, this precedent brings several practical consequences. First, it underscores the necessity of adopting robust internal governance regarding the use of payment channels and the control of access to accounts, credentials and authorizations. Although the bank holds the responsibility to prevent fraud, the company must adopt sound security practices — segregation of duties, transaction confirmation procedures, multi-factor authentication, among others. Such a posture not only mitigates risks, but also strengthens any judicial or administrative claims in case of fraud.
Secondly, companies that provide services to third parties or process large volumes of transactions should consider adopting contractual policies and specific clauses with banks or payment service providers, mandating minimum security standards, periodic audits and obligations to notify in case of atypical or suspicious transactions.
Moreover, the case shows that despite the prevailing trend in jurisprudence favoring the client, the outcome of each dispute may vary depending on the conduct of the account holder — especially if there is evidence of gross negligence or imprudence, such as voluntarily transferring large amounts to unknown recipients without verification. In the reported case, the judge found “concurrent fault” of the consumer, which led to partial reimbursement of the transferred amount. (Source: Migalhas)
Therefore, for companies, it is essential to document internal diligence — records of who authorized transactions, confirmation of recipient data, internal communications, logs of control systems — to evidence that due diligence was observed even in the event of fraud. This can positively influence a court decision and reduce the risk of liability.
The recent jurisprudential panorama as a warning to the financial sector
The STJ’s 2025 precedent was emphatic in stating that in cases of fraud resulting from failures in security systems, it is not acceptable to reduce indemnities on the basis of concurrent fault of the victim — unless it is demonstrated that the victim consciously
This understanding consolidates a clear trend: courts assign to banks and payment institutions the duty to guarantee effective security for clients, being relatively reluctant to accept defenses based solely on the client’s fault. This imposes on the financial system — and thus on the companies that depend on it — the adoption of robust controls to mitigate risks.
For corporate managers, this means that the selection of financial partners should consider not only cost and convenience, but also the technical capacity for fraud prevention and detection. Contracts, service terms, audits and certifications become relevant in corporate risk management.