No 37

Ouch! Where is my money?


There’s a sum of money missing from your payment account that you did not transfer or release for payment. What do you need to bear in mind?

Picture of Sherlock Holmes style figure smoking a pipe and reading a bank statement trying to work out what has happened to his money.

What ways exist for initiating a payment?

Either directly in your online banking service, by using a credit or debit card, by using Apple Pay or Bluecode, in which case the bank uses a technical service provider, or by selecting PayPal as a contractual party or if you store your card or account details there, or if you authorise a payment initiation service provider (e.g. Klarna) to access your account via an interface and to initiate a payment for you.

What are banks required to do?

If you as the account holder claim that you have not authorised or approved a certain payment, the bank must prove that the payment was conducted in a secure and orderly manner. The bank must prove that the payment was correctly authenticated, correctly recorded and booked, and that it was not impeded by technical problems.

Strong customer authentication means determining that only you yourself have initiated the payment. To do so, you must prove your identity by means of two elements out of three categories:
Knowledge (e.g. PIN),
Possession (e.g. your mobile phone) and
Inherence (e.g. a fingerprint).


the payer’s consent for the payment transaction.

When is the bank required to refund money?

If the bank has not demanded strong customer authentication, then as an account holder you have no liability whatsoever, and the bank is required to correct this outgoing booking. If you have not authorised a payment, i.e. approved it, the bank must reimburse the amount at the latest by the end of the next business day.


procedure that helps the bank to be able to check the payer’s identity.

When are you liable as an account holder?

That depends on the cause of an unauthorised payment. If you have been grossly negligent, for example if you have kept your bank card and the accompanying PIN in the same place or made them available to a fraudster, then you are liable for the full amount. If you have only acted with slight negligence, then you are liable up to an amount of EUR 50. Whether gross or slight negligence has occurred is up to a civil court to decide. Courts have already reached decisions that you have not breached your duty of care if you fail to cover the keypad with your other hand when making a cash withdrawal, if you don’t use an antivirus program on your mobile phone, or if your mobile phone’s operating system is not the most up-to-date version.


means that someone has failed to act with the necessary level of attention. Slight negligence is behaviour where such a mistake could also occasionally be made by a person who is generally careful. Gross negligence is behaviour that would not happen to an ordinary person in the same situation.

For how long can you request a correction to be made to your account?

As soon as you discover the incorrect outgoing payment, but at the latest within 13 months, you must inform your bank that you did not authorise the payment, and request that your account balance is duly corrected.

Duty of care

means that you must either do or not do certain things in order to act in a conscientious and responsible manner.

Tip: Contact your bank without delay if anything is unclear. Under no circumstances should you ever give third parties access to your private devices, e.g. via AnyDesk or TeamViewer. Keep your personal details safe and never disclose account details and passwords. Remain critical!