Decision of the Heilbronn Regional Court: The end for PushTAN apps

To ensure a high level of protection, the Second Payment Services Directive ("PSD2") introduced the obligation for strong customer authentication. In order to comply with this obligation, banks started offering mobile applications and introduced two-factor authentication in the form of PushTAN apps. A new ruling of a German court now raises the question of whether the PushTAN apps meet the requirements of PSD2.

What is strong customer authentication?

With PSD2, the EU re-regulated the market for payment services. The central aim of the directive was to create a single market for payment services, to promote the security of payments in the EU and to better protect end customers.

The central element to promote the level of protection in favour of end customers was the obligation to introduce so-called strong customer authentication. This provides that access to online banking accounts and the initiation of payment orders should no longer be possible by simply entering an individual password. Rather, authentication was to take place by means of two or more elements that are independent of each other. The independence is to be ensured by the fact that the authentication is carried out by means of elements from at least two of the following three categories: Knowledge, Possession and Inherence.

This independence should ensure that a breach of one element (such as a password becoming known) cannot lead to an impairment of the reliability of the other elements. For example, if a bank uses passwords (category: knowledge) vis-à-vis its customers, another element is required that can be assigned either to the category possession (for example, in the form of a mobile phone uniquely assigned to the customer) or to the category inherence (for example, the fingerprint of the end customer).

The PSD2 definition of strong customer authentication was transposed into German law in Section 1 (24) of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – "ZAG"), and the obligation to implement strong customer authentication in Section 55 ZAG. A delegated regulation on regulatory technical standards (Delegated Regulation (EU) 2018/389 - "Delegated Regulation") further specified the requirements. Within the German market, the so-called pushTAN procedure has established itself as an option and is used by many banks. It works in such a way that the payment service user can only access their online banking or initiate a payment if they log into their online banking account using their password (category: knowledge) and legitimise the respective action with a TAN that they generate in a separate mobile application (app) (category: possession). Whether the pushTAN is an element independent of the password entered in the mobile banking app was, among other things, the subject of a decision by the Regional Court (Landgericht) of Heilbronn.

Content of the decision of the Regional Court (Landgericht) of Heilbronn

On 16 May 2023 (Bm 6 O 10/23), the Regional Court (Landgericht) of Heilbronn had to decide, inter alia, whether the pushTAN procedure is suitable to authorise a payment transaction and thus meets the requirements of strong customer authentication.

The facts underlying the decision concern claims for reimbursement under a payment service contract in connection with a fraudulent call. The plaintiff concluded a payment service contract under special conditions for online banking with the defendant bank and used its online banking system. In the course of a fraudulent call, the plaintiff passed on several TANs by telephone. As a result, two withdrawals were made from the plaintiff's account which, according to the plaintiff's own statement, he had not initiated. The plaintiff contacted the defendant and asked for compensation for the damage.

In the lead sentence, the Regional Court (Landgericht) of Heilbronn states that the so-called pushTAN procedure, in which the display of the TAN and the access to online banking are carried out through two different apps but on the same smartphone, does not meet the requirements for strong customer authentication within the meaning of Art. 4(30) PSD2 implemented into German law as Section 1 (24) ZAG. Instead of using separate communication channels, the authentication was only carried out via one device and therefore there was no authentication consisting of at least two independent elements.

Interestingly, the Regional Court (Landgericht) of Heilbronn also indicates that it has no concerns about the smsTAN procedure, as separate communication channels (computer and mobile phone) are used here. However, the ruling does not specify whether the Regional Court (Landgericht) of Heilbronn thereby also requires that banks do not offer online banking on smartphones (and how this is to be ensured).

The decision of the Regional Court (Landgericht) of Heilbronn was embedded in a problem of presentation and burden of proof and was issued as obiter dictum. The burden of presentation and proof for the authorisation of the payment order lies with the defendant bank according to Section 675w German Civil Code (Bürgerliches Gesetzbuch – "BGB"). However, the bank as payment service provider is in principle entitled to rely on prima facie evidence that, in the normal course of events, payments made were initiated by the payer and not by a third party. This requires, however, that the authorisation procedure offers a very high level of security. Although the question of the burden of proof was not relevant in the case before the Regional Court (Landgericht) of Heilbronn, since the defendant conceded to the plaintiff that the payment orders in question had been initiated not by the plaintiff but by an unknown third party, the Regional Court (Landgericht) of Heilbronn nevertheless commented on the "security" of pushTAN procedures. According to the Regional Court (Landgericht) of Heilbronn, the pushTAN procedure lacks the very high level of security required for prima facie evidence for the reasons listed above.

Statement

The decision of the Regional Court (Landgericht) of Heilbronn is surprising in some respects. First of all, it is surprising that the Regional Court (Landgericht) of Heilbronn comments on strong customer authentication at all. According to the Regional Court (Landgericht) of Heilbronn’s own statement, this question is no longer relevant to the decision due to the concession made by the defendant bank. The discussion of the requirements for secure authentication is correspondingly brief.

The judgement does not deal with the Delegated Regulation. This explicitly allows the use of "multi-purpose devices", i.e., devices that can be used both for issuing the payment order and for the authentication process (such as a tablet or mobile phone). However, it is a prerequisite that the payment service provider provides for security measures to mitigate the risk that may arise from the misuse of a multi-purpose device. This includes, at a minimum, the use of separate secure execution environments by the software installed on the multi-purpose device, mechanisms to ensure that the software or device has not been modified by the payer or a third party, and mechanisms to mitigate the consequences should modifications have occurred. The decision of the Regional Court (Landgericht) of Nuremberg-Fürth dated 29 June 2023 (6 O 5996/22) shows that courts can assess such procedures differently, by dealing specifically with the software environment and the technical implementation of strong customer authentication. The Regional Court Nuremberg-Fürth considers the independence of the elements of the pushTAN procedure to be ensured not only by the encrypted transmission, but also by the complete isolation of the pushTAN app. According to the court, the risk of unauthorised access to the mobile phone as a possession element would not in itself call into question the independence of the knowledge element, namely the access data for online banking.

A discussion of the Delegated Regulation by the Regional Court (Landgericht) of Heilbronn would have been welcome, as it is disputed in German legal literature whether the Delegated Regulation only affects supervisory law or is also relevant for civil law (and thus the liability of the payment service provider, which the Regional Court (Landgericht) of Heilbronn had to decide on).

Furthermore, the lack of security of the pushTAN procedure assumed by the Regional Court (Landgericht) of Heilbronn would not have changed the fact that the plaintiff was defrauded. Rather, the plaintiff would also have passed on the TANs over the phone with other TAN procedures (e.g. with the smsTAN procedure, which the Regional Court (Landgericht) of Heilbronn found to be secure).

Finally, the reference to the supposedly "secure" smsTAN procedure is also surprising. The Federal Office for Information Security (BSI), which was cited by the Regional Court (Landgericht) of Heilbronn for the insecurity of the pushTAN procedure, had already classified the smsTAN procedure as insecure some time ago, as the SMS can be intercepted and diverted.

Consequences of the decision

The ruling is final, and it remains to be seen whether other courts will follow the ruling - and if they do, whether they will deal with the issue in greater depth. For banks, the ruling is a warning shot. The lawsuit at the Regional Court (Landgericht) of Heilbronn was not successful. However, the court did question the admissibility of pushTAN in its current form. Banks should therefore ask themselves whether they can prove the security of the pushTAN procedure in court. After the smsTAN procedure was abolished by some banks only a few years ago, the joy of customers over a new TAN procedure will be limited.

From a supervisory point of view, however, the decision will probably have less impact. The responsible supervisory authority, the Federal Financial Supervisory Authority ("BaFin"), is not bound by this decision. It will also refer to the Delegated Regulation for the supervisory assessment. Notwithstanding this, BaFin had already issued a consumer warning in 2015 against generating the TAN on the same smartphone on which online banking takes place.

Outlook

The pushTAN procedure is widely used in online banking. Payment service providers should now check (again, if necessary) whether their pushTAN procedures have the necessary security. In the case of TAN procedures on multi-purpose devices, however, there is a risk that other courts will follow the Regional Court (Landgericht) of Heilbronn. This could lead to liability risks for payment service providers.


With the kind support of Franziska Breuer, research assistant.
