Remote Loan to Account Affected by Voice Phishing, No Bank Responsibility?

[Financial News] The Supreme Court has ruled that a bank is not liable if a remote loan was granted to an account whose identity was stolen through voice phishing, provided that legal procedures were followed. The decision is based on the premise that there were credible reasons during the loan process and that the bank fulfilled its role in identity verification, thus absolving it of responsibility. This ruling is expected to set a precedent for defining the scope of responsibility between victims and financial institutions amid ongoing large-scale hacking incidents involving telecom companies.
According to the legal community on the 15th, the Supreme Court's 2nd Division (Presiding Judge Eom Sang-pil) ruled against the plaintiff in an appeal case filed by Mr. A against Bank B for confirmation of non-existence of debt, upholding the lower court's decision.
The incident occurred in July 2022. Mr. A was deceived by a voice phishing scammer impersonating his daughter, handing over a driver's license photo, account number, and password, and even installing a remote control app on his smartphone. The scammer then issued a joint certificate in Mr. A's name, opened an account with Bank B remotely, and took out a loan of 90 million won.
At the time, Bank B went through procedures such as submitting a driver's license photo, responding to a 1 won transfer verification code from another bank account, mobile phone identity verification, joint certificate authentication, and checking the health insurance qualification confirmation through credit information, to obtain Mr. A's electronic signature.
However, after Mr. A later discovered the loan, he filed a lawsuit claiming that the loan contract signed under identity theft was invalid.
The crux of the Supreme Court's judgment was the 'justifiable reason' under Article 7, Paragraph 2, Item 2 of the Electronic Documents Act. It questioned whether the bank had reasonable grounds to believe that the electronic document was in accordance with Mr. A's intentions.
The first trial ruled in favor of the plaintiff, stating that "the scammer signed the loan contract with B without authority by impersonating Mr. A." The court particularly noted the failure to verify whether the ID was directly photographed, deeming the identity verification process insufficient.
However, the second trial differed. The court determined that "the bank properly implemented the identity verification procedures required for non-face-to-face electronic financial transactions as stipulated by relevant laws." It concluded that the submission of a copy of the real-name verification certificate and the use of existing accounts, which are mandatory for non-face-to-face real-name verification, were fulfilled, and that the recommended actions of 'using joint certificates and mobile phones' and 'verifying multiple customer information' were also carried out, leaving ample room to consider the loan as based on Mr. A's intent.
The Supreme Court reached the same conclusion. Regarding the criteria for determining the adequacy of identity verification, the Supreme Court stated, "It should be comprehensively considered whether it was appropriate according to the technical standards at the time, whether identity verification measures or efforts to prevent damage were made in accordance with the methods prescribed by relevant laws and the characteristics of the transaction, and what the nature of the legal act intended by the statement in the electronic document is."
It further stated, "Bank B had justifiable reasons to believe that the electronic document, the credit loan application confirmation, was sent based on the intention of Mr. A or his agent," and ultimately ruled that the loan contract between Mr. A and Bank B was validly concluded.
Mr. A's side argued that 'submitting a pre-photographed license file is not an appropriate procedure,' but the Supreme Court did not accept this either. The Supreme Court stated, "The purpose of the procedure is to verify the consistency of the recorded information," and "there is no significant difference between submitting a file directly photographed from the original and submitting a pre-photographed file."
The legal community views this ruling as a benchmark for determining the extent of a bank's responsibility for identity verification when executing remote loans.
A Supreme Court official evaluated the ruling as "a judgment that presented criteria for determining 'justifiable reason' under the Electronic Documents Act."
Previously, the Seoul Central District Court recognized the non-existence of debt in a similar voice phishing insurance contract loan case in April 2023, ruling in favor of the plaintiff. However, if the Supreme Court precedent is applied as it is, the appeal result may be overturned.



scottchoi15@fnnews.com Choi Eun-sol Reporter