STJ Reinforces: Failures in Digital Security Mechanisms Generate Civil Liability for Banks and Payment Institutions

03/11/2025 - News

The Third Panel of the Superior Court of Justice (STJ) has ruled that banks and payment institutions must compensate customers who fall victim to social engineering scams when there are failures in security systems or in the detection of atypical operations.

The decision is based on an emblematic case known as the “fake call center scam,” in which criminals, posing as bank attendants, induced a customer to authorize several transactions on a single day, with values and operations totally inconsistent with the customer's usage pattern.

Justice Ricardo Villas Bôas Cueva, rapporteur of the case, emphasized that, pursuant to Article 14 of the Consumer Defense Code and STJ Precedent 479, financial institutions have objective liability for damages caused by fortuito interno — that is, risks inherent to the banking and digital activity itself.

To avoid liability, the institution must demonstrate the absence of a defect in the service or the exclusive fault of the consumer or third parties. In this specific case, the STJ found that the bank’s monitoring systems were not capable of identifying the atypical pattern of the transactions and preventing their completion. As a result, the service was considered defective for failing to offer the level of security the consumer reasonably expects.

It is important to note that the ruling expressly extends this understanding to payment institutions, based on Article 7 of Law 12,865/2013, reinforcing that the duty of security is identical to that of traditional financial institutions.

This standardization is relevant because the digital payments ecosystem, especially with the advance of fintechs, digital wallets, and instant payment methods, operates in an environment of high technological exposure where the line between innovation and vulnerability is tenuous.

The STJ decision:

  • Reinforces the standard of diligence required of institutions that operate electronic transactions, requiring them to adopt robust mechanisms for prevention and incident response.
  • Raises the evidentiary standard in legal proceedings: it is not enough to allege that the scam was committed by a third party; it is necessary to demonstrate the effectiveness of security and monitoring tools.
  • Affects B2B contractual relations, especially when companies use integrated payment platforms or gateways, spreading liability across those relationships and demanding a review of compliance and the risk matrix.

In summary, the STJ makes it clear that the point is not to hold the bank responsible for the scam itself, but to recognize that the absence of adequate technological barriers, such as behavioral analysis, automated blocking, or double verification, is the basis for liability.

The precedent is another step in consolidating a “digital duty of diligence” for financial and payment institutions, the omission of which can generate not only civil liability but also regulatory and reputational repercussions.

In this context, the decision makes it clear that digital security is not an operational cost; it is a legal duty and a strategic asset.

Access the full text of the decision.

 
