STJ Recognizes Failure in Security Systems and Reinforces That Financial Institutions Have Objective Responsibility in Social Engineering Frauds.
According to the Migalhas portal, the Superior Court of Justice (STJ) unanimously decided that a bank must pay R$ 143 thousand in compensation to a customer who fell victim to the false call center scam, after recognizing failures in the bank's security and transaction monitoring systems. The decision, made by the 3rd Panel, reinforces the objective responsibility of financial institutions in cases of fraud resulting from social engineering.
The decision creates relevant jurisprudence in the context of banking fraud in Brazil and signals that banks need to improve their mechanisms for detecting atypical transactions, especially when there are movements that completely deviate from the profile of the account holder.
Understand the Case That Led to Compensation
The customer claimed to have been a victim of the false call center scam, in which criminals impersonate attendants from financial institutions to obtain data and authorizations.
According to the case, he suffered unauthorized transfers, loan contracts, and payment of bills totaling R$ 143 thousand in losses.
The account holder used the account merely as a type of savings, with monthly transactions of around R$ 4 thousand.
However, in a single day, 14 atypical transactions were made, totaling amounts far above the standard.
Despite the clear anomaly, the bank’s system did not block the transactions or issue any security alerts.
The first instance recognized the failure in service provision and ordered full restitution. The São Paulo Court of Justice (TJ/SP), however, overturned the decision and exempted the bank.
With the appeal, the case reached the STJ, which restored the conviction and ordered payment of compensation.
The Vote That Changed the Understanding
The rapporteur, Minister Ricardo Villas Bôas Cueva, emphasized that the scam falls under the so-called social engineering crimes, and that, in these cases, blame cannot be assigned to the consumer.
For him, the bank’s failure is evident when transactions outside the standard are validated without prior analysis or preventive blocking.
“The validation of suspicious transactions, unrelated to the account holder’s consumption profile, reveals the existence of a defect in service provision,” Cueva stated in his vote.
The minister also highlighted that technological risk is inherent to modern financial activity and cannot be passed on to the customer.
According to him, institutions must maintain monitoring mechanisms based on technical criteria, such as consumption profile, volume, location, time, and sequence of transactions.
STJ Reinforces Duty of Prevention for Banks
During the trial, the STJ cited data from agencies such as the Federal Senate, Febraban, and Serasa, which show significant growth in digital fraud in Brazil, with annual losses estimated at US$ 500 million.
In light of this scenario, the court emphasized that financial institutions engage in a high-risk activity and, therefore, must continuously invest in cybersecurity and fraud detection.
The rapporteur noted that the current case differs from previous decisions, such as in REsp 1.633.785 (2017), when the STJ dismissed the bank’s responsibility, considering that the transactions were carried out with valid card and password, with no sign of systemic failure.
In this new judgment, however, it was proven that the fraud resulted from psychological manipulation and omission of preventive measures, constituting operational failure and violation of the security duty established in the Consumer Protection Code.
Impacts and Precedents for the Financial Sector
In addition to the main case, the STJ also examined another similar case (REsp 2.229.519), involving the same type of scam, and reaffirmed the understanding that banks and payment institutions are responsible for losses when they fail to detect unusual transactions.
The decision reinforces the thesis that social engineering frauds are part of the risk of banking activity and that the costs of improving systems cannot be transferred to the customer.
Experts assess that the STJ's position establishes a new standard of mandatory security for the sector.
For consumers, the ruling represents a step forward in protection against increasingly sophisticated scams, while for financial institutions, it brings pressure to modernize intelligence and rapid response systems.
With the decision, the STJ makes it clear that digital security is a non-negotiable duty of financial institutions.
The case of the R$ 143 thousand compensation not only restores justice to the injured customer but also establishes a relevant precedent regarding how banks should react in the face of modern frauds.
And you, do you think it’s fair for the bank to bear the loss in these cases? Or do you believe that the customer should also be held accountable for falling for the scam? Leave your opinion in the comments — we want to know what you think about the decision and the future of banking security in Brazil.
