Confirming transactions via OTP or the application exempts banks from compensating customers

Two bankers confirmed to “Emirates Today” that banks do not bear responsibility for any hacking attacks on the customer’s bank account, and do not compensate him if it is proven that he himself “confirmed” transactions or payments via the bank’s smart application, or entered the password and one-time verification code (OTP), noting that this case is one of the most common cases, as the customer may sometimes neglect and enter his data, or confirm the purchase operations without sufficient attention.

On the other hand, they explained that banks bear responsibility for compensating the customer in specific cases, most notably: the presence of a technical or technical defect in the bank’s systems, the bank’s failure to take sufficient measures to monitor and combat suspicious transactions, or the bank’s delay in responding to the customer’s report regarding the exposure of his account to a hacking.

It is noteworthy that banks operating in the country have recently switched to “confirming” electronic transactions and payments via the smart application, while the one-time verification code “OTP” remains optional. Both options are an additional security method adopted by banks to confirm the user’s identity when performing sensitive operations, such as financial transfers or logging in.

The OTP code is usually sent via text message to the customer’s phone number registered with the bank, emphasizing the need to maintain its complete confidentiality, while the process is requested to “confirm” through the application, by scanning a specific stock through the bank’s smart application window.

In detail, banker Tamer Abu Bakr told Emirates Today: “In accordance with applicable banking legislation and regulations, banks are obligated to provide advanced protection systems to ensure the security of transactions. However, this responsibility is not considered absolute, but rather is matched by a responsibility on the customer to maintain the confidentiality of his data.”

Abu Bakr explained: “The bank bears responsibility in specific cases, including the presence of a technical or security defect in the bank’s systems, or the bank’s failure to take sufficient measures to verify suspicious transactions, as well as the bank’s delay in responding to informing the customer of the existence of a fraudulent transaction.” On the other hand, Abu Bakr stressed that the customer bears responsibility if it is proven that he shared the OTP verification code with anyone, even if he believes he is a bank employee, or if he enters the code on an unreliable website or “link,” or ignores the bank’s repeated warnings not to share this data, indicating that in such cases banks are not obligated to compensate the customer, as long as investigations prove that the error resulted from the customer himself.

He added that the procedure followed in this case includes the customer obtaining an official account statement and submitting it to the police, which in turn handles the matter.

For her part, banking expert Sheikha Al-Ali said, “Banks are constantly keen to educate their customers through text messages and official applications, as they always emphasize a clear statement that says: (Do not share the verification code with anyone),” noting that this warning contributes to strengthening the legal position of banks in the event of fraudulent operations occurring as a result of the customer violating these instructions, which exempts them from the responsibility of compensation in the event of loss of money.

She added, “The competent authorities look into each case separately, taking into account the behavior of the customer and the extent of the bank’s commitment to protection measures,” noting that in many cases, the customer was held to a large part of the responsibility when it was proven that he shared the “OTP” code.

Al-Ali provided a set of advice to customers, most notably not sharing the OTP code under any circumstances, ignoring any calls requesting banking information, and relying only on the official applications of banks, in addition to the necessity of immediately reporting any suspicious transaction.

She stressed that protecting bank accounts from hacking attempts is a shared responsibility between the bank and the customer. While banks must constantly develop their security systems, the customer’s awareness and commitment to safety guidelines remain the first line of defense against electronic fraud.