Limitation of liability of users in case of fraudulent use of payment cards and electronic transactions

  • After a long legislative process, the amendments to Law No. 20,009 will soon begin to take effect, which will establish a regime of limitation of liability for holders or users of payment cards and electronic transactions in case of loss, theft, theft or fraud.
  • Among other modifications, (i) the old crime of fraudulent use of credit or debit card, will be replaced by the new crime of fraudulent use of payment cards and electronic transactions, whose commission will have a penalty of minor imprisonment in its medium to maximum degree (541 days to 5 years of imprisonment) and a fine corresponding to three times the amount defrauded; (ii) this new criminal offense, refers to the counterfeiting or theft, among other punishable conduct, of credit cards, payment cards with provision of funds, debit cards or cards “of any other similar system”, as well as electronic transactions (e.g., transfers or money transfers at ATMs), and the use, sale, export, import or distribution of data or the number of means of payment, and the malicious use of cards or keys; and, mainly(ii) a new regime of liability of the user (e.g. a natural person) and the issuer (e.g. a bank) will be established in cases of fraudulent use of means of payment.
  • The old Law No. 20,009 provided that users of credit cards issued by financial institutions or commercial houses could limit their liability under the terms established by that law, in case of theft, theft or loss, giving relevant notice to the issuing body of the card (for example, notice of the user of a cloned credit card to a bank).
  • After the notice of theft, theft or loss given by the user, the issuing body had to block the respective card, and in case the card was used after the notice, the issuing body had the right to prove, if it so decided, that it was the user who used it. The user had no responsibility for the operations carried out after the notice or news delivered to the issuer.
  • There was, then, a regime of limitation of liability for the user against the fraudulent use of his credit card, provided that he gave notice or notification to the card issuer.
  • The problem posed by this regime, relates to the fact that the user had to know the use or threat of fraudulent use of his credit card, in order to notify the issuer of theft, theft or loss, and thus be able to be exempt from responsibility.
  • Consequently, the user was required to know about the theft, theft or loss, in circumstances in which, in many cases, the holder was unaware that his card was being used fraudulently (e.g., the case of credit card cloning), and only learned about it when verifying the charges in his account.
  • The new regulations, which will amend Law No. 20,009, regarding the liability regime, establish different cases of application and a different procedure.
  • Indeed, the liability regime will now not only cover “credit card holders”, but also includes payment card users, which is a broader concept, which includes another class of cards, and is also incorporated into fraud committed in electronic transaction systems.
  • Although with the new regulations the user will maintain the obligation to notify the issuer, as soon as it becomes aware of the existence of unauthorized operations, now the user will not be responsible for fraudulent operations carried out without their authorization, when they have not been able to know the fact.
  • In the same way, in the event that the means of payment are used after the notice of loss, theft, theft or fraud, the issuer will be responsible for such operations and their economic consequences, and the user of the respective means of payment will be released from responsibility for these concepts.
  • Thus, in accordance with the provisions of the new article 3 of the Law, the clauses of the contracts that impose the duty of proof on the user, for operations carried out after the notice of loss, theft, theft or fraud, will not produce any effect and will be considered unwritten.
  • When fraudulent operations have been committed prior to the notice or notification, the user will have the duty to claim from the issuer those operations for which he does not know he has granted his authorization or consent, within 30 working days following the notice, and this claim may include all operations that have been carried out fraudulently, within a period of 120 calendar days prior to the date of the notice made by the user to the issuing body.
  • Once the complaint has been received from the user, the issuer must proceed according to the following rules:

I. If the amount claimed by the user is equal to or less than 35 UF, the issuer must proceed to the cancellation of the charges or the restitution of the funds corresponding to the claimed operations within 5 business days;

II. If the amount claimed by the user is greater than 35 UF, the issuer must proceed to the cancellation of the charges or the restitution of the funds corresponding to the operations claimed, only for a value of 35 UF, within 5 business days, and

III. If the amount claimed by the user is greater than 35 UF, and once the cancellation of the charges or the restitution of the funds corresponding to 35 UF has been made, the issuer will have 7 additional days to (i) cancel or refund the amount greater than that figure, or (ii) in case it collects antecedents that prove the existence of intent or serious fault on the part of the user, to exercise legal action before the local police judge that corresponds to the commune of the user’s domicile.

  • Consequently, it will be the duty of the issuing body to prove that the user was aware of the fraudulent operations or that he acted without due diligence for the handling of the means of payment, for which the mere registration of the operations will not necessarily suffice.
  • It is relevant, finally, to bear in mind that the Law prohibits the issuer from offering users the contracting of insurance whose coverage corresponds to risks or claims that the issuer must assume in accordance with the new regulations.