UAE: Are banks obliged to pay customers money stolen through credit card scams?

Question: I recently lost some money in a banking scam. The bank has concluded that I was at fault for losing the money as I entered my credit card details on a website without making sure it was legitimate. In cases like these, would the bank be legally obliged to return the money I lost? Can you explain the legal options available to me?

Answer: In the UAE, it is a crime if anyone hacks e-payment transactions applications or websites. This may lead to imprisonment and/or payment of fines by an individual or group of individuals who have indulged in such a crime. This is in accordance with Article 15 (2) of the Federal Decree Law No. 34 of 2021 on Countering rumours and Cybercrimes related to Hacking E- Payment Instruments, which states, “Whoever forges, clones or copies any credit card, debit card, or any e-payment, or captures its data or information using any of them shall be punished with imprisonment and/or a fine of not less than Dh200,000, or more than Dh2 million.”

The same penalties shall be imposed on whoever:

Stay up to date with the latest news. Follow KT on WhatsApp Channels.

2. Uses without authorisation any credit, electronic, or debit card or any other e-payment instrument, or any of its data or information with the intention of obtaining for himself or for third parties any funds or properties of others, or to utilise the services made available to third parties by these cards or instruments.”

Furthermore, financial institutions in the UAE are obligated to create awareness among their customers and the public related to financial crimes. This is in accordance with Clause 6.2.2.6 of the Consumer Protection Regulation issued by the Central Bank of UAE through its Circular No. 8 of 2020 to all licensed Financial Institutions in the UAE, which states, "Licensed financial institutions must demonstrate they have carried out sufficient consumer awareness activities related to educating consumers of the need to protect themselves from financial crime."

The financial institution in accordance with clause 6.2.2.5 of the Consumer Protection Regulations of Financial Institutions must maintain up-to-date security systems and be prepared to implement new cyber security strategies as needed. This ensures they can effectively protect against evolving threats. “Licensed financial institutions must ensure their security and protection systems are updated and have the capacity to develop and adopt new approaches to cyber security as required.”

In addition, financial institutions may have to compensate their customers in case of any financial loss to the customers due to financial crimes.

However, financial institutions are not liable to pay compensation for financial loss arising out of financial crimes if it is due to gross negligence or fraudulent behaviour of the customers. This is in accordance with Clause 6.2.2.4 of the Consumer Protection Regulations of Financial Institutions, which states, “Licensed financial institutions must compensate consumers in a timely manner for financial losses and expenses resulting from financial crimes, misappropriation, cyber-attacks and misuse of assets and information unless it can be proven that the loss was due to the gross negligence or fraudulent behaviour of the consumers."

Based on the aforementioned provisions of law, the bank may be obligated to compensate you for your financial losses resulting from a cybercrime/scam, provided that the loss was not due to your gross negligence or fraudulent behaviour. If you believe that your actions did not constitute gross negligence, the bank may be liable to return the money you lost.

• Dh6.95 for Dubai viral chocolate? Expat scammed in fake UAE National Day promo