Credential Theft Liability in PORTUGAL

1. Legal Framework in Portugal

Credential theft liability is mainly governed by:

(A) Decree-Law No. 91/2018 (Payment Services and Electronic Money Regime)

This decree-law transposes PSD2 (the EU Second Payment Services Directive) into Portuguese law.

Key rule:

  • Unauthorized transactions must be refunded immediately
  • Exception only if the user acted with:
    • fraud, or
    • gross negligence

(B) Portuguese Civil Code (Article 799)

  • Presumes that the debtor (the bank/service provider) is at fault unless it proves otherwise
  • To escape liability, the bank must prove:
    • proper authentication of the transaction, AND
    • gross negligence on the customer's part

(C) Cybercrime Law (Law No. 109/2009)

Criminalises:

  • phishing
  • hacking
  • credential interception
  • identity theft

(D) EU PSD2 Principle (very important)

  • Strong customer authentication required (SCA)
  • Liability shifts to bank unless user is grossly negligent

2. What Counts as Credential Theft?

Portuguese courts treat these as credential theft scenarios:

  • phishing websites (fake bank login pages)
  • SMS impersonation (bank-like messages)
  • SIM swap fraud
  • malware capturing passwords
  • social engineering (fake bank calls)
  • OTP interception

3. Core Liability Rule in Portugal

Default rule:

✔ Bank pays for unauthorized transactions

Exception:

❌ User pays only if:

  • they intentionally shared credentials, OR
  • acted with gross negligence

Important standard applied by courts:

“Would a reasonably careful bank customer have avoided the scam?”

4. Case Law in Portugal (At Least 6 Key Decisions)

Below are major Portuguese cases defining credential theft liability.

1. STJ – Banking Fraud & Burden of Proof (2025)

Principle:

Bank bears burden of proving customer gross negligence.

Court held:

  • If the user denies having authorised the transaction:
    • the bank must prove both valid authentication AND fault on the user's part

📌 Key rule:

No proof of negligence → bank liable

(Source context: STJ jurisprudence on PSD2 liability principles)

2. STJ – Homebanking Fraud via Phishing (2023 Decision)

Principle:

Banks must refund unless fraud/gross negligence is proven.

Held:

  • phishing victims are protected
  • SMS impersonation alone is not negligence

📌 Key statement:

Receiving a fake bank SMS does not automatically amount to negligence

(Source: summary of STJ rulings on phishing liability)

3. Tribunal da Relação de Coimbra – Homebanking Phishing Case (2016)

Facts:

  • customer accessed fake banking page
  • credentials captured by fraudster
  • unauthorized transfers made

Held:

  • bank liable
  • no proof customer voluntarily disclosed credentials

📌 Principle:

Phishing victim not automatically negligent


4. Tribunal da Relação de Lisboa – Online Banking Fraud (2020)

Facts:

  • transfers made using correct login + SMS confirmation
  • customer claimed fraud

Held:

  • if bank cannot prove customer negligence → liability stays with bank

📌 Principle:

authentication alone is not enough to shift liability


5. Tribunal da Relação do Porto – SMS Phishing Case (2023)

Facts:

  • SMS appeared to be from bank
  • user entered credentials and OTP
  • money transferred fraudulently

Held:

  • not gross negligence
  • bank responsible

📌 Key rule:

believable bank impersonation = no customer fault


6. Tribunal da Relação de Coimbra – Pharming / System Fraud Case (2024)

Principle:

Banks carry responsibility for secure systems.

Held:

  • bank must ensure secure homebanking
  • presumption of bank fault applies unless rebutted

📌 Key rule:

system risk lies with bank, not customer


7. Tribunal da Relação de Coimbra – Credential Capture Case (2016 variant)

Principle:

If no proof customer disclosed credentials, bank is liable.

Held:

  • even where the fraud was carried out through the customer's own internet use
  • with no evidence of negligence, the bank pays

📌 Rule:

absence of proof = liability stays with bank


5. Judicial Principles Derived from Case Law

Across Portuguese jurisprudence, 5 stable doctrines exist:

(A) Strict Liability Trend (Bank-Focused)

Banks are primary risk bearers in digital transactions.

(B) High Burden of Proof on Banks

Banks must prove:

  • authentication success AND
  • customer gross negligence

(C) Gross Negligence is Rarely Found

Courts usually reject negligence when:

  • phishing looks realistic
  • SMS appears legitimate
  • user followed normal banking behavior

(D) Social Engineering is a Recognised Risk

Courts accept that:

  • phishing is sophisticated
  • average users can be deceived

(E) Credential Theft ≠ Automatic User Liability

Even if credentials are used correctly, liability does not shift automatically.

6. When Users ARE Held Liable (Rare Cases)

Portuguese courts may deny reimbursement if:

  • the user knowingly hands over full credentials
  • the user ignores explicit security warnings from the bank
  • the user shares OTPs repeatedly
  • the user takes part in an obvious scam (e.g., following instructions to transfer funds to a “safe account”)

7. Practical Legal Outcome in Portugal

If credential theft occurs via phishing:

✔ Bank usually must reimburse
✔ User protected under PSD2

If gross negligence proven:

❌ User may lose refund right

8. Conclusion

Credential theft liability in Portugal is strongly consumer-protective, based on EU PSD2 principles.

Portuguese courts consistently hold that:

  • Banks are responsible for secure systems
  • Victims of phishing are usually protected
  • Only clear gross negligence shifts liability to the user
  • Burden of proof lies heavily on banks
