Spain – Man in the Middle fraud and EU Regulation 2024/886: a paradigm shift

3 November 2025

  • Spain
  • Banking
  • Financing and securities
  • Litigation

The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion correspond to Spain.

In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time), including, among other ingenious methods used by skilled fraudsters, those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

Man in the Middle scam: how it works

This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

  • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
  • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
  • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.
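The three steps above can be caught on the receiving company's side before any transfer is ordered, because both tell-tale signs (a sender domain that is almost, but not quite, the supplier's, and bank details that differ from what is on file) are mechanically checkable. The following Python is an added example written for this article, not code from the original or from any bank or vendor; the supplier record, the sender addresses and the decision labels are constructed for illustration, and the two IBANs are the widely published Spanish sample numbers.

```python
import re

# Constructed supplier master data: the accounts-payable team's record of which
# sending domain and which IBAN belong to each supplier. A real deployment would
# load this from the ERP; the values here are illustrative only.
SUPPLIERS_ON_FILE = {
    "acme-supplies.es": "ES9121000418450200051332",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_domain(domain: str) -> str:
    """Collapse character pairs that render almost identically in common fonts,
    so that visually confusable domains compare equal after folding."""
    d = domain.lower().strip()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d


def screen_invoice_email(sender: str, claimed_iban: str) -> list[str]:
    """Return the findings for one inbound invoice e-mail; an empty list means clean."""
    findings: list[str] = []
    domain = sender.rsplit("@", 1)[-1].lower().strip()
    iban = re.sub(r"\s+", "", claimed_iban).upper()

    if domain in SUPPLIERS_ON_FILE:
        # Known sender: the only thing left to check is whether the bank details moved.
        if iban != SUPPLIERS_ON_FILE[domain]:
            findings.append(
                f"IBAN_CHANGED: {domain} has {SUPPLIERS_ON_FILE[domain]} on file, invoice says {iban}"
            )
        return findings

    # Unknown sender: compare against every supplier after folding confusable
    # characters, and tolerate up to two edits (a dropped or swapped letter).
    folded = fold_domain(domain)
    for known, known_iban in SUPPLIERS_ON_FILE.items():
        known_folded = fold_domain(known)
        if folded == known_folded or levenshtein(folded, known_folded) <= 2:
            findings.append(f"LOOKALIKE_DOMAIN: {domain} resembles {known}")
            if iban != known_iban:
                findings.append(
                    f"IBAN_CHANGED: {known} has {known_iban} on file, invoice says {iban}"
                )
    if not findings:
        findings.append(f"UNKNOWN_SENDER: {domain} is not a supplier on file")
    return findings


def payment_decision(findings: list[str]) -> str:
    """Release only clean invoices; anything else is held until the supplier
    confirms the bank details over a phone number that was already on file."""
    return "RELEASE" if not findings else "HOLD_AND_CALL_BACK"


if __name__ == "__main__":
    for sender, iban in [
        ("billing@acme-supplies.es", "ES91 2100 0418 4502 0005 1332"),
        ("billing@acrne-supplies.es", "ES79 2100 0813 6101 2345 6789"),
    ]:
        found = screen_invoice_email(sender, iban)
        print(sender, payment_decision(found), found)
```

The call-back rule is the important design choice: a changed IBAN is never confirmed by replying to the e-mail that announced it, since that reply would go straight back to whoever altered the message.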


This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief. When the person ordering the transfer notices the error, their first reaction is to contact the receiving bank in the hope that the funds can still be blocked in time. In most cases, however, the cybercriminal has been quicker: the money has already been moved to another account or withdrawn, leaving little room for maneuver other than initiating legal proceedings, which we discuss below.

The immediate question is what liability attaches to the bank that receives the transfer order from the deceived user and credits the amount to the cyber fraudster’s account, in cases where the payer specifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, a name which obviously does not match that of the holder of the account receiving the funds.

The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

Until October 9, 2025, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, usually referred to in slang as a “mule,” rarely have a satisfactory outcome, both because the bird has usually flown and because of the mule’s lack of solvency.

The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence.”

It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

Regulation (EU) 2024/886: a paradigm shift

And in this scenario fraught with doubts, Regulation (EU) 2024/886 bursts onto the scene, representing a 180-degree turn and a paradigm shift. The new European Regulation, approved in April 2024 and in force since October 9, 2025, establishes a clear obligation for banks: before executing an instant transfer in euros, they must verify that the name of the beneficiary provided by the payer matches the holder of the IBAN.

The new features of this regulation are:

  • mandatory application to all instant transfers within the SEPA area,
  • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
  • increased liability for financial institutions in the event of fraud or error due to lack of verification.

In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

Javier Gaspar

Areas of practice

  • Arbitration
  • Distribution
  • Franchising
  • Litigation
  • Sport
