Spain
Spain – The Man in the Middle scam and Regulation (EU) 2024/886: a paradigm shift
3 November 2025
- Banking
- Litigation
- Securities and financial instruments
The rise of so-called cybercrime in recent years has reached such a scale that it demands forceful legislative and judicial responses. Losses from online fraud in Europe exceed 100 billion dollars according to Nasdaq Ventures, of which 5 billion correspond to Spain.
In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 the figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrime, and it grew by 378% over the 2016-2023 period.
Computer fraud comes in many varieties, all christened in English (after all, the lingua franca of our time), including, among other ingenious methods devised by skilled fraudsters, those known by curious and amusing names (except for those who suffer them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one that concerns us today, man in the middle (MITM).
What is the Man in the Middle attack?
MITM fraud consists of intercepting the communications between two devices connected to a network, allowing the cyber-crook to alter and divert the messages exchanged between the users. The fraudster intercepts a communication in which one user asks another for a payment and then modifies the IBAN of the bank account to which the transfer must be made, with the aim of getting hold of the money. The process generally unfolds as follows:
- Without the company detecting it, an attacker intercepts and manipulates an email, changing the IBAN of the account to which the payment must be made.
- The cybercriminal poses as the supplier, sending the message from an email address almost identical to the original one, but with a slight alteration that is almost imperceptible.
- The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.
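The three steps above leave two traces a payer can check before releasing funds: a sender domain that is close to, but not the same as, the supplier's, and an IBAN that differs from the one on file. The following Python sketch is an added example, not part of the original article; the vendor record, the `.example` domains, the finding labels and the distance threshold are assumptions, and the e-mails and IBANs are constructed sample values.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

@dataclass(frozen=True)
class Vendor:
    name: str
    domain: str  # domain the supplier normally writes from
    iban: str    # IBAN on file, confirmed out of band

# IBAN printed compactly or in groups of four, as on an invoice.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def normalize_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map A-Z to 10-35, mod 97 == 1."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def skeleton(domain: str) -> str:
    """Fold common look-alike substitutions so 'acrne' and 'acme' compare equal."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_payment_email(from_header: str, body: str, vendors, max_distance: int = 2) -> dict:
    """Return the findings for one payment request and the action to take."""
    findings = []
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    vendor = next((v for v in vendors if v.domain == sender_domain), None)
    if vendor is None:
        nearest = min(
            vendors,
            key=lambda v: edit_distance(skeleton(sender_domain), skeleton(v.domain)),
            default=None,
        )
        if nearest is not None and edit_distance(
            skeleton(sender_domain), skeleton(nearest.domain)
        ) <= max_distance:
            vendor = nearest
            findings.append("LOOKALIKE_SENDER_DOMAIN")
        else:
            findings.append("UNKNOWN_SENDER_DOMAIN")
    for raw in IBAN_RE.findall(body):
        iban = normalize_iban(raw)
        if not iban_checksum_ok(iban):
            findings.append("IBAN_CHECKSUM_INVALID")
        elif vendor is not None and iban != normalize_iban(vendor.iban):
            # Also fires for the genuine domain: an intercepted thread keeps the real sender.
            findings.append("IBAN_DIFFERS_FROM_RECORD")
    return {
        "vendor": vendor.name if vendor else None,
        "findings": findings,
        "action": "HOLD_AND_CALL_BACK" if findings else "PROCEED",
    }

# Constructed sample data (hypothetical supplier, sample IBANs).
VENDORS = [Vendor("Acme Supplies", "acme-supplies.example", "ES91 2100 0418 4502 0005 1332")]
GENUINE_FROM = '"Acme Supplies Billing" <billing@acme-supplies.example>'
SPOOFED_FROM = '"Acme Supplies Billing" <billing@acrne-supplies.example>'
USUAL_BODY = "Please pay invoice 2025-116 to our usual account:\nES91 2100 0418 4502 0005 1332\nRegards"
CHANGED_BODY = "Our bank details have changed. Please pay invoice 2025-117 to:\nDE89 3704 0044 0532 0130 00\nRegards"

if __name__ == "__main__":
    for sender, body in ((GENUINE_FROM, USUAL_BODY), (SPOOFED_FROM, CHANGED_BODY), (GENUINE_FROM, CHANGED_BODY)):
        print(screen_payment_email(sender, body, VENDORS))
```

A held request is cleared only by calling the supplier back on a number taken from the existing record, never from the message itself.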
In this way, assets are shifted to the detriment of the payer ordering the transfer and in favour of the cyber-thief, so that when the payer notices the error, the first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. In most cases, however, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for manoeuvre other than bringing the legal proceedings referred to below.
The immediate question is what liability falls on the bank that has received the transfer order from the deceived user and credits the amount in question to the cyber-fraudster's account, in those cases in which the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the holder of the bank account receiving the funds.
The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to be credited and the natural person or entity identified as beneficiary in the transfer order are the same; and if they are not, it should suspend the credit and ask the payer for clarification. But that is not the case under EU legislation and its transposition into Spanish law, as we shall see below.
Until 9 October, the European banking system operated on the premise that the validity of a transfer rests exclusively on the correctness of the IBAN. In other words, if the account number is correct, the transaction is considered valid even if the name of the beneficiary does not match. This practice has given rise to numerous cases of fraud, inadvertent errors and loss of funds, especially in the field of instant transfers, where speed can work against security.
The most reasonable option for the defrauded payer seeking to recover the money is to bring a civil claim against the bank receiving the credit order (with which the payer has no contractual relationship) for non-contractual liability under art. 1124 of the Civil Code; indeed, criminal proceedings against the account holder, who is usually what is known in the jargon as a “mule”, rarely succeed, both because the bird has normally flown and because of the holder's lack of solvency.
The case law of the Provincial Courts (Audiencias Provinciales) has been divided between rulings that applied Article 59 of Royal Decree-Law 19/2018 of 23 November, on payment services and other urgent financial measures, rigorously and faithfully, dismissing the claims of defrauded payers, and others that sought arguments, on the premise of a lack of diligence, to order the bank to compensate the payer.
This has shaped a quasi-strict liability of banking institutions in matters of digital fraud, imposing on them a heightened standard of diligence and shifting to them the risk inherent in online banking, except in cases of wilful misconduct or gross negligence by the customer. This line, which runs from the lower-court case law (AAP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) up to the Supreme Court itself (STS 571/2025, among others), is aligned with the idea that it is for the bank to prove that its systems were secure, up to date and sufficient to prevent the offence from being completed.
Within this framework, the concept of bonus argentarius takes on renewed relevance. This is a principle that Law 57/68 adopted to protect home buyers in the real estate sector, but which the Supreme Court has held on several occasions can also be applied to other financial investments. As far as MITM is concerned, it means that, in the event of losses caused by the negligence of the financial institution, the customer can bring a claim under Law 57/68 and seek to hold the bank liable.
Bonus argentarius rests on a presumption of fault on the part of the financial institution, which means that, even if the customer has no concrete evidence of negligence, it is taken for granted because of the duty of care the institution owes in managing investments.
On the basis of that principle, the diligence required of the financial professional is not that of the average trader or of the pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to it by implementing “necessary and renewable” security mechanisms. This entails not only maintaining basic technical measures of strong authentication, but also proactively adopting internationally recognised anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.
In line with that doctrine and case law, the omission of beneficiary verification measures would constitute a breach of the contractual duty of diligence and of good faith (arts. 1104 and 1258 CC), giving rise to civil liability for the damage caused, so that MITM fraud cannot be regarded as a residual risk attributable to the customer, but as a systemic security failure attributable to the financial institution, as designer and custodian of the electronic payments channel.
But with matters in this state, the Supreme Court, in its recent judgment of 27 March 2025, opted for the strict application of Article 59, arguing that “if the payment service user provides information additional to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall be liable only for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that, as regards the liability of the payment service provider, at both Community and national level, it follows that the provider fulfils its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of required diligence”.
Admittedly, in closing, the Supreme Court left a chink of hope open for defrauded users when it stated that “the interpretation set out does not exempt the payment service provider from liability where circumstances are found, unrelated to the provision of additional data, that may have influenced the defective execution of the transaction, whether because some added requirement or condition had been expressly stipulated between the user and the provider (e.g. the identification of the beneficiary), or because the payment service provider of the payer or of the beneficiary had taken advantage of the error for its own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not adopted the measures required by the diligence of an expert trader to allow the transaction to be reversed or, where appropriate, to minimise the damage.”
And into this scenario riddled with doubt bursts Regulation (EU) 2024/886, which represents a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and entering into force on 9 October 2025, establishes a clear obligation for banking institutions: they must verify that the name of the beneficiary provided by the payer matches the holder of the IBAN before executing an instant transfer in euros.
The new features of this Regulation are (i) mandatory application to all instant transfers within the SEPA area, (ii) the new name-matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and (iii) reinforced liability for financial institutions in the event of fraud or error due to lack of verification.
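The name-matching step described in point (ii) can be sketched as follows. This is an added example, not part of the original article and not any bank's implementation: the outcome labels, the similarity threshold, the list of legal-form suffixes and the account directory are assumptions, and the names and IBANs are constructed sample values.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumptions of this example: suffixes ignored when comparing, and the similarity cut-off.
LEGAL_FORMS = {"SL", "SLU", "SA", "SAU", "GMBH", "AG", "LTD", "LLC", "INC", "SRL", "SPA", "BV"}
CLOSE_THRESHOLD = 0.85

def normalize_name(name: str) -> str:
    """Strip accents, case, punctuation, legal-form suffixes and word order."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).upper()
    s = s.replace(".", "")  # "S.L." becomes "SL"
    tokens = re.sub(r"[^A-Z0-9]+", " ", s).split()
    return " ".join(sorted(t for t in tokens if t not in LEGAL_FORMS))

def compare_names(given: str, holder: str) -> str:
    """Compare the name typed by the payer with the account holder's name."""
    a, b = normalize_name(given), normalize_name(holder)
    if not a or not b:
        return "NO_MATCH"
    if a == b:
        return "MATCH"
    if SequenceMatcher(None, a, b).ratio() >= CLOSE_THRESHOLD:
        return "CLOSE_MATCH"
    return "NO_MATCH"

def verify_payee(payee_name: str, iban: str, accounts: dict) -> dict:
    """Run the check before execution; anything other than MATCH is shown to the payer."""
    holder = accounts.get("".join(iban.split()).upper())
    if holder is None:
        return {"result": "NOT_POSSIBLE", "warn_payer": True}
    result = compare_names(payee_name, holder)
    return {"result": result, "warn_payer": result != "MATCH"}

# Constructed directory: IBAN -> account holder as known to the beneficiary's bank.
ACCOUNTS = {
    "ES9121000418450200051332": "Construcciones Ibérica, S.L.",  # the genuine supplier
    "DE89370400440532013000": "Juan Pérez García",               # account swapped in by the fraudster
}

if __name__ == "__main__":
    # The payer still types the supplier's name, but the IBAN came from the altered e-mail.
    print(verify_payee("Construcciones Iberica SL", "DE89 3704 0044 0532 0130 00", ACCOUNTS))
    print(verify_payee("Construciones Iberica", "ES91 2100 0418 4502 0005 1332", ACCOUNTS))
```

In the MITM scenario the payer keeps the supplier's name and only the IBAN is replaced, so the first call returns a mismatch and the warning reaches the payer before the funds leave.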
In short, the aim is to reduce the risk of fraud, protect the consumer and increase confidence in digital payments.
As a result, Law 19/2018, which regulates payment services in Spain and does not provide for an obligation to verify the identity of the beneficiary, is now out of date, which raises the need for a legislative review at national level to bring the legal framework into line with the European requirements.
In conclusion, the obligation to verify the beneficiary in transfers represents a significant step forward in consumer protection and in the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to guarantee the authenticity of transfers.
In any case, the question remains open as to the solution for MITM frauds carried out before 9 October 2025 and the liability of the bank; for the time being, the Supreme Court judgment of 27 March cited above closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead the Supreme Court to reconsider its position along the lines of the quasi-strict liability that the lower-court case law has been upholding. We will have to wait and see, but such a change would be a great success for bank users who suffer this MITM fraud and all the others among the many varieties of cyber-scams.
Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called «CEO Fraud.» This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.
Background and dynamics of the CEO Fraud
CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.
Fraudsters adopt various communication tools to make their fraud attempts credible: the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, WhatsApp or social media accounts) or other people within the administrative office with operational powers over bank accounts.
Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.
Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.
Contacts are typically made as follows:
- WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
- Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
- Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.
This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that, at first glance, appears to come from the CEO and not the scammer.
We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.
In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.
The (fake) takeover of a competitor company in Europe
Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.
Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.
A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.
The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.
Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.
The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.
The main features of CEO fraud
- Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
- Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
- Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.
How to prevent these scams
CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.
The main clues are the atypical modes of contact (WhatsApp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.
To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.
- First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
- Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
- Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.
Legal actions to recover funds
After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.
Possible Legal Actions
Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.
In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.
Criminal investigations in the country of payment destination also make it possible to identify the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.
After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.
Conclusions
CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.
Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.
Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.
Summary
The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.
When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.
The goal of this article is to list the top five most relevant novelties.
#5 – Reorganization plan presented by creditors
Before: prior to the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).
Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.
#4 – Mediation focusing on the turnaround
Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.
The most important novelty is the anticipated mediation, whose goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.
#3 – Distressed assets operations
The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.
Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.
#2 – Debtor-in-Possession (DIP) Financing
The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.
The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.
The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.
As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).
#1 – Cross-Border Insolvency
Brazilian law finally incorporated the UNCITRAL Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.
We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.
There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.
These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.
On 6 January 2022 Ukraine finally cancelled an almost two-year-long moratorium on creditor-triggered insolvencies. The moratorium was imposed in late spring 2020 as part of the nation’s response to the first wave of the COVID pandemic.
In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of companies in distress to file for insolvency within one month from the moment when the distress appeared.
The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.
As 2021 statistics later showed, the moratorium never seemed to reach the goal proclaimed by its authors and produced no increase in insolvency relief requests by debtor companies.
Instead, the country has been facing a steady increase in “zombie” companies having little to no liquidation value, with their owners clearly intending to get away with no creditor repayment.
With the moratorium lifted, creditors are expected to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trading or fraudulent action. Even with the moratorium in place, in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors’ losses to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022, and there have already been 2021 Supreme Court judgments confirming the liability of the real owners standing behind an opaque shareholder company and nominal directors.
As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners/management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get thorough legal advice on either side, and much better to do that before the actual claim has been brought.
Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.
Stability
The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.
The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.
The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.
Banking Secret and Automatic exchange of Information
The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For a long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.
Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.
Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA), which requires foreign banks to report American accountholders to the US tax authority. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanese banks have agreed to comply.
Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.
Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.
The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool in the fight against tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.
According to the AEOI, starting from September 2018 the Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.
The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.
Corporate Governance
As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.
It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006, when the Governor of the Lebanese Central Bank enacted Basic Decision No. 9382 in order to comply with the banking rules instituted by the Basel Committee.
Account freedom and flexibility
Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5 percent.
The author of this post is Claudia Caluori.
From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.
The Regulation provides for a procedure to seize the bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in the United Kingdom or Denmark) without the debtor being notified. The debtor will only find out once the seizure is in force.
Such a cross-border seizure can be obtained before the Courts of an EU Member State which would have jurisdiction on the merits of the case under the EU Regulation 1215/2012 (Brussels I bis).
The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.
To grant the request, the Court will have to examine (1) whether there is urgency (periculum in mora) and (2) whether, on the basis of the evidence provided, there is enough reason to assume that the Court will also decide in favor of the creditor in the proceedings on the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await autonomous interpretation by the European Court of Justice.
The new EU Regulation 655/2014 was not, however, created to bully an unwilling debtor by filing preservation order after preservation order. The Regulation provides two mechanisms to avoid such practices:
- According to art. 12, the creditor can be required to provide security when he has not yet obtained a judgment in his favor;
- The creditor will also be given a fixed period within which he has to bring proceedings on the merits of the case.
The new European Regulation 655/2014 also provides a mechanism by which a creditor can request information about his debtor’s bank account(s) in a certain Member State.
This is not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, indicating the name of the bank would already be sufficient).
Art. 14 of the Regulation now provides for what one could call a bank account disclosure mechanism:
“Request for the obtaining of account information
Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.
In a few Member States (including Belgium), such a disclosure mechanism is completely new. The Regulation leaves it up to the Member States how they will organize this new disclosure, giving a few examples:
“Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:
(a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;
(b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;
(c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or
(d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.”
Does this mean any creditor can just run to the Court and ask for information?
No, some conditions apply:
- the creditor needs to be in possession of an enforceable judgment;
- there need to be reasons to believe the debtor holds bank accounts in this Member State.
Conclusion: it will be interesting to see how the Member States will apply this new mechanism. Whether it will be effective will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’. This will probably be the key to whether the mechanism ends Pyrrhic decisions, where a creditor is awarded his claim but cannot find assets to seize.
The author of this post is David Diris.
Digital fraud: the fake CEO of the international group
24 April 2024
- Italy
- Banking
The rise in so-called cybercrime in recent years has reached a scale that demands forceful legislative and judicial responses. Losses from online fraud in Europe exceed 100 billion dollars according to Nasdaq Ventures, of which 5 billion correspond to Spain.
In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 the figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrime, and it grew by 378% over the period 2016-2023.
Computer fraud comes in many varieties, all christened in English (the lingua franca of our time, after all), including, among other ingenious methods devised by skilful fraudsters, those known by curious and amusing names (except for those who suffer them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding and the one that concerns us today, man in the middle (MITM).
What is the Man in the Middle attack?
MITM fraud consists of intercepting communications between two devices connected to a network, allowing the cyber crook to alter and divert the messages exchanged between the users. The fraudster intercepts a communication in which one user asks another for a payment and then modifies the IBAN of the bank account to which the transfer is to be made, with the aim of getting hold of the money. The process generally unfolds as follows:
- Without the company detecting it, an attacker intercepts and manipulates an email, changing the IBAN of the account to which the payment is to be made.
- The cybercriminal poses as the supplier, sending the message from an email address almost identical to the original, but with a slight alteration that is almost imperceptible.
- The receiving company, trusting that the message is authentic, makes the transfer to the fraudulent account.
In this way, assets are shifted to the detriment of the payer ordering the transfer and in favour of the cyber thief, so that when the payer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. In most cases, however, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for manoeuvre other than bringing the legal proceedings discussed below.
The immediate question is what liability falls on the bank that has received the transfer order from the deceived user and credits the amount in question to the cyber fraudster's account, in those cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the holder of the bank account receiving the funds.
The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to be credited and the natural person or entity identified as beneficiary in the transfer order are the same; and if they are not, it should suspend the credit and ask the payer for clarification. But that is not the case under EU legislation and its transposition into Spanish law, as we shall see below.
Until 9 October last, the European banking system operated on the premise that the validity of a transfer rests exclusively on the correctness of the IBAN. That is, if the account number is correct, the transaction is considered valid, even if the beneficiary's name does not match. This practice has given rise to numerous cases of fraud, inadvertent errors and lost funds, especially in instant transfers, where speed can work against security.
The most reasonable option for a defrauded payer seeking to recover the money is to bring a civil claim against the bank that received the credit order (with which the payer has no contractual relationship) for non-contractual liability under art. 1124 of the Civil Code; indeed, criminal proceedings against the account holder, who is usually what is known in the jargon as a “mule”, rarely succeed, both because the bird has normally flown and because of the holder's lack of solvency.
The case law of the Provincial Courts (Audiencias Provinciales) has been divided between rulings that applied article 59 of Royal Decree-Law 19/2018 of 23 November on payment services and other urgent financial measures rigorously and faithfully, dismissing the claims of those defrauded, and others that sought arguments based on a lack of diligence in order to order the bank to compensate the payer.
This has shaped a quasi-strict liability of banks in matters of digital fraud, imposing on them a heightened standard of diligence and shifting to them the risk inherent in online banking, except in cases of wilful misconduct or gross negligence by the customer. This line, which runs from the lower-court case law (AAP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) up to the Supreme Court itself (STS 571/2025, among others), is in keeping with the idea that it is for the bank to prove that its systems were secure, up to date and sufficient to prevent the offence from being completed.
Within this framework, the concept of bonus argentarius takes on renewed relevance. This is a principle enshrined in Law 57/68 to protect home buyers in the real estate sector, but which the Supreme Court has held on several occasions can also be applied to other financial investments. As far as MITM is concerned, it means that, in the event of losses caused by the financial institution's negligence, the customer may bring a claim under Law 57/68 and hold the bank liable.
Bonus argentarius rests on a presumption of fault on the part of the financial institution, which means that, even if the customer has no specific evidence of negligence, negligence is taken for granted because of the duty of care the institution owes in managing investments.
On the basis of that principle, the diligence required of a financial professional is not that of the average trader nor that of the pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to it by putting in place “necessary and renewable” security mechanisms. This entails not only maintaining basic technical measures of strong authentication, but also proactively adopting internationally recognised anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.
In line with that doctrine and case law, failing to implement beneficiary verification measures would constitute a breach of the contractual duty of diligence and of good faith (arts. 1104 and 1258 CC), giving rise to civil liability for the damage caused, so that MITM fraud cannot be regarded as a residual risk attributable to the customer, but as a systemic security failure attributable to the financial institution as designer and custodian of the electronic payments channel.
But against this background, the Supreme Court, in its recent judgment of 27 March 2025, opted for the strict application of article 59, arguing that “if the payment service user provides information additional to that required (specification of the information or of the unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall be liable only for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that, as regards the liability of the payment service provider, at both Community and national level, it follows that it fulfils its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying any greater required diligence”.
Admittedly, in closing, the Supreme Court left a chink of hope open for defrauded users when it stated that “the interpretation set out does not exempt the payment service provider from liability where circumstances are found, unrelated to the supply of additional data, that could have influenced the defective execution of the transaction, whether because some added requirement or condition was expressly stipulated between the user and the provider (e.g. identification of the beneficiary), because the payment service provider of the payer or of the beneficiary took advantage of the error for its own benefit, or because, once the existence of the error had been notified without delay, one or the other failed to adopt the measures that the diligence of an expert trader required in order to allow the transaction to be reversed or, where appropriate, to minimise the damage.”
And into this scenario riddled with doubts bursts Regulation (EU) 2024/886, which represents a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and with entry into force on 9 October 2025, lays down a clear obligation for banks: they must verify that the beneficiary name provided by the payer matches the holder of the IBAN before executing an instant transfer in euros.
The new features of this Regulation are (i) mandatory application to all instant transfers within the SEPA area, (ii) the new name-matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and (iii) heightened liability for financial institutions in the event of fraud or error resulting from a failure to verify.
In short, the aim is to reduce the risk of fraud, protect consumers and increase confidence in digital payments.
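The name-to-IBAN check described above, sketched as an added example (it is not code from the article, from Regulation 2024/886 or from any bank): the result labels, the 0.85 similarity threshold, the list of legal-form suffixes and the account records are assumptions made for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Legal-form tokens ignored when comparing names (assumed, non-exhaustive).
LEGAL_FORMS = {"sl", "slu", "sa", "srl", "spa", "lda", "gmbh", "ag", "bv",
               "nv", "sarl", "sas", "ltd", "llc", "inc"}
CLOSE_MATCH_THRESHOLD = 0.85  # assumed cut-off for "nearly the same name"


def compact_iban(iban):
    """Remove spaces and upper-case the IBAN."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban):
    """ISO 13616 check: move the first four characters to the end,
    map letters to 10..35 and require the number mod 97 to equal 1."""
    value = compact_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", value):
        return False
    rearranged = value[4:] + value[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def normalize_name(name):
    """Fold case and accents, drop punctuation and legal-form suffixes."""
    decomposed = unicodedata.normalize("NFKD", name)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]", " ", unaccented.casefold().replace(".", ""))
    return " ".join(t for t in cleaned.split() if t not in LEGAL_FORMS)


def verify_payee(iban, supplied_name, account_holders):
    """Compare the beneficiary name given by the payer with the holder
    that the receiving bank has on record for that IBAN."""
    if not iban_is_valid(iban):
        return "INVALID_IBAN"
    holder = account_holders.get(compact_iban(iban))
    if holder is None:
        return "NOT_POSSIBLE"          # no record to compare against
    supplied, on_record = normalize_name(supplied_name), normalize_name(holder)
    if not supplied or not on_record:
        return "NO_MATCH"
    if sorted(supplied.split()) == sorted(on_record.split()):
        return "MATCH"                 # same words, any order
    ratio = SequenceMatcher(None, supplied, on_record).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_MATCH_THRESHOLD else "NO_MATCH"


def payment_gate(result):
    """Only a clean match is executed without first alerting the payer."""
    if result == "INVALID_IBAN":
        return "reject"
    return "execute" if result == "MATCH" else "alert_payer_before_execution"


# Constructed records standing in for the receiving bank's account data.
ACCOUNT_HOLDERS = {
    "ES9121000418450200051332": "Suministros Ibéricos, S.L.",  # real supplier
    "DE89370400440532013000": "Max Mustermann",                # swapped-in account
}

if __name__ == "__main__":
    # Constructed payment orders: the genuine invoice, a typo in the name,
    # and the tampered invoice whose IBAN was replaced in transit.
    orders = [
        ("ES91 2100 0418 4502 0005 1332", "SUMINISTROS IBERICOS SL"),
        ("ES91 2100 0418 4502 0005 1332", "Suministros Iberico S.L."),
        ("DE89 3704 0044 0532 0130 00", "Suministros Ibéricos, S.L."),
    ]
    for iban, name in orders:
        result = verify_payee(iban, name, ACCOUNT_HOLDERS)
        print(f"{iban}  {name!r}: {result} -> {payment_gate(result)}")
```

Under the IBAN-only rule the third order would be executed, because the IBAN itself is well formed; the name comparison is what surfaces the substitution.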
As a result, Law 19/2018, which regulates payment services in Spain and does not provide for an obligation to verify the identity of the beneficiary, is now out of date, which calls for a legislative review at national level to bring the legal framework into line with European requirements.
In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and in the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to guarantee the authenticity of transfers.
What remains open in any event is the question of how MITM frauds carried out before 9 October 2025 are to be resolved and what liability the bank bears; for the time being, the Supreme Court judgment of 27 March cited above closes the door on claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead the Supreme Court to reconsider its position along the lines of the quasi-strict liability that the lower-court case law has been upholding. We shall have to wait and see, but such a change would be a great success for banking users who suffer this MITM fraud and all the others among the many varieties of cyber scams.
Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called «CEO Fraud.» This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.
Background and dynamics of the CEO Fraud
CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.
Fraudsters adopt various communication tools to make their fraud attempts credible: the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, WhatsApp or social media accounts) or other people within the administrative office with operational powers over bank accounts.
Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.
Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.
Contacts are typically made as follows:
- WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
- Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
- Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.
This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that, at first glance, appears to come from the CEO and not the scammer.
We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.
In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.
The (fake) takeover of a competitor company in Europe
Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.
Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.
A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.
The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.
Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.
The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.
The main features of CEO fraud
- Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
- Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
- Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.
How to prevent these scams
CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.
The main clues are the atypical modes of contact (WhatsApp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.
To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.
- First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
- Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
- Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.
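The clues and the first precaution above (flagging mail that originates outside the corporate organization) can be checked mechanically before a payment request reaches the finance office. The following is an added example, not part of the original article: every domain, name, message and finding label is constructed, and the edit-distance limit of 2 and the keyword lists are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Every domain, name and message below is constructed for this example.
CORPORATE_DOMAIN = "example-group.com"
TRUSTED_DOMAINS = {CORPORATE_DOMAIN, "supplier-iberica.example"}
EXECUTIVE_NAMES = {"maria lopez"}        # display names of top management
HOME_IBAN_COUNTRIES = {"IT"}             # where this subsidiary normally pays
URGENCY_TERMS = ("urgent", "today", "immediately")
SECRECY_TERMS = ("confidential", "do not discuss", "secret")
IBAN_RE = re.compile(r"\b([A-Z]{2})\d{2} ?(?:[A-Z0-9]{4} ?){2,7}[A-Z0-9]{0,3}\b")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain changes."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                # deletion
                               current[j - 1] + 1,             # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def domain_of(header_value):
    """Domain part of the address in a From or Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess(raw_message):
    """Return the list of warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    sender_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    body = msg.get_payload()
    text = body.lower()

    findings = []
    if sender_domain != CORPORATE_DOMAIN:
        findings.append("external-sender")
    if any(0 < edit_distance(sender_domain, t) <= 2 for t in TRUSTED_DOMAINS):
        findings.append("lookalike-domain")
    if display_name in EXECUTIVE_NAMES and sender_domain != CORPORATE_DOMAIN:
        findings.append("executive-name-on-external-address")
    if reply_domain and reply_domain != sender_domain:
        findings.append("reply-to-mismatch")
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in SECRECY_TERMS):
        findings.append("urgency-plus-secrecy")
    if any(m.group(1) not in HOME_IBAN_COUNTRIES for m in IBAN_RE.finditer(body)):
        findings.append("foreign-iban")
    return findings


# Constructed sample: a payment request imitating the group's CEO.
FAKE_CEO_MESSAGE = (
    'From: "Maria Lopez" <maria.lopez@examp1e-group.com>\n'
    "Reply-To: avv.rossi@legal-advisors.example\n"
    "Subject: Acquisition - strictly confidential\n"
    "\n"
    "This is confidential, do not discuss it with anyone. I need an urgent\n"
    "transfer today to IBAN PT50 0002 0123 1234 5678 9015 4.\n"
)

# Constructed sample: ordinary internal mail from the real address.
INTERNAL_MESSAGE = (
    'From: "Maria Lopez" <maria.lopez@example-group.com>\n'
    "Subject: Board meeting\n"
    "\n"
    "The quarterly figures are attached for Thursday's board meeting.\n"
)

if __name__ == "__main__":
    for label, raw in (("fake CEO", FAKE_CEO_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        print(label, assess(raw))
```

A message that collects several findings is a candidate for the out-of-band confirmation described in the last precaution, not for automatic rejection.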
Legal actions to recover funds.
After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.
Possible Legal Actions
Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.
In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.
Criminal investigations in the country of payment destination also make it possible to identify the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.
After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.
Conclusions
CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.
Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.
Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.
Summary
The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.
When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.
The goal of this article is to list the top five most relevant novelties.
#5 – Reorganization plan presented by creditors
Before: prior to the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).
Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.
#4 – Mediation focusing on the turnaround
Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.
The most important novelty is the anticipated mediation, whose goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may ask the judge for an order to stay enforcement measures.
#3 – Distressed assets operations
The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.
Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.
#2 – Debtor-in-Possession (DIP) Financing
The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.
The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.
The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.
As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).
#1 – Cross-Border Insolvency
Brazilian law finally incorporated the UNCITRAL Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.
We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.
There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.
These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.
On 6 January 2022 Ukraine finally cancelled an almost two-year-long moratorium on creditor-triggered insolvencies. The moratorium was imposed in late spring 2020 as part of the nation’s response to the first wave of the COVID pandemic.
In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of companies in distress to file for insolvency within one month from the moment the distress appeared.
The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.
As the 2021 statistics later showed, the moratorium never seemed to reach the goal proclaimed by its authors and brought no increase in insolvency relief requests by debtor companies.
Instead, the country has been facing a steady increase in “zombie” companies having little to no liquidation value – and their owners clearly intending to get away with no creditor repayment.
With the moratorium lifted, creditors are expected to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trading or fraudulent action. Even with the moratorium in place, in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors’ losses to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022 – and there were already 2021 Supreme Court judgements confirming the liability of the real owners standing behind opaque shareholder companies and nominal directors.
As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owner and management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get thorough legal advice on either side – and much better to do that before the actual claim has been brought.
Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.
Stability
The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.
The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.
The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.
Banking Secrecy and Automatic Exchange of Information
The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For a long time this law has increased confidence in Lebanese banking, together with the amount of foreign capital coming into the country.
Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.
Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA), which requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanese banks have agreed to comply.
Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.
Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.
The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to counter tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.
According to the AEOI, starting from September 2018 the Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.
The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.
Corporate Governance
As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.
It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006, when the Governor of the Lebanese Central Bank enacted Basic Decision No. 9382 in order to comply with the banking rules instituted by the Basel Committee.
Account freedom and flexibility
Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5 percent.
The author of this post is Claudia Caluori.
From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.
The Regulation provides for a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in the United Kingdom or Denmark) without the debtor being notified. The debtor will only find out once the seizure is in force.
Such a cross-border seizure can be obtained before the courts of the EU Member State that would have jurisdiction on the merits of the case under EU Regulation 1215/2012 (Brussels I bis).
The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.
To grant the request, the Court will have to examine 1) whether there is urgency (periculum in mora) and 2) whether, on the basis of the evidence provided, there is enough reason to assume the Court will also decide in favor of the creditor in the proceedings on the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await autonomous interpretation by the European Court of Justice.
The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:
- According to art. 12, the creditor can be required to provide security when he has not yet obtained any judgment in his favor;
- The creditor will also be given a fixed period within which he has to initiate proceedings on the merits of the case.
The new European Regulation 655/2014 also provides for a mechanism whereby a creditor can request information about his debtor’s bank account(s) in a certain Member State.
This is not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, indicating the name of the bank would already be sufficient).
Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:
“Request for the obtaining of account information
Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.
In a few Member States (including Belgium), such a disclosure mechanism is completely new. The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:
“Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:
(a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;
(b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;
(c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or
(d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.”
Does this mean any creditor can just run to the Court and ask information?
No, some conditions apply:
- the creditor needs to be in possession of an enforceable judgment;
- there need to be reasons to believe the debtor holds bank accounts in this Member State.
Conclusion: it will be interesting to see how the Member States will apply this new mechanism. Whether it will be effective will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’. This will probably be the key to whether this will end Pyrrhic decisions, where a creditor is awarded his claim but cannot find assets to seize.
The author of this post is David Diris.
Brazil – Reforms in Insolvency and Turnaround
4 December 2022
-
Brazil
- Banking
- Insolvency Law
The rise of so-called cybercrime in recent years has reached such a scale that it demands forceful legislative and judicial responses. Losses from online fraud in Europe exceed 100 billion dollars according to Nasdaq Ventures, of which 5 billion correspond to Spain.
In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 the figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrime, and it grew by 378% over the period 2016-2023.
Computer fraud comes in many varieties, all christened in English (the lingua franca of our time, after all). Among other ingenious methods devised by skilled fraudsters, they include those known by curious and amusing names (except for those who suffer them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding and the one that concerns us today, man in the middle (MITM).
What is a Man in the Middle attack?
MITM fraud consists of intercepting communications between two devices connected to a network, allowing the cyber crook to alter and divert the messages exchanged between the users. The fraudster intercepts a communication in which one user asks another for a payment and then modifies the IBAN of the bank account to which the transfer is to be made, with the aim of getting hold of the money. The process generally unfolds as follows:
- Without the company detecting it, an attacker intercepts and manipulates an email, changing the IBAN of the account to which the payment is to be made.
- The cybercriminal poses as the supplier, sending the message from an email address almost identical to the original, but with a slight alteration that is almost imperceptible.
- The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.
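The three steps above leave two traces a payer can check before releasing funds: a sender domain that is close to, but not the same as, the supplier's, and an IBAN that differs from the one on file. The following is an added example, not part of the original article; the vendor record, domains and flag names are constructed for illustration, and the IBANs are the published sample IBANs for Spain and Germany.

```python
import re
from email.utils import parseaddr

# Constructed vendor master record: details captured at onboarding through a
# channel other than e-mail. All names and values here are hypothetical.
VENDOR = {
    "name": "Acme Supplies SL",
    "domain": "acme-supplies.example",
    "iban": "ES9121000418450200051332",
}

IBAN_SHAPE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


def normalize_iban(raw):
    """Strip whitespace and upper-case so printed and electronic forms compare equal."""
    return re.sub(r"\s+", "", raw).upper()


def iban_is_valid(raw):
    """ISO 13616 check: move the first four characters to the end, map letters
    to 10..35, and require the resulting integer to be 1 modulo 97."""
    iban = normalize_iban(raw)
    if not IBAN_SHAPE.match(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def edit_distance(a, b):
    """Levenshtein distance, used to spot a domain one or two keystrokes away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_payment_request(from_header, iban_in_message, vendor=VENDOR):
    """Compare an incoming payment request with the vendor record on file."""
    findings = []
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain != vendor["domain"]:
        near = edit_distance(domain, vendor["domain"]) <= 2
        findings.append("LOOKALIKE_SENDER_DOMAIN" if near else "UNKNOWN_SENDER_DOMAIN")
    iban = normalize_iban(iban_in_message)
    # A passing checksum only rules out typos: a fraudster's account has a
    # perfectly valid IBAN, so the comparison with the record is what matters.
    if not iban_is_valid(iban):
        findings.append("IBAN_CHECKSUM_INVALID")
    if iban != vendor["iban"]:
        findings.append("IBAN_DIFFERS_FROM_RECORD")
        if iban[:2] != vendor["iban"][:2]:
            findings.append("IBAN_COUNTRY_CHANGED")
    return findings


def decision(findings):
    """Any finding puts the payment on hold pending a call to a number on file."""
    return "HOLD_AND_CALL_BACK" if findings else "PROCEED"


if __name__ == "__main__":
    # Constructed message data: transposed letters in the domain, new IBAN.
    flags = check_payment_request(
        "Acme Billing <billing@acme-suppiles.example>", "DE89 3704 0044 0532 0130 00"
    )
    print(flags, decision(flags))
```

The changed IBAN in the sample passes the checksum, which is why the comparison against the stored record, not format validation, is the control that catches it.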
In this way, assets are shifted to the detriment of the payer of the transfer and in favour of the cyber thief. When the payer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be frozen in time. In most cases, however, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for manoeuvre other than bringing the court proceedings discussed below.
The immediate question is what liability falls on the bank that has received the transfer order from the deceived user and credits the amount in question to the cyber fraudster’s account, in those cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the holder of the bank account receiving the funds.
The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to be credited and the natural person or entity identified as beneficiary in the transfer order are the same and, if they are not, should suspend the credit and ask the payer for clarification. But that is not the case under EU legislation and its transposition into Spanish law, as we will see below.
Until last 9 October, the European banking system operated on the premise that the validity of a transfer rests exclusively on the correctness of the IBAN. In other words, if the account number is correct, the transaction is considered valid even if the beneficiary’s name does not match. This practice has given rise to numerous cases of fraud, involuntary errors and loss of funds, especially in instant transfers, where speed can work against security.
The most reasonable option for the defrauded payer seeking to recover the money is to bring a civil claim against the bank that received the credit order (with which the payer has no contractual relationship) for non-contractual liability under art. 1124 of the Civil Code. The criminal route against the account holder, who is usually what is known in the jargon as a “mule”, rarely succeeds, both because the bird has normally flown and because the holder lacks solvency.
The case law of the Provincial Courts (Audiencias Provinciales) has been divided between rulings that applied article 59 of Royal Decree-Law 19/2018 of 23 November on payment services and other urgent financial measures rigorously and faithfully, dismissing the claims of the defrauded, and others that sought arguments based on lack of diligence in order to order the bank to compensate the payer.
This has shaped a quasi-strict liability of banks for digital fraud, imposing on them a heightened standard of diligence and shifting onto them the risk inherent in online banking, except in cases of wilful misconduct or gross negligence by the customer. This line, which runs from the lower-court case law (AAP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) up to the Supreme Court itself (STS 571/2025, among others), is aligned with the idea that it is for the bank to prove that its systems were secure, up to date and sufficient to prevent the unlawful act from being completed.
In this framework, the concept of bonus argentarius takes on renewed relevance. This is a principle contained in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has held on several occasions that it can also be applied to other financial investments. As far as MITM is concerned, it means that, in the event of losses caused by the negligence of the financial institution, the customer can bring a claim under Law 57/68 and seek to hold the bank liable.
Bonus argentarius is based on a presumption of fault on the part of the financial institution, which means that, even if the customer has no specific proof of negligence, negligence is taken for granted because of the duty of care the institution owes in managing the investments.
On the basis of that principle, the diligence required of the financial professional is not that of the average trader or of the pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures of strong authentication, but also proactively adopting internationally recognised anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proved effective in comparable jurisdictions.
In line with that doctrine and case law, the omission of beneficiary verification measures would constitute a breach of the contractual duty of diligence and of good faith (arts. 1104 and 1258 CC), giving rise to civil liability for the damage caused, so that MITM fraud cannot be regarded as a residual risk attributable to the customer but as a systemic security failure attributable to the financial institution, as designer and custodian of the electronic payments channel.
But against this background, the Supreme Court, in its recent judgment of 27 March 2025, opted for the strict application of article 59, arguing that “if the payment service user provides information additional to that required (specification of the information or of the unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall be liable only for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that, as regards the liability of the payment service provider, at both Community and national level, it follows that the provider fulfils its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying any greater required diligence”.
Admittedly, the Supreme Court closed by leaving a chink of hope open for defrauded users when it stated that “the interpretation set out does not exempt the payment service provider from liability where circumstances are found, unrelated to the supply of additional data, that may have influenced the defective execution of the transaction, whether because some additional requirement or demand had been expressly agreed between the user and the provider (e.g. identification of the beneficiary), or because the payment service provider of the payer or of the beneficiary had taken advantage of the error for its own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not adopted the measures required by the diligence of an expert trader to allow the transaction to be reversed or, where appropriate, to minimise the damage.”
And into this scenario riddled with doubts bursts Regulation (EU) 2024/886, which represents a 180-degree turn and a paradigm shift. The new European Regulation, approved in April 2024 and entering into force on 9 October 2025, lays down a clear obligation for banks: they must verify that the beneficiary name provided by the payer matches the holder of the IBAN before executing an instant transfer in euros.
The new features of this Regulation are (i) mandatory application to all instant transfers within the SEPA area, (ii) the new name-matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and (iii) reinforced liability for financial institutions in the event of fraud or error due to lack of verification.
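The name-matching check described in point (ii) can be sketched as follows. This is an added example, not taken from the article or from the Regulation: the normalisation rules, the 0.85 similarity threshold, the four result labels and the account directory are assumptions chosen for illustration, and the account holders are constructed.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumptions of this example: legal-form suffixes to ignore and the
# similarity score above which a name counts as "close".
LEGAL_FORMS = {"sl", "slu", "sa", "sau", "srl", "spa", "gmbh", "ag", "ltd", "bv", "lda", "sas"}
CLOSE_MATCH_THRESHOLD = 0.85

# Constructed directory held by the payee's bank: IBAN -> account holder.
ACCOUNT_HOLDERS = {
    "ES9121000418450200051332": "Acme Supplies, S.L.",
    "DE89370400440532013000": "Jürgen Maier",
}


def normalize_name(name):
    """Fold case and accents, drop punctuation and legal-form suffixes, and
    sort tokens so that 'Maier, Jurgen' and 'Jürgen Maier' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    unaccented = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]", "", unaccented.replace("-", " "))
    tokens = [tok for tok in cleaned.split() if tok not in LEGAL_FORMS]
    return " ".join(sorted(tokens))


def verify_payee(iban, payee_name, holders=ACCOUNT_HOLDERS):
    """Return the check result and whether the payer must be alerted before
    the transfer is executed."""
    holder = holders.get(re.sub(r"\s+", "", iban).upper())
    if holder is None:
        # No holder data for this IBAN: the check cannot be performed.
        return {"result": "NOT_POSSIBLE", "alert_payer": True, "holder_hint": None}
    given, actual = normalize_name(payee_name), normalize_name(holder)
    if given == actual:
        return {"result": "MATCH", "alert_payer": False, "holder_hint": None}
    score = SequenceMatcher(None, given, actual).ratio()
    if score >= CLOSE_MATCH_THRESHOLD:
        # Likely a typo: show the registered name so the payer can confirm it.
        return {"result": "CLOSE_MATCH", "alert_payer": True, "holder_hint": holder}
    # A full mismatch discloses nothing about the real holder.
    return {"result": "NO_MATCH", "alert_payer": True, "holder_hint": None}


if __name__ == "__main__":
    # The MITM case: the invoice names the supplier, but the IBAN in the
    # manipulated e-mail belongs to someone else.
    print(verify_payee("DE89 3704 0044 0532 0130 00", "Acme Supplies SL"))
    print(verify_payee("ES91 2100 0418 4502 0005 1332", "ACME SUPPLIES SL"))
    print(verify_payee("ES91 2100 0418 4502 0005 1332", "Acme Suplies SL"))
```

In the MITM pattern the payer types the genuine supplier's name next to the fraudster's IBAN, so the first call returns a mismatch and the alert is raised before any money moves.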
In short, the aim is to reduce the risk of fraud, protect the consumer and increase confidence in digital payments.
As a result, Law 19/2018, which regulates payment services in Spain and does not provide for an obligation to verify the identity of the beneficiary, is now outdated, which raises the need for a legislative review at national level to bring the legal framework into line with European requirements.
In conclusion, the obligation to verify the beneficiary in transfers represents a significant advance in consumer protection and in the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to guarantee the authenticity of transfers.
The question in any case remains open as to how MITM frauds carried out before 9 October 2025 are to be resolved and what liability the bank bears. For now, the Supreme Court judgment of 27 March cited above closes the door on claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead the Supreme Court to reconsider its position along the lines of the quasi-strict liability that the lower-court case law has been upholding. We will have to wait and see, but such a change would be a great success for bank users suffering from this MITM fraud and from all the others among the many varieties of cyber scams.
Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called «CEO Fraud.» This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.
Background and dynamics of the CEO Fraud
CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.
Fraudsters adopt various communication tools to make their fraud attempts credible: at the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, WhatsApp or social media accounts) or other people within the administrative office with operational powers over bank accounts.
Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.
Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.
Contacts are typically made as follows:
- WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
- Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
- Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.
This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that, at first glance, appears to come from the CEO and not the scammer.
We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.
In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.
The (fake) takeover of a competitor company in Europe
Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.
Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.
A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.
The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.
Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.
The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.
The main features of CEO fraud
- Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
- Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
- Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.
How to prevent these scams
CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.
The main clues are the atypical modes of contact (WhatsApp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.
To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.
- First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
- Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
- Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.
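The first precaution, flagging mail that originates outside the organization, can be combined with the clues listed earlier (an executive's name on an unfamiliar address, urgency and confidentiality in the text). The following is an added example, not part of the original article; the corporate domain, executive name, keyword list and flag names are assumptions, the messages are constructed, and it assumes the company's own mail gateway records its DMARC verdict in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions of this example: one corporate domain and one executive.
CORPORATE_DOMAINS = {"group.example"}
EXECUTIVES = {"maria lopez": "maria.lopez@group.example"}
PRESSURE_TERMS = ("urgent", "confidential", "transfer", "today")


def domain_of(address):
    return address.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the list of warning flags for one inbound message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    flags = []

    if sender_domain not in CORPORATE_DOMAINS:
        flags.append("EXTERNAL_SENDER")
    else:
        # The From header is set by the sender, so an internal-looking address
        # counts as internal only if our own gateway recorded a DMARC pass.
        verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
        if not verdict or verdict.group(1).lower() != "pass":
            flags.append("INTERNAL_FROM_NOT_AUTHENTICATED")

    # Display name of a known executive arriving from any other address.
    known_address = EXECUTIVES.get(" ".join(display.casefold().split()))
    if known_address and address.lower() != known_address:
        flags.append("EXECUTIVE_NAME_FROM_OTHER_ADDRESS")

    # Replies steered to a different domain than the one shown as sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("REPLY_TO_DOMAIN_MISMATCH")

    body = "" if msg.is_multipart() else msg.get_payload().casefold()
    if sum(term in body for term in PRESSURE_TERMS) >= 2:
        flags.append("PRESSURE_LANGUAGE")
    return flags


def tagged_subject(raw_message):
    """Subject line as the recipient should see it, marked when external."""
    subject = message_from_string(raw_message).get("Subject", "")
    return f"[EXTERNAL] {subject}" if "EXTERNAL_SENDER" in triage(raw_message) else subject


# Constructed sample messages.
FAKE_CEO = "\n".join([
    "From: Maria Lopez <m.lopez.private@mailbox.example>",
    "Reply-To: deal-desk@lawfirm.example",
    "To: cfo@group.example",
    "Subject: Project Lisbon",
    "",
    "This is urgent and strictly confidential. Arrange the transfer today.",
])
SPOOFED_INTERNAL = "\n".join([
    "From: Maria Lopez <maria.lopez@group.example>",
    "Authentication-Results: mx.group.example; dmarc=fail header.from=group.example",
    "Subject: Payment",
    "",
    "Please call me.",
])
GENUINE = SPOOFED_INTERNAL.replace("dmarc=fail", "dmarc=pass")

if __name__ == "__main__":
    for sample in (FAKE_CEO, SPOOFED_INTERNAL, GENUINE):
        print(tagged_subject(sample), triage(sample))
```

Only an Authentication-Results header stamped by the organization's own gateway should be trusted, since a sender can add a forged copy of that header as easily as a forged From line.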
Legal actions to recover funds
After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.
Possible Legal Actions
Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.
In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.
Criminal investigations in the country of payment destination also make it possible to identify the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.
After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.
Conclusions
CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.
Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.
Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.
Summary
The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.
When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.
The goal of this article is to list the top five most relevant novelties.
#5 – Reorganization plan presented by creditors
Before the amendment: the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).
Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.
#4 – Mediation focusing on the turnaround
Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.
The most important novelty is the anticipated mediation, whose goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.
#3 – Distressed assets operations
The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.
Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.
#2 – Debtor-in-Possession (DIP) Financing
The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.
The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.
The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.
As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).
#1 – Cross-Border Insolvency
Brazilian law finally incorporated the Uncitral Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.
We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.
There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.
These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.
On 6 January 2022 Ukraine finally cancelled an almost two-year-long moratorium on creditor-triggered insolvencies. The moratorium was imposed in late spring 2020 as part of the nation’s response to the first wave of the COVID pandemic.
In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of the companies in distress to file for insolvency within one month from a moment when the distress appeared.
The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.
As later 2021 statistics showed, the moratorium never seemed to reach the goal proclaimed by its authors and brought no increase in insolvency relief requests by debtor companies.
Instead, the country has been facing a steady increase in “zombie” companies having little to no liquidation value – and their owners clearly intending to get away with no creditor repayment.
With the moratorium lifted, creditors can be expected to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trading or fraudulent action. Even with the moratorium in place, in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors’ losses to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022 – and there already were Supreme Court judgements in 2021 confirming the liability of the real owners standing behind opaque shareholder companies and nominal directors.
As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners/management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get thorough legal advice on either side, and much better to do so before the actual claim has been brought.
Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.
Stability
The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.
The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.
The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.
Banking Secret and Automatic exchange of Information
The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For a long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.
Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.
Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA) that requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanon banks have agreed to comply.
Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.
Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.
The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to fight tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.
According to the AEOI, starting from September 2018 Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.
The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.
Corporate Governance
As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.
It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 in order to comply with the banking rules instituted by the Basel Committee.
Account freedom and flexibility
Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5-percent.
The author of this post is Claudia Caluori.
From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.
The Regulation provides for a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in United Kingdom or Denmark), without the debtor being notified of it. The debtor will only notice once the seizure is in force.
Such cross-border seizure can be obtained before the Courts of an EU Member State which would have jurisdiction on the merits of the case under the EU Regulation 1215/2012 (Brussels I bis).
The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.
To grant the request, the Court will have to examine 1) if there is urgency (periculum in mora) and 2) if there is on basis of the provided evidence enough reason to assume the Court will also decide in favor of the creditor in the proceedings concerning the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await the autonomous interpretation by the European Court of Justice.
The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:
- According to art. 12, the creditor can be required to provide a security when he has not obtained any judgment in his favor yet;
- The creditor will also receive a fixed time limit within which he has to bring proceedings on the merits of the case.
The new European Regulation 665/2014 also foresees a mechanism where a creditor can request information about his debtor’s bank account(s) in a certain Member State.
Not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).
Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:
“Request for the obtaining of account information
Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.
In a few Member States (including Belgium), such disclosure mechanism is completely new. The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:
“Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:
(a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;
(b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;
(c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or
(d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.”
Does this mean any creditor can just run to the Court and ask information?
No, some conditions apply:
- the creditor needs to be in possession of an enforceable judgment;
- there need to be reasons to believe the debtor holds bank accounts in this Member State.
Conclusion: it will be interesting to see how the Member States will apply this new mechanism. Whether it will be effective, will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’. This will probably be the key to the question if this will end the Pyrrhus decisions, where a creditor is accorded his claim but cannot find assets to seize.
The author of this post is David Diris.
Ukraine: new hope for the creditors as the debtors’ concern grows
17 January 2022
-
Ukraine
- Banking
- Insolvency
- Litigation
The rise of so-called cybercrime in recent years has reached such a scale that it demands forceful legislative and judicial responses. According to Nasdaq Ventures, losses from online fraud in Europe exceed 100 billion dollars, of which 5 billion correspond to Spain.
In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 the figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrime, and it grew by 378% over the period 2016-2023.
Computer fraud comes in many varieties, all christened in English (the lingua franca of our time, after all), including, among other ingenious schemes devised by skilful fraudsters, those known by curious and amusing names (except for those who suffer them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding and the one that concerns us today, man in the middle (MITM).
What is the Man in the Middle attack?
MITM fraud consists of intercepting the communications between two devices connected to a network, allowing the cyber-crook to alter and divert the messages exchanged between the users. The fraudster intercepts a communication in which one user asks another for a payment and then modifies the IBAN of the bank account to which the transfer is to be made, with the aim of getting hold of the money. The process generally unfolds as follows:
- Without the company detecting it, an attacker intercepts and manipulates an email, changing the IBAN of the account to which the payment is to be made.
- The cybercriminal poses as the supplier, sending the message from an email address almost identical to the original, but with a slight alteration that is almost imperceptible.
- The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.
In this way, assets are shifted to the detriment of the payer ordering the transfer and in favour of the cyber-thief, so that when the payer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. In most cases, however, the cybercriminal has been faster: the money has already been transferred to another account or withdrawn, leaving little room for manoeuvre other than bringing the court proceedings we refer to below.
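The three steps described above leave two signals that an accounts-payable or mail-gateway check can catch before the transfer is ordered: a sender domain that is nearly, but not exactly, a known supplier domain, and an IBAN that differs from the one held on file. The following Python sketch is an added example, not part of the original article; the supplier domain, the e-mail messages, the sample IBANs and the edit-distance threshold of 2 are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master data: the IBAN recorded at onboarding through a
# channel other than e-mail, keyed by the supplier's real mail domain.
VENDOR_IBAN_ON_FILE = {
    "proveedor-ejemplo.example": "ES9121000418450200051332",
}

# Candidate IBANs as written in running text, with or without group spacing.
IBAN_CANDIDATE = re.compile(
    r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"
)


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map
    letters to 10..35 and require the resulting integer mod 97 to equal 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_vendor(sender_domain: str, max_distance: int = 2):
    """Return (known_domain, is_lookalike); (None, False) if nothing is close."""
    if sender_domain in VENDOR_IBAN_ON_FILE:
        return sender_domain, False
    for known in VENDOR_IBAN_ON_FILE:
        if edit_distance(sender_domain, known) <= max_distance:
            return known, True
    return None, False


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def review_payment_email(raw_message: str) -> list:
    """Return the findings that should hold a payment for out-of-band checks."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    known, lookalike = match_vendor(address.rpartition("@")[2].lower())
    findings = []
    if known is None:
        findings.append("UNKNOWN_SENDER")
    elif lookalike:
        findings.append("LOOKALIKE_DOMAIN")
    for candidate in IBAN_CANDIDATE.findall(body_text(msg)):
        iban = re.sub(r"\s+", "", candidate)
        if not iban_is_valid(iban):
            findings.append("IBAN_INVALID")
        elif known and iban != VENDOR_IBAN_ON_FILE[known]:
            # Applies even when the sender domain is exact: the article's first
            # step is an intercepted, genuine-looking message with a new IBAN.
            findings.append("IBAN_CHANGED")
            if iban[:2] != VENDOR_IBAN_ON_FILE[known][:2]:
                findings.append("IBAN_COUNTRY_CHANGED")
    return findings


# Constructed sample messages.
LEGIT = """\
From: Accounts <facturas@proveedor-ejemplo.example>
To: pagos@cliente.example
Subject: Invoice 2025-014

Please pay invoice 2025-014 to IBAN ES91 2100 0418 4502 0005 1332.
"""

LOOKALIKE = """\
From: Accounts <facturas@proveedor-ejernplo.example>
To: pagos@cliente.example
Subject: Invoice 2025-014

Our bank details have changed. Please pay invoice 2025-014 to the new account:
IBAN DE89 3704 0044 0532 0130 00
"""

# Genuine sender domain, but the IBAN in the body was altered in transit.
TAMPERED = LEGIT.replace("ES91 2100 0418 4502 0005 1332", "DE89 3704 0044 0532 0130 00")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("tampered", TAMPERED)):
        print(label, review_payment_email(raw))
```

Any non-empty result is a reason to confirm the bank details through a contact already on file, not by replying to the message.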
The immediate question is what liability falls on the bank that has received the transfer order from the deceived user and credits the amount in question to the cyber-fraudster’s account, in those cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the holder of the bank account receiving the funds.
The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to be credited and the natural person or entity identified as beneficiary in the transfer order are the same; and if they are not, it should suspend the credit and ask the payer for clarification. But that is not the case under EU legislation and its transposition into Spanish law, as we shall see below.
Until 9 October last, the European banking system operated on the premise that the validity of a transfer rests exclusively on the correctness of the IBAN. That is, if the account number is correct, the transaction is considered valid, even if the beneficiary’s name does not match. This practice has given rise to numerous cases of fraud, inadvertent errors and loss of funds, especially in the field of instant transfers, where speed can work against security.
The most reasonable option for the defrauded payer to recover their money is to bring a civil claim against the bank receiving the credit order (with which the payer has no contractual relationship) for non-contractual liability under art. 1124 of the Civil Code; indeed, criminal proceedings against the account holder, who is usually what is known in the jargon as a “mule”, rarely succeed, both because the bird has normally flown and because of the holder’s lack of solvency.
The case law of the Provincial Courts (Audiencias Provinciales) has been divided between rulings that applied article 59 of Royal Decree-law 19/2018 of 23 November, on payment services and other urgent financial measures, strictly and faithfully, dismissing the claims of those defrauded, and others that sought arguments based on a lack of diligence in order to order the bank to compensate the payer.
This has shaped a quasi-strict liability of banks in matters of digital fraud, imposing on them a heightened standard of diligence and shifting to them the risk inherent in online banking, except in cases of wilful misconduct or gross negligence on the part of the customer. This line, which runs from the lower-court case law (AAP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) up to the Supreme Court itself (STS 571/2025, among others), is aligned with the idea that it is for the bank to prove that its systems were secure, up to date and sufficient to prevent the offence from being completed.
In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle enshrined in Law 57/68 to protect home buyers in the real-estate sector, but which the Supreme Court has ruled on several occasions can also be applied to other financial investments. As far as MITM is concerned, it means that, in the event of losses caused by the financial institution’s negligence, the customer can bring a claim under Law 57/68 and seek to hold the bank liable.
Bonus argentarius rests on a presumption of fault on the part of the financial institution, which means that, even if the customer has no specific evidence of negligence, negligence is taken for granted because of the duty of care that the institution owes in managing investments.
On the basis of that principle, the diligence required of the financial professional is not that of the average trader nor that of the pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures of strong authentication, but also proactively adopting internationally recognised anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in other jurisdictions.
In line with that doctrine and case law, the omission of beneficiary verification measures would constitute a breach of the contractual duty of diligence and of good faith (arts. 1104 and 1258 CC), giving rise to civil liability for the damage caused, so that MITM fraud cannot be regarded as a residual risk attributable to the customer, but as a systemic security failure attributable to the financial institution, as designer and custodian of the electronic payments channel.
But in this state of affairs the Supreme Court, in its recent judgment of 27 March 2025, opted for the strict application of article 59, arguing that “if the payment service user provides information additional to that required (specification of the information or the unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall be liable only for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that, as regards the liability of the payment service provider, at both Community and national level, it follows that the provider fulfils its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a greater required diligence”.
Admittedly, in closing, the Supreme Court left the door ajar for defrauded users when it stated that “the interpretation set out does not exempt the payment service provider from liability where circumstances are found to exist, unrelated to the supply of additional data, that could have influenced the defective execution of the transaction, whether because some additional requirement or condition had been expressly stipulated between the user and the provider (e.g. identification of the beneficiary), or because the payment service provider of the payer or of the beneficiary had taken advantage of the error for its own benefit, or because, once the existence of the error had been reported without delay, one or the other had not adopted the measures required by the diligence of an expert trader to allow the transaction to be reversed or, where appropriate, to minimise the damage.”
And into this scenario riddled with doubts bursts Regulation (EU) 2024/886, which represents a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and entering into force on 9 October 2025, establishes a clear obligation for banks: they must verify that the beneficiary name provided by the payer matches the holder of the IBAN before executing an instant transfer in euros.
The new features of this Regulation are (i) mandatory application to all instant transfers within the SEPA area, (ii) the new name-matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and (iii) reinforced liability for financial institutions in the event of fraud or error due to lack of verification.
In short, the aim is to reduce the risk of fraud, protect the consumer and increase confidence in digital payments.
As a result, Law 19/2018, which regulates payment services in Spain and does not provide for the obligation to verify the beneficiary’s identity, is now outdated, which raises the need for a legislative review at national level to harmonise the legal framework with the European requirements.
In conclusion, the obligation to verify the beneficiary in transfers represents a significant step forward in consumer protection and in the fight against financial fraud. Regulation (EU) 2024/886 marks a before and after in banking operations, imposing an active responsibility on institutions to guarantee the authenticity of transfers.
In any event, the question remains open as to the solution for MITM frauds carried out before 9 October 2025 and the bank’s liability; for now, the Supreme Court judgment of 27 March cited above closes the door on claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead the Supreme Court to reconsider its position along the lines of the quasi-strict liability that the lower-court case law has been upholding. We shall have to wait and see, but such a change would be a great success for bank users who suffer this MITM fraud and all the others among the many varieties of cyber-scams.
Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called «CEO Fraud.» This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.
Background and dynamics of the CEO Fraud
CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.
Fraudsters adopt various communication tools to make their fraud attempts credible: the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, WhatsApp or social media accounts) or other people within the administrative office with operational powers over bank accounts.
Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.
Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.
Contacts are typically made as follows:
- WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
- Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
- Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.
This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that, at first glance, appears to come from the CEO and not the scammer.
We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.
In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.
The (fake) takeover of a competitor company in Europe
Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.
Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.
A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.
The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.
Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.
The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.
The main features of CEO fraud
- Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
- Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
- Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.
How to prevent these scams
CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.
The main clues are the atypical modes of contact (WhatsApp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.
To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.
- First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
- Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
- Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.
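The first precaution above, flagging mail that originates outside the organization, can be combined with the other clues this article lists (an executive's name on an unfamiliar address, pressure and secrecy wording). The following is an added example, not part of the original article; the domain, the executive directory, the term list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumptions constructed for this example (not taken from the article).
CORPORATE_DOMAIN = "acme-holding.example"
EXECUTIVES = {"maria lopez": "maria.lopez@acme-holding.example"}
PRESSURE_TERMS = ("urgent", "confidential", "today", "do not discuss")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower() if "@" in address else ""


def triage(raw_message: str) -> list[str]:
    """Return the warning flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(address)
    flags = []

    # Origin outside the corporate organization.
    if sender_domain != CORPORATE_DOMAIN:
        flags.append("external_sender")
        # Domain that differs from ours by only one or two characters.
        if edit_distance(sender_domain, CORPORATE_DOMAIN) <= 2:
            flags.append("lookalike_domain")

    # Display name of a known executive on an address we do not know.
    known = EXECUTIVES.get(" ".join(name.lower().split()))
    if known and address.lower() != known:
        flags.append("executive_name_unknown_address")

    # Replies silently redirected to another domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("reply_to_mismatch")

    # Urgency and secrecy wording in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    if any(term in text.lower() for term in PRESSURE_TERMS):
        flags.append("pressure_language")
    return flags


def build(headers: dict, body: str) -> str:
    """Assemble a constructed sample message."""
    head = "".join(f"{key}: {value}\n" for key, value in headers.items())
    return head + "Content-Type: text/plain; charset=utf-8\n\n" + body + "\n"


# Constructed sample messages.
SPOOFED = build(
    {
        "From": '"Maria Lopez" <maria.lopez@acme-ho1ding.example>',
        "Reply-To": "ml.private@mailbox.example",
        "To": "cfo@acme-holding.example",
        "Subject": "Acquisition payment",
    },
    "Please arrange the transfer today. Keep this strictly confidential.",
)
LEGIT = build(
    {
        "From": '"Maria Lopez" <maria.lopez@acme-holding.example>',
        "To": "cfo@acme-holding.example",
        "Subject": "Q3 board deck",
    },
    "Slides attached for Thursday's meeting.",
)
VENDOR = build(
    {
        "From": '"Accounts" <billing@supplier-one.example>',
        "To": "cfo@acme-holding.example",
        "Subject": "Invoice 1042",
    },
    "Please find the invoice attached.",
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("vendor", VENDOR)):
        print(label, triage(raw))
```

A single `external_sender` flag is normal for supplier mail; it is the combination of flags on a payment request that should trigger the out-of-band confirmation described in the last point above.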
Legal actions to recover funds.
After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.
Possible Legal Actions
Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.
In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.
Criminal investigations in the country of payment destination also make it possible to verify who the account holders and the people involved in the scam attempt are, in some cases leading to the arrest of those responsible.
After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.
Conclusions
CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.
Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.
Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.
Summary
The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.
When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.
The goal of this article is to list the top five most relevant novelties.
#5 – Reorganization plan presented by creditors
Before the amendment: the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).
Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.
#4 – Mediation focusing on the turnaround
Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.
The most important novelty is the anticipated mediation, whose goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.
#3 – Distressed assets operations
The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.
Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.
#2 – Debtor-in-Possession (DIP) Financing
The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.
The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.
The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.
As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).
#1 – Cross-Border Insolvency
Brazilian law finally incorporated the Uncitral Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.
We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.
There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.
These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.
On 6 January 2022 Ukraine finally cancelled an almost two-year-long moratorium on creditor-triggered insolvencies. The moratorium was imposed in late spring 2020 as part of the nation’s response to the first wave of the COVID pandemic.
In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of the companies in distress to file for insolvency within one month from a moment when the distress appeared.
The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.
As 2021 statistics later showed, the moratorium never seemed to reach the goal proclaimed by its authors and produced no increase in insolvency relief requests by debtor companies.
Instead, the country has been facing a steady increase in “zombie” companies having little to no liquidation value, with their owners clearly intending to get away with no creditor repayment.
With the moratorium lifted, creditors are expected to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trade or fraudulent action. Even with the moratorium in place, in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors’ losses to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022, and there were already Supreme Court judgements in 2021 confirming the liability of the real owners standing behind an opaque shareholder company and nominal directors.
As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owner/management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get thorough legal advice on either side, and much better to do that before the actual claim has been brought.
Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.
Stability
The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.
The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.
The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.
Banking Secret and Automatic exchange of Information
The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For a long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.
Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.
Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA), which requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanese banks have agreed to comply.
Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.
Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.
The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to fight tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.
According to the AEOI, starting from September 2018 the Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.
The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.
Corporate Governance
As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.
It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 in order to comply with the banking rules instituted by the Basel Committee.
Account freedom and flexibility
Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5 percent.
The author of this post is Claudia Caluori.
From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.
The Regulation provides for a procedure to seize your debtor’s bank accounts in other EU Member States (except when your debtor is domiciled in the United Kingdom or Denmark) without the debtor being notified. The debtor will only find out once the seizure is in force.
Such a cross-border seizure can be obtained before the Courts of an EU Member State that would have jurisdiction on the merits of the case under EU Regulation 1215/2012 (Brussels I bis).
The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.
To grant the request, the Court will have to examine 1) whether there is urgency (periculum in mora) and 2) whether, on the basis of the evidence provided, there is enough reason to assume that the Court will also decide in favor of the creditor in the proceedings on the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await autonomous interpretation by the European Court of Justice.
The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:
- According to art. 12, the creditor can be required to provide security when he has not yet obtained a judgment in his favor;
- The creditor will also be given a fixed period within which he has to bring proceedings on the merits of the case.
The new European Regulation 655/2014 also foresees a mechanism where a creditor can request information about his debtor’s bank account(s) in a certain Member State.
This is not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).
Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:
“Request for the obtaining of account information
Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.
In a few Member States (including Belgium), such disclosure mechanism is completely new. The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:
“Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:
(a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;
(b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;
(c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or
(d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.”
Does this mean any creditor can just run to the Court and ask for information?
No, some conditions apply:
- the creditor needs to be in possession of an enforceable judgment;
- there need to be reasons to believe the debtor holds bank accounts in this Member State.
Conclusion: it will be interesting to see how the Member States will apply this new mechanism. Whether it will be effective will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’. This will probably be the key to whether it will end Pyrrhic decisions, where a creditor’s claim is upheld but he cannot find assets to seize.
The author of this post is David Diris.
The Lebanese Banking Sector
12 April 2017
-
Lebanon
- Banking
- Corporate Law
The rise of so-called cybercrime in recent years has reached such a scale that it demands forceful legislative and judicial responses. Losses from online fraud in Europe exceed 100 billion dollars according to Nasdaq Ventures, of which 5 billion correspond to Spain.
In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 the figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrime, and it grew by 378% over the period 2016-2023.
Computer fraud comes in many varieties, all christened in English (after all, the lingua franca of our time), including, among other ingenious methods devised by skilled fraudsters, those known by curious and amusing names (except for those who suffer them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding and the one that concerns us today, man in the middle (MITM).
What is a Man in the Middle attack?
MITM fraud consists of intercepting communications between two devices connected to a network, allowing the cyber thief to alter and divert the messages exchanged between users. The fraudster intercepts a communication in which one user asks another for a payment and then modifies the IBAN of the bank account to which the transfer is to be made, with the aim of taking the money. The process generally unfolds as follows:
- Without the company detecting it, an attacker intercepts and manipulates an email, changing the IBAN of the account to which the payment is to be made.
- The cybercriminal poses as the supplier, sending the message from an email address almost identical to the original, but with a slight alteration that is almost imperceptible.
- The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.
In this way, assets are shifted to the detriment of the payer ordering the transfer and in favour of the cyber thief, so that when the payer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. In most cases, however, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for manoeuvre other than bringing the legal proceedings discussed below.
The immediate question is what liability falls on the bank that has received the transfer order from the deceived user and credits the amount in question to the cyber fraudster’s account, in those cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the holder of the bank account receiving the funds.
The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to be credited and the natural person or entity identified as beneficiary in the transfer order are the same and, if they are not, should suspend the credit and ask the payer for clarification. But that is not the case under EU legislation and its transposition into Spanish law, as we will see below.
Until 9 October last, the European banking system operated on the premise that the validity of a transfer rests exclusively on the IBAN being correct. That is, if the account number is correct, the transaction is considered valid, even if the beneficiary’s name does not match. This practice has led to numerous cases of fraud, involuntary errors and loss of funds, especially in the area of instant transfers, where speed can work against security.
The most reasonable option for the defrauded payer seeking to recover the money is to bring a civil claim against the bank that received the credit order (with which the payer has no contractual relationship) for non-contractual liability under art. 1124 of the Civil Code; indeed, the criminal route against the account holder, who is usually what is known in the jargon as a “mule”, rarely succeeds, both because the bird has normally flown and because of the holder’s lack of solvency.
The case law of the Provincial Courts (Audiencias Provinciales) has been divided between decisions that applied article 59 of Royal Decree-Law 19/2018 of 23 November on payment services and other urgent financial measures rigorously and faithfully, dismissing the claims of those defrauded, and others that looked for arguments based on lack of diligence in order to order the bank to compensate the payer.
This has shaped a quasi-strict liability of banks for digital fraud, imposing on them a heightened standard of diligence and shifting to them the risk inherent in online banking, except in cases of wilful misconduct or gross negligence by the customer. This line, which runs from the lower-court case law (AAP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in keeping with the idea that it is for the bank to prove that its systems were secure, up to date and sufficient to prevent the offence from being completed.
In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was enshrined in Law 57/68 to protect home buyers in the real-estate sector, but which the Supreme Court has ruled on several occasions can also be applied to other financial investments. As far as MITM is concerned, it means that, in the event of losses caused by the negligence of the financial institution, the customer can bring a claim under Law 57/68 and seek to hold the bank liable.
Bonus argentarius is based on a presumption of fault on the part of the financial institution, which means that, even if the customer has no concrete proof of negligence, negligence is taken for granted because of the duty of care the institution owes in managing investments.
On the basis of that principle, the diligence required of the financial professional is not that of the average trader nor that of the pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted by putting in place “necessary and renewable” security mechanisms. This involves not only maintaining basic technical measures of strong authentication, but also proactively adopting internationally recognised anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.
In line with that doctrine and case law, failing to adopt beneficiary verification measures would constitute a breach of the contractual duty of diligence and of good faith (arts. 1104 and 1258 CC), giving rise to civil liability for the damage caused, so that MITM fraud cannot be regarded as a residual risk attributable to the customer, but as a systemic security failure attributable to the financial institution as designer and custodian of the electronic payments channel.
But against this background, the Supreme Court, in its recent judgment of 27 March 2025, opted for the strict application of article 59, arguing that “if the payment service user provides information additional to that required (specification of the information or the unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall be liable only for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that, as regards the liability of the payment service provider, at both Community and national level, it follows that the provider fulfils its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying that greater diligence is required”.
Admittedly, in closing, the Supreme Court left a chink of hope open for defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability where circumstances are found to exist, unrelated to the supply of additional data, that may have influenced the defective execution of the transaction, whether because the user and the provider had expressly stipulated some added requirement (e.g. identification of the beneficiary), or because the payment service provider of the payer or of the beneficiary had taken advantage of the error for its own benefit, or because, once the existence of the error had been reported without delay, one or the other had failed to adopt the measures that the diligence of an expert trader required in order to allow the transaction to be reversed or, as the case may be, to minimise the damage.”
Y en este escenario trufado de dudas irrumpe el Reglamento (UE) 2024/886 que supone un giro de 180 grados y un cambio de paradigma: el nuevo Reglamento europeo, aprobado en abril de 2024 y con entrada en vigor el 9 de octubre de 2025, establece una obligación clara para las entidades bancarias: deben verificar que el nombre del beneficiario proporcionado por el ordenante coincida con el titular del IBAN antes de ejecutar una transferencia inmediata en euros.
Las novedades de este nuevo Reglamento son (i) la aplicación obligatoria a todas las transferencias inmediatas dentro del espacio SEPA, (ii) el nuevo sistema de coincidencia de nombres: si hay discrepancia entre el nombre y el IBAN, el banco debe alertar al cliente antes de ejecutar la operación y (iii) la responsabilidad reforzada para las entidades financieras en caso de fraude o error por falta de verificación.
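The name-against-IBAN check described above can be illustrated in code. The following is an added example, not part of the original article and not any bank's or payment scheme's implementation: it shows that a checksum-valid IBAN proves nothing about ownership, and that comparing the payee name with the account holder catches the substituted account. The holder registry, the result labels and the 0.85 similarity threshold are assumptions; the names are constructed and the IBANs are well-known documentation examples.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Legal-form tokens ignored when comparing names (constructed, not exhaustive).
LEGAL_FORMS = {"sl", "slu", "sa", "sau", "srl", "spa", "lda", "gmbh", "ltd", "sas"}

# Constructed registry standing in for the payee bank's account records.
HOLDERS = {
    "ES9121000418450200051332": "Suministros Ibéricos, S.L.",  # genuine supplier
    "DE89370400440532013000": "Jonas Keller",                   # account swapped in by the fraudster
}


def canonical_iban(iban):
    """Strip whitespace and upper-case the IBAN."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban):
    """ISO 13616 mod-97 check: proves the IBAN is well formed, not who owns it."""
    s = canonical_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]                      # country code and check digits go last
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def normalize_name(name):
    """Remove accents, case, punctuation, legal forms and word order."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.casefold().replace(".", "")
    tokens = [t for t in re.findall(r"[a-z0-9]+", text) if t not in LEGAL_FORMS]
    return " ".join(sorted(tokens))


def verify_payee(iban, payee_name, holders=HOLDERS, close_threshold=0.85):
    """Return INVALID_IBAN, NOT_AVAILABLE, MATCH, CLOSE_MATCH or NO_MATCH."""
    if not iban_is_valid(iban):
        return "INVALID_IBAN"
    holder = holders.get(canonical_iban(iban))
    if holder is None:
        return "NOT_AVAILABLE"
    given, actual = normalize_name(payee_name), normalize_name(holder)
    if not given or not actual:
        return "NO_MATCH"                           # nothing left to compare
    if given == actual:
        return "MATCH"
    ratio = SequenceMatcher(None, given, actual).ratio()
    return "CLOSE_MATCH" if ratio >= close_threshold else "NO_MATCH"


if __name__ == "__main__":
    order_name = "Suministros Ibericos SL"          # name the payer typed from the invoice
    for iban in ("ES91 2100 0418 4502 0005 1332", "DE89 3704 0044 0532 0130 00"):
        print(iban, "checksum ok:", iban_is_valid(iban), "->", verify_payee(iban, order_name))
```

Both IBANs pass the checksum, which is all the IBAN-only rule examined; only the name comparison separates the supplier's account from the substituted one.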
In short, the aim is to reduce the risk of fraud, protect the consumer and increase confidence in digital payments.
As a result, Law 19/2018, which regulates payment services in Spain and does not provide for an obligation to verify the beneficiary's identity, is now out of date, which raises the need for a legislative review at national level to harmonise the legal framework with the European requirements.
In conclusion, the obligation to verify the beneficiary in transfers represents a significant advance in consumer protection and in the fight against financial fraud. Regulation (EU) 2024/886 marks a before and after in banking operations, imposing an active responsibility on institutions to guarantee the authenticity of transfers.
In any case, the question remains open as to the solution for MITM frauds carried out before 9 October 2025 and the liability of the bank; for the moment the Supreme Court judgment (STS) of 27 March cited above closes the door on claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead the Supreme Court to reconsider its position along the lines of the quasi-strict liability that the lower courts' case law has been upholding. We will have to wait and see, but such a change would be a great success for the bank users who suffer this MITM fraud and all the others among the many varieties of cyber scams.
Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called «CEO Fraud.» This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.
Background and dynamics of the CEO Fraud
CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.
Fraudsters adopt various communication tools to make their fraud attempts credible: the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, WhatsApp or social media accounts) or other people within the administrative office with operational powers over bank accounts.
Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.
Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.
Contacts are typically made as follows:
- WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
- Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
- Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.
This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that, at first glance, appears to come from the CEO and not the scammer.
We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.
In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.
The (fake) takeover of a competitor company in Europe
Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.
Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.
A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.
The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.
Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.
The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.
The main features of CEO fraud
- Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
- Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
- Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.
How to prevent these scams
CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.
The main clues are the atypical modes of contact (WhatsApp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.
To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.
- First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
- Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
- Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.
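The email clues described above (an origin outside the organization, a senior officer's name on a personal or altered address, a spoofed corporate sender, pressure to pay) can be checked automatically before a message reaches the finance team. The following added example is not from the original article; it applies those checks to constructed messages. The domain, the executive name, the cue words and the flag names are assumptions, and it assumes the Authentication-Results header was written by the organization's own mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAINS = {"grupo-ejemplo.example"}   # constructed corporate domain
EXECUTIVE_NAMES = {"elena ruiz"}                # constructed senior-officer name
CUES = {                                        # constructed cue words per clue
    "urgency": ("urgent", "today", "immediately"),
    "secrecy": ("confidential", "secret"),
    "payment": ("transfer", "wire", "iban"),
}


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-identical domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the list of warning flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = domain_of(address)
    flags = []
    if domain not in CORPORATE_DOMAINS:
        flags.append("EXTERNAL_SENDER")
        if " ".join(display.lower().split()) in EXECUTIVE_NAMES:
            flags.append("EXECUTIVE_NAME_ON_EXTERNAL_ADDRESS")
        if any(edit_distance(domain, d) <= 2 for d in CORPORATE_DOMAINS):
            flags.append("LOOKALIKE_DOMAIN")
    elif not re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", ""), re.I):
        # The From domain is ours, but the gateway did not authenticate it.
        flags.append("CORPORATE_FROM_NOT_AUTHENTICATED")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain:
        flags.append("REPLY_TO_DIFFERENT_DOMAIN")
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    hits = {k for k, words in CUES.items() if any(w in body for w in words)}
    if "payment" in hits and len(hits) >= 2:
        flags.append("PRESSURE_LANGUAGE")
    return flags


# Constructed sample messages.
PERSONAL_ACCOUNT = """\
From: "Elena Ruiz" <eruiz.private@webmail.example>
To: cfo@grupo-ejemplo.example
Subject: Project Atlas

This is strictly confidential. Please arrange the transfer today.
"""
LOOKALIKE = """\
From: "Elena Ruiz" <elena.ruiz@grupo-ejemp1o.example>
To: cfo@grupo-ejemplo.example
Subject: Quick question

Please call me when you have a moment.
"""
SPOOFED = """\
From: "Elena Ruiz" <elena.ruiz@grupo-ejemplo.example>
Reply-To: elena.ruiz@webmail.example
Authentication-Results: mx.grupo-ejemplo.example; spf=fail; dmarc=fail
Subject: Payment

The wire must go out today.
"""
GENUINE = """\
From: "Elena Ruiz" <elena.ruiz@grupo-ejemplo.example>
Authentication-Results: mx.grupo-ejemplo.example; spf=pass; dkim=pass; dmarc=pass
Subject: Board meeting

Board minutes attached.
"""

if __name__ == "__main__":
    for name in ("PERSONAL_ACCOUNT", "LOOKALIKE", "SPOOFED", "GENUINE"):
        print(name, triage(globals()[name]))
```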
Legal actions to recover funds.
After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.
Possible Legal Actions
Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.
In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.
Criminal investigations in the country of payment destination also make it possible to identify the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.
After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.
Conclusions
CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.
Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.
Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.
Summary
The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.
When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.
The goal of this article is to list the top five most relevant novelties.
#5 – Reorganization plan presented by creditors
Before: the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).
Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.
#4 – Mediation focusing on the turnaround
Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.
The most important novelty is the anticipated mediation, whose goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may ask the judge for an order to stay enforcement measures.
#3 – Distressed assets operations
The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.
Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.
#2 – Debtor-in-Possession (DIP) Financing
The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.
The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.
The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.
As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).
#1 – Cross-Border Insolvency
Brazilian law finally incorporated the UNCITRAL Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.
We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.
There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.
These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.
On 6 January 2022 Ukraine finally cancelled an almost two-year-long moratorium on creditor-triggered insolvencies. The moratorium was imposed in late spring 2020 as part of the nation’s response to the first wave of the COVID pandemic.
In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of companies in distress to file for insolvency within one month from the moment when the distress appeared.
The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.
As 2021 statistics later showed, the moratorium never seemed to reach the goal proclaimed by its authors and brought no increase in insolvency relief requests by debtor companies.
Instead, the country has been facing a steady increase in “zombie” companies with little to no liquidation value, whose owners clearly intend to get away without repaying creditors.
With the moratorium lifted, creditors are expected to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trading or fraudulent action. Even with the moratorium in place, in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors’ losses to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022, and there were already 2021 Supreme Court judgments confirming the liability of the real owners standing behind opaque shareholder companies and nominal directors.
As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners’/management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get thorough legal advice on either side, and much better to do so before the actual claim has been brought.
Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.
Stability
The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.
The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.
The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.
Banking Secrecy and Automatic Exchange of Information
The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For a long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.
Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.
Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA), which requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanese banks have agreed to comply.
Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.
Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.
The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to fight tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.
According to the AEOI, starting from September 2018 the Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.
The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.
Corporate Governance
As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.
It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted Basic Decision No. 9382 in order to comply with the banking rules instituted by the Basel Committee.
Account freedom and flexibility
Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5 percent.
The author of this post is Claudia Caluori.
From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.
The Regulation provides for a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in the United Kingdom or Denmark) without the debtor being notified. The debtor will only find out once the seizure is in force.
Such a cross-border seizure can be obtained before the courts of the EU Member State which would have jurisdiction on the merits of the case under EU Regulation 1215/2012 (Brussels I bis).
The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.
To grant the request, the Court will have to examine 1) whether there is urgency (periculum in mora) and 2) whether, on the basis of the evidence provided, there is enough reason to assume the Court will also decide in favor of the creditor in the proceedings on the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await autonomous interpretation by the European Court of Justice.
The new EU Regulation 655/2014 was, however, not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation provides 2 mechanisms to avoid such practices:
- According to art. 12, the creditor can be required to provide security when he has not yet obtained any judgment in his favor;
- The creditor will also be given a fixed time limit within which he has to bring proceedings on the merits of the case.
The new European Regulation 655/2014 also provides a mechanism by which a creditor can request information about his debtor’s bank account(s) in a certain Member State.
Not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).
Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:
“Request for the obtaining of account information
Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.
In a few Member States (including Belgium), such a disclosure mechanism is completely new. The Regulation leaves it up to the Member States how they will organize this new disclosure, giving a few examples:
“Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:
(a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;
(b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;
(c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or
(d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.”
Does this mean any creditor can just run to the Court and ask information?
No, some conditions apply:
- the creditor needs to be in possession of an enforceable judgment;
- there need to be reasons to believe the debtor holds bank accounts in this Member State.
Conclusion: it will be interesting to see how the Member States will apply this new mechanism. Whether it will be effective will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’. This will probably be the key to the question of whether this will end the Pyrrhic decisions, where a creditor is awarded his claim but cannot find assets to seize.
The author of this post is David Diris.
The EU Regulation 655/2014 on transnational seizures on bank accounts
21 December 2016
Europe
- Banking
- Debt collection
- Litigation
El incremento de la llamada cibercriminalidad en los últimos años presenta una magnitud tal que exige reacciones legislativas y judiciales contundentes. Las pérdidas por fraudes online en Europa superan los 100.000 millones de dólares según Nasdaq Ventures de los que 5.000 millones corresponden a España.
En España se denunciaron en 2019, 192.375 casos de estafas informáticas, pero en 2023 ascendieron a 427.448. Según los últimos datos oficiales disponibles las estafas informáticas representan el 90,4% de toda la cibercriminalidad y su crecimiento en el periodo 2016-2023 fue del 378%.
Las variedades que presentan las estafas informáticas son múltiples y están bautizadas en inglés, (al fin y al cabo, la lingua franca de nuestro tiempo), incluyendo, entre otras ingeniosas modalidades de los hábiles estafadores, las conocidas con los curiosos y divertidos nombres (salvo para los que las padecen) como phishing, pharming,, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, y la que hoy nos interesa, man in the middle (MITM).
¿Qué es el ataque Man in the Middle?
El fraude MITM consiste en la interceptación las comunicaciones entre dos dispositivos conectados a una red, permitiendo al ciber caco alterar y desviar los mensajes intercambiados entre los usuarios. El estafador intercepta una comunicación en la que un usuario solicita a otro un pago y a continuación modifica el IBAN de la cuenta bancaria en la que debe realizarse la transferencia con el objetivo de hacerse con el dinero. El proceso se desarrolla generalmente de la siguiente manera:
- Sin que la empresa lo detecte, un atacante intercepta y manipula un correo electrónico, cambiando el número IBAN de la cuenta en la que debe realizarse el pago.
- El ciberdelincuente se hace pasar por el proveedor, enviando el mensaje desde una dirección de correo electrónico casi idéntica a la original, pero con una ligera alteración que resulta casi imperceptible.
- La empresa receptora, confiando en la autenticidad del mensaje, realiza la transferencia a la cuenta fraudulenta.
De este modo, se consigue un desplazamiento patrimonial en detrimento del ordenante de la transferencia y a favor del ciber ladrón, de suerte que cuando el ordenante advierte el error, su primera reacción es intentar contactar con el banco receptor con la esperanza de que los fondos puedan ser bloqueados a tiempo. Sin embargo, en la mayoría de los casos, el ciberdelincuente ha sido más rápido: el dinero ya ha sido transferido a otra cuenta o retirado, dejando poco margen de maniobra, salvo el inicio de actuaciones judiciales a las que a continuación nos referimos.
La pregunta inmediata es qué responsabilidad tiene el banco que ha recibido la orden de transferencia del usuario engañado y abona en la cuenta del ciber estafador el importe en cuestión, en aquellos casos en los que el ordenante del pago identifica no solo el IBAN (fraudulento) sino también el nombre del beneficiario de la orden de pago que obviamente no coincide con el titular de la cuenta bancaria receptora de los fondos.
La respuesta desde el sentido común sería que el banco receptor de la transferencia debería confirmar que el titular de la cuenta de abono y la persona física o entidad identificada como beneficiario en la orden de transferencia coinciden; y si no fuere así, debería suspender el abono y solicitar aclaraciones al ordenante. Pero no es así en aplicación de la legislación de la UE y de la transposición de la misma al ordenamiento jurídico español como a continuación veremos.
Until this past 9 October, the European banking system operated on the premise that the validity of a transfer rests exclusively on the IBAN being correct. In other words, if the account number is correct, the transaction is considered valid, even if the beneficiary's name does not match. This practice has generated numerous cases of fraud, inadvertent errors and lost funds, especially in instant transfers, where speed can work against security.
The most reasonable option for the defrauded payer to recover their money is to bring a civil claim against the bank receiving the credit order (with which the payer has no contractual relationship) for non-contractual liability under art. 1124 of the Civil Code; indeed, criminal proceedings against the account holder, who is usually what is known in the jargon as a “mule”, rarely succeed, both because the bird has normally flown and because of the holder's lack of solvency.
The case law of the Provincial Courts (Audiencias Provinciales) has been divided between decisions that applied article 59 of Royal Decree-Law 19/2018 of 23 November on payment services and other urgent financial measures rigorously and faithfully, dismissing the claims of those defrauded, and others that sought arguments based on a lack of diligence in order to make the bank compensate the payer.
In this way, a form of quasi-strict liability of banks for digital fraud has taken shape, imposing on them a heightened standard of diligence and shifting to them the risk inherent in online banking, except in cases of wilful misconduct or gross negligence on the part of the customer. This line, which runs from the lower-court case law (AAP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) up to the Supreme Court itself (STS 571/2025, among others), is consistent with the idea that it is for the bank to prove that its systems were secure, up to date and sufficient to prevent the offence from being completed.
Against this background, the concept of bonus argentarius takes on renewed relevance. This is a principle that was embodied in Law 57/68 to protect home buyers in the real-estate sector, but which the Supreme Court has held on several occasions can also be applied to other financial investments. As far as MITM is concerned, it means that, in the event of losses caused by the financial institution's negligence, the customer can bring a claim under Law 57/68 and seek to hold the bank liable.
Bonus argentarius rests on a presumption of fault on the part of the financial institution, which means that, even if the customer has no specific evidence of negligence, negligence is taken for granted because of the duty of care the institution owes in managing investments.
On the basis of that principle, the diligence required of the financial professional is not that of the average trader or of the pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This entails not only maintaining basic technical measures of strong authentication, but also proactively adopting internationally recognised anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proved effective in comparable jurisdictions.
In line with that doctrine and case law, omitting beneficiary verification measures would constitute a breach of the contractual duty of diligence and of good faith (arts. 1104 and 1258 CC), giving rise to civil liability for the damage caused, so that MITM fraud cannot be regarded as a residual risk attributable to the customer, but rather as a systemic security failure attributable to the financial institution, as designer and custodian of the electronic payments channel.
However, with matters in this state, the Supreme Court, in its recent judgment of 27 March 2025, came down in favour of the strict application of article 59, reasoning that “if the payment service user provides information additional to that required (specification of the information or of the unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall be liable only for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that, as regards the liability of the payment service provider, at both Community and national level, it follows that the provider fulfils its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying that greater diligence is required.”
It is true that, in closing, the Supreme Court left a glimmer of hope for defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability where circumstances are found to exist, unrelated to the supply of additional data, that could have influenced the defective execution of the transaction, whether because some additional requirement or condition had been expressly agreed between the user and the provider (e.g. identification of the beneficiary), because the payment service provider of the payer or of the beneficiary had taken advantage of the error for its own benefit, or because, the error having been reported without delay, one or the other had not adopted the measures that the diligence of an expert trader required in order to allow the transaction to be reversed or, as the case may be, to minimise the damage.”
Into this scenario riddled with doubts bursts Regulation (EU) 2024/886, which represents a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and entering into force on 9 October 2025, lays down a clear obligation for banks: they must verify that the beneficiary name provided by the payer matches the holder of the IBAN before executing an instant transfer in euros.
The new features of this Regulation are (i) mandatory application to all instant transfers within the SEPA area, (ii) the new name-matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and (iii) heightened liability for financial institutions in the event of fraud or error resulting from a failure to verify.
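The difference between the old IBAN-only rule and the name-IBAN check can be shown in a few lines. The following is an added example, not code from the Regulation, from any bank or from this article: the account directory, the list of legal-form suffixes, the outcome labels and the 0.85 similarity threshold are assumptions, and the two IBANs are the usual documentation samples for Spain and Portugal paired with constructed holder names.

```python
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumptions for this example: suffixes ignored when comparing names, and the
# similarity above which a near miss is reported as a close match.
LEGAL_FORMS = {"SL", "SLU", "SA", "SRL", "LDA", "LTD", "GMBH", "SPA"}
CLOSE_MATCH_THRESHOLD = 0.85

# Constructed directory standing in for the beneficiary bank's own records.
ACCOUNT_HOLDERS = {
    "ES9121000418450200051332": "Suministros Ibéricos, S.L.",  # genuine supplier
    "PT50000201231234567890154": "Juan Pérez García",          # mule account
}


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map
    letters to 10..35 and require the resulting number mod 97 to equal 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def normalise_name(name: str) -> str:
    """Strip accents, punctuation, case and legal-form suffixes."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^A-Z0-9 ]+", " ", plain.upper().replace(".", ""))
    return " ".join(t for t in cleaned.split() if t not in LEGAL_FORMS)


@dataclass
class PayeeCheck:
    iban_valid: bool
    outcome: str       # MATCH, CLOSE_MATCH, NO_MATCH or NOT_POSSIBLE
    alert_payer: bool  # True when the payer must be warned before execution


def verify_payee(iban: str, payee_name: str, holders=ACCOUNT_HOLDERS) -> PayeeCheck:
    key = re.sub(r"\s+", "", iban).upper()
    if not iban_is_valid(key):
        return PayeeCheck(False, "NOT_POSSIBLE", True)
    holder = holders.get(key)
    if holder is None:
        return PayeeCheck(True, "NOT_POSSIBLE", True)
    wanted, actual = normalise_name(payee_name), normalise_name(holder)
    if wanted == actual:
        outcome = "MATCH"
    elif SequenceMatcher(None, wanted, actual).ratio() >= CLOSE_MATCH_THRESHOLD:
        outcome = "CLOSE_MATCH"
    else:
        outcome = "NO_MATCH"
    return PayeeCheck(True, outcome, outcome != "MATCH")


if __name__ == "__main__":
    # The tampered invoice keeps the supplier's name but carries the mule's IBAN.
    tampered_iban = "PT50 0002 0123 1234 5678 9015 4"
    print("IBAN-only rule accepts it:", iban_is_valid(tampered_iban))
    print("Name-IBAN check:", verify_payee(tampered_iban, "Suministros Ibéricos SL"))
```

The swapped IBAN passes the checksum, so a rule that looks only at the unique identifier executes the payment; only the comparison against the account holder exposes the mismatch.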
In short, the aim is to reduce the risk of fraud, protect the consumer and increase confidence in digital payments.
As a result, Law 19/2018, which regulates payment services in Spain and does not provide for an obligation to verify the identity of the beneficiary, is now out of date, which raises the need for a legislative review at national level to bring the legal framework into line with the European requirements.
In conclusion, the obligation to verify the beneficiary in transfers represents a significant advance in consumer protection and in the fight against financial fraud. Regulation (EU) 2024/886 marks a before and after in banking operations, imposing an active responsibility on institutions to guarantee the authenticity of transfers.
In any event, the question remains open as to how MITM frauds carried out before 9 October 2025 are to be resolved and what the bank's liability is; for the moment, the Supreme Court judgment of 27 March cited above closes the door on claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead the Supreme Court to reconsider its position along the lines of the quasi-strict liability that the lower-court case law has been upholding. We shall have to wait and see, but such a change would be a great success for bank users who suffer this MITM fraud and all the others among the many varieties of cyber scams.
Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called «CEO Fraud.» This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.
Background and dynamics of the CEO Fraud
CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.
Fraudsters adopt various communication tools to make their fraud attempts credible: the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, WhatsApp or social media accounts) or other people within the administrative office with operational powers over bank accounts.
Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.
Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.
Contacts are typically made as follows:
- WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
- Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
- Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.
This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that, at first glance, appears to come from the CEO and not the scammer.
We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.
In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.
The (fake) takeover of a competitor company in Europe
Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.
Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.
A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.
The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.
Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.
The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.
The main features of CEO fraud
- Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
- Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
- Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.
How to prevent these scams
CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.
The main clues are the atypical modes of contact (WhatsApp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.
To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.
- First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
- Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
- Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.
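The warning signs and the first precaution above lend themselves to an automated pre-check on inbound mail. The following is an added example, not part of the original article, that flags external, lookalike and unauthenticated senders together with pressure language; the domain grupo.example, the executive name, the term list and the 0.9 similarity threshold are assumptions, the three messages are constructed, and the DMARC check presumes the Authentication-Results header is written by the company's own mail gateway.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: a hypothetical group, its CEO's display name
# and a short list of wording typical of the requests described above.
CORPORATE_DOMAINS = {"grupo.example"}
EXECUTIVE_NAMES = {"maria lopez"}
PRESSURE_TERMS = ("urgent", "confidential", "today", "wire transfer")


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """A domain that is not ours but differs from ours by a character or so."""
    return any(
        domain != own and SequenceMatcher(None, domain, own).ratio() >= 0.9
        for own in CORPORATE_DOMAINS
    )


def triage(raw_message: str) -> list:
    """Return the warning flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    flags = []

    if sender_domain not in CORPORATE_DOMAINS:
        flags.append("external-sender")
        if is_lookalike(sender_domain):
            flags.append("lookalike-domain")
        if " ".join(display.lower().split()) in EXECUTIVE_NAMES:
            flags.append("executive-name-on-external-address")
    elif "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        # The From header claims our own domain, but the gateway did not
        # authenticate it: the address itself may be forged.
        flags.append("corporate-from-without-dmarc-pass")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("reply-to-differs-from-sender")

    body = msg.get_payload()
    text = body.lower() if isinstance(body, str) else ""
    if sum(term in text for term in PRESSURE_TERMS) >= 2:
        flags.append("pressure-language")
    return flags


# Constructed sample messages.
FAKE_CEO_MAIL = "\n".join([
    'From: "Maria Lopez" <maria.lopez@grup0.example>',
    "Reply-To: ceo.private@mail.example",
    "To: cfo@grupo.example",
    "Subject: Acquisition",
    "",
    "This is urgent and strictly confidential: please arrange the wire transfer today.",
])
GENUINE_MAIL = "\n".join([
    'From: "Maria Lopez" <maria.lopez@grupo.example>',
    "Authentication-Results: mx.grupo.example; dmarc=pass header.from=grupo.example",
    "To: cfo@grupo.example",
    "Subject: Board minutes",
    "",
    "The minutes of Monday's board meeting are attached.",
])
SPOOFED_MAIL = "\n".join([
    'From: "Maria Lopez" <maria.lopez@grupo.example>',
    "Authentication-Results: mx.grupo.example; dmarc=fail header.from=grupo.example",
    "To: cfo@grupo.example",
    "Subject: Invoice",
    "",
    "Please find the supplier invoice attached.",
])

if __name__ == "__main__":
    for name in ("FAKE_CEO_MAIL", "GENUINE_MAIL", "SPOOFED_MAIL"):
        print(name, triage(globals()[name]))
```

A flagged message is a prompt for the out-of-band confirmation and dual-signature steps listed above, not a verdict on its own.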
Legal actions to recover funds
After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.
Possible Legal Actions
Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.
In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.
Criminal investigations in the country of payment destination also make it possible to verify who the account holders and the people involved in the scam attempt are, in some cases leading to the arrest of those responsible.
After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.
Conclusions
CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.
Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.
Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.
Summary
The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.
When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.
The goal of this article is to list the top five most relevant novelties.
#5 – Reorganization plan presented by creditors
Before: prior to the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).
Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.
#4 – Mediation focusing on the turnaround
Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.
The most important novelty is the anticipated mediation, whose goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may ask the judge for an order to stay enforcement measures.
#3 – Distressed assets operations
The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.
Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.
#2 – Debtor-in-Possession (DIP) Financing
The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.
The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.
The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.
As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).
#1 – Cross-Border Insolvency
Brazilian law finally incorporated the UNCITRAL Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.
We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.
There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.
These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.
On 6 January 2022 Ukraine finally cancelled an almost two-year-long moratorium on creditor-triggered insolvencies. The moratorium was imposed in late spring 2020 as part of the nation’s response to the first wave of the COVID pandemic.
In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of companies in distress to file for insolvency within one month from the moment when the distress appeared.
The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.
As the 2021 statistics later showed, the moratorium never seemed to reach the goal proclaimed by its authors and brought no increase in insolvency relief requests by debtor companies.
Instead, the country has been facing a steady increase in “zombie” companies having little to no liquidation value, with their owners clearly intending to get away with no creditor repayment.
With the moratorium lifted, creditors can be expected to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trading or fraudulent action. Even with the moratorium in place, in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors’ losses to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022, and there have already been 2021 Supreme Court judgments confirming the liability of the real owners standing behind opaque shareholder companies and nominal directors.
As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners’/management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get thorough legal advice on either side, and much better to do that before the actual claim has been brought.
Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.
Stability
The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.
The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.
The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.
Banking Secret and Automatic exchange of Information
The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For a long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.
Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.
Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA), which requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanese banks have agreed to comply.
Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.
Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.
The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool in the fight against tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.
According to the AEOI, starting from September 2018 the Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.
The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.
Corporate Governance
As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.
It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 in order to comply with the banking rules instituted by the Basel Committee.
Account freedom and flexibility
Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5 percent.
The author of this post is Claudia Caluori.
From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.
The Regulation provides for a procedure to seize the bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in the United Kingdom or Denmark) without the debtor being notified. The debtor will only find out once the seizure is in force.
Such a cross-border seizure can be obtained before the courts of the EU Member State that would have jurisdiction on the merits of the case under EU Regulation 1215/2012 (Brussels I bis).
The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.
To grant the request, the Court will have to examine 1) whether there is urgency (periculum in mora) and 2) whether, on the basis of the evidence provided, there is enough reason to assume that the Court will also decide in favor of the creditor in the proceedings on the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await autonomous interpretation by the European Court of Justice.
The new EU Regulation 655/2014 was not, however, created to bully an unwilling debtor by filing preservation order after preservation order. The Regulation provides for 2 mechanisms to avoid such practices:
- According to art. 12, the creditor can be required to provide a security when he has not obtained any judgment in favor yet;
- The creditor will also be given a fixed period within which he has to bring proceedings on the merits of the case.
The new European Regulation 655/2014 also provides for a mechanism by which a creditor can request information about his debtor’s bank account(s) in a certain Member State.
This is not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, indicating the name of the bank would already be sufficient).
Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:
“Request for the obtaining of account information
Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.
In a few Member States (including Belgium), such disclosure mechanism is completely new. The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:
“Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:
(a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;
(b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;
(c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or
(d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.”
Does this mean any creditor can just run to the Court and ask information?
No, some conditions apply:
- the creditor needs to be in possession of an enforceable judgment;
- there need to be reasons to believe the debtor holds bank accounts in this Member State.
Conclusion: it will be interesting to see how the Member States will apply this new mechanism. Whether it will be effective will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’. This will probably be the key to the question of whether this will end the Pyrrhic decisions, where a creditor is awarded his claim but cannot find assets to seize.
The author of this post is David Diris.
















