Spain – Man in the Middle fraud and EU Regulation 2024/886: a paradigm shift

3 de Novembro, 2025

  • Espanha
  • Banca
  • Financiamento e títulos
  • Contencioso

The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion correspond to Spain.

In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time), including, among other ingenious methods used by skilled fraudsters, those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

Man in the Middle scam: how it works

This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

  • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
  • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
  • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.

 

This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief, so that when the person ordering the transfer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for maneuvering, except for the initiation of legal proceedings, which we will discuss below.

The immediate question is what responsibility the bank that has received the transfer order from the deceived user and credits the cyber fraudster’s account with the amount in question has in cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the name of the holder of the bank account receiving the funds.

The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

Until October 9, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, who is usually referred to in slang as a “mule,” do not usually have a satisfactory outcome, both because the bird usually flies away and because of its lack of solvency.

The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence

It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

Regulation (EU) 2024/886: a paradigm shift

And in this scenario fraught with doubts, Regulation (EU) 2024/886 bursts onto the scene, representing a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and coming into force on October 9, 2025, establishes a clear obligation for banks: they must verify that the name of the beneficiary provided by the payer matches the IBAN holder before executing an immediate transfer in euros.

The new features of this regulation are

  • mandatory application to all instant transfers within the SEPA area,
  • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
  • increased liability for financial institutions in the event of fraud or error due to lack of verification.

In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called “CEO Fraud.” This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.

Background and dynamics of the CEO Fraud

CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.

Fraudsters adopt various communication tools to make their fraud attempts credible: at the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, whatsapp or social media accounts) or other people within the administrative office with operational powers over bank accounts.

Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.

Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.

Contacts are typically made as follows:

  • WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
  • Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
  • Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.

This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that-at first glance-appears to come from the CEO and not the scammer.

We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.

In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.

The (fake) takeover of a competitor company in Europe

Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.

Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.

A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.

The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.

Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.

The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.

The main features of CEO fraud

  • Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
  • Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
  • Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.

How to prevent these scams

CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.

The main clues are the atypical modes of contact (whatsapp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.

To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.

  • First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
  • Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
  • Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.

Legal actions to recover funds.

After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.

Possible Legal Actions

Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.

In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.

Criminal investigations in the country of payment destination also allow for verification that they are the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.

After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.

Conclusions

CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.

Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.

Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.

Summary

The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.

When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.

The goal of this article is to list the top five most relevant novelties.

#5 – Reorganization plan presented by creditors

Before: the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).

Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.

#4 – Mediation focusing on the turnaround

Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.

The most important novelty is the anticipated mediation, which goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.

#3 – Distressed assets operations

The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.

Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.

#2 – Debtor-in-Possession (DIP) Financing

The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.

The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.

The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.

As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).

#1 – Cross-Border Insolvency

Brazilian law finally incorporated the Uncitral Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.

We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.

There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.

These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.

On 6 January 2022 Ukraine finally cancelled almost a two-year long moratorium for the creditor-trigged insolvencies. The moratorium was imposed in the late spring 2020 as a part of the nation’ response to first wave of COVID pandemic.

In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of the companies in distress to file for insolvency within one month from a moment when the distress appeared.

The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.

As further 2021 statistic shown, the moratorium never seemed to reach a goal proclaimed by it authors and made no increase for insolvency relief requests by the debtor companies.

Instead, the country has been facing a steady increase in “zombie” companies having little to none liquidation value – and their owners clearly intending to get away with no creditor repayment.

With the moratorium being lifted off the creditors do expect to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trade or fraudulent action. Even with the moratorium in place in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors loss to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022 – and there already were Supreme Court’s 2021 judgements confirming liability of the real owners standing behind opaque shareholder company and nominal directors.

As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners\management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get a throughout legal advise on either side – and much better to do that before the actual claim has been brought.

Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.

Stability

The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.

The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.

The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.

Banking Secret and Automatic exchange of Information

The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.

Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.

Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA) that requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanon banks have agreed to comply.

Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.

Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.

The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to counter the fight against tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.

According to the AEOI, starting from September 2018 Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.

The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.

Corporate Governance

As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.

It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 to order to comply with the banking rules instituted by the Basel Committee.

Account freedom and flexibility

Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5-percent.

The author of this post is Claudia Caluori.

From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.

The Regulation foresees in a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in United Kingdom or Denmark), without that the debtor is notified hereof. The debtor will only notice once the seizure is into force.

Such cross-border seizure can be obtained before the Courts of an EU Member State who would have jurisdiction on the merits of the case under the EU Regulation 1215/2012 (Brussels I bis).

The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.

To grant the request, the Court will have to examine 1) if there is urgency (periculum in mora) and 2) if there is on basis of the provided evidence enough reason to assume the Court will also decide in favor of the creditor in the proceedings concerning the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await the autonomous interpretation by the European Court of Justice.

The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:

  • According to art. 12, the creditor can be required to provide a security when he has not obtained any judgment in favor yet;
  • The creditor will also receive a fixed delay in which he has to undertake a proceedings about the merits of the case.

The new European Regulation 665/2014 also foresees a mechanism where a creditor can request information about his debtor’s bank account(s) in a certain Member State. 

Not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).

Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:

“Request for the obtaining of account information

Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.

In a few Member States (including Belgium), such disclosure mechanism is completely new.  The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:

“Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:

(a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;

(b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;

(c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or

(d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.

Does this mean any creditor can just run to the Court and ask information?

No, some conditions apply:

  • the creditor needs to be in possession of an enforceable judgment;
  • there need to be reasons to believe the debtor holds bank accounts in this Member State.

Conclusion: it will be interesting to see how the Member States will apply this new mechanism.  Whether it will be effective, will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’.  This will probably be the key to the question if this will end the Pyrrhus decisions, where a creditor is accorded his claim but cannot find assets to seize.

The author of this post is David Diris.

Javier Gaspar

Áreas de prática

  • Arbitragem
  • Distribuição
  • Franchising
  • Contencioso
  • Desporto
Contato Javier

Scrivi a Javier





    Read the privacy policy of Legalmondo.
    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Digital fraud: the fake CEO of the international group

    24 de Abril, 2024

    • Itália
    • Banca

    The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion correspond to Spain.

    In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

    There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time), including, among other ingenious methods used by skilled fraudsters, those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

    Man in the Middle scam: how it works

    This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

    • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
    • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
    • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.

     

    This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief, so that when the person ordering the transfer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for maneuvering, except for the initiation of legal proceedings, which we will discuss below.

    The immediate question is what responsibility the bank that has received the transfer order from the deceived user and credits the cyber fraudster’s account with the amount in question has in cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the name of the holder of the bank account receiving the funds.

    The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

    Until October 9, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

    The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, who is usually referred to in slang as a “mule,” do not usually have a satisfactory outcome, both because the bird usually flies away and because of its lack of solvency.

    The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

    This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

    In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

    The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

    Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

    In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

    In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence

    It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

    Regulation (EU) 2024/886: a paradigm shift

    And in this scenario fraught with doubts, Regulation (EU) 2024/886 bursts onto the scene, representing a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and coming into force on October 9, 2025, establishes a clear obligation for banks: they must verify that the name of the beneficiary provided by the payer matches the IBAN holder before executing an immediate transfer in euros.

    The new features of this regulation are

    • mandatory application to all instant transfers within the SEPA area,
    • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
    • increased liability for financial institutions in the event of fraud or error due to lack of verification.

    In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

    This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

    In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

    In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

    Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called “CEO Fraud.” This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.

    Background and dynamics of the CEO Fraud

    CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.

    Fraudsters adopt various communication tools to make their fraud attempts credible: at the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, whatsapp or social media accounts) or other people within the administrative office with operational powers over bank accounts.

    Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.

    Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.

    Contacts are typically made as follows:

    • WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
    • Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
    • Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.

    This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that-at first glance-appears to come from the CEO and not the scammer.

    We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.

    In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.

    The (fake) takeover of a competitor company in Europe

    Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.

    Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.

    A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.

    The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.

    Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.

    The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.

    The main features of CEO fraud

    • Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
    • Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
    • Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.

    How to prevent these scams

    CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.

    The main clues are the atypical modes of contact (whatsapp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.

    To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.

    • First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
    • Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
    • Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.

    Legal actions to recover funds.

    After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.

    Possible Legal Actions

    Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.

    In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.

    Criminal investigations in the country of payment destination also allow for verification that they are the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.

    After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.

    Conclusions

    CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.

    Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.

    Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.

    Summary

    The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.

    When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.

    The goal of this article is to list the top five most relevant novelties.

    #5 – Reorganization plan presented by creditors

    Before: the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).

    Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.

    #4 – Mediation focusing on the turnaround

    Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.

    The most important novelty is the anticipated mediation, which goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.

    #3 – Distressed assets operations

    The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.

    Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.

    #2 – Debtor-in-Possession (DIP) Financing

    The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.

    The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.

    The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.

    As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).

    #1 – Cross-Border Insolvency

    Brazilian law finally incorporated the Uncitral Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.

    We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.

    There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.

    These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.

    On 6 January 2022 Ukraine finally cancelled almost a two-year long moratorium for the creditor-trigged insolvencies. The moratorium was imposed in the late spring 2020 as a part of the nation’ response to first wave of COVID pandemic.

    In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of the companies in distress to file for insolvency within one month from a moment when the distress appeared.

    The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.

    As further 2021 statistic shown, the moratorium never seemed to reach a goal proclaimed by it authors and made no increase for insolvency relief requests by the debtor companies.

    Instead, the country has been facing a steady increase in “zombie” companies having little to none liquidation value – and their owners clearly intending to get away with no creditor repayment.

    With the moratorium being lifted off the creditors do expect to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trade or fraudulent action. Even with the moratorium in place in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors loss to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022 – and there already were Supreme Court’s 2021 judgements confirming liability of the real owners standing behind opaque shareholder company and nominal directors.

    As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners\management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get a throughout legal advise on either side – and much better to do that before the actual claim has been brought.

    Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.

    Stability

    The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.

    The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.

    The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.

    Banking Secret and Automatic exchange of Information

    The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.

    Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.

    Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA) that requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanon banks have agreed to comply.

    Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.

    Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.

    The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to counter the fight against tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.

    According to the AEOI, starting from September 2018 Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.

    The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.

    Corporate Governance

    As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.

    It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 to order to comply with the banking rules instituted by the Basel Committee.

    Account freedom and flexibility

    Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5-percent.

    The author of this post is Claudia Caluori.

    From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.

    The Regulation foresees in a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in United Kingdom or Denmark), without that the debtor is notified hereof. The debtor will only notice once the seizure is into force.

    Such cross-border seizure can be obtained before the Courts of an EU Member State who would have jurisdiction on the merits of the case under the EU Regulation 1215/2012 (Brussels I bis).

    The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.

    To grant the request, the Court will have to examine 1) if there is urgency (periculum in mora) and 2) if there is on basis of the provided evidence enough reason to assume the Court will also decide in favor of the creditor in the proceedings concerning the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await the autonomous interpretation by the European Court of Justice.

    The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:

    • According to art. 12, the creditor can be required to provide a security when he has not obtained any judgment in favor yet;
    • The creditor will also receive a fixed delay in which he has to undertake a proceedings about the merits of the case.

    The new European Regulation 665/2014 also foresees a mechanism where a creditor can request information about his debtor’s bank account(s) in a certain Member State. 

    Not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).

    Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:

    “Request for the obtaining of account information

    Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.

    In a few Member States (including Belgium), such disclosure mechanism is completely new.  The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:

    “Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:

    (a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;

    (b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;

    (c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or

    (d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.

    Does this mean any creditor can just run to the Court and ask information?

    No, some conditions apply:

    • the creditor needs to be in possession of an enforceable judgment;
    • there need to be reasons to believe the debtor holds bank accounts in this Member State.

    Conclusion: it will be interesting to see how the Member States will apply this new mechanism.  Whether it will be effective, will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’.  This will probably be the key to the question if this will end the Pyrrhus decisions, where a creditor is accorded his claim but cannot find assets to seize.

    The author of this post is David Diris.

    Roberto Luzi Crivellini

    Áreas de prática

    • Arbitragem
    • Distribuição
    • Comércio internacional
    • Contencioso
    • Imobiliário
    Contato Roberto

    Scrivi a Roberto





      Read the privacy policy of Legalmondo.
      This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

      Brazil – Reforms in Insolvency and Turnaround

      4 de Dezembro, 2022

      • Brasil
      • Banca
      • Insolvência

      The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion correspond to Spain.

      In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

      There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time), including, among other ingenious methods used by skilled fraudsters, those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

      Man in the Middle scam: how it works

      This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

      • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
      • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
      • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.

       

      This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief, so that when the person ordering the transfer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for maneuvering, except for the initiation of legal proceedings, which we will discuss below.

      The immediate question is what responsibility the bank that has received the transfer order from the deceived user and credits the cyber fraudster’s account with the amount in question has in cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the name of the holder of the bank account receiving the funds.

      The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

      Until October 9, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

      The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, who is usually referred to in slang as a “mule,” do not usually have a satisfactory outcome, both because the bird usually flies away and because of its lack of solvency.

      The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

      This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

      In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

      The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

      Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

      In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

      In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence

      It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

      Regulation (EU) 2024/886: a paradigm shift

      And in this scenario fraught with doubts, Regulation (EU) 2024/886 bursts onto the scene, representing a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and coming into force on October 9, 2025, establishes a clear obligation for banks: they must verify that the name of the beneficiary provided by the payer matches the IBAN holder before executing an immediate transfer in euros.

      The new features of this regulation are

      • mandatory application to all instant transfers within the SEPA area,
      • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
      • increased liability for financial institutions in the event of fraud or error due to lack of verification.

      In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

      This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

      In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

      In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

      Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called “CEO Fraud.” This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.

      Background and dynamics of the CEO Fraud

      CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.

      Fraudsters adopt various communication tools to make their fraud attempts credible: at the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, whatsapp or social media accounts) or other people within the administrative office with operational powers over bank accounts.

      Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.

      Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.

      Contacts are typically made as follows:

      • WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
      • Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
      • Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.

      This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that-at first glance-appears to come from the CEO and not the scammer.

      We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.

      In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.

      The (fake) takeover of a competitor company in Europe

      Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.

      Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.

      A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.

      The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.

      Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.

      The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.

      The main features of CEO fraud

      • Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
      • Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
      • Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.

      How to prevent these scams

      CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.

      The main clues are the atypical modes of contact (whatsapp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.

      To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.

      • First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
      • Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
      • Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.

      Legal actions to recover funds.

      After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.

      Possible Legal Actions

      Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.

      In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.

      Criminal investigations in the country of payment destination also allow for verification that they are the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.

      After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.

      Conclusions

      CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.

      Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.

      Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.

      Summary

      The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.

      When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.

      The goal of this article is to list the top five most relevant novelties.

      #5 – Reorganization plan presented by creditors

      Before: the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).

      Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.

      #4 – Mediation focusing on the turnaround

      Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.

      The most important novelty is the anticipated mediation, which goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.

      #3 – Distressed assets operations

      The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.

      Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.

      #2 – Debtor-in-Possession (DIP) Financing

      The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.

      The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.

      The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.

      As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).

      #1 – Cross-Border Insolvency

      Brazilian law finally incorporated the Uncitral Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.

      We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.

      There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.

      These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.

      On 6 January 2022 Ukraine finally cancelled almost a two-year long moratorium for the creditor-trigged insolvencies. The moratorium was imposed in the late spring 2020 as a part of the nation’ response to first wave of COVID pandemic.

      In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of the companies in distress to file for insolvency within one month from a moment when the distress appeared.

      The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.

      As further 2021 statistic shown, the moratorium never seemed to reach a goal proclaimed by it authors and made no increase for insolvency relief requests by the debtor companies.

      Instead, the country has been facing a steady increase in “zombie” companies having little to none liquidation value – and their owners clearly intending to get away with no creditor repayment.

      With the moratorium being lifted off the creditors do expect to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trade or fraudulent action. Even with the moratorium in place in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors loss to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022 – and there already were Supreme Court’s 2021 judgements confirming liability of the real owners standing behind opaque shareholder company and nominal directors.

      As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners\management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get a throughout legal advise on either side – and much better to do that before the actual claim has been brought.

      Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.

      Stability

      The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.

      The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.

      The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.

      Banking Secret and Automatic exchange of Information

      The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.

      Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.

      Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA) that requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanon banks have agreed to comply.

      Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.

      Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.

      The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to counter the fight against tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.

      According to the AEOI, starting from September 2018 Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.

      The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.

      Corporate Governance

      As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.

      It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 to order to comply with the banking rules instituted by the Basel Committee.

      Account freedom and flexibility

      Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5-percent.

      The author of this post is Claudia Caluori.

      From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.

      The Regulation foresees in a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in United Kingdom or Denmark), without that the debtor is notified hereof. The debtor will only notice once the seizure is into force.

      Such cross-border seizure can be obtained before the Courts of an EU Member State who would have jurisdiction on the merits of the case under the EU Regulation 1215/2012 (Brussels I bis).

      The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.

      To grant the request, the Court will have to examine 1) if there is urgency (periculum in mora) and 2) if there is on basis of the provided evidence enough reason to assume the Court will also decide in favor of the creditor in the proceedings concerning the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await the autonomous interpretation by the European Court of Justice.

      The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:

      • According to art. 12, the creditor can be required to provide a security when he has not obtained any judgment in favor yet;
      • The creditor will also receive a fixed delay in which he has to undertake a proceedings about the merits of the case.

      The new European Regulation 665/2014 also foresees a mechanism where a creditor can request information about his debtor’s bank account(s) in a certain Member State. 

      Not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).

      Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:

      “Request for the obtaining of account information

      Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.

      In a few Member States (including Belgium), such disclosure mechanism is completely new.  The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:

      “Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:

      (a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;

      (b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;

      (c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or

      (d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.

      Does this mean any creditor can just run to the Court and ask information?

      No, some conditions apply:

      • the creditor needs to be in possession of an enforceable judgment;
      • there need to be reasons to believe the debtor holds bank accounts in this Member State.

      Conclusion: it will be interesting to see how the Member States will apply this new mechanism.  Whether it will be effective, will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’.  This will probably be the key to the question if this will end the Pyrrhus decisions, where a creditor is accorded his claim but cannot find assets to seize.

      The author of this post is David Diris.

      Geraldo Fonseca

      Áreas de prática

      • Empresa
      • Cobrança de créditos
      • Insolvência
      • Comércio internacional
      • Contencioso
      Contato Geraldo

      Scrivi a Geraldo





        Read the privacy policy of Legalmondo.
        This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

        Ukraine: new hope for the creditors as the debtors’ concern grows

        17 de Janeiro, 2022

        • Ucrânia
        • Banca
        • Insolvência
        • Contencioso

        The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion correspond to Spain.

        In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

        There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time), including, among other ingenious methods used by skilled fraudsters, those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

        Man in the Middle scam: how it works

        This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

        • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
        • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
        • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.

         

        This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief, so that when the person ordering the transfer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for maneuvering, except for the initiation of legal proceedings, which we will discuss below.

        The immediate question is what responsibility the bank that has received the transfer order from the deceived user and credits the cyber fraudster’s account with the amount in question has in cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the name of the holder of the bank account receiving the funds.

        The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

        Until October 9, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

        The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, who is usually referred to in slang as a “mule,” do not usually have a satisfactory outcome, both because the bird usually flies away and because of its lack of solvency.

        The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

        This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

        In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

        The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

        Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

        In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

        In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence

        It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

        Regulation (EU) 2024/886: a paradigm shift

        And in this scenario fraught with doubts, Regulation (EU) 2024/886 bursts onto the scene, representing a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and coming into force on October 9, 2025, establishes a clear obligation for banks: they must verify that the name of the beneficiary provided by the payer matches the IBAN holder before executing an immediate transfer in euros.

        The new features of this regulation are

        • mandatory application to all instant transfers within the SEPA area,
        • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
        • increased liability for financial institutions in the event of fraud or error due to lack of verification.

        In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

        This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

        In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

        In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

        Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called “CEO Fraud.” This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.

        Background and dynamics of the CEO Fraud

        CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.

        Fraudsters adopt various communication tools to make their fraud attempts credible: at the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, whatsapp or social media accounts) or other people within the administrative office with operational powers over bank accounts.

        Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.

        Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.

        Contacts are typically made as follows:

        • WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
        • Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
        • Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.

        This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that-at first glance-appears to come from the CEO and not the scammer.

        We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.

        In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.

        The (fake) takeover of a competitor company in Europe

        Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.

        Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.

        A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.

        The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.

        Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.

        The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.

        The main features of CEO fraud

        • Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
        • Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
        • Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.

        How to prevent these scams

        CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.

        The main clues are the atypical modes of contact (whatsapp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.

        To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.

        • First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
        • Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
        • Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.

        Legal actions to recover funds.

        After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.

        Possible Legal Actions

        Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.

        In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.

        Criminal investigations in the country of payment destination also allow for verification that they are the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.

        After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.

        Conclusions

        CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.

        Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.

        Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.

        Summary

        The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.

        When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.

        The goal of this article is to list the top five most relevant novelties.

        #5 – Reorganization plan presented by creditors

        Before: the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).

        Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.

        #4 – Mediation focusing on the turnaround

        Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.

        The most important novelty is the anticipated mediation, which goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.

        #3 – Distressed assets operations

        The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.

        Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.

        #2 – Debtor-in-Possession (DIP) Financing

        The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.

        The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.

        The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.

        As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).

        #1 – Cross-Border Insolvency

        Brazilian law finally incorporated the Uncitral Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.

        We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.

        There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.

        These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.

        On 6 January 2022 Ukraine finally cancelled almost a two-year long moratorium for the creditor-trigged insolvencies. The moratorium was imposed in the late spring 2020 as a part of the nation’ response to first wave of COVID pandemic.

        In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of the companies in distress to file for insolvency within one month from a moment when the distress appeared.

        The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.

        As further 2021 statistic shown, the moratorium never seemed to reach a goal proclaimed by it authors and made no increase for insolvency relief requests by the debtor companies.

        Instead, the country has been facing a steady increase in “zombie” companies having little to none liquidation value – and their owners clearly intending to get away with no creditor repayment.

        With the moratorium being lifted off the creditors do expect to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trade or fraudulent action. Even with the moratorium in place in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors loss to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022 – and there already were Supreme Court’s 2021 judgements confirming liability of the real owners standing behind opaque shareholder company and nominal directors.

        As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners\management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get a throughout legal advise on either side – and much better to do that before the actual claim has been brought.

        Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.

        Stability

        The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.

        The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.

        The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.

        Banking Secret and Automatic exchange of Information

        The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.

        Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.

        Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA) that requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanon banks have agreed to comply.

        Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.

        Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.

        The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to counter the fight against tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.

        According to the AEOI, starting from September 2018 Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.

        The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.

        Corporate Governance

        As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.

        It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 to order to comply with the banking rules instituted by the Basel Committee.

        Account freedom and flexibility

        Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5-percent.

        The author of this post is Claudia Caluori.

        From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.

        The Regulation foresees in a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in United Kingdom or Denmark), without that the debtor is notified hereof. The debtor will only notice once the seizure is into force.

        Such cross-border seizure can be obtained before the Courts of an EU Member State who would have jurisdiction on the merits of the case under the EU Regulation 1215/2012 (Brussels I bis).

        The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.

        To grant the request, the Court will have to examine 1) if there is urgency (periculum in mora) and 2) if there is on basis of the provided evidence enough reason to assume the Court will also decide in favor of the creditor in the proceedings concerning the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await the autonomous interpretation by the European Court of Justice.

        The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:

        • According to art. 12, the creditor can be required to provide a security when he has not obtained any judgment in favor yet;
        • The creditor will also receive a fixed delay in which he has to undertake a proceedings about the merits of the case.

        The new European Regulation 665/2014 also foresees a mechanism where a creditor can request information about his debtor’s bank account(s) in a certain Member State. 

        Not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).

        Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:

        “Request for the obtaining of account information

        Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.

        In a few Member States (including Belgium), such disclosure mechanism is completely new.  The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:

        “Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:

        (a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;

        (b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;

        (c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or

        (d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.

        Does this mean any creditor can just run to the Court and ask information?

        No, some conditions apply:

        • the creditor needs to be in possession of an enforceable judgment;
        • there need to be reasons to believe the debtor holds bank accounts in this Member State.

        Conclusion: it will be interesting to see how the Member States will apply this new mechanism.  Whether it will be effective, will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’.  This will probably be the key to the question if this will end the Pyrrhus decisions, where a creditor is accorded his claim but cannot find assets to seize.

        The author of this post is David Diris.

        Anton Molchanov

        Áreas de prática

        • Agricultura
        • Empresa
        • Cobrança de créditos
        • Financiamento e títulos
        • Insolvência
        Contato Anton

        Scrivi a Anton





          Read the privacy policy of Legalmondo.
          This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

          The Lebanese Banking Sector

          12 de Abril, 2017

          • Líbano
          • Banca
          • Empresa

          The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion correspond to Spain.

          In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

          There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time), including, among other ingenious methods used by skilled fraudsters, those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

          Man in the Middle scam: how it works

          This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

          • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
          • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
          • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.

           

          This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief, so that when the person ordering the transfer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for maneuvering, except for the initiation of legal proceedings, which we will discuss below.

          The immediate question is what responsibility the bank that has received the transfer order from the deceived user and credits the cyber fraudster’s account with the amount in question has in cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the name of the holder of the bank account receiving the funds.

          The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

          Until October 9, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

          The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, who is usually referred to in slang as a “mule,” do not usually have a satisfactory outcome, both because the bird usually flies away and because of its lack of solvency.

          The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

          This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

          In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

          The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

          Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

          In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

          In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence

          It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

          Regulation (EU) 2024/886: a paradigm shift

          And in this scenario fraught with doubts, Regulation (EU) 2024/886 bursts onto the scene, representing a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and coming into force on October 9, 2025, establishes a clear obligation for banks: they must verify that the name of the beneficiary provided by the payer matches the IBAN holder before executing an immediate transfer in euros.

          The new features of this regulation are

          • mandatory application to all instant transfers within the SEPA area,
          • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
          • increased liability for financial institutions in the event of fraud or error due to lack of verification.

          In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

          This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

          In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

          In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

          Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called “CEO Fraud.” This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.

          Background and dynamics of the CEO Fraud

          CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.

          Fraudsters adopt various communication tools to make their fraud attempts credible: at the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, whatsapp or social media accounts) or other people within the administrative office with operational powers over bank accounts.

          Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.

          Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.

          Contacts are typically made as follows:

          • WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
          • Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
          • Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.

          This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that-at first glance-appears to come from the CEO and not the scammer.

          We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.

          In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.

          The (fake) takeover of a competitor company in Europe

          Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.

          Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.

          A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.

          The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.

          Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.

          The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.

          The main features of CEO fraud

          • Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
          • Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
          • Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.

          How to prevent these scams

          CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.

          The main clues are the atypical modes of contact (whatsapp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.

          To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.

          • First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
          • Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
          • Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.

          Legal actions to recover funds.

          After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.

          Possible Legal Actions

          Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.

          In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.

          Criminal investigations in the country of payment destination also allow for verification that they are the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.

          After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.

          Conclusions

          CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.

          Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.

          Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.

          Summary

          The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.

          When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.

          The goal of this article is to list the top five most relevant novelties.

          #5 – Reorganization plan presented by creditors

          Before: the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).

          Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.

          #4 – Mediation focusing on the turnaround

          Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.

          The most important novelty is the anticipated mediation, which goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.

          #3 – Distressed assets operations

          The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.

          Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.

          #2 – Debtor-in-Possession (DIP) Financing

          The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.

          The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.

          The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.

          As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).

          #1 – Cross-Border Insolvency

          Brazilian law finally incorporated the Uncitral Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.

          We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.

          There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.

          These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.

          On 6 January 2022 Ukraine finally cancelled almost a two-year long moratorium for the creditor-trigged insolvencies. The moratorium was imposed in the late spring 2020 as a part of the nation’ response to first wave of COVID pandemic.

          In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of the companies in distress to file for insolvency within one month from a moment when the distress appeared.

          The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.

          As further 2021 statistic shown, the moratorium never seemed to reach a goal proclaimed by it authors and made no increase for insolvency relief requests by the debtor companies.

          Instead, the country has been facing a steady increase in “zombie” companies having little to none liquidation value – and their owners clearly intending to get away with no creditor repayment.

          With the moratorium being lifted off the creditors do expect to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trade or fraudulent action. Even with the moratorium in place in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors loss to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022 – and there already were Supreme Court’s 2021 judgements confirming liability of the real owners standing behind opaque shareholder company and nominal directors.

          As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners\management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get a throughout legal advise on either side – and much better to do that before the actual claim has been brought.

          Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.

          Stability

          The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.

          The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.

          The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.

          Banking Secret and Automatic exchange of Information

          The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.

          Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.

          Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA) that requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanon banks have agreed to comply.

          Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.

          Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.

          The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to counter the fight against tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.

          According to the AEOI, starting from September 2018 Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.

          The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.

          Corporate Governance

          As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.

          It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 to order to comply with the banking rules instituted by the Basel Committee.

          Account freedom and flexibility

          Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5-percent.

          The author of this post is Claudia Caluori.

          From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.

          The Regulation foresees in a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in United Kingdom or Denmark), without that the debtor is notified hereof. The debtor will only notice once the seizure is into force.

          Such cross-border seizure can be obtained before the Courts of an EU Member State who would have jurisdiction on the merits of the case under the EU Regulation 1215/2012 (Brussels I bis).

          The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.

          To grant the request, the Court will have to examine 1) if there is urgency (periculum in mora) and 2) if there is on basis of the provided evidence enough reason to assume the Court will also decide in favor of the creditor in the proceedings concerning the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await the autonomous interpretation by the European Court of Justice.

          The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:

          • According to art. 12, the creditor can be required to provide a security when he has not obtained any judgment in favor yet;
          • The creditor will also receive a fixed delay in which he has to undertake a proceedings about the merits of the case.

          The new European Regulation 665/2014 also foresees a mechanism where a creditor can request information about his debtor’s bank account(s) in a certain Member State. 

          Not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).

          Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:

          “Request for the obtaining of account information

          Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.

          In a few Member States (including Belgium), such disclosure mechanism is completely new.  The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:

          “Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:

          (a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;

          (b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;

          (c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or

          (d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.

          Does this mean any creditor can just run to the Court and ask information?

          No, some conditions apply:

          • the creditor needs to be in possession of an enforceable judgment;
          • there need to be reasons to believe the debtor holds bank accounts in this Member State.

          Conclusion: it will be interesting to see how the Member States will apply this new mechanism.  Whether it will be effective, will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’.  This will probably be the key to the question if this will end the Pyrrhus decisions, where a creditor is accorded his claim but cannot find assets to seize.

          The author of this post is David Diris.

          The EU Regulation 655/2014 on transnational seizures on bank accounts

          21 de Dezembro, 2016

          • Europa
          • Banca
          • Cobrança de créditos
          • Contencioso

          The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion correspond to Spain.

          In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

          There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time), including, among other ingenious methods used by skilled fraudsters, those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

          Man in the Middle scam: how it works

          This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

          • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
          • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
          • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.

           

          This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief, so that when the person ordering the transfer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for maneuvering, except for the initiation of legal proceedings, which we will discuss below.

          The immediate question is what responsibility the bank that has received the transfer order from the deceived user and credits the cyber fraudster’s account with the amount in question has in cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the name of the holder of the bank account receiving the funds.

          The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

          Until October 9, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

          The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, who is usually referred to in slang as a “mule,” do not usually have a satisfactory outcome, both because the bird usually flies away and because of its lack of solvency.

          The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

          This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

          In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

          The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

          Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

          In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

          In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence

          It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

          Regulation (EU) 2024/886: a paradigm shift

          And in this scenario fraught with doubts, Regulation (EU) 2024/886 bursts onto the scene, representing a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and coming into force on October 9, 2025, establishes a clear obligation for banks: they must verify that the name of the beneficiary provided by the payer matches the IBAN holder before executing an immediate transfer in euros.

          The new features of this regulation are

          • mandatory application to all instant transfers within the SEPA area,
          • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
          • increased liability for financial institutions in the event of fraud or error due to lack of verification.

          In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

          This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

          In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

          In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

          Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called “CEO Fraud.” This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.

          Background and dynamics of the CEO Fraud

          CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.

          Fraudsters adopt various communication tools to make their fraud attempts credible: at the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, whatsapp or social media accounts) or other people within the administrative office with operational powers over bank accounts.

          Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.

          Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.

          Contacts are typically made as follows:

          • WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
          • Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
          • Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.

          This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that-at first glance-appears to come from the CEO and not the scammer.

          We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.

          In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.

          The (fake) takeover of a competitor company in Europe

          Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.

          Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.

          A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.

          The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.

          Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.

          The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.

          The main features of CEO fraud

          • Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
          • Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
          • Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.

          How to prevent these scams

          CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.

          The main clues are the atypical modes of contact (whatsapp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.

          To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.

          • First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
          • Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
          • Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.

          Legal actions to recover funds.

          After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.

          Possible Legal Actions

          Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.

          In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.

          Criminal investigations in the country of payment destination also allow for verification that they are the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.

          After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.

          Conclusions

          CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters’ evolving techniques.

          Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.

          Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.

          Summary

          The reform of the Brazilian Bankruptcy Act brings forward important changes in both reorganization procedures and liquidation measures.

          When the Brazilian Bankruptcy Act was about to reach its 15th Anniversary, a major amendment was enacted. It was needed, in fact. Over the past 15 years, creations of the Bankruptcy Act have been tested, and practical experiences showed that some tools needed adjustments, and others demanded complete change.

          The goal of this article is to list the top five most relevant novelties.

          #5 – Reorganization plan presented by creditors

          Before: the amendment, the construction of the reorganization plan was exclusively the responsibility of the debtor. If the majority of the creditors’ meeting decided to reject the plan, the automatic consequence would be the conversion into bankruptcy (liquidation).

          Now: in cases like this, the creditors have the right to present an alternative judicial recovery plan. As a result, creditors assume a more relevant role in corporate restructuring.

          #4 – Mediation focusing on the turnaround

          Mediation is now encouraged in ongoing judicial reorganization processes so that creditors and debtors may find a way out to overcome the crisis.

          The most important novelty is the anticipated mediation, which goal is to avoid reorganization and liquidation. In this procedure, the debtor convenes creditors for a mediated negotiation, and they may seek the judge for an order to stay enforcement measures.

          #3 – Distressed assets operations

          The disposal of debtor’s assets is now simplified in both judicial reorganization and bankruptcy. Particularly in bankruptcy – in which case maximizing the use of assets is essential – the law authorizes the anticipated sale, adjudication by creditors, and even the donation of assets that creditors are not interested in acquiring.

          Besides that, the distressed assets acquisitions and M&A deals are now safer, with a clearer legal provision of a liability shield in favour of the purchaser.

          #2 – Debtor-in-Possession (DIP) Financing

          The lack of incentive to finance the debtor undergoing judicial reorganization has always been a reason for criticism by stakeholders. In the absence of legal provisions, potential financiers could be insecure about the risks of the operation and the lack of clear advantages to offset the risk.

          The complaints were addressed with the legal treatment of the debtor’s financing during judicial reorganization. This type of financing is known as Debtor-in-Possession (DIP) Financing.

          The debtor is allowed, through judicial authorization, to conclude financing contracts to pay for the maintenance of his activities and assets, as well as to be liable for restructuring expenses.

          As a guarantee for the financing, the debtor may offer his own assets and rights or those of third parties, even if they belong to non-current assets, that is, assets not originally intended for sale, but which serve the business structure (machinery, for example).

          #1 – Cross-Border Insolvency

          Brazilian law finally incorporated the Uncitral Model Law on Cross-Border Insolvency. An integrated world full of global companies imposes the need to provide for specific rules on cross-border insolvency, which were hitherto non-existent, in order to eliminate the insecurity about the reach of foreign procedures for Brazilian creditors and about the effect of Brazilian procedures for foreign creditors.

          We now have a new panorama, with the possibility of procedures abroad having effects in Brazil and also of Brazilian procedures reaching foreigners.

          There is a detailed treatment of the participation of foreigners in Brazil and the international cooperation between judges and other authorities to put the fundamental principles that govern the entire insolvency system in motion, namely, the improvement of legal certainty, efficient management of the processes, maximization of assets, preservation of the company, and optimization of asset liquidation.

          These are the five main new features, in a nutshell. If you are interested in learning more about any of these topics or if you want to stay updated on insolvency – turnaround in Brazil, please get in touch.

          On 6 January 2022 Ukraine finally cancelled almost a two-year long moratorium for the creditor-trigged insolvencies. The moratorium was imposed in the late spring 2020 as a part of the nation’ response to first wave of COVID pandemic.

          In a nutshell, the moratorium prohibited creditors from requesting insolvency action against those debtors whose obligations matured after 12 March 2020. A separate set of measures also lifted an early warning duty obliging directors of the companies in distress to file for insolvency within one month from a moment when the distress appeared.

          The moratorium was heavily criticized by both domestic and international creditors, who legitimately blamed it for a non-selective approach.

          As further 2021 statistic shown, the moratorium never seemed to reach a goal proclaimed by it authors and made no increase for insolvency relief requests by the debtor companies.

          Instead, the country has been facing a steady increase in “zombie” companies having little to none liquidation value – and their owners clearly intending to get away with no creditor repayment.

          With the moratorium being lifted off the creditors do expect to show no mercy to their Ukrainian debtors. This particularly worries those debtors potentially involved in wrongful trade or fraudulent action. Even with the moratorium in place in 2021 Ukrainian courts confirmed more than UAH 150 mln in creditors loss to be paid by the insolvent companies’ management and owners themselves. This number is expected to triple in 2022 – and there already were Supreme Court’s 2021 judgements confirming liability of the real owners standing behind opaque shareholder company and nominal directors.

          As the creditors’ agitation grows, so do the debtor company owners’ concerns. As the owners\management liability process is extremely bespoke and often requires swift action, it is of crucial importance to get a throughout legal advise on either side – and much better to do that before the actual claim has been brought.

          Lebanon’s secure banking sector plays an important role in the country’s stability and economic status. High liquidity and compliance with all international regulatory standards make it one of the most profitable in the region.

          Stability

          The Lebanese banking sector owes its solidity primarily to the stringent policies applied by the Lebanese Central Bank (LCB). Efforts are constantly being made to fight money laundering and terrorism funding.

          The Lebanese diaspora also contributes to the stability through the flux of transfers and deposits of extraterritorial income. Compared with an estimated population of 4.9 million inhabitants, about 16 million Lebanese live abroad, largely engaged in trade and finance, and mainly concentrated in South America.

          The banking sector’s stability is also bolstered by the currency exchange rate, which has been stable since 1997, when the Lebanese Pound (LBP) was pegged to the United States Dollar (USD) at a rate of 1507.5 LBP to the USD.

          Banking Secret and Automatic exchange of Information

          The Lebanese Banking Secrecy Law of September 3, 1956 was a key aspect in the expansion of the sector. Bank secrecy is applied to any bank operating in Lebanon, local or foreign, and prohibits the disclosure of any details or information about any account or accountholder. For long time this law has increased confidence in Lebanese banking together with the amount of foreign capital coming into the country.

          Before the last economic and financial global shocks, the veil of banking secrecy could be lifted only with prior approval of the accountholder, in case of bankruptcy; for the exchange of information between banks about indebted accounts; and in case of legal actions between a bank and a client or illicit enrichment.

          Nowadays, banking secrecy does not apply to US citizens because of the Foreign Account Tax Compliance Act (FATCA) that requires foreign banks to report American accountholders to the tax authority of the US. Even though Lebanon has not agreed to be FATCA compliant as a whole, individual Lebanon banks have agreed to comply.

          Moreover, in 2016 Lebanon joined the Global Forum on Transparency and the Automatic Exchange of Information (AEOI) for tax purposes, committing to implement a series of regulatory reforms to better comply with the Common Reporting Standards of OECD.

          Consequently, if the requested information is protected under the Banking Secrecy Law of 1956, the request will be forwarded to the Special Investigation Commission (SIC) at the Central Bank with an opinion from the Ministry of Finance for review before it can be disclosed to the foreign tax authority based on an information exchange agreement.

          The regulatory framework and supervision of the banking sector is already in compliance with international standards, such as Basel I, II, and III. Abiding by these laws does not eliminate banking secrecy. New regulations just aim to provide a more effective tool to counter the fight against tax evasion and to track suspicious operations for money laundering purposes, or self-laundering, based on tax offenses.

          According to the AEOI, starting from September 2018 Lebanese Tax Authority will exchange information automatically on non-residents, and will have access to information on residents who hold assets abroad. No issues for Lebanese residents.

          The new legislation will impact: banks, brokers, trusts, fiduciaries, insurance companies, although only for a few products, and certain collective investment funds.

          Corporate Governance

          As part of the strategy to integrate Lebanon further into the international community and the global economy, corporate governance in banks is necessary to guarantee fairness, transparency and accountability.

          It is mandatory for banks while optional for other companies. In fact, an innovation took place in the banking sector on July 26, 2006 when the Governor of the Lebanese Central Bank enacted the Basic Decision No. 9382 to order to comply with the banking rules instituted by the Basel Committee.

          Account freedom and flexibility

          Lebanese banks are known for being open to foreign investors and have branches worldwide. Foreign individuals or companies can easily open a bank account in Lebanon in any currency and benefit from all banking advantages offered to Lebanese citizens. Further, amounts deposited in Lebanon are exempt from taxes and the interest received is subject to a tax rate of 5-percent.

          The author of this post is Claudia Caluori.

          From 18 January 2017, the new European Regulation 655/2014 establishing a European Account Preservation Order procedure to facilitate cross-border debt recovery in civil and commercial matters will enter into force.

          The Regulation foresees in a procedure to seize bank accounts of your debtor in other EU Member States (except when your debtor is domiciled in United Kingdom or Denmark), without that the debtor is notified hereof. The debtor will only notice once the seizure is into force.

          Such cross-border seizure can be obtained before the Courts of an EU Member State who would have jurisdiction on the merits of the case under the EU Regulation 1215/2012 (Brussels I bis).

          The seizure can be requested before, during or even after the procedure on the merits of the case. The request has to be filed using a standard document.

          To grant the request, the Court will have to examine 1) if there is urgency (periculum in mora) and 2) if there is on basis of the provided evidence enough reason to assume the Court will also decide in favor of the creditor in the proceedings concerning the merits of the case (fumus boni iuris). Although these principles are not unknown to national legislation, both will have to await the autonomous interpretation by the European Court of Justice.

          The new EU Regulation 655/2014 is however not created to bully any unwilling debtor by filing preservation order after preservation order. The Regulation foresees 2 mechanisms to avoid such practices:

          • According to art. 12, the creditor can be required to provide a security when he has not obtained any judgment in favor yet;
          • The creditor will also receive a fixed delay in which he has to undertake a proceedings about the merits of the case.

          The new European Regulation 665/2014 also foresees a mechanism where a creditor can request information about his debtor’s bank account(s) in a certain Member State. 

          Not unimportant, as the creditor needs to indicate the bank account number in his request for a transnational seizure (under Belgian national law, the indication of the name of the Bank would already be sufficient).

          Art. 14 of the Regulation now foresees what one could call a bank account disclosure mechanism:

          “Request for the obtaining of account information

          Where the creditor has obtained in a Member State an enforceable judgment, court settlement or authentic instrument which requires the debtor to pay the creditor’s claim and the creditor has reasons to believe that the debtor holds one or more accounts with a bank in a specific Member State, but knows neither the name and/or address of the bank nor the IBAN, BIC or another bank number allowing the bank to be identified, he may request the court with which the application for the Preservation Order is lodged to request that the information authority of the Member State of enforcement obtain the information necessary to allow the bank or banks and the debtor’s account or accounts to be identified”.

          In a few Member States (including Belgium), such disclosure mechanism is completely new.  The Regulation leaves it up to the Member States how they will organize this new disclosure, by giving a few examples:

          “Each Member State shall make available in its national law at least one of the following methods of obtaining the information referred to in paragraph 1:

          (a) an obligation on all banks in its territory to disclose, upon request by the information authority, whether the debtor holds an account with them;

          (b) access for the information authority to the relevant information where that information is held by public authorities or administrations in registers or otherwise;

          (c) the possibility for its courts to oblige the debtor to disclose with which bank or banks in its territory he holds one or more accounts where such an obligation is accompanied by an in personam order by the court prohibiting the withdrawal or transfer by him of funds held in his account or accounts up to the amount to be preserved by the Preservation Order; or

          (d) any other methods which are effective and efficient for the purposes of obtaining the relevant information, provided that they are not disproportionately costly or time-consuming.

          Does this mean any creditor can just run to the Court and ask information?

          No, some conditions apply:

          • the creditor needs to be in possession of an enforceable judgment;
          • there need to be reasons to believe the debtor holds bank accounts in this Member State.

          Conclusion: it will be interesting to see how the Member States will apply this new mechanism.  Whether it will be effective, will also depend on the interpretation of ‘reasons to believe the debtor holds bank accounts in this Member State’.  This will probably be the key to the question if this will end the Pyrrhus decisions, where a creditor is accorded his claim but cannot find assets to seize.

          The author of this post is David Diris.