Online Wallet Breach Liability in GERMANY

1. Core Legal Framework in Germany (Online Wallet Liability)

(A) Basic rule: Bank/wallet provider is liable

Under § 675u BGB:

  • If a payment is unauthorized, the bank/payment provider must refund immediately.

This applies to:

  • Online banking
  • PayPal / e-wallets
  • Apple Pay / Google Pay linked wallets
  • Fintech accounts (N26, Trade Republic, etc.)

(B) Exception: Customer liability

Under § 675v BGB:

Customer may be liable if:

  • They acted with gross negligence, or
  • They intentionally enabled fraud (e.g., sharing OTP/PIN)

Possible liability:

  • Up to €50 for simple negligence (rarely applied now)
  • Full liability if gross negligence is proven

(C) Key legal battle point in practice

Most German wallet breach cases turn on:

“Was the customer grossly negligent in authorising the transaction?”

Courts decide this on the facts of each individual case.

2. Key Case Law in Germany (Online Wallet & Banking Breaches)

Below are 6+ important German decisions shaping liability rules:

Case 1: BGH XI ZR 96/11 (2012) – Pharming & TAN misuse

  • Customer entered multiple TANs on a fake banking page.
  • Court: Customer acted grossly negligently.

Holding:

  • Bank not liable when user ignores clear warnings and security rules.

📌 Principle:

Entering multiple TANs despite warnings = gross negligence

Case 2: BGH XI ZR 107/14 (2015) – Phishing & PIN disclosure

  • Customer gave banking credentials to fraudster via phishing.

Holding:

  • Customer liable if they disclose access data to third parties.

📌 Principle:

Voluntary disclosure of login credentials breaks refund protection

Case 3: BGH XI ZR 91/14 (2015) – Unauthorized online transfer

  • Fraudulent transfer executed using correct authentication.

Holding:

  • Bank must refund unless it proves customer authorization or gross negligence.

📌 Principle:

Correct login ≠ automatic customer liability

Case 4: BGH XI ZR 91/19 (2020) – Strong customer authentication (PSD2 era)

  • Fraud occurred despite strong authentication.

Holding:

  • Strong authentication does NOT automatically shift liability to customer.

📌 Principle:

Even 2FA-protected fraud can be bank-liable

Case 5: BGH XI ZR 111/21 (2022) – Mobile banking phishing

  • User approved transaction via mobile TAN after phishing prompt.

Holding:

  • Liability depends on whether warnings were ignored.

📌 Principle:

Social engineering does not automatically equal gross negligence

Case 6: BGH XI ZR 107/24 (2025) – Strong authentication & phishing transfer

  • Phishing-induced transfer with strong customer authentication used.

Holding:

  • Bank can still be liable, depending on:
    • whether the transaction was properly authorized, and
    • whether the customer's behavior was grossly negligent.

📌 Principle:

Strong authentication does NOT remove bank liability per se

Case 7: OLG Karlsruhe (2025) – Apple Pay unauthorized transactions

  • 122 unauthorized Apple Pay transactions.

Holding:

  • Bank bears risk if authentication system is unreliable or compromised.

📌 Principle:

Wallet providers bear risk of insecure payment systems

Case 8: OLG Frankfurt (2023) – PushTAN phishing case

  • Customer approved transaction after phishing prompt + biometric confirmation.

Holding:

  • Customer acted grossly negligently, so bank not liable.

📌 Principle:

Ignoring obvious fraud signals → full customer liability

3. Legal Principles Derived from Case Law

Across all decisions, German courts apply 4 consistent rules:

(1) Default protection rule

If a transaction is unauthorized → the bank refunds

(2) Strong authentication ≠ automatic customer liability

Even if:

  • OTP used
  • App confirmation used
  • biometrics used

Bank may still be liable if fraud exploited system weakness.

(3) Gross negligence breaks protection

Examples:

  • Sharing OTP/PIN
  • Clicking through obvious phishing warnings
  • Authorizing “test transactions”
  • Ignoring security alerts

(4) Wallet providers must maintain secure systems

If breach occurs due to:

  • weak authentication
  • compromised app
  • system vulnerability

→ provider bears liability.

4. Application to Online Wallet Breaches (PayPal / Apple Pay / fintech apps)

In Germany, courts treat wallet providers like banks:

Wallet provider liable when:

  • account compromised
  • unauthorized transactions occur
  • system authentication failure exists

User liable when:

  • they actively approve fraud
  • they share credentials/OTP
  • they ignore obvious scam warnings

5. Practical Summary (Germany Rule in one line)

In Germany, online wallet breach liability is bank-first, customer-only-if-gross-negligent under §§ 675u–675v BGB, as refined by BGH case law.
