Illustration showing a digital bank transfer between two smartphones, with money moving between accounts.
Credit : Freepik
For years, victims of bank transfer fraud in Spain have often hit the same brick wall. The money was sent. The IBAN was correct. End of story.
That excuse has just expired.
Spain’s Supreme Court has issued a clear warning to banks that could change how fraud cases are handled from October 2025 onwards. If a customer is tricked into sending money to the wrong person – and the bank fails to properly verify who that payment is really going to — the bank may be the one footing the bill.
Most Read on Euro Weekly News
The ruling doesn’t rewrite past cases, but it draws a very clear line in the sand for what comes next.
A familiar scam – and a familiar refusal
The case behind the warning is one many businesses will recognise.
A company received an email that appeared to come from a trusted supplier. The message explained that the supplier had changed its bank details and provided a new IBAN. Everything looked legitimate. The company made several transfers. The money vanished.
Only later did it become clear the email was fake and the supplier had been impersonated.
When the company asked its bank for reimbursement, the answer was no. And legally, at the time, the bank was right.
The transfers were made in October 2019, when Spanish payment rules were simple and unforgiving: if the money reached the IBAN provided by the customer, the transfer was considered correctly executed — even if the recipient was a fraudster.
Why banks were protected – until now
Back then, banks relied on the 2018 payment services law, which focused entirely on the account number. There was no obligation to check whether the name of the beneficiary actually matched the IBAN.
As long as the bank sent the money where the customer told it to go, responsibility ended there. Once fraud was discovered, banks were only required to try to recover the funds and provide information so the victim could take legal action.
The Supreme Court has repeatedly backed that interpretation. In fact, it confirmed again that banks are not liable for fraud that occurred under those old rules.
But the judges also made it very clear: those rules are no longer the future.
What changes everything: October 2025
The turning point comes from European Union regulation, not Spanish courts.
In March 2024, the EU updated its payment services framework, introducing a key concept: beneficiary verification. From October 9 2025, banks have been required to check that the IBAN and the named recipient actually correspond.
If there’s a mismatch, the bank must warn the customer before the transfer goes through. And if the bank fails to carry out that verification, it may be held responsible for the loss.
The Supreme Court’s message is blunt: any fraud occurring after that date will be judged under the new rules. Whether banks are ready or not will no longer matter.
A quiet shift with big consequences
Legal experts said this marked a real shift in where responsibility lies.
Until then, banks had been able to shelter behind the IBAN. Even when courts debated whether financial institutions should have exercised greater care, the Supreme Court ultimately ruled that they were not obliged to do so.
That safety net disappeared in October 2025.
From that point on, failing to verify the real recipient of a transfer could mean having to reimburse customers, even when the fraud starts with a convincing email or message.
Why this matters more than ever
This change comes at a time when fraud is booming.
Estimates based on figures from Spain’s National Cybersecurity Institute (INCIBE) and the Bank of Spain suggest phishing and impersonation scams could cost victims around €170 million in 2025 alone.
INCIBE expects around 30,000 phishing cases this year, driven by:
- Mobile banking
- More sophisticated scams
- Artificial intelligence making fake emails harder to spot
Businesses are frequent targets, but individuals are increasingly caught too — especially when fraudsters pose as banks, utility companies or even family members.
What hasn’t changed (yet)
There’s an important caveat.
- Transfers made before 9 October 2025 are still covered by the old rules
- Banks are not automatically liable for past fraud
- Customers still need to act quickly when something looks wrong
The Supreme Court has not opened the door to retroactive claims.
What it has done is send a very loud warning about the future.
Digital banking may feel instant and invisible, but from October 2025 it began to carry new responsibilities, particularly for banks.
For customers, the change won’t stop fraud overnight. But it does mean that if a bank ignores a mismatch between who you think you’re paying and where the money actually goes, the risk may no longer be yours alone.
After years of “IBAN equals your problem”, the rules are finally shifting.