The Intermediate Court has dismissed a negligence claim against Bank Islam Brunei Darussalam Berhad (BIBD) over unauthorised mobile banking transactions totalling about BND160,000, after finding that the losses were caused by the first plaintiff’s disclosure of banking credentials and not by any failure in the bank’s system.
In a written judgment dated January 19, Judge Pengiran Masni Pengiran Haji Bahar held that BIBD was not negligent and had discharged its duty of care, concluding that the bank’s mobile banking system as operated in 2023 was not compromised.
The suit was brought by five plaintiffs — Hajah Siti Fatimah binti Abdullah @ Ling Yen Ling, her husband Haji Mazlan bin Haji Abdul Samad, Aisah binti Ahmat, Muhammad Hayattuddin bin Mohammad Jaylani, and Mohammad Ma’aruf Izzuddin @ Danial bin Mohammad Jaynudden — over a series of unauthorised transfers carried out between May 18 and 22, 2023 from several joint Perdana and savings accounts. The claim was initially pleaded at BND168,549 but later amended to BND160,000.
The plaintiffs alleged that the losses resulted from serious and systemic failures in BIBD’s mobile banking and fraud detection systems, arguing that the bank breached its duty of care by failing to provide a secure banking system and to prevent third-party access.
BIBD denied liability, contending that the first plaintiff had voluntarily disclosed confidential information to third parties posing as bank officers, and relied on fraud advisories issued to customers as well as the mobile banking application’s terms and conditions.
The court heard that the first plaintiff was the primary manager of six accounts, all registered under her mobile banking application on a Vivo device linked to her personal mobile number. She admitted agreeing to the application’s terms and conditions without reading them and acknowledged receiving a general scam advisory from the bank, which she did not read.
Evidence showed that the first plaintiff received scam calls in February, April and again on May 18, 2023 from individuals claiming to be from BIBD and related authorities. During the May incident, she disclosed personal and banking information after being instructed not to contact the bank directly and to communicate instead via Telegram.
On May 23, 2023, the plaintiffs discovered that they were unable to access their mobile banking accounts and found that multiple unauthorised transfers had been made, leaving the accounts with minimal balances. An internal investigation later revealed that 26 transactions across six accounts had been successfully completed, with six reversed.
Crucially, the court accepted BIBD’s system logs showing that an OTP sent to the first plaintiff’s registered mobile number was successfully validated, following which the internet banking credentials were reset and subsequent logins were made from a different device, identified as a Realme phone, rather than the plaintiff’s registered Vivo device.
The court found that these records demonstrated that access to the accounts was achieved using valid credentials, and not through any external breach of the bank’s system. It accepted the bank’s evidence that such access could only have occurred after confidential information was disclosed.
In assessing negligence, the court held that BIBD had exercised its duty of care by issuing advisories warning customers never to disclose sensitive information and by operating a system that required multiple layers of authentication. Responsibility for safeguarding credentials lay with the customer under the contractual terms, unless gross negligence by the bank was proven.
The court found that the first plaintiff’s voluntary disclosure of card details and other banking information directly enabled the unauthorised access, establishing causation. It also noted inconsistencies in the plaintiffs’ initial police reports, which described the accounts as having been “hacked”, and their later admissions regarding communications with the scammers.
The court rejected reliance on subsequent upgrades to the mobile banking application, holding that security must be assessed based on the standards prevailing at the time of the incident.
The claim was dismissed, with the court concluding that the financial losses were attributable to the plaintiffs’ own conduct and not to any negligence or system failure on the part of BIBD.
The plaintiffs were represented by lawyer Harif Ibrahim of Messrs Lt Col (Rtd) Harif Ibrahim, while the defendant, Bank Islam Brunei Darussalam (BIBD), was represented by lawyers Kamal Shari and Lim Li Chyi of Messrs Yusof Halim & Partners.