A UAE-based bank must pay close to Dh5 million to a customer swindled out of his life savings in a Sim card swap scam, after losing an appeal against the landmark ruling. The financial institution was found to be responsible for the victim's Dh4.5 million losses after he fell foul to financial fraudsters by Dubai Commercial Court last October. The court concluded that the victim's personal details had been leaked by an employee at the bank, the name of which was not disclosed to <em>The National</em>. The verdict has now been upheld by Dubai's Court of Appeal. The man, who had once worked in the UAE but was living overseas at the time of the crime, discovered his bank account had been emptied during a visit to the country in 2017. It was found that, using the client’s phone number, tricksters were able to obtain a replacement Sim card, and change the Pin code connected to his bank services before logging him out and stealing the funds in his account. Ghassan El Daye, partner and head of litigation Middle East with the UK-based law firm Charles Russell Speechlys (CRS) who represent the victim, said the bank failed to put in place sufficient security measures to protect their customer. The legal team advised the man to pursue a claim in the civil court to win his money back, arguing failings on the part of the bank had allowed the crime to take place. The bank had argued the account holder was responsible for the loss, since he possessed the original Sim card and Pin number, and had failed to object to the transactions within 30 days from reviewing his account statement. Appeal court judges appointed banking and technical experts to assess the responsibility of the bank in terms of negligence, lack of supervision and control that led to the account being breached. “The experts’ report held the bank responsible for our client’s financial loss due to a lack of technical protection of his confidential data and that of safe electronic procedures and investigations at the bank,” said Mr El Daye. “It also indicated a clear technical failure at the bank by issuing and delivering a credit card to a client who is actually outside the country, in addition to the lack of strong procedures to prevent the breach from happening.” The report stated that an authentication system at the bank to control which employees were allowed access to clients’ accounts and confidential data, did not exist. It also said the absence of an alarm system that monitors suspicious transactions from accounts, especially inactive ones, had contributed to the significant loss of funds. The court was told the money was stolen through a number of cash withdrawals, 15 online transfers, six transfers from his account to another bank account in the UAE, and purchases via the victim’s credit card. “The report’s findings came in favour of our legal team’s argument regarding our client’s confidential data including his official documents and contact numbers, being illegally divulged to others by an employee of the bank," said Mr El Daye. “This case set a precedence in the country, as it holds a financial institution liable for a fraud case involving a replacement Sim card, which is now an important element of banking operations in the country and the world.” The legal expert said the judgment highlighted the need for banks to tighten up security measures, monitor the use of Pin codes rigorously and carry out more extensive background checks on employees. The bank was ordered to pay the man Dh4,677,596, including the full amount of his losses plus Dh100,000 in compensation with 9 per cent interest accrued from the date the case was lodged.