The São Paulo State Court of Appeals (TJSP) upheld the first-instance ruling that held the financial institution Mercado Pago liable for failing to provide adequate security in an unauthorized PIX transfer of R$ 32,000.00. The court found that the fraudulent transfer was executed without strong authentication (no token or biometric verification), in breach of the security obligations imposed by the Consumer Protection Code and the LGPD (Brazil's General Data Protection Law). As a supplier in the consumer chain, the institution is strictly liable for damage caused by flaws in its systems, even when the fraud itself is committed by a third party. The court stressed the institution's duty to adopt administrative and technical measures capable of identifying and rejecting suspicious transactions, as required by BCB Resolution No. 01/2020 and by Article 46 of the LGPD, which establishes the duty to protect users' personal data and their transactions.

The ruling also noted that the institution gave no coherent justification for blocking the plaintiff's accounts after the fraud came to light, and that it had no effective mechanism in place to stop the irregular transaction; together these show a failure in its duty of oversight and consumer protection. The court ordered the debited amount reimbursed, adjusted for inflation by the IPCA index with interest at the SELIC rate, confirming the institution's strict liability and the need for robust security controls to safeguard consumers' rights.

From a technical standpoint, the fraud succeeded for two reasons: the transfer was authorized without strong authentication (no token or biometric check), and the system did not flag a transaction that departed sharply from the customer's usual profile. The institution also did not apply the preventive measures required by BCB Resolution No. 01/2020, which obliges participants to reject a transaction when there is well-founded suspicion of fraud; despite clear indicators, it did not block the transfer before execution, and the scam went through. The failure is further evidenced by the institution's own contradictory handling of the case: it first treated the transaction as legitimate and, days later, blocked the customer's accounts without a coherent explanation. Taken together, these facts show the absence of the effective monitoring and control systems the LGPD requires to protect consumers' personal data and assets.

This post was summarized from the original court decision using AI, with human review.

TJSP/AC No. 1104919-77.2024.8.26.0100