Aggressive Scam Leads to Compensation

OpenPayd, a Maltese-licensed payment provider, was found liable for crediting the victim's funds to third parties without her knowledge or approval. It transpired that the victim was coached and manipulated by scammers to invest in cryptocurrency and led to believe that the OpenPayd accounts she opened were safe, as they were set up in her own name.  

The arbiter emphasised the importance of stringent internal systems to ensure clarity and security in transactions involving virtual IBANs, including due diligence procedures when onboarding companies such as its merchants. The arbiter rejected the provider’s arguments that there was no commercial agreement between the victim and the provider, simple because the victim may have entered into a commercial agreement with one of its merchants instead.  

The decision noted that OpenPayd failed to implement adequate measures to prevent unauthorized transactions. Additionally, the arbiter noted that the payment provider should have intervened in the payment process or ensured clarity to the user when she had indicated herself as a beneficiary.  

This landmark case highlights the responsibility of payment providers in terms of their obligations under anti-money laundering laws and the revised Payment Services Directive. The decision demonstrates that liability cannot be evaded by payment providers, particularly those enabling services such as virtual IBANs, by arguing that a provider’s merchants were involved in the fraudulent conduct.  

This decision goes further by highlighting the broader issue of protecting vulnerable individuals from sophisticated cybercrime tactics. The fraudsters used remote access software and multiple communications to gain her trust and control her financial actions. The result of such scam left the victim unable to afford to stay in her home. The arbiter's decision clearly underscores the importance of safeguarding vulnerable individuals from such manipulative schemes.

On 25 February 2026, the Court of Appeal (Inferior Jurisdiction) annulled the decision of the Arbiter for Financial Services which had ordered a Maltese-licensed payment institution to compensate a victim of a cryptocurrency investment scam.

The Court held that the complainant did not qualify as an “eligible customer” under the Arbiter for Financial Services Act (Chapter 555 of the Laws of Malta) because she had never requested or received a service from the payment provider and had no contractual or legal relationship with it. The Court further held that the appearance of the complainant’s name as a beneficiary on payment instructions and the use of a virtual IBAN were insufficient to establish such a relationship.

As a result, the Court concluded that the Arbiter had acted outside his statutory jurisdiction, and the compensation award was annulled in full. The Court did not examine the merits of the case, resolving the matter purely on jurisdictional grounds.

For payment providers, the judgment clarifies that liability cannot automatically arise through the indirect use of payment infrastructure such as virtual IBAN arrangements, particularly where no direct customer relationship exists. The decision reinforces the strict statutory limits of the Arbiter’s jurisdiction and confirms that complaints before the Arbiter depend on the existence of an eligible customer relationship with the financial service provider.

At the same time, the Court noted that recent amendments to Chapter 555 have expanded eligibility to include certain victims of financial fraud, signalling a legislative shift that may allow similar complaints to be brought in future cases. However, these amendments do not apply retroactively and therefore did not affect the outcome of this case.

Our cybersecurity lawyers have extensive experience in assisting clients who have fallen victim to cybercrime. Our team of legal experts provides comprehensive support and guidance through the complexities of cybercrime cases. We work diligently to ensure our clients receive the justice and compensation they deserve, leveraging our deep understanding of Maltese laws and regulations. Our firm has handled multiple instances of cybersecurity breaches, including assisting clients with complex cross-border cybersecurity incidents on a local and international level and recovering funds transferred during hacking cases.