The appellant, Sibongile Zimbeva, maintained an account with Kingdom Bank Limited for over eight years and had an ATM card. On 20 January 2013, she attempted to withdraw cash from various ATMs without success. At an Ecobank ATM (which was not on the ZIMSWITCH system), while attempting a transaction, she was disrupted by a man behind her who urged her to hurry. She stepped aside but retained her card. At a fourth ATM at Fife Avenue shopping centre, her card was captured with a message that it was "stolen". She reported this to the security guard who recorded it in the daily occurrence book. The next day (21 January 2013), when attempting a personal withdrawal at the bank, she discovered her account balance had dropped from $9,863.28 to $2,314.00. Unauthorised transactions totaling $7,548.91 had been made at various stores using her card and PIN on 21 January 2013, after the card capture was reported. The card retrieved from the Fife Avenue ATM belonged to Mr G Zimanga, not the appellant. The appellant's card was eventually retrieved from High Glen on 22 January 2013. The appellant had disclosed her PIN to her sister as a backup measure. The magistrate court dismissed her claim for recovery of the unauthorised withdrawals.
The appeal was dismissed with costs.
In the absence of specific legislation governing liability for unauthorised ATM transactions, liability is determined by the contractual relationship between the bank and customer. A customer has a duty to keep their PIN secret, and disclosing the PIN to third parties constitutes a material breach of the banking contract. Reporting an anomaly to a security guard at an ATM does not constitute adequate notification to the bank, as security guards perform surveillance functions and are not agents of the bank. Customers must use the bank's designated reporting channels (such as 24-hour call centres) to protect their accounts. Where both the card and PIN have been used for a transaction, and the bank has not been properly notified of risk to the account, the bank is entitled to process such transactions and debit the customer's account. The customer bears the risk of unauthorised withdrawals until they properly inform the bank of loss or possible unauthorised use of the card.
The court observed that forging a cheque is comparatively easier than conducting unauthorised ATM transactions, since cheque fraud involves only forging a signature, whereas ATM fraud requires both possession of the card and knowledge of the PIN. The court noted that had the appellant re-registered for transaction alert messages (which the bank was revamping), she would have been alerted to the first withdrawal and losses could have been minimized, though this alone would not have prevented the transactions entirely. The court remarked that it was lamentable that the fraudster captured on CCTV footage at two supermarkets could not be identified, as this would have clarified the circumstances of the fraud. The court observed that the "stolen card" message should have induced more than just "shock"; it should have prompted immediate and detailed reporting to the bank.
This case establishes important principles in Zimbabwean banking law regarding the allocation of liability for unauthorised ATM and electronic banking transactions. It clarifies the respective duties of banks and customers in the absence of specific legislation governing electronic banking fraud. The case emphasizes that customers must take active protective measures including keeping PINs secret, using proper reporting channels (24-hour banking services rather than security guards), and acting promptly when anomalies occur. It establishes that security guards at ATMs perform surveillance functions and are not agents of the bank for reporting purposes. The case demonstrates judicial acceptance of contractual terms that place risk on customers for transactions made using both their card and PIN, particularly where the customer has breached secrecy obligations.