ctipilot.ch


German LG Berlin II — Apobank ruling sets PSD2 IP-analytics obligation as case law

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The Apobank phishing-liability ruling (LG Berlin II, case 38 O 293/25, 2026-04-22; not yet final pending appeal) explicitly places liability on the bank for failing to act on IP / ISP divergence between new-device registration and first login. Under Germany's PSD2 implementation this is interpreted as an obligation to deploy IP-based behavioural analytics and to trigger strong-customer-authentication (SCA) challenges when the registration and first-use IPs diverge (heise online, 2026-05-08 · daily 2026-05-09).

What changed: even if not yet final on appeal, the ruling is the most explicit case-law statement to date in a PSD2 jurisdiction that failure to act on a fraud signal already present in bank-side telemetry shifts liability to the service provider.

What defenders need to do differently: EU and Swiss financial-sector and public-sector digital-service providers should treat register-new-device versus first-login IP / ISP comparison as a regulatory expectation rather than a best practice, and should specifically ensure that the SCA step-up signal can be raised in real time on this anomaly. Anticipate other EU member-state PSD2 jurisdictions following the LG Berlin II reasoning.
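The control the ruling turns on is narrow enough to show in code: keep the IP (and its ISP / ASN) recorded at new-device registration, compare it with the IP of that device's first login, and emit a real-time SCA step-up decision when they diverge. The following is an added illustration written for this brief, not code from the ruling, from heise online or from any bank; the ASN table, customer and device identifiers and login events are constructed sample data, and the "same ASN, different IP is low risk" rule is an assumed policy choice that a real deployment would tune.

```python
"""Added example: registration-vs-first-login IP / ISP divergence check
that yields a real-time SCA step-up decision. All data below is
constructed; ASN/ISP lookups would come from a GeoIP/ASN feed in practice."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed ASN/ISP table (documentation prefixes, hypothetical ISP names).
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), "AS64500", "ExampleNet Mobile"),
    (ip_network("198.51.100.0/24"), "AS64501", "ExampleNet DSL"),
    (ip_network("192.0.2.0/24"), "AS64502", "OtherHost VPS"),
]


def lookup_isp(ip: str) -> tuple[Optional[str], Optional[str]]:
    """Return (asn, isp) for an address, or (None, None) if it is unknown."""
    addr = ip_address(ip)
    for net, asn, isp in ASN_TABLE:
        if addr in net:
            return asn, isp
    return None, None


@dataclass(frozen=True)
class DeviceRegistration:
    customer_id: str
    device_id: str
    ip: str


@dataclass(frozen=True)
class Decision:
    step_up: bool   # True -> raise an SCA challenge before completing the login
    reason: str     # human-readable justification for the fraud-ops trail


def evaluate_first_login(reg: DeviceRegistration, login_ip: str) -> Decision:
    """Compare the registration IP/ISP with the first-login IP/ISP.

    Same IP: no divergence. Different IP but same ASN: treated as low risk
    (assumed policy, e.g. carrier DHCP churn), no step-up. Different ASN, or
    either side unknown: divergence, raise SCA step-up."""
    if reg.ip == login_ip:
        return Decision(False, "same IP as registration")
    reg_asn, reg_isp = lookup_isp(reg.ip)
    log_asn, log_isp = lookup_isp(login_ip)
    if reg_asn is None or log_asn is None:
        return Decision(True, "ISP unknown for registration or login IP")
    if reg_asn == log_asn:
        return Decision(False, f"different IP, same ISP ({reg_isp})")
    return Decision(True, f"ISP divergence: {reg_isp} -> {log_isp}")


class FirstLoginMonitor:
    """Tracks registrations per (customer, device) and evaluates only the
    first login after registration, which is the signal the ruling concerns."""

    def __init__(self) -> None:
        self._registrations: dict[tuple[str, str], DeviceRegistration] = {}
        self._first_login_seen: set[tuple[str, str]] = set()

    def on_register(self, customer_id: str, device_id: str, ip: str) -> None:
        key = (customer_id, device_id)
        self._registrations[key] = DeviceRegistration(customer_id, device_id, ip)

    def on_login(self, customer_id: str, device_id: str, ip: str) -> Optional[Decision]:
        key = (customer_id, device_id)
        if key in self._first_login_seen:
            return None  # later logins are out of scope for this check
        reg = self._registrations.get(key)
        if reg is None:
            # Login from a device that never registered: divergence by definition.
            return Decision(True, "login from device with no registration record")
        self._first_login_seen.add(key)
        return evaluate_first_login(reg, ip)


# Constructed event stream: (kind, customer, device, ip)
SAMPLE_EVENTS = [
    ("register", "cust-1", "dev-A", "203.0.113.10"),
    ("login",    "cust-1", "dev-A", "203.0.113.10"),   # same IP: no step-up
    ("register", "cust-2", "dev-B", "198.51.100.7"),
    ("login",    "cust-2", "dev-B", "198.51.100.99"),  # same ISP, new IP: no step-up
    ("register", "cust-3", "dev-C", "203.0.113.50"),
    ("login",    "cust-3", "dev-C", "192.0.2.8"),      # different ISP: step-up
    ("login",    "cust-3", "dev-C", "192.0.2.8"),      # not the first login: None
    ("login",    "cust-4", "dev-D", "203.0.113.1"),    # no registration: step-up
]


def run_sample(events=SAMPLE_EVENTS) -> list[Optional[Decision]]:
    """Feed the constructed events through the monitor; one entry per login."""
    monitor = FirstLoginMonitor()
    decisions: list[Optional[Decision]] = []
    for kind, customer, device, ip in events:
        if kind == "register":
            monitor.on_register(customer, device, ip)
        else:
            decisions.append(monitor.on_login(customer, device, ip))
    return decisions


if __name__ == "__main__":
    for d in run_sample():
        print(d)
```

The point of the state in `FirstLoginMonitor` is that the ruling faults the bank for not acting on a signal it already held: the registration IP must be persisted and the comparison must run inline on the first login, not in a batch job afterwards, or the SCA challenge cannot be raised before the session is granted.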