German LG Berlin II ruling — Apobank liable for €218,000+ phishing loss; PSD2 IP-analytics obligation clarified
From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11
On 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final, appeal pending) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack that combined forged physical bank letters, manipulated online-banking interfaces, and phone calls from a spoofed number. The court rejected the bank's gross-negligence defences, finding the fraud too sophisticated to attribute to customer failure. Critically, it found that the bank's fraud-detection systems failed to act on a clear anomaly visible in the bank's own logs: the new-device registration and the first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation, namely an IP-based behavioural-analytics duty that should trigger a strong-customer-authentication (SCA) challenge when the registration IP and the first-use IP diverge (heise online, 2026-05-08 · ilex Rechtsanwälte case summary · daily 2026-05-09).

Defender takeaway: EU and Swiss financial-sector and public-sector digital-service providers should expect liability to keep shifting toward the service provider when fraud signals are present in server-side telemetry but not acted on. The defensive engineering implication is concrete: comparing the IP address and ISP at new-device registration against those at first login is now a regulatory expectation in PSD2 jurisdictions, not just a best-practice control.
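The registration-vs-first-login comparison the ruling describes, as an added example that is not Apobank's or any bank's code: it pairs each new-device registration with that device's first login in bank-side telemetry and decides whether to step up to SCA. The log format, the field names (device_id, ip, asn_org) and an upstream IP-to-ISP enrichment step are assumptions.

```python
"""Registration-vs-first-login IP/ISP comparison for newly registered
online-banking devices, deciding whether to step up to SCA.
Added example; not Apobank's or any bank's code. The log format, field
names (device_id, ip, asn_org) and the upstream ISP enrichment are assumed."""
import json
from dataclasses import dataclass

# Constructed sample telemetry in the assumed bank-side log format. The
# asn_org field is assumed to be filled in by an IP-intelligence lookup.
SAMPLE_LOG = """
{"ts":"2026-04-01T09:12:03Z","event":"device_registered","customer":"C-1001","device_id":"D-77","ip":"203.0.113.10","asn_org":"ISP-A"}
{"ts":"2026-04-01T09:40:51Z","event":"login","customer":"C-1001","device_id":"D-77","ip":"198.51.100.22","asn_org":"ISP-B"}
{"ts":"2026-04-02T10:00:00Z","event":"device_registered","customer":"C-1002","device_id":"D-78","ip":"192.0.2.5","asn_org":"ISP-C"}
{"ts":"2026-04-02T10:05:00Z","event":"login","customer":"C-1002","device_id":"D-78","ip":"192.0.2.5","asn_org":"ISP-C"}
{"ts":"2026-04-02T11:00:00Z","event":"login","customer":"C-1002","device_id":"D-78","ip":"198.51.100.7","asn_org":"ISP-B"}
"""

@dataclass
class Decision:
    customer: str
    device_id: str
    reg_ip: str
    login_ip: str
    require_sca: bool   # step-up challenge before the session proceeds
    severity: str       # "none", "medium" (IP differs), "high" (ISP differs too)

def parse_events(log_text):
    return [json.loads(l) for l in log_text.strip().splitlines() if l.strip()]

def evaluate_first_logins(events):
    """Pair each device registration with that device's FIRST login and
    flag divergence. Later logins on the same device are not assessed here."""
    pending, decisions = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["customer"], ev["device_id"])
        if ev["event"] == "device_registered":
            pending[key] = ev
        elif ev["event"] == "login" and key in pending:
            reg = pending.pop(key)
            ip_differs = reg["ip"] != ev["ip"]
            isp_differs = reg["asn_org"] != ev["asn_org"]
            severity = "high" if isp_differs else "medium" if ip_differs else "none"
            decisions.append(Decision(reg["customer"], reg["device_id"],
                                      reg["ip"], ev["ip"],
                                      require_sca=ip_differs, severity=severity))
    return decisions
```

Running `evaluate_first_logins(parse_events(SAMPLE_LOG))` on the constructed log returns two decisions: device D-77 (different IP and ISP) is stepped up to SCA with severity "high", device D-78 (same IP and ISP) is not; the later D-78 login is outside the first-login check.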