Bankcards have become an indispensable part of our daily lives, facilitating the majority of our transactions. However, with this ease of use comes a growing risk of fraud. When an unauthorised transaction appears on your bank statement, a key question arises: who is responsible? While the law protects the cardholder in principle, this protection is not absolute. The bank can refuse to reimburse the sums stolen on the grounds of gross negligence on your part. This article, which follows on from our legal guide to payment cards and our analysis of general system of liability for fraud, provides details of the key concepts of negligence and strong authentication that determine the outcome of many disputes. Understanding these concepts is essential to effectively defending your rights, and our firm has a recognised practice in bank fraud litigation.
The framework of the holder's liability in the event of unauthorised transactions
In the event of bankcard fraud, the law has established a system of liability designed to protect the user. This system, codified in the French Monetary and Financial Code, lays down clear principles but also includes exceptions that it is essential to be aware of. The way in which financial losses are apportioned depends essentially on the time at which the stop payment is made and the circumstances of the fraud.
The principle of capped liability for the cardholder (€50 excess)
The basic rule protects consumers. Under article L. 133-19 of the French Monetary and Financial Code, bankcard holders who have been subject to unauthorised payment transactions before they have been able to lodge a stop payment are liable for the losses incurred only up to a limit of €50. This excess applies to transactions carried out following the loss or theft of the payment instrument. In practical terms, if a third party uses your card to make purchases before you have blocked the card, your financial loss cannot exceed this amount, and the bank is obliged to reimburse you for any sums above this excess.
Full refunds
In several situations, the €50 excess is waived and the bank must reimburse the full amount fraudulently debited. These exceptions, set out in the same article L. 133-19 of the French Monetary and Financial Code, cover the most common scenarios of modern fraud. Refunds are made in full when the unauthorised transaction was carried out without using personalised security data. This applies in particular to cases where only the card details (number, expiry date, cryptogram) are compromised and used for online payments, without the secret code or a strong authentication device being used. Similarly, the cardholder is not liable if the fraud is the result of misappropriation of the card or its data without the cardholder's knowledge. This situation covers phishing and spoofing techniques, where the user is deceived into providing information without being aware of the fraudulent manoeuvre. Finally, in the case of counterfeit cards (skimming, for example), if the cardholder was still in possession of their original card at the time of the crime, they will not suffer any loss.
The concept of gross negligence: an exception unfavourable to the holder
The main exception to the principle of reimbursement is gross negligence. If the bank is able to demonstrate that the cardholder's conduct constitutes a gross breach of his or her security obligations, it may be exempted from its obligation to reimburse. The cardholder would then be liable for all losses incurred prior to the stop payment.
Definition and burden of proof for the issuer (probatio diabolica)
Gross negligence is not precisely defined by law. Case law interprets it as a manifest and serious breach of the obligations of prudence incumbent on all cardholders. Article L. 133-16 of the French Monetary and Financial Code requires payment service users to take "all reasonable steps to preserve the security of their personalised security data". This means, for example, not disclosing their PIN or writing it on their card. The key element of this mechanism is that the burden of proof rests exclusively with the bank. It is up to the bank to prove not only negligence, but also the causal link between that negligence and the fraud. Case law has clarified that the mere use of the card with the PIN is not in itself sufficient to prove that the cardholder was negligent. The bank must provide concrete evidence of the fault, which is often very difficult to prove - a veritable "probatio diabolica".
Case law examples of gross negligence
The courts assess gross negligence on a case-by-case basis. Certain situations have been clearly identified by case law as constituting such negligence. For example, keeping your bank card and PIN, written on the same piece of paper, in an unattended bag constitutes gross negligence. The same applies to the deliberate disclosure of security details to a third party, even someone close to you, who might use them fraudulently. Cases involving a fake bank adviser are at the heart of numerous legal debates over whether the manipulation suffered by the victim excuses the carelessness committed.
Cases where gross negligence is not accepted
Conversely, gross negligence is systematically ruled out when the fraud is the result of sophisticated manoeuvres that a normally diligent user would not have been able to cope with. This is the case with "skimming" techniques, where data from the card's magnetic strip is copied onto a booby-trapped payment terminal or cash dispenser without the owner's knowledge. Similarly, case law refuses to consider gross negligence for victims of the "Marseilles snare", a device that traps the card in an ATM and steals it after the customer, thinking it has broken down, has moved away. In such cases, it is considered that the security failure is not attributable to the cardholder, but to a flaw in the system that could not have been anticipated.
Strong authentication: a bulwark against serious user negligence
In response to the increase in online fraud, European legislators have tightened security requirements for electronic payments. Strong customer authentication has become the norm, profoundly altering the balance of responsibilities between the bank and its customer.
The requirement for strong authentication (PSD2 and delegated regulation)
The Second Payment Services Directive (PSD2), which has been transposed into French law, has made it compulsory to introduce "strong authentication" for most online payment transactions. Article L. 133-4 of the French Monetary and Financial Code defines this as authentication based on the use of at least two of the following three elements, which must be independent of each other: an element that only the user knows ("knowledge" category, such as a password or code), an element that only the user possesses ("possession" category, such as a mobile phone or physical card), and an element that is unique to the user ("inherence" category, such as a fingerprint or facial recognition). This procedure, often materialised by the validation of a transaction via a smartphone banking application, is designed to ensure that it is the legitimate cardholder who is behind the payment order.
The impact of the absence of strong authentication on the banker's liability (case law 2023)
The introduction of strong authentication has a major legal consequence. Article L. 133-19 of the French Monetary and Financial Code now stipulates that the cardholder bears no financial consequences if the unauthorised transaction was carried out without the bank requiring strong authentication. This provision represents a turning point: even if the customer has been grossly negligent, for example by disclosing his or her identifiers after having been the victim of phishing, the bank that did not apply a strong authentication procedure to validate the fraudulent payment will have to reimburse the customer in full. The Court of Cassation confirmed this logic in a 2023 ruling. The final responsibility for securing the payment lies with the payment service provider. If it fails to implement the security measures required by law, it can no longer take action against its customer, regardless of the latter's imprudence.
The special case of contactless payment
Contactless payment is exempt from the strong authentication principle for practical reasons. Transactions involving individual amounts of less than €50 can be made without this procedure. However, there are safeguards to limit the risks of theft. Strong authentication becomes compulsory again as soon as the cumulative amount of successive contactless payments reaches a certain ceiling, generally set at 150 euros, or after a defined number of consecutive transactions (often five). Once these thresholds have been reached, the user must authenticate again, for example by entering their PIN, to reset the ceilings and be able to use contactless payment again.
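The threshold logic described above, as an added illustration that is not part of the original article: a per-card counter an issuer might keep to decide when the contactless exemption lapses and strong authentication must be requested again. The €50 single-transaction ceiling comes from the text; the €150 cumulative ceiling, the count of five and the treatment of amounts exactly equal to a ceiling are assumptions, since the article gives the first two only as typical values.

```python
from dataclasses import dataclass

# Thresholds as described in the article, in euro cents. The €150 cumulative
# ceiling and the five-transaction count are typical values there, so they
# are assumptions in this example rather than fixed legal constants.
SINGLE_TXN_LIMIT = 50_00
CUMULATIVE_LIMIT = 150_00
MAX_CONSECUTIVE = 5


@dataclass
class ContactlessCounter:
    """Per-card state used to decide when the contactless exemption from
    strong customer authentication (SCA) no longer applies."""
    cumulative_cents: int = 0
    consecutive_txns: int = 0

    def requires_sca(self, amount_cents: int) -> bool:
        # An individual amount above the ceiling is never exempt.
        if amount_cents > SINGLE_TXN_LIMIT:
            return True
        # Cumulative ceiling would be exceeded (equality allowed: assumption).
        if self.cumulative_cents + amount_cents > CUMULATIVE_LIMIT:
            return True
        # Allowed number of consecutive exempt transactions is exhausted.
        if self.consecutive_txns >= MAX_CONSECUTIVE:
            return True
        return False

    def attempt(self, amount_cents: int, sca_available: bool = False) -> str:
        """Process one tap. Returns 'contactless' (exempt, counters advanced),
        'authenticated' (SCA performed, counters reset) or 'declined'
        (SCA needed but not performed). Approving the last case without SCA
        would leave the issuer, not the cardholder, bearing any loss."""
        if not self.requires_sca(amount_cents):
            self.cumulative_cents += amount_cents
            self.consecutive_txns += 1
            return "contactless"
        if sca_available:
            self.reset_after_authentication()
            return "authenticated"
        return "declined"

    def reset_after_authentication(self) -> None:
        # Entering the PIN (or another SCA method) resets both ceilings.
        self.cumulative_cents = 0
        self.consecutive_txns = 0


def simulate(taps):
    """Run a sequence of (amount_cents, sca_available) taps on a fresh card."""
    card = ContactlessCounter()
    return [card.attempt(amount, sca) for amount, sca in taps]
```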
Bankcard fraud highlights a complex division of responsibilities, where the cardholder's duty of care is weighed against the bank's duty of security. While gross negligence remains an argument often used by credit institutions to refuse reimbursement, the requirement to introduce strong authentication has considerably strengthened consumer protection. The burden of proof and the assessment of the facts remain technical issues that require precise legal analysis. If your bank refuses to reimburse you, the assistance of a lawyer is often decisive in asserting your rights. Do not hesitate to contact our firm for an analysis of your situation.
Sources
- Monetary and Financial Code, in particular Articles L. 133-1 to L. 133-24
- Consumer Code
- Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD2)
- Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366