Your card has been debited for an amount you do not recognise. A scammer posing as your bank advisor persuaded you to validate a transfer. Your online banking space was hacked and an unknown beneficiary added. In each case, the reflex is the same: call the bank, hope the operation is cancelled, and face a predictable response – “we must examine your file” followed, weeks later, by a letter invoking your “gross negligence” to refuse reimbursement.

Bank fraud is one of the most common disputes in contemporary French banking law. Its legal framework was profoundly renewed by the PSD2 directive, transposed by the ordonnance of 9 August 2017, and between 2023 and 2026 the commercial chamber of the Cour de cassation delivered a series of rulings clarifying the gross negligence regime, the scope of strong authentication, and reporting deadlines.

The critical legal distinction

The expression “bank fraud” covers two situations with radically different consequences.

Unauthorised payment operations (Article L. 133-18 CMF): Operations executed without the payer’s consent – payment with a stolen or cloned card, transfer ordered from a hacked account, direct debit using fraudulently obtained details. The protective regime of Articles L. 133-18 to L. 133-24 applies: the bank must reimburse, and bears the burden of proving any exception.

Authorised orders executed under fraudulent manoeuvre: The victim is deceived but clicks, validates, applies their electronic signature. The classic example is investment fraud. The L. 133-18 regime does not apply. Redress requires establishing a breach of the bank’s general duty of vigilance on the basis of ordinary contractual liability (Article 1231-1 Code civil).

The right to immediate reimbursement

Article L. 133-18 CMF is unambiguous: once you report the operation, the bank must reimburse you “immediately” and at the latest by the end of the first business day following receipt of your contestation. It must also restore your account to the state it would have been in had the operation not occurred – including reimbursing overdraft interest, charges and incident fees.

Article L. 133-18 CMF

“In case of an unauthorised payment operation reported by the user under the conditions of Article L. 133-24, the payment service provider reimburses the payer immediately… and restores the debited account to the state in which it would have been had the unauthorised operation not taken place.”

Three exceptions only: suspicion of the payer’s own fraud (communicated in writing to the Banque de France); gross negligence (Article L. 133-19 IV); forfeiture of the reporting deadline.

Gross negligence: the bank’s principal refusal ground

Article L. 133-19 IV provides that the payer bears all losses if they result from failure, intentionally or by gross negligence, to meet the obligations under Articles L. 133-16 (preserving security of personalised security devices) and L. 133-17 (reporting without delay).

For phishing, the landmark ruling is Cass. com., 28 March 2018, no. 16-20.018: gross negligence is committed by a user who communicates security data “in response to an email containing indicia enabling a normally attentive user to doubt its provenance”. The criterion is objective: ignorance of phishing risk does not save the user.

For spoofing (fake bank advisor calls), case law pivoted with Cass. com., 23 October 2024, no. 23-16.267: no gross negligence where the victim, contacted by a person impersonating a bank employee whose number displayed on screen, used security devices at their request to “secure” the account. This was nuanced by Cass. com., 4 March 2026, no. 24-19.588: the mere coincidence of the displayed number does not automatically exclude gross negligence; the trial judge must assess the specific circumstances including contractual warnings about social engineering.

A transversal rule from Cass. com., 20 November 2024, no. 23-15.099: before debating gross negligence, the bank must first prove authentication, recording and absence of technical deficiency. Discussion must always begin with the bank’s evidentiary burden, never with the client’s fault.

Strong authentication: the payer’s decisive weapon

Under Article L. 133-44 CMF (effective 14 September 2019), the payment service provider must require strong authentication combining at least two of three elements: knowledge (code), possession (phone), inherence (fingerprint/facial recognition). For remote payments, a “dynamic link” specific to the transaction is required.

The sanction for failure is radical: under Article L. 133-19 V, the payer bears “no financial consequence” if the unauthorised operation was executed without strong authentication. The gross negligence debate disappears entirely. Confirmed by Cass. com., 30 August 2023, no. 22-11.707.

The systematic reflex facing a refusal: demand in writing that the bank prove, with evidence, that strong authentication compliant with L. 133-44 was implemented. Its absence opens a near-unconditional right to reimbursement.

Burden of proof in two stages

Article L. 133-23 CMF organises proof in two stages. Stage one (always incumbent on the bank): prove authentication, proper recording, accounting, and absence of technical deficiency. Until this is established, no discussion of client fault occurs. Stage two (only if stage one is established): the bank may attempt to demonstrate fraud or gross negligence. The effective use of the payment instrument does not suffice to prove authorisation or gross negligence.

Deadlines

Article L. 133-24 CMF fixes an absolute deadline of thirteen months from the debit date (seventy days for operations outside the EEA). But since CJEU, 1 August 2025 (Veracash, C-665/23), confirmed by Cass. com., 14 January 2026, no. 22-14.822, reporting must occur “without delay” from the date of actual knowledge, not the debit. A late report, even within thirteen months, may constitute gross negligence and forfeit the right to reimbursement.

For contested SEPA direct debits: Article L. 133-25 CMF offers an unconditional right to reimbursement within eight weeks of the debit, independent of the fraud regime (confirmed Cass. com., 2 July 2025, no. 24-11.680).

Steps to take

Three immediate parallel actions: opposition on the payment instrument (card blocking, interbank opposition server); written report to the bank triggering the L. 133-18 obligation; criminal complaint via Perceval (fraudulent card use), Thesee (online fraud) or directly to the police/prosecutor.

Remedies if the bank refuses

Formal complaint to customer services by registered letter, demanding reimbursement under L. 133-18 and production of strong authentication proof. Banking mediator (free, suspends limitation, ninety-day deadline). ACPR reporting (cannot order individual reimbursement but sanctions professional failures). Court proceedings: tribunal de proximité (up to 10,000 euros), tribunal judiciaire above; interim relief (référé) available where the L. 133-18 obligation is not seriously contestable.

Solent Avocats assists individuals and businesses through the full range of these proceedings. See our banking law guide and bank liability guide for the broader context.