Your card has been debited for an amount you don't recognise. A telephone scammer has pretended to be your bank adviser and tricked you into approving a transfer. Your online customer area has been hacked and an unknown beneficiary added. In each of these cases, the reflex is the same: call the bank, hope that the transaction will be cancelled, and be met with an often predictable response - «we'll have to look into your case» - and then, a few weeks later, a letter invoking your «gross negligence» to refuse reimbursement.

Bank fraud is one of the most common types of litigation in contemporary banking law. Its legal mechanism has been profoundly renewed by the European Directive PSD2, transposed into French law by the Order of 9 August 2017, and between 2023 and 2026 the Commercial Chamber of the Court of Cassation handed down a series of rulings that shed light on the gross negligence regime, the scope of strong authentication and the time limit within which the payer must report. This guide sets out this regime in a straightforward manner, with its pitfalls and arguments - those that your bank will not readily point out to you.

Bank fraud: what are we talking about in legal terms?

In everyday language, the term «bank fraud» covers any fraudulent operation affecting an account or a means of payment. In law, a distinction must be made between two situations with radically different consequences, which dictate the choice of applicable text and, behind it, the balance of responsibilities between the bank and its customer.

The first situation is that of the unauthorised payment transaction within the meaning of Article L. 133-18 of the Monetary and Financial Code. This category includes all transactions carried out without the payer's consent, such as payments made with a stolen or cloned card, transfers ordered from a hacked customer area, direct debits made using a fraudulently obtained IBAN, or the addition of a beneficiary by a third party who has obtained the identifiers. In all these cases, the protective regime set out in articles L. 133-18 to L. 133-24 applies, with its cardinal principle: the bank must reimburse, and the onus is on it to prove the exception.

The second situation is that of the authorised order executed as a result of a fraudulent manoeuvre. The victim is indeed deceived, but it is the victim who clicks, validates, signs electronically and enters the code. The most common example today is investment fraud, in which the victim makes several transfers to a foreign account, only to discover too late that no investment existed. The L. 133-18 regime does not apply: the transaction is technically authorised. To obtain compensation, the victim must rely on the ordinary law of contractual liability (article 1231-1 of the Civil Code) and demonstrate that the bank failed in its duty of vigilance in the face of obvious anomalies.

This dividing line is the key to the guide. The most common mistake is to claim automatic reimbursement on the basis of L. 133-18 when in fact you are dealing with a case of fraudulent misrepresentation of a valid order. This leads to a legal impasse. On the other hand, if you allow the bank to classify your file as a simple authorised order when it is a case of genuine usurpation of a security device, you are giving up the major advantage that the law gives you.

Types of fraud and how they are dealt with

Each type of fraud, once defined, is subject to a separate legal regime. The boundaries are not always clear-cut, and a single operation may combine several techniques. Here are the most common cases, with the applicable civil law and the corresponding criminal law classification.

Card fraud without physical theft is by far the most common. The fraudster obtains the card details - number, date, cryptogram - by whatever means (hacking into a merchant site, compromising a database, phishing) and uses them to make a remote payment. The victim has never lost his or her card. The applicable regime is that of article L. 133-18: immediate reimbursement, unless the bank can demonstrate gross negligence (article L. 133-19 IV) or, more often since 2019, invoke the performance of strong authentication.

Phishing is the technique whereby the victim enters their own details on a fraudulent form that imitates a legitimate site. Channels vary: email, SMS (this is called smishing), private messaging, fake QR code. The legal analysis is always the same: the subsequent transaction is an unauthorised transaction within the meaning of L. 133-18, and the debate shifts to gross negligence - has the victim shown carelessness that exceeds the tolerable threshold?

Voice spoofing - also known as the «false adviser» scam - is the fraud that has seen the most development in terms of case law. The scammer calls the victim using the bank branch's telephone number, presents himself as a customer adviser who has detected a suspicious transaction, and asks the victim to «secure» his account by validating transactions on his mobile application. This technique, because it combines the compromise of strong authentication with the trust induced by the display of the bank's number, has given rise to several rulings that make it one of the most closely watched legal areas.

Skimming consists of cloning the magnetic strip of a bank card using a device installed on an ATM, then making a copy which is used to withdraw cash. The card has remained in the possession of the payer: this is an exception under article L. 133-19 II, which provides for full reimbursement, unless the payer is grossly negligent in keeping the confidential code.

Fake courier fraud - or the fake policeman scam - involves convincing the victim to physically hand over their card and PIN to a supposed police officer who comes to their home. The loss is often considerable. Case law usually finds gross negligence, given that the means of payment and its authentication code are handed over at the same time.

Fake bank details fraud, or bank transfer fraud, mainly affects businesses. The fraudster poses as a regular supplier and obtains a change in the bank details for a forthcoming payment. The transfer order is duly carried out by the victim: this falls outside the scope of the L. 133-18 regime. The recourse is against the bank on the grounds of its duty of vigilance, and against the fraudster on criminal grounds (fraud). Since 9 October 2025, European regulation 2024/886 has required payment service providers to check that the beneficiary's name corresponds to the IBAN given for all transfers in euros within the EU, opening up a new avenue for liability in the event of failure to carry out this check.

Investment scams - miracle investments, crypto-assets, online trading - also fall under the authorised order regime. The victim himself makes the transfers to a foreign account, often several times over several weeks. There is no right of recourse under L. 133-18, but the bank may be held liable if obvious anomalies - unusual accumulation of transactions, beneficiary located in a high-risk country, inconsistency with the saver's profile - have not been detected. In a recent ruling handed down on 4 March 2026, the Commercial Chamber ruled that the obligation to combat money laundering (articles L. 561-4-1 et seq. of the CMF) does not give rise to a right to individual compensation: it serves a public policy purpose and does not provide a basis for an action for damages by the victim. The basis must be found elsewhere, in the general duty of banking vigilance.

Identity theft, finally, allows an account to be opened or a loan to be taken out in the name of a victim who has never had any knowledge of it. The victim signed nothing and authorised nothing. The recourse concerns the liability of the institution that accepted the opening without sufficient verification, coupled with a criminal complaint for identity theft (article 226-4-1 of the French Penal Code). The law of 6 November 2025 created a national file of accounts reported as being at risk of fraud, which will be operational in May 2026 and should strengthen prevention tools.

The right to immediate reimbursement by the bank

When an unauthorised transaction has been carried out on your account, the rule is not debate, but repayment. Article L. 133-18 of the Monetary and Financial Code lays down a very clear principle: as soon as you report the transaction, the bank must reimburse you «immediately» and, at the latest, by the end of the first working day following receipt of your report. The bank must also restore your account to the state it would have been in had the transaction not taken place, which means not only crediting the amount again but also reimbursing any debit interest, overdraft charges (agios) and incidental charges that may have resulted.

Article L. 133-18 of the Monetary and Financial Code

«In the event of an unauthorised payment transaction reported by the payment service user under the conditions set out in Article L. 133-24, the payer's payment service provider shall reimburse the payer for the amount of the unauthorised transaction immediately after becoming aware of the transaction or after being informed of it, and in any event no later than the end of the next business day, unless it has good reason to suspect fraud by the payment service user and it notifies the Banque de France of these reasons in writing. Where applicable, the payer's payment service provider shall restore the debited account to the state it would have been in had the unauthorised payment transaction not taken place.»

There are three exceptions to this principle, and three only. The first is the suspicion of fraud on the part of the payer that the bank communicates in writing to the Banque de France: this covers the marginal case of a customer who would stage a false fraud in order to obtain an undue refund. The second is the gross negligence of article L. 133-19 IV, which is discussed below. The third is foreclosure of the notification period, the contours of which were redrawn by the Commercial Chamber in 2026.

Apart from these exceptions, repayment is a right, not a favour. The law of 16 August 2022 introduced automatic penalties for late repayment by the bank, in addition to the re-crediting of the principal, making delaying practices all the more questionable. Make your demand in writing - a registered letter with acknowledgement of receipt is better than a simple message in the customer area - and keep proof of the date of your dispute, as this will be essential if the matter goes to litigation.

Gross negligence: where can the bank refuse?

Gross negligence is by far the most common ground for refusal by banks. It is set out in IV of article L. 133-19 of the CMF, in a wording that may appear simple but which the Commercial Chamber has built up over the years into a meticulous analytical grid.

Article L. 133-19, IV of the Monetary and Financial Code

«The payer shall bear all losses incurred as a result of unauthorised payment transactions if such losses are the result of fraudulent conduct on his part or if he has intentionally or through gross negligence failed to comply with the obligations set out in Articles L. 133-16 and L. 133-17.»

Two obligations are at stake. Article L. 133-16 requires the payer to take all reasonable steps to maintain the security of their personalised security devices - their codes, their identifiers, their phone that receives authentication notifications. Article L. 133-17 requires that the bank be informed «without delay» when a fraudulent transaction is detected. Gross negligence, within the meaning of IV, may therefore result either from carelessness in keeping the devices (giving out codes, leaving the telephone unprotected) or from a culpable delay in reporting the situation.

Litigation focuses on two fraud techniques, because they are also the most common: phishing and spoofing.

In terms of phishing, the leading ruling is Cass. com. 28 March 2018, no. 16-20.018. The Court ruled that it is gross negligence for a user to communicate his or her security details «in response to an e-mail which contains clues that would enable a normally attentive user to doubt its origin, regardless of whether or not he or she has been warned of the risks of phishing». The contribution is twofold. Firstly, the criterion is objective: we are not measuring the actual digital literacy of the victim, but the attention that a normally diligent user would have paid. Secondly, ignorance of the risk of phishing does not save the day: the Court expressly ruled it out as a mitigating circumstance. This line was confirmed by Cass. com., 1st July 2020, no. 18-21.487, which adds that good faith plays no part in the assessment: a customer who acted in good faith but was unaware of the indications of suspicion is still deemed to have committed gross negligence.

In terms of voice spoofing, case law shifted with Cass. com. 23 October 2024, no. 23-16.267. In this ruling, the Court held that no gross negligence could be imputed to the holder of an account who, contacted by telephone by a person posing as an employee of his bank - whose number was displayed on the screen - used, at that person's request, his personalised security device to delete and then re-register the beneficiaries of transfers, with the alleged aim of avoiding malicious transactions. The combination of the display of a legitimate number and the staging of a security operation was deemed sufficiently misleading to rule out gross negligence.

The judgment was qualified, but not overturned, by Cass. com., 4 March 2026, no. 24-19.588. The Commercial Chamber specifies that the mere coincidence of the number displayed with that of the branch is not sufficient, on its own, to rule out gross negligence: the trial judge must give reasons for his decision in the light of the contractual warning usually signed by the customer, alerting him to social engineering techniques. The assessment is now made in concreto, on a case-by-case basis. In practice, the combination of the two rulings creates a favourable ground for the payer when the scenario combines displaying the branch number, opening hours, a professional tone and a security scenario - but caution is called for in cases where the fraudster has crossed too many obviously suspicious thresholds.

Finally, there is a cross-cutting rule to bear in mind, recalled by Cass. com. 20 November 2024, no. 23-15.099: before even discussing gross negligence, the bank must first prove authentication, registration and the absence of technical deficiencies. In this case, the Court of Cassation ruled against the bank even though the customer's negligence appeared obvious - he had given his card and codes to a stranger he had met online - because the Court of Appeal had failed to check the prior chain of evidence. This is a valuable lesson: the discussion must always begin with the formalism of the evidence incumbent on the bank, never with the customer's fault.

Strong authentication, a decisive weapon for payers

Since Article L. 133-44 of the Monetary and Financial Code took effect on 14 September 2019, the payment service provider has been obliged to require strong authentication when the payer accesses their account online, initiates an electronic payment or carries out an action by a remote means that could involve a risk of fraud. Strong authentication is defined as the combination of at least two elements from three categories: knowledge (a code), possession (a telephone or personal object) and inherence (a fingerprint, facial or voice recognition). For remote electronic payments, the text goes further by requiring a «dynamic link» between the transaction and the amount and beneficiary: the code received must be specific to the current transaction, and not a generic code that can be reused.

The penalty for failure to provide strong authentication is set out in Article L. 133-19 V and is radical: apart from the fraudulent act of the payer himself, the payer bears «no financial consequences» if the unauthorised transaction was carried out without his payment service provider having required strong authentication. The debate on gross negligence disappears: the bank can no longer rely on article L. 133-19 IV to refuse reimbursement, since the technical prerequisite required by law had not been met. The scope of this rule was confirmed by Cass. com., 30 August 2023, no. 22-11.707, which is now the benchmark ruling on the subject.

The reflex response to a refusal of reimbursement is therefore always the same: demand in writing that the bank provide evidence that strong authentication in accordance with L. 133-44 was implemented at the time of the disputed transaction. The absence of such proof - or its inadequacy, for example a generic SMS code with no dynamic link - gives rise to an almost unconditional right to reimbursement.
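The difference between a dynamically linked code and a generic one, as an added example that is not part of the original guide or of any bank's implementation: the code is computed over the amount, the beneficiary and a per-transaction challenge, so it stops verifying as soon as any of them changes. The HMAC construction, the key, the challenge values and the IBAN-shaped strings are constructed assumptions; the text of L. 133-44 as described here prescribes no particular algorithm.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed sample values (assumptions, not taken from the guide or a real bank).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # possession-factor secret
PAYEE_SHOWN = "FR7630006000011234567890189"   # constructed IBAN-shaped string
PAYEE_SWAPPED = "DE89370400440532013000"      # constructed IBAN-shaped string


def canonical(amount: str, currency: str, payee_iban: str, challenge: str) -> bytes:
    """Serialise the fields the code is bound to, without ambiguity."""
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    iban = payee_iban.replace(" ", "").upper()
    parts = [amt, currency.upper(), iban, challenge]
    # Length-prefix each field so adjacent values can never be confused.
    return b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)


def _digits(mac: bytes, digits: int) -> str:
    """Truncate a MAC to a short numeric code a user could read or confirm."""
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def linked_code(key, amount, currency, payee_iban, challenge, digits=8) -> str:
    """Code specific to this amount, this beneficiary and this challenge."""
    msg = canonical(amount, currency, payee_iban, challenge)
    return _digits(hmac.new(key, msg, hashlib.sha256).digest(), digits)


def verify_linked(key, code, amount, currency, payee_iban, challenge) -> bool:
    """Bank side: recompute over the transaction actually being executed."""
    expected = linked_code(key, amount, currency, payee_iban, challenge)
    return hmac.compare_digest(expected, code)


def generic_code(key, challenge, digits=8) -> str:
    """Weak variant: depends on the session challenge only, not the transaction."""
    mac = hmac.new(key, b"generic|" + challenge.encode(), hashlib.sha256).digest()
    return _digits(mac, digits)


def verify_generic(key, code, challenge) -> bool:
    # The transaction is not an input: any amount or payee passes.
    return hmac.compare_digest(generic_code(key, challenge), code)


def demo() -> dict:
    challenge = "c7f1-0001"                        # constructed one-time challenge
    approved = ("49.90", "EUR", PAYEE_SHOWN)       # what the payer saw and approved
    altered = ("4990.00", "EUR", PAYEE_SWAPPED)    # what is presented for execution
    code = linked_code(DEVICE_KEY, *approved, challenge)
    weak = generic_code(DEVICE_KEY, challenge)
    return {
        "linked_accepts_approved": verify_linked(DEVICE_KEY, code, *approved, challenge),
        "linked_accepts_altered": verify_linked(DEVICE_KEY, code, *altered, challenge),
        "linked_accepts_replay": verify_linked(DEVICE_KEY, code, *approved, "c7f1-0002"),
        "generic_accepts_any_tx": verify_generic(DEVICE_KEY, weak, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When reading the authentication evidence a bank produces, the question this models is whether the logged code was computed over the disputed amount and beneficiary or only over the session.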

A two-stage burden of proof

Article L. 133-23 of the CMF organises the burden of proof according to a two-stage mechanism that it is useful to master. This mechanism has been constructed methodically by the Commercial Chamber, from Cass. com. 18 January 2017, no. 15-18.102 to Cass. com., 12 November 2020, no. 19-12.112.

Article L. 133-23 of the Monetary and Financial Code

«Where a Payment Service User denies having authorised a payment transaction which has been executed, or claims that the payment transaction has not been executed correctly, it shall be for his Payment Service Provider to prove that the transaction in question has been authenticated, properly recorded and accounted for and that it has not been affected by a technical or other deficiency.

The use of the payment instrument as recorded by the payment service provider is not necessarily sufficient in itself to prove that the transaction was authorised by the payer or that the payer intentionally or through gross negligence failed to fulfil his obligations.»

The first step is systematically the bank's responsibility: it must prove that the transaction was authenticated, duly recorded and accounted for, and that it was not affected by any technical fault. As long as this first stage has not been completed, there can be no discussion of the customer's fault. It is only at a second stage, if and only if the first stage is established, that the bank can attempt to demonstrate fraud or gross negligence on the part of the payer.

The rule is all the more protective because the second paragraph shuts down a long-standing practice of banks: the actual use of the payment instrument or related data is never enough to prove either that the transaction was authorised or that the customer was grossly negligent. In other words, the fact that a code was entered correctly does not prove that it was the customer who entered it. This principle, consistently reiterated by the Cour de cassation, is a central argument in all litigation.

Deadlines that kill your right

The right to repayment is locked into a set of time limits, failure to observe which can jeopardise everything, even if the fraud is obvious and the bank is at fault. The rule was radically changed by the Cour de cassation in 2026, following a ruling by the Court of Justice of the European Union.

Article L. 133-24 of the CMF sets an absolute time limit of thirteen months from the debit date, reduced to seventy days for transactions carried out outside the European Economic Area. Once this period has elapsed, the dispute is inadmissible. But the real operational rule is stricter: the payer must report the unauthorised transaction «without delay», and this period runs not from the debit date, but from the moment he becomes aware of it.

This solution, which could be deduced from the wording of the text, was enshrined by the Court of Justice in its judgment CJEU, 1 August 2025, Veracash, C-665/23, then taken up by the Commercial Chamber in Cass. com. 14 January 2026, no. 22-14.822. This has two implications. On the one hand, the court must ascertain the date on which the payer actually became aware of the first fraudulent transaction - generally, the date on which he consulted his account online and was able to detect the anomaly. On the other hand, a late report, even if it is made within the legal thirteen-month period, may deprive the payer of his right to reimbursement if it is the result of gross negligence in monitoring his accounts. A ruling dated 4 February 2026 (no. 22-22.609) drew the practical consequence of this rule: the claim is rejected if the user is unable to justify the date on which he reported the transaction to his bank.

There is one final deadline worth mentioning, which concerns disputed direct debits rather than fraudulent transactions in the strict sense of the term. Article L. 133-25 of the CMF gives the payer an unconditional right to reimbursement of any authorised SEPA direct debit within eight weeks of the debit. This right, reiterated by Cass. com. 2 July 2025, no. 24-11.680, is independent of the fraud regime and is of considerable practical use when an undue deduction has been made, even in the absence of proven fraud.

Steps to take: stop payment, notification, complaint

As soon as a suspicious transaction is detected, three steps must be taken immediately and in parallel - none of the three waits for another.

The first is the stop payment. You can do this by contacting your bank via your customer area or by telephone, or by contacting the interbank stop payment server (0 892 705 705, available 24 hours a day). Stopping payment freezes the debit: beyond that point, any transactions attempted with the card are legally chargeable to you, up to a limit of fifty euros (article L. 133-19, I). Always confirm your stop payment in writing - by e-mail in the customer area and, if possible, by registered letter with acknowledgement of receipt - because the precise date of your stop payment will be an essential piece of evidence.

The second is notifying the bank. This triggers the repayment obligation under article L. 133-18. It is distinct from the stop payment: the stop payment secures the future, while the notification gives you the right to have past transactions corrected. Make it in writing, date it and describe each disputed transaction in detail (date, amount, beneficiary shown). This is the document that will then be used to start the one working day period provided for in article L. 133-18.

The third is filing a complaint, which runs in parallel with the civil proceedings. Three options are available. The Perceval platform is accessible online via FranceConnect and enables you to report fraudulent use of your bank card if you are still in possession of it. The Thésée system covers scams committed electronically and also allows online reporting. In the event of significant loss or sophisticated fraud, it is still advisable to lodge a complaint with a police station or send a registered letter with acknowledgement of receipt to the public prosecutor. The receipt for the complaint will be attached to the request for reimbursement from the bank and, where applicable, to the claim under legal protection insurance.

Never make the lodging of a complaint conditional on the bank's prior agreement: the complaint is independent of the civil proceedings and the bank has no say in the matter. On the contrary, experience has shown that filing a complaint quickly is a useful tool for obtaining amicable repayment.

Recourse if the bank refuses to repay

If the bank refuses to make the repayment - or is slow to do so - a range of remedies is available, from amicable settlement to litigation.

The first stage is a formal complaint to the bank's customer services, by registered letter with acknowledgement of receipt. In precise terms, demand immediate reimbursement based on article L. 133-18 and, where strong authentication is in question, the production of proof that it was actually required in accordance with article L. 133-44. Give a reasonable timeframe for a response - fifteen days would seem to be an acceptable basis for negotiation - and announce the subsequent stages in the event of failure.

If you receive no reply or a negative response, contact the banking ombudsman. Each bank has an independent ombudsman, whose contact details are given in the account agreement. Referral to the ombudsman is free of charge and suspends the statute of limitations, and the ombudsman must give his or her opinion within ninety days. The ombudsman's opinion is not legally binding on either party, but the vast majority of banks comply with it.

Reporting to the Autorité de contrôle prudentiel et de résolution is another, parallel and complementary route. The ACPR does not have the power to order individual reimbursements - that is not its remit - but it can penalise an institution's professional failings, and repeated reports are taken into account in the assessment of the sector's practices. To understand its precise role, consult our guide dedicated to the ACPR.

When the amicable route has been exhausted, legal recourse is required. There are two options, depending on the amount in dispute: the local court for claims of ten thousand euros or less, the judicial tribunal beyond that. Proceedings on the merits can take several months. They can be accelerated by summary proceedings (référé): case law has accepted - under certain conditions - that the repayment obligation set out in article L. 133-18 is not seriously disputable when the facts of the case are clear. This approach is particularly suited to emergency situations, for example where a refusal to repay jeopardises a company's cash flow.

These disputes are at the crossroads of banking law, consumer law and civil procedure. They involve a technical system of proof - two-stage burden of proof, linkage with strong authentication, analysis of e-mails and authentication logs - which the lower courts are applying with increasing rigour. Solent Avocats assists individuals and businesses with all of these steps in order to structure a claim for reimbursement or legal action effectively. To place this subject in its wider context, consult our complete guide to banking law and our dedicated guide to general bank liability. If you would like to discuss a specific situation, our banking and finance law page describes how it works.