The dematerialisation of banking and the proliferation of online transactions have unfortunately paved the way for an upsurge in fraud, particularly fraudulent transfers. Whether individuals or businesses, no-one is immune to these sophisticated schemes, which can cause considerable financial damage. Once the irreparable has happened and an unauthorised transfer has been debited from your account, the question of the bank's liability arises sharply. The aim of this article is to explain to victims the mechanisms of fraud, the liability of banks, the contribution of recent case law and the practical remedies available.
Identifying a fraudulent transfer
Recognising a fraudulent transfer is not always easy, given the ingenuity of fraudsters. These illicit transactions can take a variety of forms, but certain techniques are frequently used. It is important to understand these mechanisms so that you can protect yourself and react quickly. Rapid detection is often a decisive factor in limiting the damage, although recovering the funds once the transfer has been made is a complex matter.
Phishing, spoofing, changing the recipient
The methods used by con artists are varied and constantly evolving. Among the most widespread are:
- Phishing Fraud: This technique involves luring the victim by pretending to be a trusted organisation (bank, tax authority, energy supplier, etc.) via an email, text message or phone call. The aim is to obtain sensitive personal information, such as online banking login details, credit card numbers or security codes. Once this information has been obtained, the fraudster can initiate transfers without the account holder's knowledge. These fraudulent communications often imitate official communications perfectly, making them difficult to detect for the untrained eye.
- Identity theft: Fraudsters can use the identity of a third party to obtain a transfer. This could be the identity of a relative asking for urgent financial assistance, or, in the professional world, that of a manager (chairman fraud), a supplier (false RIB scam) or even a bank adviser. In the case of the fake supplier scam, the fraudster contacts the company pretending to be a regular supplier and asks them to change their bank details (RIB) for future payments. The transfers are then diverted to the fraudster's account.
- Changing the recipient: This fraud, which is often linked to identity theft or computer hacking, involves intercepting a communication relating to a payment and changing the legitimate beneficiary's bank details to those of the fraudster. The company or individual thinks they are making a transfer to a known creditor, but the funds are actually directed to an account controlled by the fraudster. This type of fraud is particularly pernicious because it exploits the trust established with regular partners.
What these different techniques have in common is that they exploit credulity, lack of vigilance or security flaws to achieve their ends. Vigilance and the implementation of robust verification procedures are the first lines of defence.
Bank liability regime
When a fraudulent transfer is detected, the question of the bank's liability is central. The legal framework for transfers is mainly defined by the French Monetary and Financial Code, which imposes specific obligations on banks in terms of the security of payment transactions and reimbursement in the event of unauthorised transactions. Understanding these rules is essential if customers are to assert their rights.
Art. L. 133-18 CMF and burden of proof
Article L. 133-18 of the French Monetary and Financial Code is the cornerstone of the system for protecting payment service users. It stipulates that in the event of an unauthorised payment transaction reported by the user under the conditions laid down by law (in particular within 13 months of the debit), the payment service provider (the bank) must immediately reimburse the payer for the amount of the unauthorised transaction. The bank must also restore the debited account to the state it would have been in had the disputed transaction not taken place.
However, there are exceptions to this principle of reimbursement. The bank is not obliged to reimburse if the transaction has been authenticated and the losses are the result of fraudulent conduct on the part of the user, or if the user has failed, intentionally or through gross negligence, to comply with their obligations to secure their personalised security devices (such as their access codes) or their obligation to report the unauthorised transaction without delay.
This is where the burden of proof comes in. It is up to the bank refusing reimbursement to prove that the user committed fraud, acted with gross negligence, or failed to report the transaction in time. The bank must also demonstrate that the transaction in question was duly authenticated, correctly recorded and accounted for, and that it was not affected by a technical fault. The mere use of the payment instrument or personalised security data is not necessarily sufficient to prove that the transaction was authorised by the customer or that the customer acted fraudulently or with gross negligence. The bank's vigilance in detecting atypical transactions may also be taken into account by the courts. It should be noted that problems can also arise in the case of a transfer that is not executed or is delayed, although this article focuses on fraudulently executed transfers.
The concept of "gross negligence" is assessed by the courts on a case-by-case basis. It implies a particularly serious breach of the obligations of prudence and diligence. For example, communicating one's secret codes in response to a crude phishing email could be considered grossly negligent, but the complexity and sophistication of some frauds make this assessment tricky.
Recent case law
The courts, and in particular the Cour de cassation, regularly refine the interpretation of the texts relating to banking liability in matters of fraud. An analysis of recent case law provides a clearer picture of what constitutes gross negligence on the part of the customer and the obligations of banking institutions.
Cass. Com. 1 June 2023, no. 21-19.289
In a ruling handed down on 1 June 2023 (Cass. Com., 1 June 2023, no. 21-19.289), the Court of Cassation ruled on the liability of a bank in a complex fraud case. This ruling is a frequent reminder that the burden of proving gross negligence on the part of the customer lies with the bank. If the bank is unable to prove that the customer acted in a way that went beyond mere carelessness, it may be required to repay the sums fraudulently debited. Judges look closely at the security measures put in place by the bank and whether these were state of the art at the time of the fraud. A failure in the bank's fraud detection systems can work against it, even if the customer may have been careless at the outset.
Cass. Com. 30 August 2023, no. 22-11.707
The judgment of 30 August 2023 (Cass. Com., 30 August 2023, no. 22-11.707) illustrates another aspect of these disputes. In this case, the discussion focused on whether the authentication system used by the bank was sufficiently robust or on the way in which the customer reacted after becoming aware of suspicious elements. The Cour de cassation is careful to apply the rules in a balanced way, seeking to protect users of payment services without exonerating from liability those who demonstrate passivity or gross carelessness. The sophistication of the fraud is a determining factor: the more elaborate the fraud and the more difficult it is for a normally diligent user to detect, the less gross negligence will be accepted.
Cass. Com. Oct. 2, 2024, no. 23-13.282
A very recent decision, handed down by the Commercial Chamber of the Court of Cassation on 2 October 2024 (Cass. Com., 2 Oct. 2024, no. 23-13.282), continues to clarify banks' obligations. This type of decision may, for example, insist on the bank's obligation to implement personalised security measures and strong authentication procedures adapted to the risks. If a fraud was perpetrated by exploiting a known flaw in the bank's authentication system, or if the bank did not sufficiently alert its customers to emerging and particularly dangerous types of fraud, its liability could be more easily incurred. These rulings underline the importance of banks constantly adapting their security measures and information to customers in the face of evolving fraud techniques. However, each situation remains unique and is assessed on its own merits (in concreto) by the lower courts.
Practical remedies for customers
When a customer discovers that they have been the victim of a fraudulent transfer, it is imperative that they react quickly and methodically. Several steps must be taken to try to limit the damage and seek compensation.
Immediate objection & complaint
Customers must take immediate action as soon as they notice a suspicious or unauthorised transfer on their account statements.
- Contact your bank: The first thing to do is to inform your bank immediately. You should report the fraudulent transaction and ask for any compromised means of payment to be blocked. It is also possible to ask the bank if a "recall" procedure can be attempted, although its success is uncertain, especially if the funds have already been transferred to another bank, potentially abroad. It is advisable to confirm this action in writing (by registered letter with acknowledgement of receipt or via the bank's secure messaging system) to keep proof of the date on which the report was made. This is an essential step if you are contesting a transfer.
- Making a complaint: It is essential to lodge a complaint with the police or gendarmerie as soon as possible. This report is often required by the bank in order to process the request for reimbursement. It also serves to formalise the fraud and initiate an investigation. You need to have all the available evidence at hand: account statements, screenshots of fraudulent messages or emails, transaction references, etc.
Liability action / provisional injunction
If the bank refuses to reimburse the sums misappropriated, for example on the grounds of gross negligence on the part of the customer, there are a number of legal remedies available.
- Banking mediation: Before taking legal action, you can (and often must) refer the matter to the Banking Ombudsman. This procedure is free and can help to find an amicable solution to the dispute.
- Liability action: If mediation fails, or if the bank continues to refuse, the customer may bring an action against the bank in the courts. The aim will be to show that the conditions for repayment under article L. 133-18 of the French Monetary and Financial Code have been met, and that the bank has not proved gross negligence on the part of the customer. The assistance of a banking lawyer is therefore strongly recommended in order to build a solid case and defend the client's interests as effectively as possible. The lawyer will be able to analyse the bank's arguments, examine its security measures and the applicable case law.
- Provisional injunction (summary proceedings): In certain situations where the bank's obligation to repay does not appear to be seriously questionable, summary proceedings may be considered. This emergency procedure allows you to quickly obtain a provisional payment from the judge (an advance on the total amount owed) while awaiting a ruling on the merits of the case. To do this, the existence of the bank's obligation must be clear and not seriously disputable.
The complexity of bank fraud and the often high financial stakes involved can make the process difficult for victims. A good understanding of their rights and the remedies available to them is a major asset.
If you are faced with a fraudulent transfer situation and your bank refuses your request for reimbursement, our firm can analyse your case and advise you on the steps to take. For an in-depth analysis of your situation and tailored advice, contact our team of lawyers.
Sources
- Monetary and Financial Code (in particular articles L. 133-16, L. 133-17, L. 133-18, L. 133-19, L. 133-23, L. 133-24)
- Case law of the Cour de cassation and the Courts of Appeal on payment fraud.