EU court adviser says banks must immediately refund phishing victims
Source: Bleeping Computer
Background
Athanasios Rantos, Advocate General of the Court of Justice of the EU (CJEU), issued a formal opinion suggesting that banks must immediately refund account holders affected by unauthorized transactions, even when the customer’s fault contributed to the loss.
The opinion responds to a request for a preliminary ruling from the District Court in Koszalin, Poland, concerning a dispute between PKO BP S.A. and one of its customers.
The Phishing Fraud Scenario
- The customer listed an item for sale on an auction platform.
- A fraudster sent a malicious link that mimicked the bank’s login page.
- The customer entered their banking credentials on the fake site.
- The fraudster used those credentials to execute an unauthorized payment.
The victim reported the transaction the next day to both the bank and the police. The fraudsters were not identified, and the bank refused to refund the lost amount, prompting the customer to sue.
Bank’s Argument
The bank argued it could deny a refund if the customer’s negligence caused the loss.
Advocate General Rantos’s Opinion
Rantos states that under the EU Payment Services Directive (2015/2366 / PSD2), a bank cannot refuse an immediate refund to victims unless it has reasonable grounds to suspect fraud.
“Advocate General Athanasios Rantos considers that EU law requires the bank, as a first step, to refund immediately the amount of the unauthorised transaction, unless it has good reason to suspect fraud, which it must communicate in writing to the competent national authority.”
Press release PDF
Recovery of Losses
Banks may still seek recovery from the customer if they can prove gross negligence or intentional misconduct:
“If the bank establishes that the customer has failed, intentionally or through gross negligence, to fulfil one of the obligations relating, in particular, to personalised security data, it may require the customer to bear the corresponding losses.”
“If the customer refuses to reimburse the amount of the unauthorised transaction, it is up to the bank to take legal action against that person to obtain payment.”
Legal Status
The opinion is not a CJEU ruling; it is an indication of the direction the court may take when the matter reaches that stage. The Advocate General’s opinion (full text here) is a legal recommendation to the CJEU judges. The final CJEU ruling will be binding on all EU courts.