Athanasios Rantos, the Advocate General of the Court of Justice of the EU, has issued a legal opinion stating that banks should immediately refund victims of unauthorized transactions even if the customer's negligence is suspected. This preliminary guidance suggests that the burden of proof rests with the financial institution, which must first restore the funds before pursuing legal action to prove a customer's gross negligence.
This legal opinion originated from a specific dispute in Poland between PKO BP S.A. bank and a customer who fell victim to a phishing scam. While attempting to sell an item on an auction site, the customer clicked a malicious link provided by a fraudster that led to a fake banking login page. After the victim unwittingly entered their credentials, the fraudster executed an unauthorized payment, leading the customer to report the incident to both the bank and the police the following day.
Because the perpetrators could not be identified, the bank refused to cover the loss, arguing that the customer was responsible for the security breach. This prompted a lawsuit and a subsequent request for a ruling from the Court of Justice of the EU to clarify how consumer protection laws should be applied. The central conflict involves whether a bank can preemptively withhold a refund based on its own assessment of a customer's level of care.
The Advocate General argued that under the EU Payment Services Directive, the primary obligation of a bank is to provide an immediate refund once an unauthorized transaction is reported. The only exception to this immediate repayment is if the bank has legitimate grounds to suspect that the customer is committing fraud. In such cases, the bank is required to formally communicate those suspicions to the appropriate national authorities in writing rather than simply denying the claim.
However, the opinion does not grant customers total immunity from the consequences of their actions. If a bank can later prove that the user acted with intent or gross negligence regarding their security data, it has the right to seek recovery of those funds. Essentially, the bank must pay first and then initiate its own legal proceedings to win the money back, rather than forcing the customer to sue to receive their initial refund.
This opinion is a non-binding recommendation to the judges of the Court of Justice of the EU. While the court often follows the direction suggested by the Advocate General, a final and binding ruling has not yet been issued. If the court adopts this stance, it will set a significant precedent for how fraud cases are handled by financial institutions across all member states.
Source: EU Court Adviser Rules Banks Must Immediately Refund Phishing Attack Victims


