A bank must immediately refund a fraudulent payment to the customer. This also applies when the bank suspects that the customer was negligent in protecting their banking details, according to an Advocate General in an opinion.
A bank may not refuse the immediate refund of a fraudulent payment because the customer may have been negligent. This is stated by Advocate General Athanasios Rantos in an opinion to the Court of Justice of the European Union. The opinion follows a Polish case concerning phishing fraud.
Login details
The case revolves around a customer who became a victim of phishing. A scammer posed as a buyer on an online sales platform. The fraudster sent a link that resembled her bank’s website. The customer entered her login details there. This allowed the fraudster to transfer money from her account.
The customer reported the payment to her bank the following day. The bank refused to refund the amount. According to the bank, the customer had disclosed her banking details herself and had therefore acted with gross negligence. The customer then took the matter to court. The court asked the Court of Justice how European legislation on this matter should be interpreted.
Immediate refund mandatory
According to the Advocate General, European regulations require banks to immediately refund an unauthorized payment. This must happen as soon as the bank is aware of the transaction. An exception only applies when the bank has a well-founded suspicion of fraud and reports this to the competent national authority.
The rules are set out in the European Payment Services Directive (PSD2). According to the opinion, this leaves no room for member states to provide for other exceptions. Banks must therefore refund first, regardless of any potential error by the customer.
Bank can recover amount later
However, the refund does not mean that the customer is always allowed to keep the money. “If the bank determines that the customer, intentionally or through gross negligence, has failed to fulfill one of the obligations regarding personalized security data, it can require the customer to bear the associated losses,” according to the press release. If the customer refuses, the bank can take legal action to recover the money.
The opinion of an Advocate General is not binding. The judges of the Court of Justice are now considering the case. The final ruling will follow at a later date. The verdict will provide guidance on how banks in the European Union handle refunds in cases of online fraud.