When it comes to bank fraud, victims sometimes find themselves doubly helpless: not only are they robbed of large sums of money, but they often hit a wall when they request a refund from their bank. And the Court of Cassation, the highest civil court, issued an important ruling on this matter on April 30. In this case, the victim, in the middle of a meeting, opened an email that appeared to come from their bank – but which was actually from a scammer. They then clicked on a fraudulent link.
Thanks to this operation, a new beneficiary was added to the company's account, before seven transfers, each worth nearly €20,000, were made. The victim (a manager of an LLC) only realized this a few days later. He notified his bank, which managed to recover part of the sum (nearly €90,000) – an amount that was indeed returned to him. But for the remaining €50,000, the money had indeed been debited; the sums had vanished into thin air. The bank considered that its client had acted with gross negligence, and that it did not have to reimburse him for this sum. A decision that the SARL challenged in court.
"Easily detectable inconsistencies" in the email for the appeal court
And while the commercial court ruled in its favor at first instance, the Rennes Court of Appeal overturned this ruling, finding that the company had indeed demonstrated gross negligence. Particularly because the email in question "contained easily detectable inconsistencies" and that a "first attempted fraud brought to the attention of (the victim) a few days earlier" should have made her all the more vigilant.
The Court of Cassation has overturned this ruling, recalling the steps to be followed by the trial judges. Before asking whether the victim was grossly negligent or not, banks must first prove that the "disputed payment transactions (were) authenticated, duly recorded and accounted for, and that they were not affected by a technical or other deficiency."
Before gross negligence, strong authentication must be proven
As a reminder, in French law, the law requires banks to reimburse their customers, from their own funds, for any sum unduly withdrawn from their bank account. It does not matter if the fraudster and the stolen sums are never found. But there are two exceptions: if the customer is an accomplice in the fraud, or if they were "grossly negligent." It is up to the banking institution to provide proof of these two elements, which allow it to dodge the issue.
And in this case, the Court of Cassation has "simply reminded us what the law says": before talking about "gross negligence, the question of strong authentication first arises," explains lawyer Arnaud Delomel, who regularly defends victims of financial fraud. So "first, we take the time to check whether the transfer transactions have been properly authenticated and secured by the bank" - whether they have been validated by a "double authentication" system by the victim - the fact of combining two identification elements, such as their smartphone and a password or code. And here too, it is up to the banking institution to provide this proof.
Good news for consumers
"Why this prerequisite? Because in fact, when there is no strong authentication, gross negligence is not enough to dismiss the person's claim (Editor's note:). That is to say, when the bank is unable to prove that there was strong authentication, the only case in which the consumer is not reimbursed is when he is a fraudster, the burden of proof being on the bank to prove it," continues MaƮtre Arnaud Delomel. For the lawyer specializing in credit and consumer law, this is not strictly speaking a reversal: "the Court of Cassation had already reiterated this rule in its landmark ruling of 2020, repeated in August 2023."
The ruling therefore serves as a reminder that the ball is first in the bank's court, which must prove, before invoking the possible serious negligence of its customer, that the transfer transaction – as well as the addition of the beneficiary – went through the banking institution's strong authentication process: good news for victims of banking scams and consumers, who should not, however, relax their vigilance in the face of the thousand and one attempted scams.
0 Comments