The Advocate General of the Court of Justice of the European Union has advocated for an unconditional obligation for banks to refund funds from unauthorized payment transactions, even in situations where the customer contributed to the fraud by providing scammers with access data. The opinion concerns a specific case of a consumer from Austria who fell victim to phishing, but it has landmark significance for the interpretation of the EU's PSD2 directive across the entire Community. The Advocate General's position is not binding, but the Court typically follows his guidance when issuing final rulings. The decision would strengthen consumer protection in an era of increasing financial cybercrime.

Unconditional Refund Obligation

The Advocate General of the Court of Justice of the EU stated that a bank is obligated to refund the customer the full amount of an unauthorized transaction, provided the customer reports it without delay. This principle is to apply even when the customer themselves – albeit unintentionally – disclosed confidential data needed to execute the transfer to fraudsters.

Key Interpretation of PSD2

The Advocate General's opinion concerns the interpretation of Article 74 of the PSD2 directive, which regulates liability for unauthorized payment transactions. The Advocate General rejected a restrictive interpretation under which a customer's gross negligence could release the bank from its refund obligation. He emphasized that the directive aims to ensure a high level of consumer protection.

Case of the Austrian Consumer

The case referred to the CJEU concerns an Austrian woman who, as a result of a phishing attack, provided fraudsters with her online banking login credentials, allowing them to carry out an unauthorized transfer. Her bank refused to refund the money, arguing that the customer's actions enabled the transaction. The national court referred a preliminary question to the Court.

Upcoming Court Ruling

The Advocate General's position is not a binding judgment but a substantive opinion for the Court's adjudicating panel. However, in the vast majority of cases, CJEU judges follow the Advocate General's line of argument. The final decision in this case will be issued within the coming months and will be binding for all EU member states.

The Advocate General of the Court of Justice of the European Union has taken a clear stance in a high-profile case concerning banks' liability for refunding funds from unauthorized payment transactions. In a published opinion, he stated that a financial institution has an unconditional obligation to refund the customer's money, even if that customer – falling victim to fraud – themselves provided criminals with confidential data, such as online banking access codes.

This opinion is a response to a preliminary reference question from an Austrian court, which is hearing the case of a female customer who was a phishing victim. The woman received an email, purportedly from her bank, requesting her to urgently log in via an attached link to "unlock her account." After entering her login credentials on the spoofed website, the scammers gained access to them and made an unauthorized transfer. The bank refused to refund the money, citing the customer's gross negligence and her alleged involvement in authorizing the transaction.

The Payment Services Directive (PSD2), which came into force in January 2018, aimed to increase the security of electronic transactions and strengthen consumer rights. Its provisions strictly regulate, among other things, liability for operations performed without the user's consent. Article 74 of the directive establishes the general principle that the payment service provider (e.g., a bank) is liable for an unauthorized payment transaction and must immediately refund the funds to the payment account.

In his analysis, the Advocate General emphasized that the aim of the PSD2 directive is to ensure a high level of consumer protection, as the consumer is the weaker party in the relationship with a professional financial services provider. Therefore, exceptions to the refund principle must be interpreted narrowly. He found that even a customer's gross negligence, consisting of disclosing data as a result of fraud, cannot be equated with authorizing the transaction nor release the bank from its fundamental obligation.

"Even if the payment service user acted with gross negligence by disclosing confidential personalised security credentials, this does not mean that they authorised the payment transaction." — CJEU Advocate General (in brief)

The key distinction highlighted by the Advocate General lies in separating the disclosure of data from the expression of will to make a specific payment. Phishing, although it uses social engineering, does not change the fact that the final decision to execute the transfer was made by the fraudster, not by the customer. Thus, the transaction remains unauthorized under the law.

This position could constitute a significant breakthrough in jurisprudence, as banks have often used the argument of customer negligence to refuse refunds in similar cases.

The final decision now rests with the full panel of judges of the Court of Justice of the EU, which typically, though not always, follows the opinions of its Advocates General. The ruling will be binding for all courts of the member states, including Poland, and will establish a uniform interpretation of EU regulations.

For millions of consumers in the EU, this potentially means stronger protection against the financial consequences of increasingly sophisticated cyberattacks. For the banking sector, it may entail revising procedures and potentially higher costs due to refunds, which could prompt institutions to invest in even more effective systems for detecting and blocking suspicious transactions in real time.

Mentioned People

  • CJEU Advocate General — Author of the landmark legal opinion on banks' obligation to refund unauthorized transactions.