The Advocate General of the Court of Justice of the European Union has issued an opinion on consumer protection against banking fraud. According to his position, a bank is obliged to refund a customer for funds lost as a result of an unauthorised payment transaction, even if the transaction was executed due to the customer's own fault. The opinion concerns a case from Austria but is significant for the entire European Union, including Poland. It is an important contribution to the discussion about banks' responsibility for transaction security.
Bank's responsibility for refund
The CJEU Advocate General found that a bank is obliged to refund a customer for funds lost as a result of an unauthorised payment transaction. This obligation stems from the EU's Payment Services Directive and applies even in situations where the customer themselves contributed to the execution of the transaction, for example by disclosing authentication data.
Key significance of the opinion
The Advocate General's opinion is not yet a ruling, but the Court of Justice of the EU in Luxembourg typically follows his position in final rulings. Therefore, the issued opinion is of groundbreaking significance for banking practice across the entire European Union and may end long-standing disputes between consumers and financial institutions.
Context of the Austrian case
The opinion was issued in connection with a court case from Austria, in which a bank customer fell victim to a 'BLIK' scam. Fraudsters tricked him into revealing the codes needed to authorise a transfer. The bank refused to refund the funds, citing customer fault. The court in Austria referred a preliminary question to the CJEU, and the Advocate General's opinion is the response to that question.
The Advocate General of the Court of Justice of the European Union has issued a groundbreaking opinion on banks' responsibility for refunding funds lost by customers due to fraud. According to his position, a financial institution is obliged to refund the money, even if the execution of an unauthorised payment transaction was due to the customer's own fault. The opinion concerns a specific case from Austria, but its consequences will affect the entire European Union, including Poland.
Although the Advocate General's opinion is not a binding ruling, it is crucial for the CJEU's judicial practice. The Court in Luxembourg follows the Advocate General's position in the vast majority of cases when issuing final rulings. This means the interpretation presented in the opinion is highly likely to become EU law.
The case in question began with a "BLIK" scam. A customer of an Austrian bank fell victim to phishing – fraudsters, impersonating the bank, tricked him into revealing the codes needed to authorise a transfer. As a result, a significant sum of money disappeared from his account. The bank refused to refund the funds, arguing that the customer himself disclosed the authentication data, and therefore the transaction was properly authorised. The national court in Austria, handling the customer's complaint, referred a preliminary question to the CJEU regarding the interpretation of the EU's Payment Services Directive (PSD2).
The PSD2 Directive, in force since 2018, aimed to increase the security of payment transactions in the EU and protect consumers. It introduced, among other things, the requirement for strong customer authentication (SCA). However, in cases of fraud where a customer is tricked into revealing data, responsibility often remained unclear, and banks frequently refused refunds, citing customer negligence or fault.
The Advocate General in his opinion clearly sided with the consumer. In his view, a transaction executed as a result of fraudulently obtaining authentication credentials cannot be considered to have been authorised by the customer within the meaning of the directive. Even if the customer was misled and provided the codes themselves, the actions of the fraudsters mean the transaction remains unauthorised. In such a situation, the bank bears the obligation to refund it. The Advocate General's opinion also emphasises that EU regulations are meant to protect consumers, who are the weaker party in the relationship with financial institutions. Shifting the risk of fraud onto customers could undermine trust in the entire electronic payment system.
"A transaction executed as a result of fraudulently obtaining the customer's authentication credentials cannot be considered to have been authorised by the customer." — CJEU Advocate General
The final ruling in this case will be issued within the coming months. If the Court of Justice of the EU shares the Advocate General's position, it will have far-reaching consequences for banks across the Union. They will have to change their practice and refund funds to fraud victims more often, which may translate into higher costs for insurance and security procedures. For consumers, this means strengthened legal protection and a greater chance of recovering lost money if they fall victim to cybercrime.