An adviser to the Court of Justice of the European Union has stated that banks should refund customers who lose money to phishing scams, even if the customer may have contributed to the incident.
The opinion was issued by Athanasios Rantos, Advocate General at the Court of Justice of the European Union, the EU’s highest court responsible for interpreting European Union law. The opinion concerns how banks should handle unauthorized transactions carried out after customers are deceived by phishing attacks. It relates to the interpretation of rules set out in the EU Payment Services Directive, which regulates electronic payments across the European Union.
According to the opinion, banks must reimburse customers immediately after an unauthorized payment unless there are reasonable grounds to suspect that the customer committed fraud. In such cases, the bank must notify the relevant national authority in writing.
The opinion follows a request for clarification from the District Court in Koszalin, Poland. The court asked the EU court to interpret the directive in a dispute involving PKO Bank Polski, a state-controlled Polish bank, and one of its customers.
The case concerns a phishing incident involving a customer who was selling an item through an online platform. The customer received a message from a person posing as a buyer who sent a link that imitated the bank’s website. After clicking the link, the customer entered banking credentials on the fraudulent page.
The information allowed the attacker to access the customer’s bank account and initiate an unauthorized transfer. The customer discovered the transaction and reported it to the bank the following day.
PKO Bank Polski refused to reimburse the funds. The bank argued that the customer had shown gross negligence by providing login credentials on the fraudulent website. The customer then brought the case before the Polish court.
In his opinion, Rantos stated that under EU payment rules, the bank must first refund the amount of the unauthorized transaction. If the bank believes the customer intentionally violated security obligations or acted with gross negligence, it may later attempt to recover the funds.
According to the opinion, the burden of pursuing repayment would fall on the bank. If the customer refuses to return the funds, the bank may initiate legal action to recover the amount.
The opinion states that authentication of a transaction using correct login credentials does not automatically prove that the payment was authorized by the customer. Banks must demonstrate that the customer acted fraudulently or with serious negligence if they intend to deny reimbursement.
An Advocate General opinion is not a final ruling. It is a legal recommendation provided to assist the judges of the Court of Justice of the European Union as they prepare a decision. The court will issue its judgment at a later date.