When must a bank reimburse a customer scam victim in France?

People who fall victim to scams in France may not be entitled to a refund from their bank, the Court of Cassation (supreme court) has ruled, depending on the circumstances of the scam.

In a decision from January 15, the court ruled that a scam victim’s bank was not obliged to reimburse stolen sums. It found that there had been “gross negligence” on the part of the victim, as the email at the source of the fraud was “manifestly fraudulent”.

The case centred on an accountant who received an email written in English, which infected his computer with a ‘Trojan’ virus that allowed the scammers to retrieve bank details of two client companies, from which money was withdrawn. The companies identified six unknown transactions.

The accountant asked their bank for a refund but it refused and the court agreed the refusal was valid. 

Previously, the Paris Court of Appeal had stated that the bank had also been negligent, and had not taken notice of computer attack alerts, nor the numerous connection attempts made on the day of the scam. The bank had previously been required to reimburse the victims 50% of the money stolen.

Yet, the supreme court overturned this ruling, and said that the accountant’s “gross negligence” released the bank from any responsibility.

Reimbursements and exceptions: What does the law say? 

The decision has helped to clarify the situations in which banks must reimburse victims of scams.

In principle, banks are required to reimburse their customers who are victims of fraud, as stated in the monetary and financial code (code monétaire et financier, article L.133-18).

However, there are exceptions. For example, in the above case, the court looked to article L.133-19 of the same code.

This stipulates that “the payer shall bear all the losses caused by unauthorised payment transactions if such losses result from fraudulent behaviour on their part or if they have failed to fulfil the above-mentioned obligations intentionally or through gross negligence”.

The victim’s bank is therefore not required to reimburse its customer in the event of a clearly misleading email or an email that could be reasonably identified as “phishing”.

Read also: Scam email alert for clients of three leading French banks
Read more: New telephone law aims to reduce bank fraud in France
Read also: Seven much-used scams to watch out for in France 

In contrast, a recent telephone scam case had the opposite outcome.

In this case, the court of Cassation ruled that the victim’s bank should reimburse the victim, after he was defrauded by a fake banking adviser who had used his bank number. 

The victim’s bank had previously refused to reimburse him because the customer had validated the transactions. It said that this amounted to “gross negligence”.

However, the court disagreed. 

It said that “in view of the circumstances in which the fraud took place, the client cannot be accused of gross negligence”, and so should be reimbursed as a result.

Fraud reimbursement recommendations

Banks in France reimburse the victims of scams in around two-thirds of cases, mainly in the event of a stolen card. The average amount per instance of bank card fraud is €168, show figures from la Banque de France.

New authentication systems are designed to make bank fraud more difficult, including a one-time passcode through a smartphone, or biometric approval such as facial recognition or a fingerprint. Yet, these methods are not completely infallible.

Last year, payment security body l’Observatoire de la sécurité des moyens de paiement issued recommendations to banks on how to assess scam victims.

Director Julien Lasalle said the context of the fraud was paramount.

He told RMC Conso: “If the customer was manipulated with the aim of tricking them, the bank must take this into account. If there is an inconsistency between the origin of the payments and the location of the customer at that time, it must also take this into account, because it could have been alerted to that.”

In addition, the bank must have provided its customer with an exit route: a button, on the mobile phone app for example, that allows them to cancel the transaction and not just validate it.