The European Payment Services Directive (PSD2) (transposed into French law by Ordinance no. 2017-1252 of August 9, 2017) is aimed at managing cyber risks and strengthening the protection of payment service users. It institutes strong authentication for customers, while modifying payment dispute procedures. The Directive has slowed the growth of banking fraud in France, but fraud techniques have evolved to bypass prevention measures.
According to a July 10, 2024, report by the French Ministry of the Interior, the number of banking fraud victims in 2023 was 1.6 times higher than in 2016, with damages doubling. It is reported that credit cards are the most frequently defrauded payment method, followed by cheques, transfers, and direct debits.
“Bank fraud” refers to the use of illegal means or false or misleading statements to obtain money from a victim. To steal funds, fraudsters attack their targets' means of payment, banking data and identity. They use increasingly sophisticated techniques to bypass the security and prevention measures put in place by banks (which are also increasingly reinforced).
Two types of fraud coexist:
- Social engineering manipulations aim to contact the victim directly, usurping the identity of a third party and placing them in a situation of urgency in order to convince them to carry out various manipulations. By way of illustration, the fraudster may assume the identity of a senior company official in order to obtain an urgent bank transfer or that of a supplier, landlord or other creditor in order to misappropriate an invoice by sending the victim new bank details. The fraudster can also usurp telephone numbers, particularly those of banking establishments - using the spoofing technique - in order to present themselves as an advisor and manipulate their victim, or usurp the identity of the victim themselves, in order to be issued with a new SIM card linked to the victim's number (SIM swapping fraud); and
- Through computer attacks, the fraudster uses the phishing technique to collect personal and banking data from unsolicited e-mails or SMS messages. The fraudster also uses malicious software - known as malware - installed on the victim's computer equipment to retrieve banking data in transit.
The “strong authentication” system to secure payment instruments
Article L.133-44, I. of the French Monetary and Financial Code requires banks to set up “strong authentication” when users “access their account online, initiate an electronic payment transaction or carry out a transaction using a remote communication method likely to involve a risk of payment fraud or any other fraudulent use”. This system for securing payment instruments makes it possible to control access to sensitive payment data likely to be used to commit fraud. In short, strong authentication applies to all transactions carried out by remote means of communication, and results from the combination of two elements, namely an element that the user knows (generally a password or code) and an element that the user possesses (generally a mobile device on which the authentication device is installed) (art. L. 133-4 of the French Monetary and Financial Code). By way of illustration, to make an online payment using a bank card, a payment service user will receive a notification to be validated (in several stages) on his or her cell phone, using a confidential code that only he or she knows.
The French legal framework
As a matter of principle, the bank is obliged to reimburse the payment service user, subject to notification by the customer within 13 months and except in cases of gross negligence on the part of the customer.
When an unauthorized payment transaction is reported by the payment service user, article L.133-18 of the French Monetary and Financial Code requires the bank to reimburse the amount immediately. If the bank fails to do so, penalties apply: the sums due bear interest at the legal rate plus 5 points, then 10 points after 7 days' delay, and 15 points after 30 days' delay.
However, this immediate reimbursement by the bank is not automatic. Article L.133-24 of the French Monetary and Financial Code, resulting from the transposition of EU Directive 2007/64/EC (PSD1), requires payment service users to report unauthorized transactions to their service provider “without delay”, “at the latest within 13 months of the debit date, failing which the transaction will be time barred”.
In the context of a preliminary ruling on interpretation, the European Court of Justice (ECJ) will soon rule on whether the victim should be deprived of their right to reimbursement in such a case, and whether this delay constitutes gross negligence on their part (case C-665/23).
The bank's obligation to immediately reimburse the user for unauthorized transactions is also tempered by article L.133-19 of the French Monetary and Financial Code, which stipulates that the payer shall bear all losses caused by fraudulent transactions if these result from fraudulent action on their part, or if they have failed, intentionally or through gross negligence, to comply with the obligations set out in articles L.133-16 (obligation for the user to take all reasonable measures to preserve the security of their personalized security devices) and L.133-17 of the same Code (obligation to inform, as soon as they become aware of the loss, theft, misappropriation or any unauthorized use of their payment instrument or data). Proof of fraudulent or grossly negligent behaviour must be provided by the bank.
A bank intending to contest the reimbursement of a disputed transaction must establish that the transaction was authenticated, duly recorded and accounted for, and that it was not affected by a technical or other deficiency (art. L.133-23 of the French Monetary and Financial Code): in other words, it must demonstrate that the order did indeed originate from the user. However, proof of the user's consent to the transaction cannot be deduced from the use of the payment instrument alone (art. L.133-23, al.2), or from the authentication or security of the transaction alone, or even from the use of the customer's identifiers.
Although it is relatively straightforward for banks to demonstrate the regularity of the transaction, proving gross negligence is much more challenging. Indeed, it is up to banks to prove that the holder of the payment instrument has breached their security obligation, even though the holder is, in most cases, still in possession of their means of payment. Similarly, if the victim does not acknowledge that they have been phished, it is impossible for the bank to prove that the victim's data has been disclosed, since the bank cannot access the victim's mailbox to check for the existence of the fraudulent e-mail or SMS.
The French courts are rigorous in their assessment of proof of gross negligence: the bank cannot proceed by assumption and a strong evidence base, in the absence of evidence to the contrary from the user, cannot suffice to characterize gross negligence. Even in the event of destruction of the bankcard chip used, making it impossible to record the examination of this chip, the bank is not relieved of the burden of proof. The production of precise computer traces is not sufficient to call into question the sovereign assessment of judges. Proof of the use of customer identifiers is not sufficient to relieve the PSP of its liability.
This hard-to-obtain proof (described by commentators as a “probatio diabolica”) is, in most cases, provided by banks through the production of a chronological table of the transactions carried out, with supporting evidence. This involves computer traces attesting that the user's data must have been disclosed to the fraudster, or that the user must have validated the transaction. Providing proof is a particularly delicate task for banks who, even if they succeed in proving that the transaction was duly authorized by their customer and that the latter allowed it to take place, may still be ordered to reimburse the sums fraudulently debited.
In many cases, the bank is merely obliged to seek the client's admission of gross negligence. The bank then endeavors to provide additional evidence to demonstrate that the fraudster could not have carried out the disputed payment transaction without the disclosure of confidential information by the victim themselves.
A bank did attempt to invoke the principle of equality of arms, arguing that the evidential regime adopted by case law placed it at a distinct disadvantage compared to the user. However, the French High Court dismissed this argument, holding that the lower courts simply applied the rules of ordinary law relating to the burden and methods of proof, so that banking establishments were not placed at a disadvantage (Cass. Com, May 29, 2019, n°18-10.147).
A payment service user seeking reimbursement for fraudulent transactions may not hold the bank liable on the basis of a regime other than that of PSD1.
When suing their bank for the repayment of sums fraudulently debited, payment service users frequently seek, in addition to repayment, an award of damages on a basis other than that of the PSD1, usually by raising the bank's ordinary civil liability.
It emerges unequivocally from ECJ rulings that the user cannot bring an action on a basis other than that of the PSD1, if the action is aimed at reimbursing unauthorized transactions that are not covered by the provisions of the PSD1 (ECJ, September 2, 2021, aff. C-337-20, §42 and ECJ, March 16, 2023, aff. C-351-21 Beobank, §37). The French High Court explicitly referred to the ECJ rulings and ruled that, in the event of an unauthorized or improperly executed transaction, the user may only seek to hold their banking institution liable on the basis of the bank civil liability regime defined in articles L.133-18 to L.133-24 of the French Monetary and Financial Code, to the exclusion of any alternative liability regime (Cass. Com., March 27, 2024, n° 22-21.200).
The exclusion of any alternative regime is a matter of common sense: the civil liability regime places the - difficult - burden of proof of gross negligence on banks. In return, payment service users are required to report fraudulent transactions within 13 months. This enables banks to collect the data needed to verify the regularity of the payment transaction and to prove any negligence on the part of the user. Granting a right of action on the basis of an alternative civil liability regime, subject to the statute of limitations under ordinary law, would place banks at a distinct disadvantage compared with payment service users.
As banking fraud continues to evolve, it is crucial for banks, clients and regulators to stay informed and proactive. By understanding the legal challenges and obligations involved in fraud cases, stakeholders can better navigate this complex landscape and work towards more effective solutions.
Published: 29 Jul 2024