The use of mobile payment services, such as Apple Pay, simplifies our daily transactions. However, in the event of fraud, the fight for reimbursement can prove long and arduous for consumers. A recent decision of the Court of Appeal of Chambery (CA Chambery, 1re ch., 9 September 2025, No. 23/00184) serves as a forceful reminder of the burden of proof that lies on banking institutions and severely sanctions their lack of diligence and their “abusive resistance” (resistance abusive).
The Facts: Apple Pay fraud and persistent bank refusal
The case involved Mrs. [K] [X], holder of an account at Credit Agricole des Savoie, against her bank. Between 8 and 16 February 2021, Mrs. [X] was the victim of 15 fraudulent transactions, totaling 1,800.95 euros. These transactions took place while she was in Haute-Savoie and she claimed to have remained in possession of her bank card. The disputed purchases involved various amounts (including two large and unusual transactions of 809.00 EUR and 549.00 EUR) and were located in the vicinity of [Localite 12].
Despite filing a complaint on 9 March 2021 and referring the matter to the French Banking Federation Mediator, the bank refused to cover this claim. Worse, the refusal to reimburse led to the worsening of Mrs. [X]’s overdraft, leading to her registration on the FICP (National File of Incidents of Repayment of Credits to Individuals) on 13 July 2021.
The core of the dispute: the burden of proof and gross negligence
At first instance, the Tribunal Judiciaire d’Annecy had already ordered the bank to reimburse the 1,800.95 euros and to pay 1,000 euros for abusive resistance.
On appeal, the Caisse Regionale de Credit Agricole Mutuel des Savoie argued that the negligent fault of Mrs. [X] was the exclusive cause of her loss, in particular because she had activated the Apple Pay service, thereby enabling the disputed purchases. The bank advanced that the payments had been “duly authenticated” within the meaning of the Code monetaire et financier (CMF).
The Court of Appeal of Chambery recalled the fundamental principles of the CMF, notably Articles L133-10 IV and L133-23. While the user must take reasonable measures to secure their personalized security devices (Art. L133-16 and L133-17 CMF), it is for the payment service provider to prove that the user who denies having authorized a transaction acted fraudulently or failed intentionally or through gross negligence (negligence grave) to fulfill their obligations. The provider must also prove that the disputed transaction was authenticated, duly recorded and accounted for, without being affected by a technical failure.
The bank’s lack of evidence regarding Apple Pay
The Court found that Credit Agricole had provided no technical details linking the 15 specific transactions to the use of Apple Pay.
Although the bank produced evidence showing that a one-time code had been sent to Mrs. [X]’s phone on 7 February 2021 at 14:24, enabling the activation of the Apple Pay service on her Wallet, this was not sufficient to relieve the bank of its liability.
The Court of Chambery was categorical:
- No proven link: It was in no way established that the 15 disputed transactions had been carried out via this service. The provider merely advanced a hypothesis (that Mrs. [X] had left her Apple phone at the disposal of a third party) without providing concrete evidence.
- Failure of Strong Customer Authentication (SCA): In the presence of transactions of a significant and unusual amount (849 EUR and 549 EUR), carried out by means of remote communication susceptible of involving a risk of fraud, it was incumbent upon Credit Agricole to require strong identification of the payer (based on two or more elements belonging to the categories of knowledge, possession, or inherence, and independent – L133-4 CMF). The lack of proof of this strong authentication was upheld by the Court.
Having failed to demonstrate the regularity of the transactions, the fraud, or the gross negligence of its client, the bank was upheld in its condemnation to reimburse 1,800.95 euros.
Condemnation for abusive resistance and bank charges
The Court confirmed the condemnation of 1,000 euros in damages for abusive resistance. This sanction is justified by the fact that Credit Agricole had not fully justified the grounds for its refusal despite Mrs. [X]’s numerous steps (complaint, mediator), thereby aggravating her loss.
Regarding the bank charges levied, the Court corrected the amount awarded at first instance, ruling anew. It calculated that if the fraudulent transactions had not occurred, certain charges (intervention fees, debit interest) would have been avoided. The bank was ordered to reimburse 250 euros in improperly charged bank fees, instead of the initial unspecified amount or the 364.31 euros claimed by Mrs. [X].
FAQ: Victims of Apple Pay Fraud – Your Rights and Steps
This FAQ is based on the legal principles stated in the Court of Appeal of Chambery ruling of 9 September 2025.
What should I do immediately if I notice fraudulent transactions via a service like Apple Pay?
You must inform your payment service provider without delay of any unauthorized use of the payment instrument or data related to it. In the case at hand, the victim filed a complaint and contacted her bank, as well as the French Banking Federation Mediator.
My banker claims I am liable because the transaction was authenticated. Is this sufficient to refuse reimbursement?
No. As a payment provider, the bank must provide proof not only that the transaction was authenticated, duly recorded and accounted for, but also that it was not affected by a technical failure. Above all, if you deny having authorized the transaction, it is for the bank to prove that you acted fraudulently or failed intentionally or through gross negligence to fulfill your obligations. The mere activation of a service (such as Apple Pay) is not sufficient proof that the specific transactions were carried out through this means, nor that there was gross negligence on your part.
What is “gross negligence” in this context?
The law requires the bank to prove that you did not fulfill intentionally or through gross negligence your obligations. The Court of Chambery held that the bank could not simply advance a hypothesis that the client had left a phone at the disposal of a third party. The provider must demonstrate the client’s negligence to be exonerated from its liability.
What is Strong Customer Authentication (SCA) and when must it be used?
Strong authentication relies on the use of at least two elements belonging to the following categories: knowledge (information held by the client), possession (something in the client’s possession), and inherence (something the user is). These elements must be independent. This authentication must be mandatorily used for electronic payment transactions and for any transaction by means of remote communication, especially if the transaction is of a significant or unusual amount.
Can the bank be condemned for abusive resistance?
Yes. If the bank refuses reimbursement without full justification of the grounds, forcing the client to undertake lengthy and costly steps (complaint, mediation, court action), this attitude may be sanctioned by the award of damages for abusive resistance (such as the 1,000 euros awarded in the Chambery ruling).
If the fraudulent transactions caused me an overdraft, can I demand reimbursement of bank charges?
Yes. The bank must restore bank charges (intervention fees, debit interest) that were caused by these fraudulent transactions. The aim is to fictionally restore the operation of your account as if these transactions had never existed. However, the Court may revise this amount if it considers that certain charges would have been levied even in the absence of the fraud.
