Apple Pay Fraud: Insufficient Proof of Strong Authentication – Court of Appeal of Paris, Division 4, Chamber 9a, 25 September 2025, No. 24/13440

The rapid development of digital payment services, such as the integration of bank cards into mobile application “wallets,” exposes consumers to new forms of fraud. Recently, the Paris Court of Appeal issued an important decision, reversing a first-instance judgment and firmly reminding a major bank (LCL – Le Credit Lyonnais) of its security obligation and the burden of proof regarding strong authentication.

The Background: A Disputed Debt and an Accusation of Gross Negligence

The case concerns Mr. [C] [X], holder of a bank account at LCL since January 2022. Between 16 and 21 July 2022, 64 transactions, totaling 7,300.24 euros, were fraudulently carried out on his account. The disputed transactions resulted from the registration of his bank card in the “Apple Pay wallet.”

At first instance, the consumer protection judge of Nogent-sur-Marne held that Mr. [X] had demonstrated gross negligence by failing to protect his personalized security data. The judgment of 30 July 2024 consequently ordered Mr. [X] to pay LCL the sum of 10,039.01 euros (debit balance) and dismissed his claims for damages and removal from the FICP (national register of household credit repayment incidents).

Mr. [X] appealed, disputing any negligence and emphasizing that it is the bank’s obligation to ensure security.

Strong Authentication: The Burden of Proof Lies with the Bank

At the heart of the dispute lies the question of strong authentication and proof of authorization of the transactions.

The Bank’s Obligations

The Monetary and Financial Code (Articles L. 133-23, L. 133-16, L. 133-44) imposes strict obligations on payment service providers. The bank must implement strong authentication when the payer accesses their online account, initiates an electronic payment transaction, or executes a remote transaction that may involve a risk of fraud.

In the event of a transaction being disputed by the user, the law is clear: it is incumbent upon the payment service provider to prove that the transaction in question was authenticated, duly recorded and accounted for, and that it was not affected by any technical or other deficiency. The mere use of the payment instrument is not sufficient to prove authorization by the payer or gross negligence on the payer’s part.

The Flaw in LCL’s System

The Court of Appeal found that the first-instance judge had reversed the burden of proof by focusing solely on the alleged negligence of Mr. [X].

The Court identified the following failures by LCL:

  1. Lack of irrefutable proof of authentication: LCL did not provide concrete and irrefutable proof of the proper functioning of the authentication system set up for Mr. [X]’s account or of the absence of any technical deficiency. The bank merely provided general documents with no connection to Mr. [X]’s specific case.
  2. The enigma of the six devices: LCL had, however, admitted before the mediator that the secret code sent to the customer had been communicated to third parties and registered on six different devices. The Court found it “surprising” that a single-use code would allow the bank card to be registered on six different devices, five of which were not the trusted phone declared by the customer, without proof of electronic validation for each one.
  3. Breach of the duty of vigilance: Mr. [X] highlighted flagrant anomalies that should have alerted the bank, triggering its duty of vigilance. Specifically, 64 transactions were carried out in only five days, for a total amount of 7,300.24 euros, which was disproportionate to Mr. [X]’s usual spending habits (32 transactions and 1,144.78 euros in average monthly expenditure). Moreover, 43 of the transactions took place in bars or tobacconists with PMU betting, which did not correspond to his habits. Finally, the transactions occurred in France, while Mr. [X] established that he was in Sweden during that period.

The bank thus failed to meet its obligations by not requiring strong authentication of the payer and by not carrying out a careful examination of the apparent anomalies on the account.

Reimbursement of Unauthorized Transactions

The Paris Court of Appeal reversed the initial judgment.

  • Reimbursement: LCL was ordered to reimburse Mr. [X] the amount wrongfully debited, namely 7,685.80 euros (covering the 7,300.24 euros of fraudulent transactions, plus fees and interest).
  • Confirmed debt: Mr. [X]’s initial liability was reduced to the remaining undisputed balance, namely 2,353.21 euros.
  • Damages: Because the bank’s resistance was deemed abusive, given its inability to prove negligence or the absence of a technical failure, LCL was ordered to pay 1,000 euros in damages to Mr. [X] for moral harm.
  • FICP: The request to remove Mr. [X]’s registration from the FICP was rejected, as he was in default (debtor of 2,353.51 euros) even before the fraud, justifying his registration.

In conclusion, this ruling reaffirms that the use of dematerialized payment instruments, such as Apple Pay, requires banks to demand strong authentication and, in the event of a dispute, to provide tangible evidence of the use of personalized data and the absence of technical failure. The burden of proof remains on the bank, even in the presence of indications of fraud.
