Mobile payment services such as Apple Pay are revolutionizing our habits, but they also expose us to new forms of fraud. A frequent situation is one where a fraudster manages to use your banking information to make payments via Apple Pay, not from your phone, but from their own device. Fortunately, French case law is very clear: the bank has strict obligations, and the mere transmission of data is not always sufficient to prove your gross negligence.
1. The remote fraud scenario: Your device is intact, your account is debited
Imagine the classic situation: you are contacted by an individual posing as your bank (often through “vishing”, that is, impersonation by telephone). Under the pretext of blocking fraudulent transactions or confirming the order of a new card, this fraudster manipulates you into providing an SMS code. In reality, this code activates an Apple Pay service linked to your card, not on your phone, but on the fraudster’s iPhone.
You, the victim, may not even own an iPhone, or may be completely unaware of what Apple Pay is, thinking for example you are confirming a transaction via another service like PayPal. The result is the same: your account is debited by transactions you never authorized, carried out from a device that is not yours.
2. The legal framework: The payer’s protection is paramount
The Code monétaire et financier (CMF) is your ally. Several articles are determinative in understanding your rights and your bank’s obligations:
- The bank’s obligation to reimburse immediately (Article L. 133-18 CMF): As soon as you report an unauthorized transaction, your bank is obligated to reimburse you immediately, and no later than the end of the following business day. It can only avoid this obligation if it has “good reasons to suspect fraud by the user” and communicates them in writing to the Banque de France.
- The principle of the payer’s absence of liability (Article L. 133-19 CMF): You bear no financial consequence if the unauthorized transaction was carried out without your knowledge, particularly if the payment instrument or the data related to it were misappropriated. The bank can only hold you liable if the losses result from fraudulent conduct on your part or from gross negligence in your security obligations.
- The burden of proof lies with the bank (Article L. 133-23 CMF): This is a fundamental provision. When you deny having authorized a transaction, it is for your payment service provider (the bank) to prove that the transaction was authenticated, duly recorded and accounted for, and that it was not affected by a technical deficiency. The use of the payment instrument alone is not sufficient to prove your authorization or gross negligence. The bank must provide additional evidence to prove your fraud or gross negligence.
3. “Gross negligence”: A concept strictly interpreted by judges, especially in cases involving a different device
The bank will often attempt to discharge its liability by invoking your “gross negligence.” However, courts are very demanding and only find gross negligence in specific and manifest cases:
- Absence of a link with the victim’s usual device: Judges consider that gross negligence cannot be inferred from the mere use of confidential data to carry out fraudulent transactions. What is crucial is whether you voluntarily or through gross imprudence made available to the fraudster a “payment instrument” that the bank had provided to you.
- Case of Mr. [J] (Court of Appeal of Rouen, Civil and Commercial Chamber, 16 May 2024, No. 23/01917): The court held that Mr. [J] had not committed gross negligence. The Court emphasized that no “Apple Pay” payment instrument had been provided by the bank to Mr. [J], and that he was unaware that such a system had been opened in his name and linked to his bank card. The fact that the fraudster used their own iPhone, “entirely separate” from Mr. [J]’s, was a key element. The communication of the SMS code in this context did not constitute a breach of his obligations.
- Case of Mrs. [Z] (Tribunal Judiciaire de Bordeaux, Protection and Proximity Division, 14 January 2025, No. 23/03800): The victim had an Android smartphone and not an iPhone, making the use of Apple Pay incompatible with her own device. The fact that she may have confused Apple Pay with PayPal and entered her details in error was not deemed gross negligence by the court, which concluded there was no proof of such negligence.
- Case of Mrs. [P] (Tribunal Judiciaire de Marseille, Proximity Division, 30 June 2025, No. 23/03281): The bank failed to prove that the transactions had been carried out via Mrs. [P]’s “trusted” device. The court noted that “the recording of these transactions does not demonstrate that the device used is the trusted device designated by Mrs. [M] [P], the mobile phone number not being displayed anywhere”. Moreover, the bank did not establish that “the transaction authorization message was sent to Mrs. [P] and accepted by her”.
- Case of Mr. [U] (Tribunal Judiciaire de Paris, Civil Proximity Division, 17 December 2024, No. 23/07071): Despite the transmission of codes following a vishing scam, the court noted that Mr. [U] “was not subsequently alerted about the registration of a new phone linked to his bank card, since the prevention messages were then only addressed to the fraudster.” The bank did not sufficiently demonstrate the client’s gross negligence.
- Case of Mr. [P] (Tribunal Judiciaire de Paris, 9th Chamber, 2nd Section, 10 September 2024, No. 23/10492): The fact that Mr. [P] did not immediately react to a fraud suspicion SMS of 5 July 2022 was not deemed gross negligence, especially as another alert had proved inaccurate and the fraudulent transactions only began more than a month later.
- The level of sophistication of the fraud: If the fraud is particularly sophisticated, notably with the display of a phone number identical to the bank’s or the fraudster’s knowledge of personal information, the client’s gross negligence is even more difficult for the bank to prove.
4. The bank’s duty of strong authentication: a crucial flaw in cases of third-party devices
The bank has a paramount obligation: that of requiring strong authentication of the payer for remote electronic payment transactions or those presenting a risk of fraud.
- Consequences of the absence of strong authentication: If the bank does not apply strong authentication, you bear no financial consequence, unless fraudulent conduct on your part is proven.
- Proof of strong authentication: It is for the bank to prove that the transaction was authenticated and was not affected by a technical deficiency.
In cases where a fraudulent device is used, the bank often has difficulty proving that this strong authentication was indeed carried out by the genuine account holder. Courts require the bank to prove that “the transaction authorization message was sent to Mrs. [P] and accepted by her”. Similarly, it was incumbent upon Bforbank “to require strong identification of the payer, in this case Mr. [J], it being noted that it is undisputed that the iPhone used by the fraudster to make these multiple payments was entirely separate from the one used by Mr. [J].” The bank’s failure to prove this strong authentication on the victim’s legitimate device, or its acceptance, is often the key to the victim’s success.
For example, in a case decided by the TAE de BOBIGNY, the Court fully reimbursed the client, finding that “In pleading negligence pursuant to Article L133-17 of the Code monétaire et financier, LCL points to the client’s lack of reaction to the SMS and the entire beneficiary addition process, but does not corroborate this, nor the absence of anomaly, with probative evidence despite the invitation to do so; In this case, it does not produce new evidence, and does not justify the electronic certification or the sending of the SMS on which it relies to plead strong authentication. Consequently, the Court will order CREDIT LYONNAIS to pay Mr. [F] [G] the sum of 12,308.98 euros” (T. com. Bobigny, ch. 07, 22 July 2025, No. 2023F00924).
5. Steps to follow to obtain your reimbursement
Faced with Apple Pay fraud carried out from a device that is not yours, every step matters:
- Report immediately: As soon as you notice unauthorized transactions, contact your bank to block your card and report the transactions. The faster you act, the better.
- File a complaint: Go to the gendarmerie or police station. Insist on the fact that the transactions were not carried out from your device, and if you do not have an iPhone, mention it specifically.
- Refer to the Tribunal Judiciaire: If the previous steps fail, you will need to summon your bank before the court.
In conclusion: Do not give in to the bank’s pressure!
French case law is in your favor when the bank fails to prove that the unauthorized transactions resulted from gross negligence on your part, and especially when the payments are carried out via a device that is not yours or whose link to your account was not strongly authenticated by you.
If your bank refuses reimbursement, do not hesitate to consult LE BOT AVOCAT, a banking law firm. They can analyze the specifics of your situation and support you in the necessary steps to obtain the restitution of sums unduly debited from your account. Courts are increasingly attentive to security flaws and banks’ attempts to too easily shift liability onto their clients.
Banking Fraud and Third-Party Devices: Your Rights to Reimbursement
Have you been the victim of banking fraud in which the unauthorized transactions were carried out via a device (phone, computer, etc.) that is not yours? This is a key argument for obtaining reimbursement from your bank. Discover how the courts assess this situation and what your rights are.
1. What is an unauthorized payment transaction and why is the device used crucial?
A payment transaction is considered unauthorized if you did not consent to its execution. Your bank is obligated to reimburse you the full amount of the transaction immediately after being informed, unless it has “good reasons to suspect fraud by the user.”
The fact that the transaction was initiated or validated from a device that is not yours is an essential element in demonstrating that you did not consent to the transaction and that you did not commit gross negligence.
2. How does the fact that the device used for the fraud is not mine help me obtain reimbursement?
This fact is determinative because it considerably weakens the bank’s position if it attempts to attribute gross negligence to you or assert that the transaction was authenticated:
- Absence of payment instrument or associated system: If the bank has not proved that a payment instrument (such as Apple Pay) was provided to you or that you opened such a system in your name, the communication of a code to a fraudster to activate an Apple Pay account on their device does not constitute a breach of your obligations.
- Device incompatibility: If you do not own the type of phone compatible with the system used by the fraudster (for example, an Android phone when the fraud was carried out via Apple Pay on iPhone), this demonstrates that you could not have initiated the transaction via that device.
- Fraudster’s distinct device: The fact that the phone used by the fraudster for the payments is entirely separate from yours is a major argument. The fact that the fraudster used their own fingerprint on their own phone to authenticate the transactions is not strong authentication of the legitimate payer.
- Geographical location: If you can prove that you were not at the locations where the disputed transactions were recorded, this reinforces the argument that the device used was not yours and that you could not have initiated these payments.
3. Can my bank allege “gross negligence” against me if the transaction was carried out from a third-party device?
No, in many cases, the fact that the transaction was carried out from a device you do not own or control makes it difficult for the bank to prove your gross negligence:
- Burden of proof on the bank: It is for the bank to prove your gross negligence. This proof cannot be inferred from the mere fact that the payment instrument or personal data related to it were used.
- Confusion or sophistication of the fraud: Having confused two payment systems (e.g. Apple Pay and PayPal) or having been the victim of a particularly sophisticated scam (such as “vishing” where the fraudster impersonates the bank and manipulates the victim) is not considered gross negligence, especially if you had no knowledge of the opening of a system in your name on a third-party device.
- Misdirected security alerts: If the prevention messages concerning the registration of a new phone linked to your bank card were addressed to the fraudster and not to you, the bank cannot hold you at fault for not having been alerted.
4. What is strong authentication and how does the use of a third-party device impact this requirement for the bank?
Strong customer authentication is a mandatory security measure for your bank during remote electronic payment transactions. It must establish a dynamic link between the transaction, the amount, and the given beneficiary.
- Absence of strong authentication of the legitimate payer: When transactions are carried out from the fraudster’s device, even if the fraudster uses their own fingerprint or a code they managed to obtain, this does not constitute strong authentication of the legitimate payer (you).
- Bank’s obligation to prove authentication: Your bank must prove that the transaction was “authenticated, duly recorded and accounted for and that it was not affected by a technical or other deficiency.” If it cannot demonstrate that the transaction was validated from your trusted device, or that an authorization message was sent to you and accepted by you, it has not met its strong authentication obligation.
- Consequences of the failure of strong authentication: If the transaction was carried out without the bank requiring strong authentication on your part, you bear no financial consequence, unless fraudulent conduct on your part is proven (which is different from gross negligence).
5. What evidence can I provide to demonstrate that the device was not mine?
To support your case, consider the following elements:
- Invoice or proof of purchase of your phone: To demonstrate that you own an incompatible model (e.g. Android if the fraud is via Apple Pay).
- Account statements or usage histories: To show that you do not habitually use the payment service in question (e.g. habitual use of PayPal, no Apple Pay).
- Proof of your location: If you were physically absent from the locations where the transactions were carried out, this suggests that the device used was not yours.
- Absence of notification of new device registration: If your bank cannot prove that it alerted you to the registration of a new device on your account, this strengthens your position.
6. What are the consequences for my bank if it fails to prove my gross negligence or proper authentication on my device?
If the bank fails to prove your gross negligence or that the transactions were strongly authenticated without technical deficiency, it will be ordered to:
- Reimburse the full amount of the stolen sums: The bank must restore the amount of the unauthorized transactions. These sums will be increased by interest at the statutory rate from the date of formal notice.
- Cover your legal costs (Article 700 CPC): The bank will generally be ordered to pay you a sum to cover part of your lawyer’s fees and other costs not included in the court costs.
- Bear the court costs: The procedural costs (dépens) will be borne by the bank.
- Provisional enforcement of the judgment: The first instance judgment will be enforceable as of right, meaning the bank will have to reimburse you without awaiting the outcome of a possible appeal, unless the judge decides otherwise for exceptional reasons.
Important: Claims for damages for “abusive resistance” or “moral prejudice” are often rejected if reimbursement of the stolen sums is granted, as courts consider that this already repairs the direct financial loss.


