The judgment rendered by the Court of Appeal of Paris (pole 4 ch. 9 a) on 25 September 2025 (No. 24/13440) provides an interesting illustration of the liability of payment service providers for unauthorized transactions, particularly those involving dematerialized instruments such as Apple Pay. This decision underscores the importance of strong authentication and the rigorous nature of the burden of proof resting on banks.
I. Factual Context and First Instance Decision
The case involved Mr. [C] [X], holder of an account opened with LCL – Le Crédit Lyonnais since 28 January 2022, against his bank, concerning disputed payment transactions. Between 16 and 22 July 2022, 64 transactions totaling 7,300.24 euros were made on Mr. [X]’s account via the Apple Pay application. Mr. [X] disputed these transactions on 26 July 2022 and filed a complaint on 3 October 2022.
The consumer protection judge (juge des contentieux de la protection) of Nogent-sur-Marne, before whom LCL had initially brought a claim for payment, rendered a judgment on 30 July 2024. This judgment ordered Mr. [X] to pay LCL the sum of 10,039.01 euros as the debit balance of the account. The first judge held that Mr. [X] had shown gross negligence by failing in his obligation to preserve the security of his personalized data. This negligence, according to the first judge, deprived him of his right to reimbursement of the disputed 7,300.24 euros. In support of this decision, the judge noted that the bank card had been activated on the “Apple Pay wallet” of a phone he did not dispute possessing, and that a one-time code had been entered to authorize the card registration.
Mr. [X] appealed on 1 August 2024, contesting the gross negligence found against him.
II. The Legal Framework of Authentication and the Burden of Proof
The Court of Appeal recalls the strict legal regime governing payment services, deriving in particular from the Monetary and Financial Code (CMF).
A. The Obligations of the Payment Service Provider
Pursuant to Article L. 133-44 of the CMF, the payment service provider (PSP) is required to apply strong customer authentication (two-factor) when the customer accesses their online account, initiates an electronic payment transaction, or executes a transaction by remote communication means that may involve a risk of fraud.
Furthermore, Articles L. 133-16 and L. 133-17 of the CMF require the bank to ensure that personalized security data are accessible only to the authorized user and to implement the appropriate means for blocking the instrument in the event of loss, theft, or unauthorized use.
B. The Burden of Proof Incumbent on the Bank
Article L. 133-23 of the CMF is at the heart of the dispute and imposes on the PSP a dual burden of proof when the payer denies having authorized a transaction:
- Technical proof of the transaction: It is incumbent on the PSP to prove that the disputed transaction was authenticated, duly recorded and accounted for, and that it was not affected by a technical or other deficiency.
- Proof of the client’s fault: The mere use of the payment instrument is not sufficient to prove authorization by the payer or his gross negligence. The PSP must provide evidence to prove the user’s fraud or gross negligence.
The Court notes that the payer bears no financial consequence if the unauthorized transaction was carried out in a case where the PSP did not require strong authentication, unless the payer acted fraudulently.
III. Analysis of the Court of Appeal of Paris Decision
The Court of Appeal held that the first judge had reversed the burden of proof by finding Mr. [X] negligent without first requiring the bank to prove proper authentication and the absence of technical deficiency.
A. Failure of Proof of Authentication and Technical Deficiency
LCL claimed to have implemented an enhanced security system (two-factor strong authentication). However, the Court found that the bank provided no concrete and irrefutable evidence of the proper functioning of the authentication it had specifically implemented for Mr. [X]’s account in July 2022, nor of the absence of technical deficiency. It merely submitted general documents.
A key element noted by the Court is LCL’s own acknowledgment that the card had been registered on six different devices with a single code, without proof of electronic validation for each device. The Court considered it “surprising” that a degree of strong authentication would allow such multiple registration. This failure to meet the strong authentication requirement for an electronic payment system such as Apple Pay engages the PSP’s liability.
B. Absence of Proof of Client’s Gross Negligence
The Court notes that LCL also fails to establish that Mr. [X] voluntarily or through gross negligence handed over his confidential information to the fraudster. The consumer mediator, although he rejected the claim, did not call into question Mr. [X]’s good faith, referring to “fraud induced by the use of the Apple Pay application without his knowledge.”
Furthermore, Mr. [X] established that he was in Sweden from 20 July 2022, while the 64 disputed transactions took place in France between 16 and 22 July 2022.
C. Breach of the Bank’s Duty of Vigilance
The Court also held that the bank had breached its duty of vigilance by failing to examine Mr. [X]’s account. It should have noticed apparent anomalies, such as:
- An abnormally high number of card payments (64 transactions in five days, versus an average of 32 per month).
- Expenditure totaling over 7,000 euros in five days, an amount disproportionate to his habits (average monthly amount of 1,144.78 euros).
- Transactions made for the benefit of recipients never used before.
IV. Ruling and Consequences
Consequently, the Court of Appeal of Paris reversed the first instance judgment:
- Reimbursement of fraudulent sums: LCL is ordered to reimburse Mr. [X] the sum of 7,685.80 euros (i.e., 7,300.24 euros unduly debited, plus fees and interest).
- Debit balance maintained: The amount Mr. [X] is ordered to pay the bank as the debit balance of his account is reduced to 2,353.21 euros, corresponding to transactions of which he is the author.
- Damages: LCL is ordered to pay 1,000 euros to Mr. [X] in damages for moral harm resulting from the bank’s abusive resistance.
- FICP Registration: The request for removal of Mr. [X]’s registration with the FICP (national register of defaulting borrowers) is rejected. The Court recalled that Mr. [X] was in default of his obligations and his account had been in debit since 10 March 2022, justifying the registration well before the fraud.
In conclusion, this ruling recalls the strict liability of the PSP in the event of unauthorized payment transactions, and reaffirms that proof of the client’s gross negligence cannot be inferred from the mere fact that the payment instrument or the personal data linked to it were used. The PSP must positively and irrefutably demonstrate the proper technical execution of the strong authentication operations it implemented, as well as the absence of any system deficiency, an obligation which LCL failed to meet in this case.


