Cass. com., 26 March 2025, No. 23-21.299
The Court of Cassation, in a judgment rendered by its Commercial, Financial and Economic Chamber on 26 March 2025, had the opportunity to reiterate the criteria for gross negligence of the payment services user, in the context of unauthorized payment transactions. This decision, although classified as “Unpublished,” strengthens the protection of the user against their payment service provider (the bank) in matters of liability.
The Facts Giving Rise to the Case
The case originates from an unfortunately common situation: fraudulent cash withdrawals made from a bank client’s account.
- The Victim and the Bank: The user concerned, Ms [U], held an account with Societe Generale.
- The Disputed Transactions: Between 2 December 2019 and 19 June 2020, numerous cash withdrawals were made at automated teller machines. These transactions were debited from Ms [U]’s account.
- The Instrument Used: Notably, these withdrawals were carried out using four bank cards successively held by Ms [U] during this period. The total amount of the disputed withdrawals was 3,290 euros.
- The Client’s Responses: Ms [U] blocked her bank cards on several occasions: on 15 February 2020, 19 April 2020, 28 April 2020 and 20 June 2020. With each blocking, she disputed the withdrawals that had been made. An important detail highlighted by the judgment is that the PIN associated with the fourth bank card was changed.
- The Refusal to Reimburse: Faced with these unauthorized withdrawals, Ms [U] requested that Societe Generale refund the debited amounts. However, the bank refused to proceed with the reimbursement.
It was this refusal that led Ms [U] to take legal action to obtain the bank’s condemnation.
The Proceedings Before the District Court
Ms [U] summoned Societe Generale before the Lille District Court.
The court, in its judgment of 22 November 2022, dismissed Ms [U]’s claims. To justify its decision, the court found that the bank had established Ms [U]’s “gross negligence” based on the following elements:
- The bank produced card authentication certificates establishing that the cards had not been counterfeited.
- The PIN had been used for each withdrawal.
- The disputed withdrawals (24 in total) and undisputed withdrawals (17) had been made at the same ATMs.
- The disputed withdrawals were sometimes followed or preceded by undisputed withdrawals, using the four different bank cards.
- Ms [U] had only changed her PIN with the fourth card, after its issuance, and even after this change, a new disputed withdrawal had taken place (on 19 June 2020).
- The time periods for Ms [U]’s disputes of the withdrawals varied (2 and a half months, 25 days, 11 days, 20 days).
- The two criminal complaints filed by Ms [U] with the authorities had not led to prosecution.
In the court’s view, all of these facts demonstrated that Ms [U] had failed in her obligation to take all measures to safeguard the security of her personalized security credentials.
The Appeal and the Court of Cassation’s Position
Ms [U] filed an appeal in cassation against this judgment. She argued that while the user does have security obligations, it is for the payment service provider (the bank) to prove fraud or gross negligence. Above all, she relied on the argument that such proof cannot be inferred from the mere fact that the payment instrument or the data associated with it (the PIN) were effectively used. She maintained that the court had based its decision precisely on this mere effective use.
The Court of Cassation ruled in her favor. Recalling the provisions of Articles L. 133-23, L. 133-19, IV, and L. 133-16, paragraph 1 of the French Monetary and Financial Code, the Court confirms that it is indeed for the payment service provider to prove the user’s fraud or gross negligence.
Above all, it states a clear principle: “Gross negligence cannot be inferred from the mere fact that the payment instrument or the personal data associated with it were effectively used.”
The Court then observes that the Lille District Court dismissed Ms [U]’s claims on the basis that the cards had not been counterfeited and that the PIN had been used, as well as on the circumstances surrounding these withdrawals (similarity with undisputed withdrawals, successive use of cards, PIN change, dispute time periods, absence of prosecution).
In ruling thus, i.e., by inferring gross negligence from elements relating to the effective use of the payment instruments and the security data, the court violated the provisions of the French Monetary and Financial Code.
Significance of the Decision
This judgment is important because it sanctions the practice of quasi-automatically inferring the user’s gross negligence from the mere use of the PIN or the payment instrument by a third party. The Court of Cassation reaffirms that the burden of proof weighs heavily on the bank. The bank must demonstrate a breach by the user of their security obligations that is of particular gravity (gross negligence) or intentional, and this breach must result from specific elements other than the mere observation of fraudulent use.
In this case, although the court had listed several facts (dispute time periods, judicial outcomes, etc.), the Court of Cassation considers that the essence of its reasoning rested on the effective use of the PIN and cards, which is deemed insufficient to characterize gross negligence.
The Court therefore quashed and set aside the judgment of the Lille District Court and remanded the case to the Douai District Court for rehearing in light of the principles it reiterated.
In conclusion, this decision reminds payment service providers of the requirement for solid and specific proof in order to attribute liability for unauthorized transactions to their client’s gross negligence. The mere use of the payment instrument and security data by a fraudster is not sufficient to exempt the bank from its obligation to reimburse.
