The question of reimbursement of sums debited following unauthorized transfers, often linked to fraud such as phishing, is at the heart of numerous disputes between users and their banks.
Two rulings by the Cour de cassation, handed down on 30 April 2025, provide an opportunity to illustrate the requirements set by the highest court when a bank seeks to invoke the gross negligence of its customer (Cass. com., 30 avr. 2025, n 24-10.149, Published in the Bulletin; Cass. com., 30 avr. 2025, n 24-13.663, Unpublished).
The Code monetaire et financier, in particular articles L. 133-19, IV, and L. 133-23, alinea 1er, provides that if a payment service provider (PSP) intends to make the user of a payment instrument bear the losses caused by an unauthorized transaction — even if it was made possible by an intentional breach or gross negligence on the part of the user with respect to the obligations under articles L. 133-16 and L. 133-17 — it must first prove that the transaction in question was authenticated, duly recorded and posted, and that it was not affected by a technical or other deficiency.
This prior proof requirement weighs heavily on PSPs, and the Cour de cassation has consistently reinforced this burden of proof through its rulings. The characterization of the user’s gross negligence can only occur after the PSP has fulfilled this primary obligation.
Two Complementary Decisions of 30 April 2025: Principle and Illustration
The two rulings of the Commercial Chamber of the Cour de cassation of 30 April 2025 are particularly instructive and complement each other.
The Affirmation of the Principle: The Cour de cassation Censures the Failure to Provide Prior Proof (Cass. com., 30 avr. 2025, n 24-10.149, Published in the Bulletin)
In this case, the company [M] [H] held an account with Credit agricole mutuel du Finistere. Following the addition of a beneficiary and seven unauthorized transfers between 27 November and 3 December 2020, the company sued the bank for reimbursement of the debited sums. The Court of Appeal of Rennes had dismissed the claim, finding that Mr. [H] had shown gross negligence by clicking on a fraudulent email containing easily detectable inconsistencies, after having already been warned by his adviser.
However, the Cour de cassation quashed and set aside the ruling of the Court of Appeal of Rennes. The reason? The court of appeal had not verified whether the transfers had been properly authenticated, duly recorded and posted, and that they had not been affected by a technical or other deficiency. The mere fact of establishing the user’s gross negligence is not sufficient if the bank has not first proven the technical regularity of the transactions. The case was referred back to the Court of Appeal of Angers. This decision firmly reaffirms the heightened burden of proof on PSPs.
The Proof Is “Heavy but Not Impossible”: Dismissal of the Appeal for Lack of Sufficient Prior Proof by the Bank (Cass. com., 30 avr. 2025, n 24-13.663, Unpublished)
The second ruling illustrates that, although the proof requirement is demanding, it is not insurmountable. Mr. [U] challenged a transfer made on his account with Milleis banque, claiming to have been the victim of fraud and requesting reimbursement. The bank had refused, invoking gross negligence on the part of Mr. [U]. The Tribunal judiciaire de Nantes had dismissed Mr. [U]’s claim, considering that he had clearly neglected the bank’s SMS warnings and that the bank had proven it had implemented the necessary security measures.
The Cour de cassation dismissed the appeal of Mr. [U]. It noted that the findings of the tribunal, based in particular on the “log files” produced by the bank, established that Mr. [U] had validated all of the operations that enabled the disputed transfer, including the modification of his secret code and the validation of the transfer using a temporary secret code with a warning. These elements made it possible to rule out that the transfer could have resulted from a technical deficiency and confirmed that the transactions had been authenticated, duly recorded and posted.
Implications for Payment Service Providers and Users
These decisions highlight the paramount importance of technical evidence. PSPs can no longer simply establish their customer’s gross negligence to reject a reimbursement request. They must first demonstrate the reliability of their system and of the transactions by proving:
- The authentication of the transaction.
- The recording and posting of the transaction.
- The absence of any technical or other deficiency having affected the transaction.
“Log files” and other technical data are becoming decisive elements in these disputes. It is imperative for PSPs to meticulously preserve these technical records, as they are the key to providing the prior proof required by the Cour de cassation. The Cour de cassation thus calls for a shift in the debate: the question of the user’s gross negligence is only relevant once the bank has established its own technical diligence.
Conclusion
These two rulings of 30 April 2025, although distinct in their outcome, send a clear message: the protection of payment service users is strengthened. The Cour de cassation maintains a firm line regarding the burden of proof on PSPs. Before being able to invoke the user’s gross negligence, banks must imperatively demonstrate the regularity and technical integrity of the transaction. This approach ensures greater transparency and better security for consumers, while encouraging financial institutions to exercise heightened vigilance and maintain impeccable technical documentation.
