Payment services law, governed by the Monetary and Financial Code (CMF), rests on a delicate balance between user protection and the liability of the payment service provider. While the principle is that of immediate reimbursement for unauthorised transactions, recent case law has tightened the evidentiary requirements imposed on victims. The judgment rendered by the Commercial Chamber of the Court of Cassation on 4 February 2026 (No. 22-22.609) clarifies that the right to reimbursement is conditional upon proof of the user’s diligence.
Cass. com., 4 February 2026, No. 22-22.609
I. The Facts: A Late and Incomplete Report
In this case, a couple (the [U] or [L] spouses, depending on the documents) discovered four fraudulent debits on their bank account between June and August 2018, totalling more than 3,500 euros. These transactions had been validated through the 3D Secure authentication system.
The victims filed a complaint with the National Gendarmerie on 13 July 2018, nearly a month after the first debits of 1,500 euros. Faced with their bank’s (Credit Agricole) refusal to reimburse them, they initiated legal proceedings. The Toulouse Court of Appeal dismissed their claims on 7 September 2022, a decision upheld on appeal to the Court of Cassation.
II. The Legal Reasoning of the Court of Cassation
The victims’ appeal was based on a challenge to the burden of proof. They argued that by requiring them to prove the date on which they had notified the bank, the lower court judges had violated Articles L. 133-17 and L. 133-19 of the CMF. However, the Court of Cassation upheld the reasoning of the lower court judges according to a rigorous legal framework.
1. Notification: A Prerequisite for Reimbursement
The Court recalls that under Articles L. 133-18 and L. 133-24 of the CMF, the user must report an unauthorised transaction “without undue delay” upon becoming aware of it. The Supreme Court states, in an unprecedented manner, that:
“The user must have reported it without undue delay to their payment service provider from the moment they became aware of it and, at the latest, within thirteen months of the date of the debit.”
The notification is not a mere formality but a “prerequisite for immediate reimbursement”. Accordingly, it falls upon the user to prove not only that they made this notification, but also the exact time at which it was made.
2. The Insufficiency of Reporting to Law Enforcement Authorities
The Court of Cassation upheld the finding of the Court of Appeal: the report filed with the gendarmerie, made belatedly relative to the debits, does not substitute for the notification owed to the bank. The judges found that debits of 1,500 euros “could not have gone unnoticed” and that the absence of proof of an immediate alert to the bank constituted a breach of duty.
III. The Burden of Proof: An Apparent Reversal?
The appellants argued that the burden of proving negligence lies with the bank under Article L. 133-23 of the CMF. However, the Court of Cassation draws a distinction: while the bank must prove negligence in order to be released from liability, the user must first demonstrate that they have fulfilled their own statutory obligations (prompt notification) in order to be eligible for the reimbursement regime.
In this case, since the spouses “failed to provide evidence of the date on which they had notified the bank of the fraudulent use”, they could not claim reimbursement, regardless of the other grounds raised.
Practical Advice for Victims of Banking Fraud
To avoid being met with a similar decision, here are the essential recommendations drawn from case law:
- Act immediately: As soon as you discover a suspicious transaction, contact your bank. A delay of a few weeks is now deemed excessive by the courts, especially for significant amounts.
- Secure proof of your notification: Avoid phone calls that leave no trace. Sending by registered letter with return receipt or by email should be systematically preferred in order to officially date your notification.
- Be thorough in your declaration: To be admissible, your notification must be precise. Specify the account number, the date, the exact amount and the beneficiary of each disputed transaction. However, exercise caution: there is no need to provide additional details, particularly regarding your exchanges with the fraudsters, and do not mention that you validated the transactions, as all such information may be used against you by the bank to refuse reimbursement and invoke your gross negligence before the court.
- Distinguish between a complaint and a notification: Filing a complaint with the police is useful, but it is legally distinct from notifying your bank. The latter is the only action that triggers the obligation to reimburse.
