55logo mikael le bot avocat

Banking Fraud and Phone Number Change: When the Bank Must Reimburse – Court of Appeal of Paris, Pôle 5 Chamber 6, 18 February 2026, No. 24/13029

  • Banking Law

In a notable ruling of 18 February 2026, the Court of Appeal of Paris reversed a first-instance decision and ordered BNP Paribas to reimburse a client who was the victim of fraudulent transactions following a phone number change that the bank failed to properly verify.

In a notable ruling dated 18 February 2026, the Paris Court of Appeal overturned a first-instance decision and ordered BNP Paribas to fully reimburse a client who was a victim of banking fraud. This decision clearly illustrates the burden of proof that rests on banking institutions: it is not sufficient to merely assert that a client was negligent—such negligence must be proven in a tangible manner. For victims of sophisticated fraud involving, in particular, a fraudulent change of phone number, this ruling constitutes an important victory and serves as a reminder of the limits of the client’s liability.

Paris Court of Appeal, Division 5 Chamber 6, 18 February 2026, No. 24/13029

Table of Contents

The Facts: Remote Fraud During a Holiday

The case concerns Mr K., holder of a Visa Classic bank card issued by BNP Paribas. In July 2022, while he was abroad on holiday, he fell victim to a particularly sophisticated banking fraud. Three fraudulent transactions were carried out on 8, 9 and 11 July 2022, for amounts of €2,908.94, €2,079.85 and €5,342.54 respectively, representing a total loss of €10,331.33.

📅 Timeline of Events
7 July 2022, 11:52 PM
Phone number changed on the online banking account
8, 9 and 11 July 2022
Three fraudulent transactions → €10,331.33
13 and 15 July 2022
Payments disputed with the bank (4 days later)
1 August 2022
Online fraud report filed

The distinctive feature of this fraud lies in its technique: the fraudster first changed the phone number registered on Mr K.’s online banking account, then carried out the payment transactions using the complete data from his bank card (card number, expiry date, security code). This method, which is becoming increasingly common, allows fraudsters to bypass SMS-based validation systems.

Faced with BNP Paribas’s refusal to reimburse him, Mr K. brought proceedings against the bank before the Paris Judicial Court on 11 August 2023. At first instance, the court dismissed all his claims, finding that he had committed gross negligence. Unsatisfied with this decision, Mr K. lodged an appeal on 15 July 2024.

The Principle: The Bank Must Reimburse Unauthorised Transactions

The French Monetary and Financial Code establishes a principle of consumer protection against fraudulent banking transactions. Article L. 133-6 of the Monetary and Financial Code clearly states that a payment transaction is authorised only if the payer has given consent to its execution. Conversely, any transaction carried out without such consent is deemed unauthorised.

Article L. 133-18, paragraph 1, of the same code sets out the fundamental principle of reimbursement:

“In the event of an unauthorised payment transaction reported by the user under the conditions provided for in Article L. 133-24, the payer’s payment service provider shall reimburse the payer for the amount of the unauthorised transaction immediately after becoming aware of the transaction or after being informed thereof, and in any event no later than the end of the first business day following.”

In the present case, several essential elements were established and uncontested between the parties: the three transactions had indeed been carried out using Mr K.’s bank card data, without him being the author. The bank never disputed the fraudulent nature of these transactions. Mr K. had also complied with the dispute time limit, having reported the fraudulent transactions only four days after the first one—well within the thirteen-month legal time limit provided for in Article L. 133-24.

The Burden of Proof Rests on the Bank

Article L. 133-23 of the Monetary and Financial Code reverses the burden of proof in a manner particularly favourable to the client. Once a user disputes a payment transaction, it is for the bank to demonstrate that the transaction was authenticated, duly recorded and accounted for, and that it was not affected by any technical deficiency.

⚖️ Distribution of the Burden of Proof
CLIENT
Disputes the transaction

Presumed to be acting in good faith
BANK
Must prove:
✓ Authentication
✓ Recording
✓ No technical failure
✓ Client negligence

Most importantly, the statute adds a crucial clarification that played a decisive role in this case: “The use of the payment instrument as recorded by the payment service provider does not necessarily in itself constitute sufficient proof that the transaction was authorised by the payer or that the payer failed intentionally or through gross negligence to fulfil their obligations in this regard.”

In other words, the mere fact that the bank’s computer systems recorded a transaction proves nothing in itself. The bank must go further and demonstrate either that the client authorised the transaction, or that the client committed a sufficiently serious fault to justify the refusal of reimbursement.

The Exception: Gross Negligence by the Client

What Constitutes Gross Negligence?

Article L. 133-19 IV of the Monetary and Financial Code provides an exception to the reimbursement principle: the client bears the losses if they result from fraudulent conduct on their part or if they intentionally or through gross negligence failed to fulfil their obligations.

These obligations are defined in Article L. 133-16 of the Monetary and Financial Code: the client must take all reasonable measures to preserve the security of their personalised security data and use their payment instrument in accordance with the conditions governing its issuance and use.

The concept of “gross negligence” is not precisely defined by statute, but case law interprets it strictly. It does not mean simple carelessness or an ordinary lack of vigilance. Gross negligence implies conduct characterised by such recklessness, carelessness or imprudence as to reveal a complete indifference to the consequences of one’s actions.

⚠️
Examples of gross negligence recognised by case law:
  • Writing one’s PIN code on the bank card
  • Voluntarily sharing login credentials with a third party
  • Responding to a phishing email by providing all banking details
  • Leaving one’s card and PIN code accessible to others

In this case, BNP Paribas accused Mr K. of several alleged acts of negligence. The bank argued that the transactions could only have been carried out because Mr K. had necessarily:

– Validated the phone number change by clicking on a link received by SMS on 7 July 2022 at 11:52 PM
– Disclosed his username and password granting access to his online banking account
– Disclosed the complete data of his bank card (card number, security code, expiry date)
– Delayed in reporting the fraudulent transactions (four days after the first one)

Mere Assertions Are Not Sufficient

The Paris Court of Appeal swept aside the bank’s arguments with remarkable firmness. It held that “this simple reasoning does not in any way constitute proof that [Mr K.] committed any negligence whatsoever”.

The judges noted that the bank “fails to demonstrate the existence of any positive act that can be attributed with certainty to [Mr K.] and that would constitute negligence on his part”. The court continued: “It merely attributes actions to him that it fails to prove and that he disputes, and asserts that he received text messages and emails without even proving that they were sent, let alone received.”

🔍 Legal Analysis: The Requirement for Concrete Evidence
What the bank asserts:
“The client necessarily clicked on the SMS, communicated his login credentials, disclosed his banking data…”
What the bank actually proves:
Nothing tangible. No SMS produced, no trace of validation, no evidence of any positive act by the client.

This position is consistent with the settled case law of the Cour de cassation, which requires tangible and objective evidence. Logical deductions or scenarios reconstructed by the bank are not sufficient. Material evidence is required: screenshots, detailed computer logs, proof of sending and receiving messages, and demonstration of a voluntary and identifiable action by the client.

In this case, the bank produced only tables that it had itself prepared, without any external or objective evidence. No SMS was produced, no proof of its sending or receipt was provided, and no trace of a validation click by Mr K. was demonstrated.

The court also noted an important contextual element: Mr K. was abroad on holiday at the time of the events. He did not necessarily have daily access to his online bank statements, and his response within four days appeared, in this context, entirely diligent and reasonable.

The Decision: The Bank Is Ordered to Pay

Full Reimbursement

The Paris Court of Appeal therefore overturned the first-instance judgment and ordered BNP Paribas to reimburse Mr K. the total sum of €10,331.33, corresponding to the exact amount of the three fraudulent transactions.

This order is based on a strict application of Article L. 133-18 of the Monetary and Financial Code: as long as no gross negligence is proven and the transactions are clearly unauthorised, the bank must fully reimburse the client. There is no room for any proportional reduction or sharing of liability.

✓ Ruling of the Court
Reversal of the first-instance judgment
BNP Paribas ordered to reimburse €10,331.33
Interest at the statutory rate from 11 August 2023 (date of the summons)
Capitalisation of interest granted
Legal costs: €2,000 awarded to the client
Court costs: borne by the bank

Interest and Capitalisation

Beyond the reimbursement of the principal, the court awarded Mr K. interest at the statutory rate from 11 August 2023, the date the court proceedings were initiated. This starting date is significant: it corresponds to the moment when the bank was formally put on notice by judicial process to proceed with the reimbursement.

Mr K. had sought the application of enhanced late-payment penalties provided for by a legislative amendment that came into force on 18 August 2022. However, the court rejected this claim on the grounds that the disputed transactions dated from July 2022, i.e. before the new regime came into force. The principle of non-retroactivity of legislation requires this outcome.

On the other hand, the court granted the request for capitalisation of interest on the basis of Article 1343-2 of the Civil Code. This mechanism allows interest that has accrued for at least one year to itself produce interest, thereby increasing the amount owed to the creditor. This decision is consistent with recent case law from the Cour de cassation (3rd Civil Chamber, 20 March 2025, No. 23-16.765).

The court also ordered BNP Paribas to pay Mr K. the sum of €2,000 in respect of irrecoverable costs (Article 700 of the Code of Civil Procedure), as well as all court costs. These sums compensate the legal fees and other procedural costs incurred by the client in obtaining a favourable ruling.

The court, however, rejected the claim for damages for non-pecuniary harm. On this occasion, it reiterated a well-established principle of case law: when the liability of a payment service provider is sought in connection with an unauthorised or improperly executed transaction, only the specific liability regime of the Monetary and Financial Code (Articles L. 133-18 to L. 133-24) applies, to the exclusion of any other general law regime. This rule, affirmed by several decisions of the Commercial Chamber of the Cour de cassation (27 March 2024, No. 22-21.200; 2 May 2024, No. 22-18.074; 15 January 2025, No. 23-13.579), prevents victims from combining the reimbursement provided for by the Monetary and Financial Code with damages based on the general law of civil liability.

A Debatable Position on Non-Pecuniary Damages

While one can only welcome the firmness with which the Paris Court of Appeal defended the rights of the fraud victim, the systematic rejection of any compensation for non-pecuniary harm nevertheless warrants certain critical observations.

By relying on the exclusive nature of the special regime of the Monetary and Financial Code, case law disregards the reality of the suffering experienced by victims of banking fraud. It is not merely a temporary financial loss that will be reimbursed: being a victim of banking fraud generates intense stress, a feeling that one’s privacy has been violated, a loss of confidence in banking institutions and, very often, a considerable mental burden linked to the dispute process and the litigation that follows.

In the case under review, Mr K. found himself deprived of over €10,000 during a holiday abroad, had to undertake complex procedures with his bank, file a criminal complaint, and then conduct legal proceedings for more than two and a half years before obtaining a favourable ruling on appeal. These inconveniences, this anxiety and this lost time indisputably constitute non-pecuniary harm distinct from the mere financial loss.

The argument based on the exclusive nature of the special regime is legally well-founded but questionable from the standpoint of fairness. The Monetary and Financial Code does organise a protective regime regarding the reimbursement of unauthorised transactions, but nothing in this legislation expressly states that this protection must be exclusive and preclude any supplementary compensation. The exclusivity results from a construction of case law which, while it may be justified by a concern for consistency and predictability, in practice deprives victims of full compensation for their losses.

One could moreover argue that when a bank unjustifiably and without tangible evidence refuses to reimburse a client who is a victim of fraud, thereby compelling them to bring lengthy and costly legal proceedings, this constitutes a separate fault that could give rise to general law liability. This fault would lie not in the payment transaction itself, but in the bad faith or manifest carelessness with which the banking institution handled its client’s complaint.

A development in case law or legislation allowing compensation for the non-pecuniary harm suffered by victims of banking fraud, at least in cases where the bank manifestly and abusively refused to proceed with reimbursement, would be desirable. It would send a strong signal to banking institutions, encouraging them to treat their clients’ complaints with greater diligence and goodwill, rather than systematically forcing them to resort to the courts to assert their rights.

Practical Lessons from This Decision

This ruling by the Paris Court of Appeal of 18 February 2026 constitutes an instructive decision that reaffirms several essential principles in the area of banking fraud.

**First lesson: consumer protection remains the rule.** The regime of the Monetary and Financial Code was designed to protect users of payment services against the risks inherent in dematerialised payment methods. This protection is not merely theoretical: it requires the bank to reimburse as a matter of principle, unless it can demonstrate a characterised fault on the part of the client.

**Second lesson: the burden of proof weighs heavily on the bank.** It is not enough to invoke hypothetical negligence or reconstruct a logical scenario. The bank must produce concrete, objective and verifiable evidence of positive acts committed by the client. Internal tables, general assertions or logical deductions do not constitute sufficient evidence.

**Third lesson: gross negligence is assessed strictly.** Courts do not readily accept the existence of gross negligence. The mere fact of having been a victim of fraud, even sophisticated fraud, does not automatically mean the client was negligent. Fraudsters use increasingly elaborate techniques (phishing, social engineering, identity theft) that can deceive even prudent and vigilant individuals.

**Fourth lesson: the dispute time limit is assessed flexibly.** In this case, a delay of four days between the first fraudulent transaction and the dispute was deemed entirely reasonable, given that the client was abroad on holiday. Courts take concrete circumstances into account and do not penalise a client who acts with normal diligence having regard to their personal situation.

**Fifth lesson: the special regime of the Monetary and Financial Code is exclusive.** Fraud victims cannot combine the reimbursement provided for by this code with claims for damages based on other legal grounds (contractual or tortious liability under general law). This exclusivity is both an advantage (simplified procedure, quasi-automatic reimbursement) and a limitation (inability to obtain compensation for non-financial losses).

For victims of banking fraud, this decision is particularly encouraging. It demonstrates that appellate courts can correct first-instance decisions when they have been overly harsh towards the client. It also underscores the importance of promptly disputing suspicious transactions and gathering all factual evidence to demonstrate one’s good faith and absence of negligence.

⚡ In Practice: What to Do in Case of Fraud
1. Immediately block the bank card
2. Dispute the fraudulent transactions in writing (registered letter or email) with the bank
3. File a criminal complaint with the police
4. Gather all evidence (statements, screenshots, suspicious emails)
5. If reimbursement is refused, do not hesitate to consult a specialist lawyer and bring legal proceedings

This case also illustrates the evolution of fraud techniques. The fraudulent change of phone number is now a standard preliminary step allowing fraudsters to intercept validation SMS messages and bypass strong customer authentication. Banks must adapt their security systems accordingly, for example by requiring enhanced verification for any change to sensitive contact details.

Finally, this ruling is part of a consistent body of case law from the Cour de cassation that requires banks to rigorously prove the client’s gross negligence. This evidentiary requirement constitutes an essential safeguard to prevent banking institutions from too easily shifting their liability onto their clients, even when security flaws or shortcomings in surveillance systems may be at fault.

For BNP Paribas and other banking institutions, this decision serves as a reminder of the need to improve both their real-time fraud detection systems and their client complaint handling procedures. The cost of legal proceedings (reimbursement of the principal, interest, capitalisation, legal fees) is generally higher than the cost of a swift amicable reimbursement. A more conciliatory approach at the amicable stage would avoid numerous disputes.

## Conclusion

The ruling handed down by the Paris Court of Appeal on 18 February 2026 constitutes an exemplary application of the protective regime established by the Monetary and Financial Code for the benefit of banking fraud victims. By overturning the first-instance judgment, the court firmly reaffirms that the mere assertion of negligence is not sufficient: the bank must provide concrete and tangible proof.

This decision sends a clear message to banking institutions: they cannot simply reconstruct a theoretical scenario to attribute fault to the client. The burden of proof rests entirely with them and such proof must be rigorous, objective and incontrovertible. Logical deductions, however plausible, are no substitute for material evidence.

For victims of banking fraud, this ruling is an important victory that reminds them that they have effective rights and that the courts are prepared to enforce them. One should not hesitate to firmly contest refusals of reimbursement and, if necessary, to bring legal proceedings with the assistance of a lawyer specialising in banking law.

At Lebot Avocat, we regularly assist victims of banking fraud in their claims against their banking institution. Our expertise in banking law and fraud litigation enables us to analyse your situation, build a strong case and effectively defend your interests before the competent courts. Do not wait for the dispute time limits to expire: contact us promptly for an initial assessment of your situation.

FAQ

What is the time limit for disputing a fraudulent transaction on my bank account?
You have a period of 13 months from the date of the debit to dispute an unauthorised transaction with your bank, in accordance with Article L. 133-24 of the Monetary and Financial Code. After this period, you are time-barred, meaning you lose your right to dispute. However, it is strongly advised to act as quickly as possible as soon as you notice a suspicious transaction. In the case discussed, the client disputed within four days, which was deemed perfectly reasonable. The faster you react, the more you demonstrate your good faith and vigilance.
Can the bank refuse to reimburse me if I have been a victim of fraud?
In principle, no. The bank has a legal obligation to immediately reimburse you for unauthorised transactions as long as you dispute them within the prescribed time limits. However, it may refuse reimbursement in two cases: if you acted fraudulently or if you committed gross negligence. But be aware: it is for the bank to prove such fraud or gross negligence. As the ruling of 18 February 2026 reaffirms, mere assertions or assumptions are not sufficient. The bank must provide concrete and objective evidence of your fault. In the absence of such evidence, reimbursement is mandatory.
What constitutes gross negligence that could justify my bank’s refusal to reimburse?
Gross negligence is a concept strictly assessed by judges. It does not mean simple carelessness, but rather conduct revealing a total disregard for the consequences of one’s actions. Examples include: writing your PIN code on your bank card, voluntarily sharing all your login credentials with a third party, leaving your card and PIN code accessible to others, or responding to an obvious phishing email by disclosing all your data. Conversely, the mere fact of having been deceived by a sophisticated fraud technique (such as identity theft or a fraudulent phone number change) does generally not constitute gross negligence, particularly if you took the usual precautions.
My bank refuses to reimburse me despite my dispute: what are my options?
If your bank refuses reimbursement, you have several remedies. First step: submit a formal written complaint to the bank’s complaints department by registered letter with acknowledgement of receipt. Second step: if the response is unsatisfactory or if you receive no response within two months, you may refer the matter free of charge to the banking ombudsman (contact details are available on the bank’s website and contractual documents). Third step: in the absence of an amicable resolution, you may bring legal proceedings before the judicial court. As this ruling demonstrates, the chances of success are real if the bank cannot prove your gross negligence. The assistance of a lawyer specialising in banking law is strongly recommended to maximise your chances.
Can I obtain damages in addition to the reimbursement of the defrauded sums?
In principle, no. Case law is now well established on this point: the special regime provided for by the Monetary and Financial Code (Articles L. 133-18 to L. 133-24) is exclusive. You cannot combine the reimbursement of the defrauded sums with damages for non-pecuniary harm or other losses based on the general law of civil liability. This is what the Paris Court of Appeal reaffirmed in its ruling of 18 February 2026, dismissing the client’s claim for non-pecuniary damages. However, you can obtain interest at the statutory rate on the unreimbursed amount, as well as reimbursement of your legal fees (Article 700 of the Code of Civil Procedure) if you obtain a favourable ruling.
How can I prove I was not negligent if my bank accuses me of having disclosed my codes?
Good news: it is not for you to prove that you were not negligent; it is for the bank to prove that you were. This is the principle of reversal of the burden of proof provided for in Article L. 133-23 of the Monetary and Financial Code. However, to strengthen your case, you can: keep all evidence demonstrating your usual vigilance (history of secure connections, regular password changes, no prior negligence); gather evidence of the fraud technique used (copies of phishing emails, suspicious text messages, screenshots); file a criminal complaint promptly with the police (the receipt will constitute evidence of your good faith); and document your swift reaction upon discovering the fraud. The more your behaviour demonstrates your normal vigilance, the less the bank will be able to attribute gross negligence to you.
1521 2281 max

Need Personalized Legal Advice?

Don’t face your questions alone. A lawyer can call you back for free to review your situation.

Be Contacted by a Lawyer

Need Personalized Legal Advice?

GDPR:

Similar Articles

assets task 01jwrq9pdjfa8sga5c49zttjvv 1748881531 img 1

Blocked Retirement Savings and Guarantee: Assets Count Despite Unavailability – Cass. com., 5 November 2025, No. 24-16.389, Published in the Bulletin

In a ruling of 5 November 2025, the Court of Cassation restricts the protection of guarantors by requiring that funds placed in a retirement savings ...

assets task 01jx05vcemetna0vzmvyjsc7ad 1749131663 img 0

Sale-Loan Interdependence: Is the Repayment of Capital an Unfair Burden on the Buyer Who Is the Victim of Fraud?

Consumer law has long developed the concept of contractual interdependence to ensure better protection for consumers. This approach allows several contracts, such as a sale ...

contrat

Law No. 2025-1058 of 6 November 2025: New Developments in the Fight Against Banking Fraud

The legislator has recently shown a very marked interest in the crucial question of combating banking fraud. Law No. 2025-1058 of 6 November 2025, published ...