55logo mikael le bot avocat

Banking Fraud: Conditions for the Right to Reimbursement Clarified by the CJEU (Veracash Ruling – CJEU, 1 August 2025, C-665/23)

  • Banking Law

An important decision of the Court of Justice of the European Union (CJEU) was rendered on 1 August 2025 in Case C-665/23 concerning Veracash. This ruling clarifies crucial points of the Payment Services Directive regarding the right to reimbursement for unauthorized payment transactions.

An important decision of the Court of Justice of the European Union (CJEU) has just been rendered, on 1st August 2025, in Case C-665/23 concerning Veracash. This ruling clarifies crucial points of Directive 2007/64/EC, known as the Payment Services Directive in the internal market (PSD1), notably with regard to the right to reimbursement for unauthorized payment transactions.

CJEU, 1st August 2025, C-665/23

The Context: a dispute between a consumer and Veracash SAS

The case involved a consumer against Veracash SAS, a company with which he held a gold deposit account. In March 2017, Veracash sent a new withdrawal and payment card to the consumer. Between late March and mid-May 2017, daily withdrawals were made from this account. The consumer maintained that he had never received the card nor authorized these withdrawals.

The crux of the problem lay in the reporting delay. The consumer reported the withdrawals on 23 May 2017, nearly two months after the first disputed withdrawal. The French first instance and appeal courts dismissed his reimbursement claim, holding that the report had not been made “without delay” as required by the Code monetaire et financier (which transposes PSD1), even though it had been made within the maximum thirteen-month period provided by law.

The French Court of Cassation, seized of the consumer’s appeal, decided to refer preliminary questions to the CJEU to clarify the interpretation of the directive. The stakes were high: could a late report, even within the 13-month period, deprive a consumer of their right to reimbursement? And if so, under what conditions and to what extent?

The CJEU Decision: a double condition, but crucial nuances

The CJEU, in its ruling of 1 August 2025, provided essential clarifications, structured around the three questions posed:

1. The obligation to report “without delay” and the “thirteen-month” period: two distinct and cumulative conditions

The Court first confirmed the literal interpretation of Article 58 of Directive 2007/64/EC. To obtain the correction of an unauthorized transaction, the payment service user must report it to their provider “without delay” AND “no later than thirteen months after the debit date”.

  • The “without delay” period: This is a subjective obligation, triggered as soon as the user becomes aware of the unauthorized transaction. It requires acting as soon as possible, given the circumstances. This objective is preventive, aimed at reducing the risks and consequences of unauthorized transactions.
  • The “thirteen-month” period: This is an objective obligation, running from the debit date of the transaction. It is a maximum period beyond which any action is time-barred, ensuring legal certainty for both parties.

The CJEU emphasizes that considering compliance with the thirteen-month period alone as sufficient would undermine the preventive purpose of the “without delay” reporting and the balance of interests established by the directive.

In substance, a user is in principle deprived of their right to reimbursement if they did not report the transaction “without delay,” even if they did so within the thirteen months.

2. Deprivation of the right to reimbursement: only in the case of intention or gross negligence

This is where the decision provides a fundamental and protective nuance for the consumer. The Court specified that deprivation of the right to reimbursement is NOT automatic in the event of a simple delay.

When an unauthorized transaction results from the loss, theft, misappropriation, or any unauthorized use of a payment instrument (such as a bank card), the payer is deprived of their right to reimbursement only if they delayed reporting the transaction intentionally or as a result of gross negligence.

  • Gross negligence: The Court defines it as a characterized breach of a duty of diligence. The assessment must take into account all circumstances, in accordance with national law.
  • Fraudulent conduct: If the payer has acted fraudulently, they bear all losses. Apart from fraud, the payer bears no financial consequence for the use of the instrument after notification of loss/theft/misappropriation.

This interpretation is essential to preserve the practical effect of Article 61(2) of the directive, which limits the payer’s liability to cases of fraud or intentional/gross negligence misconduct. It reflects the EU legislator’s intention to promote greater user protection in cases of theft or loss of a payment instrument.

3. Successive transactions: liability linked to causation

Regarding successive unauthorized payment transactions resulting from the same loss, theft, or misappropriation of the instrument, the Court ruled that the payer is deprived of their right to reimbursement only for the losses resulting from the transactions they intentionally or through gross negligence delayed reporting.

This approach recognizes a direct causal link between the payer’s conduct (intentional or grossly negligent delay) and the specific losses they will not be able to recover. The assessment of the tardiness and the negligence must be made for each individual transaction.

The Court recalls that Article 61(2), which establishes the payer’s liability, is a derogatory provision from the principle of provider liability (Article 60(1)) and must therefore be subject to strict interpretation. This means that the burden of proving the payer’s fraud or gross negligence rests on the payment service provider.

Practical implications for consumers:

  • The incentive to promptly report any unauthorized transaction or the loss/theft of the payment instrument remains paramount. It is your duty to report “without delay.”
  • However, this decision offers you enhanced protection. A simple unintentional delay not due to gross negligence will no longer, in principle, suffice to deprive you of your right to reimbursement.
  • Be aware that if your delay is intentional or the result of gross negligence (for example, if you manifestly ignored flagrant warnings), you could lose your right to reimbursement, including for all amounts if fraud or gross negligence is established.
  • Banks can no longer systematically refuse reimbursement by invoking a simple reporting delay (even if it is beyond the “without delay” but within the 13 months).
  • To discharge their liability, banks will have to prove the payer’s fraudulent conduct or their intentional gross negligence in reporting.
  • The burden of proof lies with the bank to demonstrate that the transaction was authenticated, recorded, and not affected by a technical failure, as well as, where applicable, the payer’s intentional fault or gross negligence.
  • The banks’ obligation to make available appropriate means for notification remains essential. In the event of a failure by the bank, the payer is not required to bear the losses (except in case of fraud).

In Conclusion

This CJEU ruling is a clear reminder of the delicate balance the European legislator intended to establish between the liability of users and that of payment service providers. It reinforces consumer protection by requiring the provider to prove a characterized fault (intention or gross negligence) on the part of the payer to deprive them of their right to reimbursement in the event of a late but within-13-months report. It also underscores that, even in the case of fault, only the losses directly linked to that fault can be charged to the payer.

FAQ: Banking fraud and your rights to reimbursement

Have you been the victim of an unauthorized payment transaction? Has your bank card been lost or stolen? Understand your rights through the recent CJEU decision that strengthens consumer protection against banking fraud.

Am I obligated to report “without delay” an unauthorized transaction to my bank?

Yes, in principle, you have a dual reporting obligation:

  1. “Without delay”: You must report the transaction as soon as you become aware of it. This is a “subjective” obligation, triggered by your awareness of the unauthorized transaction.
  2. “No later than thirteen months following the debit date”: This is a maximum “objective” period for legal certainty.

The CJEU confirmed that the right to correction of a transaction is, in principle, lost if the report is not made “without delay,” even if it is made within the thirteen months. Non-compliance with the “without delay” obligation may compromise the preventive objective of this obligation.

Can my bank refuse to reimburse me if my report is deemed “late”?

This is where the CJEU decision significantly strengthens your rights. No, your bank cannot refuse reimbursement simply because your report was “late,” if this delay was neither intentional nor the result of gross negligence on your part.

This principle applies specifically to unauthorized payment transactions resulting from the loss, theft, misappropriation, or any unauthorized use of your payment instrument.

Your right to reimbursement can only be set aside if:

  • You acted fraudulently.
  • Your delay in reporting the transaction was intentional.
  • Your delay was due to gross negligence, i.e. a “characterized breach of a duty of diligence” on your part.

The Court underscores that the directive’s objective is to promote greater user protection in the event of theft or loss of a payment instrument. A simple delay, if it is not intentional or does not stem from gross negligence, can therefore no longer justify a refusal to reimburse.

Who must prove “gross negligence” or “fraudulent conduct”?

The burden of proof lies with your payment service provider (your bank). If you deny having authorized a transaction, it is for the bank to prove that the transaction was authenticated, duly recorded, and not affected by a technical failure.

The use of your payment instrument, as recorded by the bank, is not sufficient on its own to prove that you authorized the transaction, that you acted fraudulently, or that you breached your obligations intentionally or through gross negligence. The bank must provide concrete evidence of your characterized fault.

What happens if there are several successive unauthorized transactions?

If several unauthorized transactions follow one another, all linked to the same loss, theft, or misappropriation of your payment instrument, you will only be deprived of reimbursement for the losses resulting DIRECTLY from the transactions you intentionally or through gross negligence delayed reporting.

The Court insisted that the payer’s liability is a derogation from the general principle of bank liability and must be strictly interpreted. This means the bank cannot hold you liable for all losses if your fault (intentional or gross negligence) only concerned part of the reporting or did not cause all the losses.

What should I do if I am the victim of an unauthorized transaction?

  1. Immediately report the loss, theft, or misappropriation of your payment instrument to your bank or the designated entity. Your bank is obligated to make appropriate means available to you to do so at any time.
  2. Report “without delay” any unauthorized transaction you discover, and no later than thirteen months following the debit date.
  3. If your bank refuses reimbursement citing a late report (but within the 13 months), remind it of the CJEU decision (Case C-665/23, Veracash, 1 August 2025). Insist that it must prove your fraudulent conduct or your intentional gross negligence to justify a refusal.
  4. Know that, except for fraudulent conduct on your part, you bear no financial consequence resulting from the use of a lost, stolen, or misappropriated payment instrument, occurring after you have notified it.
  5. If your bank has not provided you with appropriate means to report the loss or theft of your payment instrument, you are not required to bear the financial consequences, except in the case of fraud on your part.
1521 2281 max

Need Personalized Legal Advice?

Don’t face your questions alone. A lawyer can call you back for free to review your situation.

Be Contacted by a Lawyer

Need Personalized Legal Advice?

GDPR:

Similar Articles

assets task 01jwrq9pdjfa8sga5c49zttjvv 1748881531 img 1

When Is the Guarantor ‘Called Upon’ by the Creditor? (Com. 9 July 2025, 24-18.368, Unpublished)

As a guarantor (caution), you play an essential role in the financing of a business or project. However, the guarantee commitment carries serious consequences, and ...

délai pour agir

Unauthorized Transactions: Reporting Within 13 Months, Legal Action Within 5 Years – The Cour de Cassation Clarifies the Rules – Com. July 2, 2025, No. 24-16.590

In cases of banking fraud, the speed of the victim’s reaction is often crucial, and it is indeed required by European legislation to dispute unauthorized ...

1x1 vieil avocat tr s surpris tenant

Nullification of a One-Million-Euro Protective Seizure

In the context of a dispute relating to a loan agreement, Le Bot Avocat represented the interests of a company subject to a protective seizure ...