Banking Fraud and Secur’Pass: Strong Authentication Does Not Prove Client Consent – TJ Nice, 4th Civil Chamber, 10 February 2026, No. 24/00689

The judgment rendered by the Judicial Court of Nice on 10 February 2026 provides an interesting illustration of the application of the Monetary and Financial Code provisions on unauthorised payment transactions, particularly regarding the evidentiary value of strong authentication via the Secur’Pass system.

Faced with a bank that refused to reimburse 9,150.99 euros of fraudulent payments on the grounds that its strong authentication system had been used, the court recalls that the use of a security device is not sufficient to prove the consent of the account holder. This decision illustrates the rigor of the protective legal framework established by the Monetary and Financial Code, and confirms that the burden of proof of the client’s gross negligence rests with the bank.

Tribunal Judiciaire de Nice, 4th Civil Chamber, 10 February 2026, No. 24/00689

The facts: a fraud orchestrated through the fraudulent enrollment of Secur’Pass

Mrs. [N] [L], a client of the Caisse d’Épargne Côte d’Azur, was the victim of a sophisticated banking fraud in June 2023. The scheme began with the receipt of a first email on 20 June 2023, informing her that her strong authentication system “Secur Pass” had been registered on a new mobile phone. Alerted by this, she contacted her bank advisor the following day.

Three days later, on 23 June 2023, two new emails were received: the first, at 4:43 PM, confirmed the effective transfer of the Secur Pass system to another device; the second, at 4:52 PM, informed her of a temporary increase in the limit of her bank card. Mrs. [N] [L] reacted immediately by sending an email to her advisor at 5:51 PM to report that she was not the originator of these requests. Unfortunately, it was already too late: between 4:49 PM and 4:51 PM, three fraudulent payments had been made for a total amount of 9,150.99 euros.

📊 Chronology of the fraud

20 June 2023
• 1st email: Secur Pass registration in progress → Client alert

21 June 2023
• Contact with bank advisor (disputed version)

23 June 2023
• 4:43 PM: Secur Pass transfer confirmed
• 4:49-4:51 PM: 3 fraudulent payments (€9,150.99)
• 4:52 PM: Card limit increase
• 5:51 PM: Client alert (too late)

Despite filing a complaint for fraud on 19 July 2023, the Caisse d’Épargne refused to reimburse the amounts debited, considering that the payments had been duly authorized through the Secur Pass strong authentication system. Faced with this refusal, Mrs. [N] [L] brought the matter before the Judicial Court of Nice in February 2024.

The applicable legal framework: protection of the account holder in case of unauthorized payment

The principle of reimbursement in case of an unauthorized transaction

The Monetary and Financial Code establishes a protective regime for users of payment services who are victims of fraudulent transactions. Article L. 133-18 of the Monetary and Financial Code sets forth the principle that the payment service provider must immediately reimburse the amount of the unauthorized transaction and, where applicable, restore the debited account to the state it would have been in had the transaction not taken place.

This reimbursement must take place no later than the end of the first business day following the observation or notification of the transaction. Failing this, the amounts are subject to the enhanced statutory rate of interest, which constitutes a genuine penalty for the bank’s delay.

The burden of proof rests with the bank

Article L. 133-23 of the Monetary and Financial Code organizes the allocation of the burden of proof in a manner that is highly favorable to the client. When a user denies having authorized a payment transaction, it is incumbent upon the payment service provider to prove that the transaction in question was authenticated, duly recorded and booked, and that it was not affected by a technical deficiency or other failure.

In practice, the client victim need only challenge the transaction debited from their account. They are not required to demonstrate how the fraud occurred or to prove their own diligence. It is for the bank to establish the regularity of the transaction.

⚖️ Reversal of the burden of proof

CLIENT: denies having authorized the transaction

BANK must prove:
• Authentication
• Regularity
• Fraud or gross negligence

Strong authentication is not sufficient to prove consent

A crucial point of this judgment: Article L. 133-23 of the Monetary and Financial Code specifies that “the use of the payment instrument as recorded by the payment service provider does not necessarily in itself suffice to prove that the transaction was authorized by the payer or that the latter failed intentionally or through gross negligence to fulfill the obligations incumbent upon them in this regard.”

In other words, even if the bank can demonstrate that its strong authentication system was used, this does not in itself constitute sufficient proof of the account holder’s consent. The bank must go further and establish either that the client acted fraudulently or that they committed gross negligence.

This case law is in line with an important ruling by the Court of Cassation of 5 March 2025 (No. 23-22.687), which held that the user’s gross negligence cannot be inferred from the enrollment by a fraudster of a digital strong authentication key on a new device, even if this enrollment could only have occurred after the account holder disclosed a code known only to them.

The court’s analysis: the bank’s double failure in meeting the burden of proof

The absence of proof of authorization by the account holder

The court found that third parties had enrolled the Secur Pass on a new mobile phone, thereby removing Mrs. [N] [L]’s access to her own device. It was this new phone that received the validation codes for the disputed payment transactions as part of the strong authentication process.

The court logically concluded that Mrs. [N] [L] had not authorized the disputed payment transactions, since the enhanced validation code was received on a device other than her own. She was therefore not the person who completed the final step of the strong authentication process, which involved entering a code received by SMS.

The Caisse d’Épargne attempted to infer its client’s consent from the fact that the enrollment of Secur Pass on a new device had only been possible through the disclosure of her access codes and identifiers to a third party, following receipt of a fraudulent email in the name of the merchant site Amazon. However, the court rejected this argument: this presumed disclosure does not prove that Mrs. [N] [L] actually authorized the payments.

The insufficiency of computer logs to prove consent

The Caisse d’Épargne relied on its computer logs to attempt to demonstrate that the disputed transactions had been duly authorized by Mrs. [N] [L]. The court conducted a detailed analysis of these technical elements and concluded that they were insufficient as evidence.

The logs produced by the bank established that the Secur Pass strong authentication system had indeed been used during the disputed transactions. They also revealed that the device had been previously enrolled on a new mobile phone on 23 June 2023 at 4:43 PM, and that it was this new device that received the validation codes necessary for authenticating the payments made between 4:49 PM and 4:51 PM.

However, the court noted that these computer logs did not make it possible to identify with certainty the person who enrolled the Secur Pass on the new device, nor the person who subsequently entered the validation codes to authorize the payments. The logs attest only to the technical use of the device, but do not in any way prove that this use originated from Mrs. [N] [L] herself.

💻 Analysis of computer logs by the court

What the logs prove:
✓ Use of the Secur Pass system
✓ Enrollment on a new device
✓ Receipt of codes on this new device
✓ Entry of validation codes

What the logs do not prove:
✗ Identity of the person who performed the enrollment
✗ Consent of Mrs. [N] [L]
✗ Actual authorization by the account holder

The court emphasized that the Caisse d’Épargne cannot merely produce logs demonstrating the technical use of its security device. In accordance with Article L. 133-23 of the Monetary and Financial Code, this recorded use “does not necessarily in itself suffice” to establish that the transaction was authorized by the account holder.

In other words, even if the logs attest to the proper functioning of the strong authentication system and its use in compliance with the technical procedures, they do not constitute sufficient proof of Mrs. [N] [L]’s consent. The bank was required to go beyond this simple technical evidence to demonstrate that it was indeed the client who voluntarily carried out the disputed transactions.

The court underlined the fact that the logs, on the contrary, revealed a decisive element: the enrollment of Secur Pass on a device distinct from that of Mrs. [N] [L], which corroborates the client’s statements that she was not the originator of this enrollment or of the subsequent transactions. The bank’s computer data therefore confirms that the validation codes were received and entered on a phone that did not belong to the account holder.

The absence of proof of the client’s gross negligence

The court recalled that, pursuant to Article L. 133-19 of the Monetary and Financial Code, the payer bears the losses resulting from unauthorized transactions only if these losses result from fraudulent conduct on their part, or if they intentionally or through gross negligence failed to meet the obligations under Article L. 133-16 (the obligation to take all reasonable measures to preserve the security of the personalized security device).

The Caisse d’Épargne maintained that Mrs. [N] [L] had “necessarily been an actor, albeit unwilling, in the fraud” by communicating her confidential data, which would constitute gross negligence. The court dismissed this argument: the bank provided no concrete proof of this disclosure, and such disclosure cannot be inferred from the mere fact that the payment instrument and the personal data associated with it were effectively used.

🔍 Double failure of proof

What the bank had to prove → Result
1. That the transactions were authorized by Mrs. [N] [L] → ✗ FAILURE
2. That Mrs. [N] [L] demonstrated gross negligence → ✗ FAILURE

The court noted that Mrs. [N] [L] “vigorously” denies having communicated her personal data, and states that she only provided her bank card number to make an online purchase on Amazon, but not her login credentials. In the absence of evidence to the contrary from the bank, the court ruled in favor of the client.

Practical consequences: full reimbursement and compensation for non-pecuniary damage

Pursuant to Article L. 133-18 of the Monetary and Financial Code, the court ordered the Caisse d’Épargne to reimburse Mrs. [N] [L] the sum of 9,150.99 euros, together with the statutory rate of interest enhanced by fifteen percentage points. This enhancement constitutes a genuine penalty for the delay in reimbursement, which should normally have taken place on the first business day following notification of the disputed transaction.

Beyond the reimbursement of the fraudulently debited amounts, the court also awarded Mrs. [N] [L] the sum of 1,000 euros in compensation for her non-pecuniary damage. This harm resulted from the difficulties caused by the failure to provide immediate reimbursement, despite the client having promptly reported the disputed transactions to her bank.

The court noted that Mrs. [N] [L] was compelled to send several letters to the Caisse d’Épargne, which responded on 25 July 2023 that she had “certainly been negligent in communicating sensitive personal data without which these transactions would not have been possible” and that she had “necessarily been an actor, albeit unwilling, in the fraud.” These accusations, unfounded according to the court, caused Mrs. [N] [L] non-pecuniary damage distinct from that resulting from the mere delay in reimbursement.

The court also noted the material harm suffered by the client: while she was managing her accounts properly and had only an authorized overdraft of 1,000 euros, the debit of nearly 10,000 euros placed her in a situation of great financial hardship, with all her direct debit payments being rejected.

Finally, the Caisse d’Épargne was ordered to pay costs as well as to pay Mrs. [N] [L] the sum of 2,000 euros under Article 700 of the Code of Civil Procedure, to compensate for the irrecoverable costs incurred by the client.

Conclusion

This judgment of the Judicial Court of Nice illustrates the rigor of the protective framework established by the Monetary and Financial Code in favor of clients who are victims of unauthorized payment transactions. It recalls that the use of a strong authentication system, even a sophisticated one, is not sufficient to prove the consent of the account holder or to establish their gross negligence.

The decision highlights a particularly important lesson concerning the evidentiary value of computer logs: these technical data may establish the use of a security device, but they do not prove the identity of the person who used it or their consent. Banks therefore cannot hide behind their computer records to refuse reimbursement: they must provide concrete, rather than presumed, proof either of effective authorization by the client or of their gross negligence.

For clients who are victims of fraud, this case law is reassuring: it confirms that they benefit from robust protection, even when fraudsters manage to hijack strong authentication devices and the bank’s logs attest to the technical use of those devices. For banks, it underscores the importance of precisely documenting any failures by their clients beyond the mere production of their computer records, failing which they bear the full consequences of fraudulent transactions.

If you are the victim of banking fraud and your bank refuses to reimburse you, do not hesitate to assert your rights. The Lebot-Avocat firm specializes in banking law and assists individuals in their proceedings against their banking institution.

FAQ

My bank refuses to reimburse me after a fraud: what can I do?
If your bank refuses to reimburse you after a banking fraud, you have several remedies. Start by formally contesting this refusal by registered letter with acknowledgment of receipt, citing the provisions of Article L. 133-18 of the Monetary and Financial Code which requires the bank to immediately reimburse unauthorized transactions. If the bank persists in its refusal, you may refer the matter to the banking ombudsman free of charge. If that fails, you may bring legal proceedings before the Judicial Court. A lawyer specializing in banking law can assist you and maximize your chances of success.
Do I need to prove that I did not disclose my banking codes to obtain reimbursement?
No, you do not have to prove that you did not disclose your banking codes. Under Article L. 133-23 of the Monetary and Financial Code, it is for the bank to prove that you authorized the transaction or that you demonstrated gross negligence. You may simply challenge the fraudulent transaction and deny having authorized it. The bank cannot merely assert that the fraud would not have been possible without the disclosure of your codes: it must provide concrete proof of this disclosure and of the grossly negligent nature of your conduct.
Within what timeframe must my bank reimburse me after a fraud?
Under Article L. 133-18 of the Monetary and Financial Code, your bank must reimburse you no later than the end of the first business day following the observation or notification of the unauthorized transaction. If reimbursement is not made within this period, the amounts owed are subject to the statutory rate of interest enhanced by 15 percentage points, which constitutes a genuine penalty for the delay. If your bank fails to meet this deadline, it therefore risks having to pay you very significant interest in addition to reimbursing the defrauded amount.
Can I obtain compensation for the non-pecuniary damage caused by my bank’s refusal?
Yes, as illustrated by the judgment of the Judicial Court of Nice of 10 February 2026, you may seek compensation for the non-pecuniary damage caused by your bank’s unjustified refusal to reimburse you. This harm may result from the difficulties, stress, unfounded accusations of negligence, and the financial hardship caused by the failure to provide immediate reimbursement. In the Nice case, the client was awarded 1,000 euros in damages for non-pecuniary harm, in addition to full reimbursement of the defrauded amounts with enhanced interest.
What are my chances of success if I sue my bank after a fraud?
Your chances of success depend on the circumstances of the fraud, but the legal framework is very favorable to victims. The bank bears the burden of proof: it must demonstrate either that you authorized the transaction or that you demonstrated gross negligence. The use of the strong authentication system is not sufficient to discharge this burden. If you promptly challenged the fraudulent transactions with your bank and it cannot prove gross negligence on your part (for example, voluntary disclosure of all your codes to a third party), your chances of success are very high. A specialized lawyer can analyze your situation and advise you on the strategy to adopt.
Does the fact that my strong authentication system was used prove that I authorized the transaction?
No, Article L. 133-23 of the Monetary and Financial Code is very clear on this point: the use of the payment instrument or of the strong authentication system “does not necessarily in itself suffice to prove that the transaction was authorized by the payer.” Even if the fraudsters succeeded in diverting your strong authentication device (such as Secur Pass in the Nice case), this does not prove that you consented to the fraudulent transactions. The bank must go further and demonstrate your gross negligence, which is very difficult in practice. Recent case law from the Court of Cassation (5 March 2025) confirms this protective interpretation.
Can my bank’s computer logs prove that I authorized a fraudulent transaction?
No, as the Judicial Court of Nice held in its decision of 10 February 2026, the bank’s computer logs are not sufficient to prove your consent. These technical data may establish that the authentication system was used, that codes were entered, or that the system was enrolled on a new device, but they do not prove the identity of the person who performed these operations or their consent. The bank therefore cannot simply produce its computer records: it must concretely demonstrate that it was indeed you who authorized the transaction or that you committed gross negligence.