Banking Phishing: The Burden of Proving Gross Negligence Lies with the Bank – CA Besançon, 1st Civil and Commercial Chamber, 10 February 2026, No. 24/01852

When faced with a fraudulent transfer on your bank account, can your bank refuse to reimburse you by invoking your « gross negligence » (négligence grave)? The Court of Appeal of Besançon has just recalled that this concept, which protects banks, must be interpreted strictly. In this decision of 10 February 2026, it confirms that a mere click on a fraudulent link does not, in itself, constitute a fault sufficiently serious to release the institution from its liability. An important decision for all clients who are victims of banking fraud.

Court of Appeal of Besançon, 1st Civil and Commercial Chamber, 10 February 2026, No. 24/01852

The Background: SMS Fraud and an Unauthorised Transfer

On 25 April 2023, Mrs Z received an SMS allegedly sent by her bank, the Banque Populaire de Bourgogne Franche-Comté (BPBFC), informing her of a supposed block on her bank card. This type of fraudulent message is known as « phishing ». Mrs Z then clicked on the link contained in this SMS. A few days later, on 28 April 2023, she noticed that a transfer of 4,998 euros had been debited from her account without her authorisation. She immediately contacted her bank on 29 April to report this fraudulent transaction and request reimbursement of the stolen sum. She also filed a complaint with the gendarmerie.

The Bank’s Refusal: Invoking Gross Negligence

By letter dated 15 May 2023, the BPBFC refused to reimburse Mr and Mrs Z. The bank acknowledged that the transaction had not been authorised by the clients, but considered that Mrs Z had committed « gross negligence » by clicking on the fraudulent link. According to the bank, the fraudulent transaction was carried out via strong authentication from the mobile application, which would mean that the identifiers and passwords had been used. The BPBFC deduced that Mrs Z had necessarily communicated these confidential elements to the fraudsters, which, in its view, constituted a fault sufficiently serious to release it from all liability.

Faced with this refusal, Mr and Mrs Z brought proceedings before the Judicial Court of Besançon. On 3 December 2024, the court ruled in their favour and ordered the bank to reimburse them the 4,998 euros plus 3 euros in transfer-related fees. The BPBFC then appealed this decision.

The Applicable Legal Framework

To properly understand this case, one must know the legal framework that protects victims of banking fraud. This framework rests primarily on the Monetary and Financial Code, which transposed the European PSD2 Directive (Payment Services Directive 2) of 25 November 2015.

Strong Authentication: A Requirement for the Bank

Articles L. 133-4 and L. 133-44 of the Monetary and Financial Code require banks to implement a strong authentication system to secure remote payment transactions. Strong authentication generally relies on two elements from the following three: something the client knows (a password), something they possess (their phone), and something they are (fingerprint, facial recognition).

The Strong Authentication System
• Knowledge: code, password
• Possession: phone, card
• Inherence: fingerprint, face
Principle: At least 2 of these 3 elements must be verified to validate a sensitive transaction

This system is designed to ensure that only the genuine account holder can make payments. In this case, the BPBFC used a system called « Secur’Pass » based on this enhanced authentication principle.

Gross Negligence: A Strict Concept

Even if strong authentication is properly in place, the bank may still be released from liability in the event of a fraudulent payment if it proves that the client committed « gross negligence ». But what exactly constitutes gross negligence? Recital 72 of the PSD2 Directive provides guidance: « gross negligence should imply more than mere negligence and involve a characterised lack of vigilance. »

In other words, a simple mistake or ordinary lack of care is not sufficient. There must be a significant, manifest failure to follow the security rules that any reasonable user should observe. For example: writing one’s secret code on a piece of paper stuck to one’s bank card, voluntarily communicating one’s credentials to a trusted third party who turns out to be a fraudster, or deliberately ignoring clear and repeated security alerts from one’s bank.

The Burden of Proof: On the Bank to Prove

A crucial point: it is for the bank to prove the client’s gross negligence. Articles L. 133-19 III and V, together with L. 133-23 of the Monetary and Financial Code, are clear on this point. The bank must demonstrate that the transaction was correctly authenticated, recorded, and accounted for, and that no technical deficiency in its system contributed to the fraud.

⚖️ Reversal of the Burden of Proof

Article L. 133-23 of the Monetary and Financial Code specifies that « the use of the payment instrument as recorded by the PSP does not necessarily in itself suffice to prove that the transaction was authorised by the payer, or that the latter intentionally or through gross negligence failed to meet their obligations. »

In plain terms, the bank cannot simply say: « Our system recorded the transaction with the correct codes, so it must be the client’s fault. » It must provide concrete evidence proving gross negligence. Reasoning by presumption is not sufficient, as recalled by the Court of Cassation in a ruling of 18 January 2017 (No. 15-18.102).

The Court’s Decision: Confirmation of Reimbursement

The Court of Appeal of Besançon fully upheld the first-instance judgment. It thus ruled in favour of Mr and Mrs Z and ordered the BPBFC to reimburse them the 4,998 euros as well as procedural costs.

The Bank’s Failure to Prove

According to the court, the bank failed to meet its burden of proof. It merely invoked the reliability of its « Secur’Pass » system and deduced from this that Mrs Z must necessarily have communicated her credentials to the fraudsters. But this reasoning remains purely presumptive: it relies solely on the fact that the transaction was recorded by the banking system, which is legally insufficient.

The court firmly recalled that « the mere fact that the security protocol provides for the use of two passwords to proceed with payment from a mobile phone cannot, in itself, lead to the unequivocal inference of gross negligence on the part of the payer. »

A Mere Click Is Not Gross Negligence

The central element of the case lies in Mrs Z’s conduct: she clicked on a link contained in a fraudulent SMS. For the bank, this action constitutes gross negligence because it enabled the fraudsters to obtain her credentials.

The Court of Appeal rejected this analysis. It considered that Mrs Z was the victim of an « erroneous action » consisting of « digitally pressing a link that appeared in the message », without any intention of validating a payment. This action, while admittedly careless, does not, according to the judges, constitute a « characterised lack of vigilance » within the meaning of the European directive.

Scale of Severity of Conduct

Gross negligence recognised:
• Writing one’s secret code on the bank card
• Voluntarily communicating codes to a third party
• Deliberately ignoring repeated alerts from the bank

Grey area (assessed on a case-by-case basis):
• Responding to a fraudulent email with personal data
• Following phone instructions from a fake adviser

Not gross negligence:
• Inadvertently clicking on a fraudulent link
• Failing to verify the identity of an SMS sender
• Being the victim of a sophisticated phishing technique

The court also noted that no breach of the security recommendations provided by Article L. 133-16 of the Monetary and Financial Code was established. Admittedly, Mrs Z did not verify the identity of the message sender, but this omission constitutes ordinary carelessness, not gross negligence.

Practical Lessons from This Decision

This decision of the Court of Appeal of Besançon provides several important lessons for victims of banking fraud.

First, banks cannot simply invoke the theoretical reliability of their security systems to refuse reimbursement. They must provide concrete and specific evidence of the client’s gross negligence. The mere fact that the system recorded the transaction with the correct credentials is not sufficient.

Second, the concept of gross negligence is interpreted strictly by the courts, in a manner favourable to consumers. Clicking on a fraudulent link, even if careless, is not automatically considered a fault sufficiently serious to deprive the victim of all protection. Judges take into account the increasing sophistication of fraud techniques and the fact that even vigilant individuals can be deceived.

Third, this decision reminds banks of their obligations regarding strong authentication and securing transactions. If a fraudulent transfer is possible despite strong authentication, this may reveal a flaw in the bank’s own system, which prevents it from being released from liability.

Conclusion

When faced with a fraudulent transfer, you are not defenceless. French and European legislation protects you, and banks can only refuse reimbursement by proving gross negligence on your part, which is far from straightforward for them. This decision of the Court of Appeal of Besançon confirms this: a mere click on a fraudulent link, however regrettable, does not in itself constitute a fault sufficiently serious to deprive you of your rights.

If your bank refuses to reimburse you following fraud, do not hesitate to challenge this decision, potentially with the help of a lawyer specialising in banking law. Courts generally apply a consumer-protective interpretation, and the burden of proof weighs heavily on financial institutions.

FAQ

How long do I have to report a fraudulent transfer to my bank?
You must report any unauthorised transaction to your bank as soon as you become aware of it, and no later than 13 months after the debit date. However, for a swift and uncontested reimbursement, it is strongly recommended to act immediately, ideally within 48 hours. The longer you wait, the more the bank may suspect that you validated the transaction or failed to monitor your account properly.

My bank is refusing to reimburse me, citing my negligence. What are my options?
If your bank refuses to reimburse you, you may first attempt free banking mediation through your institution’s ombudsman (whose contact details must be provided by the bank). If this fails or does not satisfy you, you may bring proceedings before the Judicial Court of your domicile. You are not required to engage a lawyer for disputes under 10,000 euros, but engaging one is strongly advised to maximise your chances of success. Remember: it is for the bank to prove your gross negligence, not for you to prove your innocence.

What types of conduct actually constitute « gross negligence »?
Gross negligence requires a characterised breach of your security obligations, well beyond mere carelessness. The following are generally recognised as gross negligence: writing your secret code directly on your bank card, voluntarily communicating your credentials to a third party (even a trusted one), lending your card with the PIN code, or deliberately ignoring repeated security alerts from your bank. Conversely, clicking on a fraudulent link, responding to a phishing SMS or email without consciously disclosing all your codes, or being the victim of sophisticated fraud are generally not considered gross negligence by the courts.

Can I be reimbursed even if I clicked on a phishing link?
Yes, as confirmed by this ruling of the Court of Appeal of Besançon. Clicking on a fraudulent link, even if careless, does not automatically constitute gross negligence. Phishing techniques are becoming increasingly sophisticated, and judges take this into account. What matters is whether you voluntarily communicated all of your codes and credentials knowingly, or whether you were simply trapped by a fraudulent manipulation. In the latter case, the bank remains liable and must reimburse you.

What are my chances of winning a lawsuit against my bank for a fraudulent transfer?
Your chances depend on the precise circumstances of the fraud and the evidence the bank can bring against you. Overall, case law is rather favourable to victims of banking fraud, as the burden of proof lies with the bank. If you promptly reported the fraudulent transaction, filed a complaint, and your conduct does not reveal manifest negligence (codes written in plain view, voluntary communication of all your data), you have a good chance of success. A lawyer specialising in banking law can precisely assess your situation and support you in your proceedings.

Can I obtain damages beyond the simple reimbursement of the transfer?
In principle, you are entitled to full reimbursement of the fraudulently debited sum, as well as any bank charges related to this transaction. Additional damages may be obtained if you prove distinct harm: for example, overdraft charges or bank fees caused by the overdraft resulting from the fraud, particular non-pecuniary damage (anxiety, numerous procedures), or if the bank’s refusal to reimburse was abusive and caused you aggravated harm. In all cases, you may obtain reimbursement of your legal costs under Article 700 of the Code of Civil Procedure, as in this case where Mr and Mrs Z were awarded 1,500 euros on this basis both at first instance and on appeal.