On 19 November 2025, the Commercial, Financial and Economic Chamber of the Court of Cassation delivered three landmark rulings (Nos. 24-17.056, 24-17.780 and 24-19.776) concerning the liability of payment service providers (banks) in the face of so-called “CEO fraud” schemes involving authorised payment orders. These decisions, informed by the reports of Mr. Calloch (Reporting Judge) and the opinions of Mr. de Monteynard (Advocate General), help clarify the applicable legal framework and the scope of the banker’s duty of vigilance.
1. The Applicable Liability Regime: Common Law versus Special Law
An essential preliminary question in these disputes is whether the bank’s liability should be assessed under the special regime of the Monetary and Financial Code (CMF), which transposes European directives (PSD1 and PSD2), or under the common law regime of contractual liability (former Article 1147, now Article 1231-1 of the Civil Code).
The Limited Exclusivity of Payment Services Law
In each of the appeals, the bank argued that the CMF regime (Articles L. 133-18 et seq.) was exclusive of any competing regime based on national law, including the common law duty of vigilance.
However, the Court of Cassation consistently recalls, relying on the case law of the CJEU (notably the Beobank ruling of 16 March 2023), that the liability regime defined by Articles L. 133-18 to L. 133-24 of the CMF only applies to unauthorised or improperly executed payment transactions.
In all three cases (Rulings 24-17.056, 24-17.780 and 24-19.776), the disputed transactions, although fraudulent (CEO fraud), were transmitted and validated by a contractually authorised employee (often the secretary or accountant). Consequently, these transactions were classified as authorised transactions.
Since the transaction was authorised and no improper execution was alleged, the special regime does not apply. The Court of Cassation therefore upheld the approach of the lower courts, which had examined whether the bank had breached its contractual duty of vigilance under common law.
2. The Duty of Vigilance: Apparent Anomaly and Non-Interference
If common law applies, the bank’s liability rests on a breach of its duty of vigilance. This duty is, however, circumscribed by the principle of non-interference (or non-intrusion). The banker is only required to alert the client in the presence of apparent anomalies (material or intellectual) that are easily detectable by a reasonably diligent professional.
Advocate General Mr. de Monteynard emphasises that CEO fraud, being a variety of spoofing, is part of the ordinary landscape of the banking profession, and that the duty of vigilance of a professional banker must be assessed in light of their professional expertise, independently of the duty of non-interference.
However, in two of the three cases, the Court of Cassation adopted a strict interpretation of the notion of apparent anomaly, quashing the rulings that had found the bank liable.
Ruling No. 24-17.056 (Credit cooperatif / APMG)
In this case, a significant wire transfer to Portugal had been ordered during the summer period by a non-executive employee.
The Court of Cassation quashed the ruling. It held that the grounds relied upon by the Court of Appeal (size of the transfer, new counterparty, summer period) were insufficient to establish the existence of apparent anomalies. The Court notably observed that the company had previously made a large wire transfer and had already had dealings with a company headquartered in Portugal.
Advocate General Mr. de Monteynard had moreover issued an opinion in favour of quashing, considering that the fact that the wire transfer originated from a country with which the defrauded company had already regularly issued transfers undermined the entire reasoning of the Court of Appeal on the apparent abnormality.
Ruling No. 24-17.780 (Banque europeenne du credit mutuel / Nausicaa medical)
In this case, the Court of Appeal had identified as anomalies the high amount of the transfer (EUR 231,078), the new beneficiary, the account opened in Hungary (an Eastern European country), and the registration of the bank details simultaneously with the payment order.
The Court of Cassation also quashed the ruling. It held these grounds to be insufficient, since the Court of Appeal had itself noted that a single large-amount transfer had already been ordered in favour of a foreign beneficiary (Belgium).
Conversely, Advocate General Mr. de Monteynard had proposed dismissing the appeal, arguing that the combination of elements — sudden transfer of funds abroad outside the usual zone, to an unknown partner, for unusual amounts, and registration of bank details at the same time as the order — constituted all the hallmarks of a classic CEO fraud scheme that should necessarily have alerted a professional banker.
3. The Verification Protocol: Whom to Contact in Case of Doubt?
Ruling No. 24-19.776 (Banque CIC Sud-Ouest / Groupement d’etudes electrotechniques) focused on the procedure to be followed by the bank when it detects an apparent anomaly, in particular the question of whom should be contacted to confirm the order.
In this case, the company’s accounting secretary had transmitted twelve wire transfer orders totalling EUR 922,894.48 to Hungary. The Bordeaux Court of Appeal had held the bank liable, finding that beyond the first three transfers, the repetition should have led the bank to verify with the company’s legal representative, Mr. [X], the regularity of the transactions.
The Position of the Court of Cassation
The Court of Cassation quashed this decision. It held that, in the presence of apparent anomalies, the bank is required to verify the regularity of the orders with the person contractually authorised to transmit them. Having noted that the accounting secretary (Ms. [Y]) was contractually authorised to create beneficiaries and to carry out external transfers without any amount limit, the Court of Appeal could not require verification with the company director.
The Dissenting Opinion of the Advocate General
Mr. de Monteynard, while acknowledging that prior case law was ambiguous, strongly argued for dismissal of the appeal (i.e. upholding the Court of Appeal ruling). In his view, seeking confirmation from the duped party (the employee who was manipulated) would be ineffective. Effective combating of CEO fraud, and holding professional banks accountable, requires promoting an effective response, which means seeking the opinion of another person, necessarily the head of the company. For the Advocate General, the verification must be carried out with the company president precisely because of their position and because they are not the duped account holder.
Conclusion: A Strict and Limited Duty of Vigilance
The three rulings of 19 November 2025 confirm that if payment transactions are considered authorised (even under the influence of CEO fraud), the common law of banker liability applies. However, the Court of Cassation appears to insist on a restrictive interpretation of the duty of vigilance. It quashes the Court of Appeal rulings (24-17.056 and 24-17.780) that had relied on overly broad sets of indicators to establish an apparent anomaly. Furthermore, it limits the bank’s verification obligation to the person contractually authorised to transmit the order (Ruling 24-19.776), even though, as the Advocate General points out, this risks rendering the bank’s response to fraud futile.
