The recent decision of the Court of Appeal of Paris of 1 October 2025 (Court of Appeal of Paris, Pole 5 chambre 6, 1 October 2025, No. 23/12393), opposing Credit Industriel et Commercial (CIC) against the companies Action d’eclat and Think Meded, provides an interesting illustration of the interplay between the special liability regime of payment service providers and the general law regime based on the duty of vigilance.
When a company is the victim of a “CEO fraud” (fraude au president) leading to fraudulent transfers, the first question that courts must decide is the applicable liability regime. This distinction is decisive for the outcome of the dispute.
1. The Exclusive Liability Regime for Unauthorized Transactions (Monetary and Financial Code)
As a primary argument, victims of fraudulent transactions often invoke the provisions of the Monetary and Financial Code (CMF), particularly Articles L. 133-1 et seq.
The CMF establishes a strict liability regime for payment service providers (PSPs) in the event of unauthorized payment transactions or improperly executed transactions. Pursuant to Article L. 133-6 of the CMF, a payment transaction is authorized if the payer has given consent to its execution, in the form agreed upon with the PSP.
It should be noted that this regime, deriving from European Directive 2007/64/EC, is subject to total harmonization. The Court of Justice of the European Union (CJEU) has clearly established that a parallel or concurrent liability regime based on national law is incompatible with the directive where liability is sought on the basis of an unauthorized or improperly executed transaction.
Consequence: If the transfer is classified as an unauthorized transaction, only the regime of Articles L. 133-18 to L. 133-24 of the CMF applies, to the exclusion of any other liability regime under national law.
2. The Obstacle of Authorization in the Case of CEO Fraud
In the Action d’eclat and Think Meded case, the companies fell victim to a fraud that led their accountant, [V] [P], to carry out seven transfer orders between September and October 2019.
The bank (CIC) argued that the transactions were authorized, invoking the use of the contractual online banking devices (Filbanque) and strong authentication (Safetrans).
The Court found that the disputed transfers had been issued and validated by [V] [P] using the unique Filbanque identifier, password, and Safetrans card and card reader. The use of this payment instrument, recorded by CIC and in accordance with the parties’ agreement, proved that the disputed payment transactions had been authorized by the client companies.
This finding is essential: once the transfers are established as having been authorized and properly executed, the exclusive liability regime of the Monetary and Financial Code (designed for unauthorized or improperly executed transactions) is no longer applicable.
3. The Return to General Law: Application of the Duty of Vigilance
Given that CIC’s liability was not sought on the basis of an unauthorized or improperly executed payment transaction, the companies Action d’eclat and Think Meded were able to engage the bank’s liability on the basis of the general contractual liability regime (former Article 1147 of the Civil Code).
This shift to general law allows examination of the bank’s duty of vigilance (or monitoring duty).
Limit of the Duty of Vigilance: The Obligation of Non-Interference
In principle, the bank is bound by an obligation of non-interference (non-ingerence) in the affairs of its client and is not required to investigate the origin or significance of funds, absent a contrary legal provision. Nor is it required to ensure that the transactions requested are not harmful to the client or third parties, provided they appear regular.
Application of the Duty of Vigilance: The Apparent Anomaly
However, this duty of non-interference finds a limit if the transaction “conceals an apparent anomaly, whether material or intellectual” (anomaly in the documents provided, the nature of the transaction, or the functioning of the account).
In the present case, the plaintiff companies raised several apparent intellectual anomalies, including:
- Disproportionate amounts relative to the company’s activity.
- Unusual and high-risk foreign destinations (Hong Kong, China).
- The return of the first two transfers on 11 September 2019 following a fraud alert from the receiving bank.
The Court held that the succession of disputed transfers, combined with the rejection of the first two payments and the unusual nature of the recipients, characterized an apparently abnormal functioning of the account, justifying CIC’s duty to carry out verifications.
Shared Liability
Despite initial diligence (CIC having contacted the accountant and the finance director [N] [X] for confirmation of the transfer orders), the Court found a breach of vigilance by the bank from 3 October 2019. On that date, a fake email address used to copy the director in correspondence was “apparent” to the bank, which failed to detect this anomaly.
However, Action d’eclat and Think Meded were not exonerated from all liability. The Court found serious negligence on the part of the companies and their employee, including:
- The accountant’s lack of vigilance in the face of unusual amounts and destinations.
- Failure to notice the falsified email address.
- The submission of supporting documents (pro forma invoices) containing anomalies (misspelled, without invoice numbers or payment deadlines, with descriptions unrelated to the business such as “Hedge funds”).
- Insufficient oversight by the directors over their employee’s activity during the one-month period of fraudulent payments.
Considering the respective faults of the parties that contributed to the dissipation of funds, CIC was ordered to pay reduced damages to Action d’eclat (147,770.63 euros) and to Think Meded (15,135 euros), the total damages being reduced due to the shared liability.
Conclusion
This judgment of the Court of Appeal of Paris confirms that, in the case of “CEO fraud” carried out via strong authentication instruments and therefore classified as an authorized transaction, the payment service user can only obtain compensation by invoking the bank’s general contractual liability. The success of this action then depends on proof of the provider’s breach of its duty of vigilance, triggered by the existence of an apparent anomaly in the functioning of the account or in the transactions. The bank can only be held liable for transfers made from 3 October 2019, the date on which the breach of vigilance is established.
