Disclosure of Security Codes Under Manipulation: Fraud Victims Protected – CA Rouen, Civil and Commercial Chamber, 19 February 2026, No. 25/01563

The Court of Appeal of Rouen has upheld a judgment in favor of a client who fell victim to a sophisticated banking fraud. The ruling clarifies the boundaries of the concept of “gross negligence” and reaffirms that the mere disclosure of personal security codes, when it occurs in the context of psychological manipulation orchestrated by a fraudster impersonating a bank adviser, is not sufficient to deprive the victim of her right to a refund. This decision illustrates the ongoing tension between consumer protection and client accountability in the fight against fraud.

Court of Appeal of Rouen, Civil and Commercial Chamber, 19 February 2026, No. 25/01563

The facts: a well-rehearsed fraud scenario

On 25 October 2023, Ms. [M], a 25-year-old client of Societe Generale, received several persistent calls from the same telephone number. Alarmed by the unusual repetition, she eventually answered. The caller introduced himself as an adviser from her bank’s card opposition department, informing her that a fraudulent purchase had been detected on her account and that immediate action was needed to block it and protect her funds.

The fraudster, who was particularly skilled, invited Ms. [M] to verify for herself online that the number he was calling from matched that of Societe Generale. The verification appeared to confirm his claims, which fully convinced the client that she was speaking with a genuine adviser. The supposed adviser then asked her to provide her client code in order to access her personal online banking space, before giving her a new code. He activated the security pass and guided his client step by step through the actions she needed to perform, supposedly to block a fraudulent transaction.

SEQUENCE OF THE FRAUD
1. Repeated calls creating a sense of urgency
2. Identity theft: the fraudster poses as a bank adviser
3. Building trust: the victim is invited to verify the caller’s number
4. Obtaining personal security codes under the pretext of securing the account
→ Fraudulent transactions validated by the manipulated victim

In reality, the fraudster managed to carry out two transactions: first, a transfer of 3,500 euros from Ms. [M]’s savings account to her current account, followed by a payment of 4,631.64 euros to a mysterious company, Grand Store LLC, domiciled in a foreign country. A third attempted debit, for a much higher amount (17,997.50 euros), failed.

Immediately after these transactions, Ms. [M] contacted her bank’s genuine opposition department to ensure that the block had been properly applied. It was at this point that the operator revealed to her that she had just fallen victim to a scam. She immediately placed a hold on her card and filed a police complaint that same day.

Despite her swift reaction, Societe Generale refused to reimburse the 4,631.64 euros that had been debited, arguing that their client had been grossly negligent. Ms. [M] then brought the matter before the Bernay Proximity Court, which, by judgment of 26 March 2025, ordered the bank to provide full reimbursement, together with interest and damages.

Societe Generale decided to appeal this decision. The case was brought before the Court of Appeal of Rouen, which rendered its judgment on 19 February 2026.

The legal framework: protecting banking clients against unauthorized transactions

The principle of immediate reimbursement

French banking law, through the Monetary and Financial Code, establishes strong protection for clients who are victims of unauthorized payment transactions. This protection stems in particular from the transposition of European directives aimed at harmonizing rules across the European Union.

Article L133-18 of the Monetary and Financial Code sets out the fundamental principle: in the event of an unauthorized payment transaction reported by the client, the bank must reimburse the client immediately, no later than the end of the first business day following its awareness of the fraudulent transaction. The account must be restored to the state it would have been in had the disputed transaction never taken place.

This rapid and automatic reimbursement is the rule. It is then for the bank, if it considers that the client committed a fault, to prove that fault in order to escape liability.

The exception: gross negligence of the client

Article L133-19 of the same Code provides an exception to this reimbursement principle: the client bears the losses if they result from fraudulent conduct on the client’s part, or if the client has failed intentionally or through gross negligence to comply with their security obligations.

These obligations are defined in Articles L133-16 and L133-17 and essentially consist of taking all reasonable measures to preserve the security of personalized security data (codes, identifiers, etc.) and promptly informing the bank in the event of loss, theft, or unauthorized use of the payment instrument.

The concept of gross negligence

Gross negligence is a fault of particular severity, going beyond mere carelessness. It implies conduct revealing a complete disregard for or indifference to the consequences of one’s actions. The client must have flagrantly and inexcusably failed to meet their basic duty of care.

The burden of proof lies with the bank

Article L133-23 of the Monetary and Financial Code makes an essential point: the use of the payment instrument as recorded by the bank does not, in itself, suffice to prove that the transaction was authorized by the client or that the client committed gross negligence.

In other words, even if the bank’s IT systems show that the correct codes were used and that strong authentication was completed, this does not exempt the bank from providing positive proof that the client acted fraudulently or committed gross negligence.

ALLOCATION OF THE BURDEN OF PROOF
CLIENT: Must report the unauthorized transaction
BANK: Must prove fraud or gross negligence on the part of the client
If the bank fails to provide this proof → Reimbursement is mandatory

This rule is protective for the consumer because it prevents the bank from simply noting the effective use of the codes to reject all liability. Recent case law from the Court of Cassation (notably the judgment of 5 March 2025, No. 23-22.687) has confirmed that this rule applies even where a strong authentication system is in place.

The court’s analysis: no gross negligence in cases of psychological manipulation

Building trust through identity theft

The Court of Appeal of Rouen carefully examined the circumstances in which Ms. [M] was led to disclose her personal security codes. It identified several decisive factors that preclude a finding of gross negligence.

First factor: the fraudster’s telephone number was almost identical (differing by just one digit) to the official number of Societe Generale’s opposition department. Ms. [M] had even taken the precaution of checking online that the number matched her bank’s, which reinforced her belief that she was speaking with a genuine adviser.

Second factor: the caller expressly identified himself as an employee of the bank’s card opposition department, citing the detection of a fraudulent purchase requiring immediate blocking. This staging created a sense of urgency conducive to psychological manipulation.

Third factor: the modus operandi relied on identity theft, a sophisticated technique that diminished the victim’s vigilance. The court observed that Ms. [M] genuinely believed she was blocking a fraudulent payment by following the instructions of a bank employee.

A swift reaction by the victim

The court also highlighted Ms. [M]’s responsiveness as soon as she became aware of the fraud. Immediately after the disputed transactions, she contacted the genuine opposition department to verify that the block had been properly applied. It was at this point that she discovered she had been deceived.

Without delay, she requested that all transactions on her card be blocked, which prevented a third debit attempt for a much larger amount (nearly 18,000 euros). That same day, she filed a police complaint for fraud.

This diligence demonstrates that Ms. [M] did not act with recklessness or indifference, but rather that she was the victim of manipulation that occurred within a very short timeframe, conducive to the state of panic deliberately sought by the fraudsters.

The court’s reasoning

“The modus operandi, namely identity theft, put her at ease and diminished her vigilance, it being noted that this was a telephone call suddenly alerting her to an attempted fraud, these events unfolding within a short timeframe which is conducive to manipulation due to the victim’s state of panic, upon which the fraudster relies to achieve his ends.”

The court thus acknowledges that the sophistication of the fraud and the rapidity of events impaired the victim’s judgment, without this constituting gross negligence on her part.

The insufficiency of the evidence provided by the bank

Societe Generale attempted to put forward several arguments to demonstrate their client’s gross negligence. In particular, the bank pointed out that Ms. [M] had disclosed her client code and her online banking access code, thereby enabling the validation of the fraudulent transaction. The bank also emphasized that the transaction had been duly authenticated through the strong authentication system (Securipass), with a code sent by SMS to the client’s registered mobile phone.

According to the bank, Ms. [M] should have suspected the deception and realized that her caller was not a genuine adviser. She should have known that it was not necessary to block the entire account for a single suspicious transaction, and that she could have performed these steps directly through her mobile application without disclosing her personal data.

The court rejected these arguments. It held that the fact of having disclosed personal security codes, in a context where the client believed she was dealing with a bank employee and was following their instructions to block a fraud, does not constitute gross negligence.

The existence of strong authentication and the effective use of the correct codes are not, on their own, sufficient to establish the client’s gross negligence. The court thus strictly applied Article L133-23 of the Monetary and Financial Code, which provides that the use of the payment instrument as recorded by the bank does not suffice to prove that the client committed a fault.

The practical consequences: the bank is ordered to pay

Finding that Societe Generale failed to prove their client’s gross negligence, the Court of Appeal of Rouen upheld the first-instance judgment in its entirety. The bank was ordered to reimburse Ms. [M] the sum of 4,631.64 euros, with interest at the statutory rate from 26 October 2023, i.e., the day after the fraud.

The court also confirmed the award of 150 euros in damages for the moral harm suffered by the victim. This moral harm arises from the stress, anxiety, and sense of personal security violation caused by such a scam.

FINANCIAL PENALTIES
Nature | Amount
Reimbursement of the fraud | 4,631.64 EUR
Interest at the statutory rate | From 26/10/2023
Damages (moral harm) | 150 EUR
Legal fees (first instance) | 1,000 EUR
Legal fees (appeal) | 2,500 EUR
Court costs | To be borne by the bank

Regarding legal costs, Societe Generale was ordered to pay 1,000 euros under Article 700 of the Code of Civil Procedure for the first instance, and an additional 2,500 euros for the appeal proceedings. These sums represent a contribution toward the legal fees incurred by Ms. [M] in asserting her rights.

Finally, the bank was ordered to pay the court costs, i.e., the procedural expenses (court registry fees, bailiff fees, etc.) of both instances.

In total, this decision will have cost Societe Generale over 8,000 euros, not including its own legal fees and the interest that has continued to accrue since October 2023.

Conclusion

The judgment of the Court of Appeal of Rouen of 19 February 2026 falls within an increasingly protective body of case law for victims of sophisticated banking fraud. It reaffirms that the burden of proving gross negligence rests entirely on the bank and that such proof cannot result from the mere observation that personal security codes were used.

The decision recognizes that social engineering techniques (psychological manipulation, identity theft, creation of a sense of urgency) constitute mitigating circumstances that may preclude a finding of gross negligence, even where the client has actually disclosed their personal security codes.

This case law position is significant because it prevents banks from systematically hiding behind the argument of client negligence to escape their obligation to reimburse. It serves as a reminder that strong authentication, while necessary, is not an absolute safeguard against increasingly sophisticated fraud.

For victims of banking fraud, this judgment confirms the importance of several key reflexes: reacting immediately upon discovering the fraud, contacting the bank’s opposition department without delay, filing a police complaint promptly, and not hesitating to challenge the bank’s refusal to reimburse by bringing the matter before the courts if necessary.

If you are the victim of banking fraud and your bank refuses to reimburse you by invoking alleged negligence on your part, do not hesitate to consult a specialist lawyer. The chances of a successful outcome are real, as this decision of the Court of Appeal of Rouen demonstrates.

FAQ

My bank refuses to reimburse a fraud because I disclosed my codes. What can I do?
The mere disclosure of your codes is not sufficient to establish gross negligence. If you were manipulated by a fraudster impersonating a bank adviser, you can challenge this refusal. Start by sending a registered letter to your bank explaining the precise circumstances of the fraud and citing Articles L133-18 and L133-23 of the Monetary and Financial Code. If the bank maintains its refusal, you can refer the matter to the banking ombudsman (a free procedure), and ultimately to the courts. Recent case law, such as this judgment of the Court of Appeal of Rouen, is favorable to victims who have been deceived by identity theft techniques.
Within what timeframe must I report a fraudulent transaction to my bank?
You must report the unauthorized transaction to your bank as soon as possible, ideally immediately after its discovery. Article L133-24 of the Monetary and Financial Code provides a maximum period of 13 months from the debit date to dispute a transaction. However, the sooner you react, the better: this limits the damage, may enable the blocking of further fraudulent transactions, and demonstrates your good faith. Contact the opposition department (available 24/7) as soon as you discover the fraud, then confirm in writing. Also remember to file a police complaint promptly.
What are the reimbursement deadlines imposed on banks in cases of fraud?
Under Article L133-18 of the Monetary and Financial Code, the bank must reimburse you immediately after becoming aware of the fraudulent transaction, and in any event no later than the end of the first business day following notification. If the bank fails to meet this deadline, significant penalties apply: interest at the statutory rate plus 5 percentage points for up to 7 days’ delay, plus 10 points for delays between 7 and 30 days, and plus 15 points for delays exceeding 30 days. In practice, banks often take a few days to analyze the case, but they must comply with the one-business-day deadline if they do not suspect fraud on the client’s part.
Can I obtain damages in addition to reimbursement of the fraudulent amount?
Yes, you can seek damages to compensate for the moral harm suffered (stress, anxiety, sense of insecurity) and potentially other losses (inability to pay certain expenses due to the fraudulent debit, resulting bank charges, etc.). In the case decided by the Court of Appeal of Rouen, the victim was awarded 150 euros in damages for moral harm. The amounts vary depending on the circumstances and the extent of the harm. You can also obtain reimbursement of part of your legal fees under Article 700 of the Code of Civil Procedure, as in this case where the victim was awarded 1,000 euros at first instance and 2,500 euros on appeal.
What are my chances of winning if my bank refuses to reimburse me?
Your chances depend on the precise circumstances of the fraud. If you were the victim of a sophisticated social engineering technique (impersonation of a bank adviser, spoofed telephone number, psychological manipulation creating a sense of urgency), you reacted quickly by contacting your bank and filing a complaint, and you did not act with blatant recklessness, your chances are good. Recent case law is generally favorable to victims. The bank must prove your gross negligence, which is difficult in these cases. On the other hand, if you disclosed your codes in a clearly imprudent manner (for example, by responding to a suspicious email, by writing them down on paper left in plain sight, etc.), your chances are more limited. A specialist lawyer will be able to analyze your specific situation.
Do I necessarily need a lawyer to challenge my bank’s refusal to reimburse?
No, you can first attempt an amicable resolution. Start by challenging the refusal by registered letter to your bank’s complaints department. If this is unsuccessful, refer the matter to the banking ombudsman: this procedure is free, fast (90 days maximum), and does not require a lawyer. If the ombudsman does not rule in your favor, you can then bring the matter before the courts. For disputes up to 10,000 euros, you are not required to engage a lawyer, but it is strongly recommended as the legal arguments are technical. In the case decided by the Court of Appeal of Rouen, the victim was represented by a lawyer and obtained reimbursement of a substantial part of her legal fees (3,500 euros in total). A good lawyer specializing in banking law will maximize your chances of success.