EBICS Protocol and Contractual Scope: Unauthorised International Transfers – CA Paris, Pôle 5 ch. 6, 4 February 2026, No. 23/16958

In a ruling of 4 February 2026, the Court of Appeal of Paris partially reversed a judgment of the Commercial Court of Paris and ordered the bank to bear liability for unauthorised international transfers carried out via the EBICS protocol outside the contractual scope.

In a ruling handed down on 4 February 2026, the Paris Court of Appeal partially overturned a judgment of the Paris Commercial Court and ordered Banque Palatine to fully reimburse four fraudulent wire transfers totalling €2,910,215.04. This decision illustrates the rigour with which French courts apply the rules protecting banking clients against unauthorised payment transactions, particularly when security protocols are not followed or when strong customer authentication is lacking.

Paris Court of Appeal, Division 5 Chamber 6, 4 February 2026, No. 23/16958

The Factual and Contractual Background

A Long-Standing Banking Relationship and Evolving Payment Methods

Vocalcom, a company specialising in digital “cloud contact centre” solutions, had maintained a banking relationship with Banque Palatine since July 2010. This relationship had been built around several mechanisms for securing payment transactions, which had evolved over time.

From November 2010 onwards, Vocalcom had subscribed to the secure EBICS version T protocol (Electronic Banking Internet Communication Standard). This system required a connection to the banking platform via confidential credentials and the submission of payment orders in the form of electronic files, confirmed by sending a system-generated slip, signed by an authorised signatory of the company, via fax. However, in day-to-day practice, Vocalcom continued to use paper-based payment orders, reflecting a certain inertia in adopting new digital tools.

In 2017, the EBICS TS (Secure Transfer) protocol was introduced. It enabled orders to be validated by electronic signature, thereby enhancing transaction security. However, Vocalcom did not migrate to this new protocol. Faced with this situation, Banque Palatine proposed a derogatory solution on 28 August 2018: the signing of a “Request for Execution of Instructions Transmitted by Fax or Email” for all types of wire transfers. This notice specified the email addresses authorised for transmitting payment orders. Vocalcom accepted this derogatory arrangement.

EVOLUTION OF PAYMENT PROTOCOLS
  • 2010: EBICS T + fax
  • 2017: EBICS TS (electronic signature)
  • 2018: Derogatory notice (email/fax)
⚠️ Vocalcom never migrated to EBICS TS, the most secure protocol

CEO Fraud: Four Suspicious Wire Transfers

It was in this context that, in September 2020, four fraudulent wire transfers were executed to the detriment of Vocalcom, for a total amount of €2,910,215.04. These transactions fell within what is commonly known as “CEO fraud” or “bogus transfer order scam”, a manipulation technique well known to economic crime investigators.

The first two transfers, dated 2 and 7 September 2020, for amounts of €456,770.26 and €977,148.26 respectively, were transmitted by email. They came from an email address belonging to Vocalcom, but which was not among the three addresses authorised in the derogatory notice of 28 August 2018. The orders bore a signature resembling that of Vocalcom’s director and referred to the payment of fictitious invoices to a Hungarian company, Webmek Czako Tanya KFT, whose account was held at the Hungarian bank K and H Bank ZRT.

The third and fourth transfers, dated 14 and 21 September 2020, for €979,148.26 and €497,148.26 respectively, were transmitted electronically via the secure EBICS T protocol, accompanied by slips sent by email bearing a signature similar to that of the director. These transfers were also directed to the same Hungarian beneficiary.

The fraudulent scheme was based on identity theft. A fraudster alternately impersonated Vocalcom’s president (using a forged email address) and a lawyer from the KPMG audit firm. He thus convinced Vocalcom’s chief accountant, Mr Y.P., to participate in an alleged “confidential financial transaction to acquire a company based abroad”. The employee, deceived, executed the transfer orders without suspecting the fraud.

It was not until 23 September 2020, during a routine bank reconciliation, that Vocalcom discovered the fraud. The company immediately reported the facts to Banque Palatine, filed a complaint at the police station in the 8th arrondissement of Paris, and then with the Hungarian police on 3 October. Despite the bank’s efforts with its Hungarian counterpart to repatriate the funds, the time that had elapsed between the execution of the transfers and the return request rendered these efforts unsuccessful. The funds had already been dispersed.

🚨 CHRONOLOGY OF THE FRAUD
2 September 2020: 1st transfer of €456,770.26 (email)
7 September 2020: 2nd transfer of €977,148.26 (email)
14 September 2020: 3rd transfer of €979,148.26 (EBICS T)
21 September 2020: 4th transfer of €497,148.26 (EBICS T)
23 September 2020: Fraud discovered and reported to the bank
Total misappropriated: €2,910,215.04

Classification of the Payment Transactions: Authorised or Not?

The dispute between Vocalcom and Banque Palatine raised a fundamental legal question: should the four disputed transfers be classified as authorised or unauthorised payment transactions within the meaning of the Monetary and Financial Code? This distinction is far from trivial, as it determines the applicable liability regime and, consequently, whether or not the bank is obliged to reimburse the misappropriated sums.

Article L. 133-6 of the Monetary and Financial Code sets out the principle that “a payment transaction is authorised if the payer has given consent to its execution”. This consent must, under the terms of Article L. 133-7 of the same code, be given “in the form agreed between the payer and their payment service provider”. The statute expressly provides that in the absence of such consent, “the payment transaction or series of payment transactions shall be deemed unauthorised”.

This presumption of non-authorisation in the absence of consent complying with the agreed terms is reinforced by Article L. 133-23 of the Monetary and Financial Code, which establishes a reversal of the burden of proof. When a payment services user denies having authorised a transaction, it falls to the payment service provider to prove that the transaction in question was authenticated, duly recorded and accounted for, and was not affected by any technical deficiency. The statute adds that “the use of the payment instrument as recorded by the payment service provider does not necessarily in itself constitute sufficient proof that the transaction was authorised by the payer”.

In short, the legislature has established a protective system for the client, requiring the bank to demonstrate not only the technical execution of the transaction, but also strict compliance with the contractually agreed authorisation procedures.

The Transfers of 2 and 7 September 2020: Non-Compliance with Agreed Terms

With regard to the first two transfers, the Paris Court of Appeal upheld the analysis of the Commercial Court. These transactions had been carried out in execution of orders transmitted by email from an email address that did indeed belong to Vocalcom, but which was not among the three addresses expressly listed in the derogatory notice of 28 August 2018.

This contractual document was clear. It provided that, “on an exceptional basis”, the bank agreed to execute instructions “transmitted through the following two channels”: by fax, or “by email with a scanned copy of the signed orders as an attachment”. The text further specified that “these instructions shall be sent to you from the following email address”, and listed three authorised addresses by name. However, the email address of Mr Y.P., the chief accountant who had transmitted the fraudulent orders, was not among them.

Banque Palatine attempted to argue that an established practice between the parties had authorised the use of this address. The Court of Appeal dismissed this argument. It noted that Vocalcom did not demonstrate a consistent practice under which Mr Y.P.’s address had been used to transmit payment instructions by email. The fact that this employee had communicated with the bank regarding transactions transmitted through another channel (EBICS T), that he had been copied on emails exchanged on other matters, or that the bank held a signature card in his name, did not establish such a practice.

The Court therefore concluded, as the Commercial Court had before it, that the parties’ agreement had not been complied with. Consequently, the payer’s consent had not been given in the agreed form, and the first two transfers had to be classified as unauthorised transactions.

The Transfers of 14 and 21 September 2020: Transactions Outside the Contractual Scope

On this point, the Court of Appeal departed from the Commercial Court. At first instance, the judges had found that the last two transfers, transmitted via the EBICS T protocol, were authorised transactions. The Court of Appeal overturned this analysis and held, on the contrary, that these transfers were also unauthorised.

The Court’s reasoning was based on a careful reading of the contracts governing the use of the EBICS T service. Two documents were at issue: the “Palatine Comptes Entrepreneurs – Palatine Comptes Entreprises” subscription contract signed on 15 July 2010, and the electronic data interchange contract under the EBICS version T protocol, signed on 4 November 2010.

The “Subscription and Options” section of the special conditions of the remote banking service contract revealed that Vocalcom had selected the “Palatine Comptes Entreprises 2” option, but had expressly excluded the “Cross-border and International Transfers” functionality (the answer “no” had been ticked). This exclusion was confirmed by Annex 4 of the EBICS-T contract, entitled “Exchangeable Electronic Data”, Article 1 “Issuing Orders” of which specified the list of services used: the “International Transfers” box had not been ticked, thereby expressly excluding this service from the contractual scope.

The transfers of 14 and 21 September 2020 were international transfer requests to Hungary. They therefore did not fall within the scope of the electronic payment services provided by Banque Palatine to Vocalcom. By executing these orders, the bank exceeded the framework of the contractual authorisations granted by its client.

The Court deduced that the payer’s consent had not been given in the agreed form, since the EBICS T system did not cover this type of transaction. It accordingly dismissed the bank’s reliance on Article 7 of the EBICS-T contract concerning proof of exchanges, which provided in particular that “since the electronic files are transmitted and confirmed by the client using transport certificates simultaneously, the client is deemed to be the author thereof”. This evidential clause could not apply to transactions that, by their nature, fell outside the contractual scope of the EBICS T protocol.

⚖️ COMPARATIVE ANALYSIS OF THE TWO SERIES OF TRANSFERS
Criterion | Transfers of 2 & 7 Sept. | Transfers of 14 & 21 Sept.
Channel used | Email | EBICS T
Ground for non-authorisation | Unauthorised email address | International transfers excluded from contract
Commercial Court decision | Unauthorised ✓ | Authorised ✗
Court of Appeal decision | Unauthorised ✓ (upheld) | Unauthorised ✓ (overturned)

The Requirement for Strong Customer Authentication

The PSD2 Directive and the 2018 Delegated Regulation

Beyond the contractual analysis, the Court of Appeal relied on a weighty legal argument drawn from European regulation on payment services. It invoked Article L. 133-44, paragraph 1, tertio, of the Monetary and Financial Code, as amended by Ordinance No. 2017-1252 of 9 August 2017, transposing Directive No. 2015/2366 of the European Parliament and of the Council of 25 November 2015, known as the PSD2 Directive (Payment Services Directive 2).

This provision came into force on 14 September 2019, i.e. eighteen months after the entry into force of Commission Delegated Regulation (EU) 2018/389 of 27 November 2017. This regulation supplements the PSD2 Directive with regulatory technical standards on strong customer authentication (SCA) and common and secure open standards of communication.

Under Article L. 133-44, the payment service provider must apply strong customer authentication, as defined in point (f) of Article L. 133-4, “when the payer executes a transaction through a remote means of communication that may involve a risk of payment fraud or any other fraudulent use”.

Strong customer authentication is based on the use of two or more elements belonging to the following categories: knowledge (something only the user knows, such as a password), possession (something only the user possesses, such as a mobile phone), and inherence (something the user is, such as a fingerprint). These elements must be independent of one another, so that the compromise of one does not undermine the reliability of the others.

The Obligation Incumbent on the Bank

The Court of Appeal noted that email, the means by which the disputed payment instructions were transmitted to Banque Palatine for the first two transfers, undeniably constitutes “a remote means of communication that may involve a risk of payment fraud or any other fraudulent use”. This finding is all the more self-evident given that email address spoofing and email forgery are favoured vectors of banking cybercrime.

Consequently, Banque Palatine was required to apply strong customer authentication before executing the disputed transactions. However, the bank neither claimed nor demonstrated that it had been authorised to derogate from this obligation, nor that it had actually implemented strong authentication when executing the transfers of 2 and 7 September 2020.

Having failed to prove that the transactions in question were duly authenticated in accordance with the applicable standards, Banque Palatine could not demonstrate that they were authorised by the payer. The absence of strong authentication therefore constitutes a fatal flaw that seals the fate of the first two transfers.

Although the Court did not explicitly develop this reasoning for the next two transfers (14 and 21 September), one may consider that the requirement for strong authentication also applied to those transactions, all the more so as they exceeded the authorised contractual scope.

💡 STRONG AUTHENTICATION IN PRACTICE
Strong authentication requires the combination of at least two independent factors from among:

  • Knowledge: PIN code, password, security question
  • Possession: bank card, mobile phone, physical token
  • Inherence: fingerprint, facial recognition, iris

A simple signature verification on an email does not constitute strong authentication.

The Bank’s Strict Liability

The Regime Under Article L. 133-18 of the Monetary and Financial Code

Once the unauthorised nature of the four disputed transfers was established, Banque Palatine’s liability followed automatically from the provisions of Article L. 133-18 of the Monetary and Financial Code. This provision establishes a regime of objective liability that is particularly protective for the client.

Under the first paragraph of this article, “in the event of an unauthorised payment transaction reported by the user under the conditions provided for in Article L. 133-24, the payer’s payment service provider shall reimburse the payer for the amount of the unauthorised transaction immediately after becoming aware of the transaction or after being informed thereof, and in any event no later than the end of the first business day following, unless it has good reason to suspect fraud on the part of the payment service user and communicates such reasons in writing to the Banque de France”.

This mechanism therefore imposes on the bank an obligation of immediate reimbursement, without the client needing to demonstrate any fault on the bank’s part or any loss distinct from the loss of the misappropriated sums. The liability is strict: it suffices that the transaction be classified as unauthorised and that it has been reported within the prescribed time limits.

In this case, Vocalcom had reported the fraud to Banque Palatine on 23 September 2020, immediately upon its discovery. The reporting conditions provided for in Article L. 133-24 were therefore satisfied. The Court accordingly ordered Banque Palatine to reimburse the full amount of the misappropriated sums, namely €1,433,918.52 for the first two transfers and €1,476,296.52 for the following two, with interest at the statutory rate from 23 September 2020.

The Ineffectiveness of Limitation of Liability Clauses

Faced with this statutory obligation to reimburse, Banque Palatine attempted to invoke several contractual clauses designed to limit or exclude its liability. This argument was dismissed by the Court of Appeal, which recalled the strict limits placed by the legislature on freedom of contract in the area of payment services.

With regard to the first two transfers, the bank invoked the following clause from the “Request for Execution of Instructions Transmitted by Fax or Email” of 28 August 2018: “we [Vocalcom] undertake not to dispute the authenticity of an instruction transmitted through one of the channels indicated above provided that it was sent from the fax number or email address mentioned above and that it bears the appearance of the specimen signature deposited with the bank”.

The Court of Appeal held this clause to be inoperative. First, because, as we have seen, the instructions had not been sent from one of the email addresses mentioned in the document of 28 August 2018. Second, and more fundamentally, because Article L. 133-2 of the Monetary and Financial Code does not permit contractual derogation from the provisions of Article L. 133-18.

It is true that Article L. 133-2 authorises the parties to derogate by agreement from certain provisions of the Monetary and Financial Code, including those of Article L. 133-19 relating to losses resulting from unauthorised transactions. However, this faculty of derogation is expressly excluded “in cases where the user is a natural person acting for non-professional purposes”. While Vocalcom is admittedly not a natural person acting for non-professional purposes, Article L. 133-18 is not among the provisions from which contractual derogation is permitted, even between professionals.

This regime of objective, mandatory liability reflects the intention of the European and French legislatures to guarantee a high level of protection for users of payment services, in the face of increasingly sophisticated fraud and the information asymmetry between banking institutions and their clients.

The Client’s Faults Do Not Release the Bank

In a final attempt, Banque Palatine sought to rely against Vocalcom on the faults that it considered had been committed either by the company itself or by its employee, Mr Y.P., the chief accountant who had been deceived by the fraudsters.

The bank accused Vocalcom, among other things, of having failed to safeguard the confidentiality of the credentials and certificates required for using the EBICS T system, of having neglected to regularly check its bank statements, and of having failed to migrate to the EBICS TS system enabling payment by enhanced electronic signature, even though this more secure protocol had been available since 2017. It further denounced the credulity and lack of vigilance of Mr Y.P., who had allowed himself to be manipulated by the fraudsters without carrying out the usual checks.

The Court of Appeal rejected these arguments firmly. It first noted that, with regard to the transfers of 14 and 21 September 2020, the EBICS T credentials and certificates had not been stolen by a third party. No breach of the confidentiality of this data could therefore be attributed to Vocalcom. It was the employee himself who, having been deceived, had placed the fraudulent orders, without disclosing the authentication elements he legitimately held.

Next, and above all, the Court observed that while the bank denounced the negligence and imprudence of Vocalcom and its employee, it did not establish any “fraudulent conduct” on the part of the payer. Article L. 133-19, paragraph V, of the Monetary and Financial Code expressly provides that, “except in the case of fraudulent conduct on their part, the payer shall bear no financial consequences if the unauthorised payment transaction was carried out without the payer’s payment service provider having required the strong authentication of the payer provided for in Article L. 133-44”.

It is therefore not sufficient to invoke negligence, even gross negligence, on the part of the client. Only deliberate fraudulent conduct would be such as to prevent full reimbursement. In this case, Vocalcom and its chief accountant had been victims of a skilful and sophisticated manipulation. Their credulity, regrettable as it may have been, did not constitute personal fraud justifying that they bear the financial consequences of the bank’s failure.

⚠️ FUNDAMENTAL DISTINCTION

CLIENT NEGLIGENCE (≠ does not release the bank)
  • Lack of vigilance
  • Delay in verification
  • Credulity in the face of fraud
  • Failure to update protocols

FRAUDULENT CONDUCT (= sole ground for exemption)
  • Complicity with the fraudsters
  • Deliberate deceitful manoeuvres
  • Intent to deceive the bank
  • Active participation in the fraud

The Practical Significance of This Decision

Lessons for Banks

The ruling of the Paris Court of Appeal of 4 February 2026 sends banking institutions several unequivocal messages. These lessons form part of a consistent body of case law that places the security of payment transactions and client protection at the heart of the obligations of payment service providers.

First, banks must scrupulously comply with the authorisation procedures contractually agreed with their clients. When an agreement provides that payment orders may only be transmitted from specifically designated email addresses, the bank cannot execute orders from other addresses, even from within the same company, without carrying out additional verification or obtaining a formal amendment to the contract. Invoking an alleged “practice” that has not been formalised is not sufficient.

Second, institutions must ensure that the scope of services actually provided corresponds exactly to the options subscribed to by the client. If a contract expressly excludes international transfers, the bank cannot execute such transactions without first consulting its client and obtaining their formal agreement to extend the scope of services. This requirement of contractual consistency is not a mere formality: it constitutes an essential element in classifying the transaction as authorised or not.

Third, and this is undoubtedly the most sensitive point, banks must implement strong customer authentication for all payment transactions carried out through a remote means of communication that may involve a risk of fraud. This obligation, derived from the PSD2 Directive and the 2018 Delegated Regulation, is not optional. It has been binding on all payment service providers since September 2019. Derogatory arrangements based on earlier authorisation methods (email with a scanned copy of a signed order, for example) cannot substitute for strong authentication where this is legally required.

Fourth, contractual clauses designed to limit or exclude the bank’s liability in the event of an unauthorised transaction are, in most cases, inoperative. The liability regime under Article L. 133-18 of the Monetary and Financial Code is mandatory and cannot be set aside by agreement, even between professionals. Banks therefore cannot rely on contractual stipulations purporting to impose on the client the consequences of unauthorised transactions, provided that the legal conditions for reimbursement are met.

Finally, negligence on the part of the client, however obvious, does not release the bank from its obligation to reimburse, unless deliberate fraudulent conduct by the client is demonstrated. The credulity of an employee in the face of CEO fraud, the failure to regularly check bank statements, or the failure to migrate to a more secure protocol do not constitute faults such as to exempt the payment service provider from liability.

Lessons for Victim Companies

For corporate clients of banking institutions, this ruling constitutes an important victory and a reassuring precedent. It confirms that French law, in application of European regulation, offers robust protection against the misappropriation of funds resulting from unauthorised payment transactions.

Victims of CEO fraud or other forms of banking scams should take several lessons from this case. First, it is imperative to report any suspicious transaction to the banking institution without delay. The one-business-day reimbursement deadline runs from the moment the bank is informed. Any delay may complicate the recovery of funds and weaken the client’s position.

Furthermore, companies must carefully preserve all contractual documents governing their banking relationships: account opening agreements, remote banking service user guides, amendments, and correspondence. These documents constitute the essential evidence base for demonstrating, where necessary, that the agreed terms were not complied with by the bank.

Moreover, even though case law proves protective, it remains prudent for companies to implement internal procedures for controlling and validating payment orders, particularly for large amounts or unusual transactions. The fact that client negligence does not release the bank does not mean that all vigilance should be abandoned. Rigorous organisation not only helps prevent fraud but also enables a faster response when it does occur.

Finally, companies must be aware that, while the bank is required to reimburse the misappropriated sums, effective recovery from the fraudsters themselves is often illusory. Fraudsters generally organise a rapid dispersal of funds across accounts located abroad, making their tracing and seizure extremely difficult. Reimbursement by the bank therefore often represents the only realistic avenue for compensation.

✅ PRACTICAL RECOMMENDATIONS FOR COMPANIES
1. Immediately report any suspicious transaction to the bank
2. Preserve all contractual documents and correspondence
3. Regularly check bank statements
4. Implement dual-validation procedures for significant transfers
5. Train staff in fraud techniques (phishing, identity theft)
6. Prefer strong authentication protocols (EBICS TS, electronic signature)
7. Promptly consult a specialist lawyer in the event of a dispute with the bank

Conclusion

The ruling handed down by the Paris Court of Appeal on 4 February 2026 in the case between Vocalcom and Banque Palatine marks an important milestone in the application of payment services law derived from the PSD2 Directive. By partially overturning the first-instance judgment and ordering the bank to reimburse all four fraudulent transfers, the Court firmly asserts the protective principles governing the relationship between clients and their payment service providers.

This decision illustrates the rigour with which French courts monitor banks’ compliance with the contractual terms for authorising payment transactions. It also underscores the crucial importance of strong customer authentication, a security mechanism now mandatory for transactions carried out remotely that may involve a risk of fraud. The failure to implement such authentication is in itself sufficient to establish that the transaction was unauthorised and to trigger the bank’s strict liability.

Furthermore, the ruling reaffirms that contractual clauses limiting or excluding liability are largely ineffective in the face of the mandatory regime established by Articles L. 133-18 and L. 133-19 of the Monetary and Financial Code. Banks can only escape their obligation to reimburse by demonstrating fraudulent conduct on the part of the client, which requires far more than mere negligence or credulity.

This case law forms part of a broader movement which, at both European and national level, aims to strengthen users’ confidence in dematerialised payment methods. Faced with increasingly sophisticated fraud and the accelerating digitalisation of banking services, the legislature and the courts maintain a high standard of security and diligence incumbent upon financial institutions.

For companies that have been victims of misappropriation of funds, this ruling constitutes an encouraging precedent. It confirms that French law offers effective mechanisms for protection and compensation, provided that victims act promptly and seek the assistance of competent advisers in banking law. Specialist firms, such as lebot-avocat.com, assist companies on a daily basis in these complex disputes, where technical mastery of monetary and financial law rules is a prerequisite for a successful legal action.

FAQ

What are the time limits for disputing a fraudulent wire transfer with my bank?
You must report any unauthorised payment transaction to your bank without delay as soon as you become aware of it. Article L. 133-24 of the Monetary and Financial Code requires the user to inform their payment service provider “without undue delay” and “no later than thirteen months after the date of the debit”. After this thirteen-month period, you forfeit your right to reimbursement. In practice, the sooner you react, the greater your chances of recovering the misappropriated funds and facilitating your bank’s efforts with the beneficiary institutions.
My bank refuses to reimburse me, citing my negligence. Can it do so?
No, in most cases. As illustrated by the ruling of 4 February 2026, the mere negligence of the client, even if established, is not sufficient to release the bank from its obligation to reimburse when a payment transaction is unauthorised. Only “fraudulent conduct” on your part, meaning deliberate and conscious participation in the fraud, could release the bank. Credulity in the face of CEO fraud, failure to regularly check statements, or failure to update security protocols do not constitute fraudulent conduct. If your bank cites your negligence to refuse reimbursement, it is strongly recommended that you consult a lawyer specialising in banking law.
What is strong authentication and why is it so important?
Strong Customer Authentication (SCA) is a security mechanism that has been mandatory since September 2019, imposed by the European PSD2 Directive. It is based on the use of at least two independent elements belonging to the following categories: knowledge (a password), possession (a mobile phone, a card), and inherence (a fingerprint). The legal significance of this mechanism is crucial: Article L. 133-19 of the Monetary and Financial Code provides that if an unauthorised payment transaction was carried out without strong authentication, the client bears no financial consequences, except in the case of fraudulent conduct on their part. The absence of strong authentication can therefore in itself found the bank’s liability.
Clauses in my banking contract limit the bank’s liability. Are they valid?
In respect of unauthorised payment transactions, such clauses are generally unenforceable. The liability regime under Article L. 133-18 of the Monetary and Financial Code is mandatory: the bank must immediately reimburse unauthorised transactions, and this obligation cannot be set aside by a contractual clause. Even if you are a company (rather than an individual), you benefit from this protection. The ruling of 4 February 2026 confirmed this: Banque Palatine could not invoke the clauses of its contract to avoid reimbursement. If your bank relies on such clauses, do not hesitate to challenge their validity with the help of a lawyer.
How much can I expect to recover if I win my case against my bank?
If the court or Court of Appeal finds that the disputed transactions are unauthorised, you are entitled to full reimbursement of the misappropriated sums, with interest at the statutory rate from the date on which you reported the fraud to your bank. Interest may be capitalised in accordance with Article 1343-2 of the Civil Code. In the Vocalcom case, the company obtained reimbursement of €2,910,215.04, representing the full amount of all four fraudulent transfers, plus interest from 23 September 2020. You may also claim reimbursement of your legal fees under Article 700 of the Code of Civil Procedure (in the Vocalcom case, €10,000 was awarded on this basis).
What are my chances of success if I sue my bank for an unauthorised transfer?
Your chances of success essentially depend on two elements: demonstrating that the transaction was unauthorised, and the absence of fraudulent conduct on your part. If you can prove that the contractual authorisation procedures were not followed (unauthorised email address, absence of strong authentication, transaction outside the contractual scope), your chances are excellent. The ruling of 4 February 2026 shows that the courts rigorously apply the rules protecting payment services users. Companies and individuals who can demonstrate a clear breach of the agreed contractual terms and the absence of strong authentication are in a very strong legal position. The assistance of a specialist banking law firm is nevertheless essential for building a solid case and maximising your chances of success.