The legislator has recently shown a very marked interest in the crucial question of combating banking fraud. In this context, Law No. 2025-1058 of 6 November 2025, published in the Official Journal of the French Republic (JORF) on 7 November 2025, introduces several measures designed to protect consumers more effectively. Drawing on the European framework (in particular Regulation (EU) 2024/886 on instant transfers and the DSP2 Directive), this law addresses several shortcomings identified in practice.
Loi n° 2025-1058 du 6 novembre 2025
I. Creation of a Register of Persons Declared Victims of Payment Fraud
The law creates a new register managed by the Banque de France, centralising information on persons who have been identified as victims of payment fraud (new Article L. 141-4-2 of the Monetary and Financial Code).
Purpose: This register is designed to enable payment service providers to detect accounts frequently used as conduits for fraud (“mule” accounts). The data recorded includes:
- Account numbers used as the destination of fraudulent funds.
- The identity of the holders of these accounts (subject to strict conditions regarding data protection).
Access: Only payment service providers, the public prosecution service, criminal investigation officers and the Banque de France itself will have access to this register. The duration of data retention is set at five years, with the possibility for the person concerned to request rectification or deletion under certain conditions.
Practical significance: For fraud victims, this mechanism should accelerate the blocking of mule accounts. For payment service providers, the obligation to consult this register before executing certain transfers constitutes a new due diligence requirement.
II. Enhancement of Strong Authentication: Towards Greater Security in Remote Payments
The law reinforces the requirements in terms of strong customer authentication for remote payment operations, by requiring payment service providers to:
- Display clearly, at the time of authentication, the amount and the beneficiary of the transaction, so that the user can verify that the operation matches their intention.
- Implement enhanced detection mechanisms for suspicious transactions, in particular by cross-referencing authentication data with behavioural data (usage habits, geolocation, device used).
The purpose is to combat the increasingly sophisticated techniques used by fraudsters who intercept authentication codes or manipulate clients into validating fraudulent transactions through spoofing or phishing.
III. Regulation of Instant Transfers: Beneficiary Verification and Anomaly Detection
In line with the European Regulation on instant transfers (EU) 2024/886, the law introduces a mechanism for verification of the concordance between the name and the IBAN of the beneficiary before execution of the transfer:
- The payment service provider of the payer must inform the latter, before execution, if there is a discrepancy between the name indicated by the payer and the name of the actual holder of the beneficiary account.
- In the event of a discrepancy, the payer must be given the opportunity to confirm or cancel the transaction before it is executed.
- If the provider fails to carry out this verification and a fraud occurs, it may be held liable for the resulting loss.
This provision responds directly to the growing problem of wire transfer fraud, where victims are tricked into transferring funds to accounts whose holder identity does not match the expected beneficiary.
IV. Extension of the Right to Reimbursement in Cases of Spoofing (Bank Agent Identity Theft)
The law codifies a right to reimbursement specifically adapted to spoofing fraud scenarios. A new Article L. 133-19-1 of the Monetary and Financial Code provides that:
- When a payer has been the victim of identity theft by a person impersonating an employee or agent of the payment service provider, the provider must reimburse the amount of the unauthorised transaction within a set timeframe.
- The provider may only escape this obligation if it proves fraud by the payer (not mere negligence).
- The reimbursement is subject to a cap (the amount to be determined by decree).
This provision constitutes a significant advance for victims of spoofing, as it shifts the burden of proof more clearly onto banks and limits the scope of the “gross negligence” defence that has traditionally been used to refuse reimbursement.
V. Implementation Timeline and Practical Significance
The various provisions of this law will enter into force according to a staggered timeline:
- The fraud victim register: entry into force on a date to be set by decree, no later than six months after publication of the law.
- The IBAN/name verification: entry into force from 1 October 2026, consistent with the European regulation timeline.
- The spoofing reimbursement mechanism: applicable to fraud committed from the date the law enters into force.
This law represents a paradigm shift in the allocation of fraud risk between banks and their customers. By strengthening prevention mechanisms and facilitating reimbursement, the legislator sends a clear signal: payment service providers must invest more in fraud detection and can no longer rely solely on authentication procedures to deflect responsibility.
