In two rulings dated January 15, 2025 (Com. Jan. 15, 2025, FS-B, No. 23-13.579; Com. Jan. 15, 2025, FS-B, No. 23-15.437), the Commercial Chamber of the Court of Cassation confirmed its case law regarding the liability of payment service providers. These decisions, accompanied by a press release, highlight the importance attached to certain solutions in matters of banking fraud.
The Exclusivity of Special Law in Banking Liability
The Court of Cassation reiterated that the rules set out in Articles L. 133-18 to L. 133-24 of the French Monetary and Financial Code are exclusively applicable in matters of payment service provider liability. General law, such as Article 1231-1 of the Civil Code, is therefore precluded whenever the specific provisions of the Monetary and Financial Code are applicable. This position is consistent with recent case law from the Commercial Chamber (Com. May 2, 2024, No. 22-18.074 F-B; Com. Mar. 27, 2024, No. 22-21.200 FS-B). It also aligns with the Beobank ruling of the Court of Justice of the European Union, which excludes the joint application of liability regimes in order to preserve the harmonization intended by European directives (CJEU Mar. 16, 2023, Beobank, Case C-351/21; CJEU Sept. 2, 2021, CRCAM, Case C-337/20).
Case Study: Two Banking Fraud Cases
The January 15, 2025 rulings concern two separate cases:
- Trojan horse fraud: In the first case (Com. Jan. 15, 2025, FS-B, No. 23-13.579), companies were victims of fraudulent wire transfers following the infection of their accountant’s computer by a “Trojan horse” virus. The press release notes that the email containing the virus was manifestly deceptive (p. 1). The Court of Appeal had found gross negligence on the part of the companies (L. 133-19, IV of the Monetary and Financial Code), but had also identified a breach of the bank’s duty of vigilance.
- Fraudulent IBAN modification: In the second case (Com. Jan. 15, 2025, FS-B, No. 23-15.437), a married couple found that a seller’s IBAN had been substituted by a third party in their email correspondence. In this case, Article L. 133-21 of the Monetary and Financial Code was at the heart of the dispute. Under this provision, the payment service provider is not held liable for an error in the IBAN or bank details transmitted by the service user (cf. regarding the modification of an IBAN without the payer’s knowledge, the Commercial Chamber had previously held that “a wire transfer order that was regular at the time of its drafting but whose destination account IBAN number was subsequently modified by a third party without the payer’s knowledge does not constitute an authorized transaction” Com. June 1, 2023, No. 21-19.289 F-B). However, despite the incorrect IBAN provided by the users, the Court of Appeal had held the bank liable under general law for breach of its duty of vigilance, considering that it should have verified the absence of any apparent anomaly.
The Decision of the Commercial Chamber of the Court of Cassation: A Reminder of Banks’ Obligations
The Court of Cassation quashed both appellate rulings for violation of the law. It held that if the lower courts establish gross negligence on the part of the client (Com. Mar. 27, 2024, No. 22-21.200 FS-B; Com. June 1, 2023, No. 21-19.289 F-B) or an incorrect IBAN (Com. May 2, 2024, No. 22-18.074 F-B), they cannot simultaneously invoke the general law regime to sanction the banking institution’s conduct. According to the Commercial Chamber, gross negligence established on the basis of Article L. 133-19, IV of the Monetary and Financial Code, or the regime applicable to an incorrect IBAN (L. 133-21 of the Monetary and Financial Code) cannot, in short, be neutralized or even circumvented by reverting to general law.
Impact of These Decisions on Banking Reimbursements
These decisions by the Commercial Chamber appear to close the door to a distributive application of rules between general law and special law, in the continuation of the Beobank ruling. The Commercial Chamber favors a strict interpretation of the provisions of the Monetary and Financial Code, which is particularly favorable to banks.
In the era of artificial intelligence, this case law raises significant questions about what remains of the banker’s duty of vigilance.
Indeed, according to BPI, “Banks invested more than 150 billion euros in artificial intelligence in 2024, according to figures from IDC. This represents 13% of AI investments worldwide” and “Through the application of machine learning algorithms, artificial intelligence systems are capable of analyzing transactions in real time, a solution that facilitates the identification of new fraud patterns and suspicious behavior” (source: BPI).
Given the technological tools available to both banks and fraudsters, the duty of vigilance remains, today, the last and most powerful safeguard against banking fraud, as it allows for escaping fraudulent schemes. Yet case law seems to want to lower the level of user protection to the authorized/unauthorized transaction dichotomy, in order to ensure complete harmonization.
One wonders whether, ultimately, this desire for excessive harmonization does not lead to a race to the bottom to the detriment of users, losing sight of the directive’s objectives. It must be kept in mind that trust in the banking system is an indispensable pillar for the proper functioning of the economy. The level of user protection is therefore a particularly sensitive parameter, and it risks being put to the test by the development of new technologies related to artificial intelligence.
