Since the entry into force of the provisions arising from PSD2, the question of remote payment security and banking liability in the face of fraud has been at the center of legal debates. The obligation of strong authentication (C. mon. fin., art. L. 133-44 and L. 133-19, V) is an essential pillar of this legislation, expressly aimed at combating unauthorized transactions. The Court of Cassation, by its ruling of 22 October 2025 (No. 24-19.749), forcefully reaffirms the primacy of this legal obligation.
Summary of the Facts
The fight against unauthorized payment transactions relies heavily on strong authentication. This legal requirement obliges banks to implement robust security mechanisms for remote transactions. However, fraud persists.
The case opposes the Caisse de credit agricole mutuel des Savoie against its client, Mr. [J]. On 6 March 2021, Mr. [J] was the victim of phishing. He responded to an email he believed to be authentic, prompting him to disclose confidential data to “activate” his strong authentication system. The following day, an unauthorized transfer was detected.
The bank refused reimbursement, arguing that Mr. [J] had committed gross negligence (negligence grave).
The bank contended that the client had himself enabled the fraud by communicating confidential codes (including those allowing the validation of adding a beneficiary and the transfer) after responding to an email presenting anomalies.
The Court of Cassation Reaffirms the Primacy of Strong Authentication
The Court of Cassation rejects the bank’s appeal and orders it to reimburse the fraudulent transactions. Why such rigor, even in the face of serious fault by the client?
The central question is not whether the client was negligent – it is acknowledged that he was grossly so. The real question is whether the payment service provider fulfilled its obligation to require strong authentication.
Article L. 133-19, V of the Monetary and Financial Code provides that “Except in the case of fraudulent conduct on his part, the payer shall not bear any financial consequences if the unauthorized payment transaction was carried out without the payer’s payment service provider requiring strong authentication of the payer.”
In other words, the burden of proof lies with the provider. The bank must be able to prove that it actually applied and required strong authentication during the contested payment transaction.
The ruling explicitly notes that, although Mr. [J] committed gross negligence by communicating confidential data after responding to an email presenting flagrant anomalies, the bank failed to prove that it had required the activation of strong authentication.
The court correctly deduced that, in the absence of the bank proving compliance with its legal obligation to require strong authentication, the payer’s gross negligence is not such as to exempt it from the obligation to reimburse.
In clear terms, the a contrario interpretation of Article L. 133-19, V of the CMF is validated: the client’s gross negligence, even if established, is not sufficient if the bank fails to prove the implementation of strong authentication at the time of the transaction. In other words, the client’s fault becomes secondary as long as the bank does not provide proof that it applied the level of security required by law. Strong authentication thus constitutes the prerequisite and indispensable condition enabling the banking institution to exclude its liability; failing this, the bank remains obliged to reimburse the fraudulently debited sums, even if the client’s behavior facilitated the fraud.
Consequently, the bank was ordered to reimburse Mr. [J] and to pay him 3,000 euros under Article 700 of the Code of Civil Procedure.