In a ruling dated 27 January 2026, the Angers Court of Appeal reversed a first-instance decision and ordered Credit Agricole to reimburse 11,593 euros to a limited liability company (SARL) that fell victim to a particularly elaborate telephone scam. This decision illustrates the limits of the concept of “gross negligence” in banking fraud cases.
CA Angers, Commercial Chamber, 27 January 2026, No. 21-02328
The facts: a sophisticated scam
On 4 November 2019, Ms [R], manager of SARL Reception Val de Loire, received a telephone call that would devastate her company’s cash flow. The caller introduced himself as an adviser from her Credit Agricole branch and claimed to need to set up the “SecuriPass” service, a security feature actually used by the bank.
The scam was meticulously prepared. The call appeared to come from the bank branch’s number, which was saved in the manager’s phone. Moments later, she received two confidential codes in succession: the first by SMS at 3:29 PM, the second by email at 3:31 PM. Under pressure from the caller, Ms [R] disclosed both codes, despite the warnings accompanying them.
The consequences were immediate: four new beneficiaries were created in the manager’s “Credit Agricole en ligne” online banking space, and six fraudulent transfers were made totalling nearly 26,000 euros, four of which were debited from the company’s business account (20,885 euros).
The bank’s initial position: unforgivable negligence
Faced with its client’s reimbursement request, Credit Agricole categorically refused. Its argument relied on Article L. 133-19 IV of the Monetary and Financial Code, which provides that the client bears the losses in cases of “gross negligence”.
For the bank, the case was clear-cut: Ms [R] had received two explicit messages stating “NEVER DISCLOSE THIS TO ANYONE.” The second email even specified that “this code will never be requested from you (neither by phone, nor by email, nor by any other means) by a Credit Agricole representative.” By disclosing these codes regardless, the manager had allegedly committed an inexcusable error.
This position was upheld at first instance. On 26 July 2021, the Le Mans Commercial Court dismissed the company’s claims in their entirety, holding that the fraudulent transfers were “solely the result of the manager’s gross and culpable negligence.” It was a legal rebuff for the victim company, which was additionally ordered to pay 500 euros to the bank in legal costs.
The turning point on appeal: putting the facts in context
SARL Reception Val de Loire filed an appeal on 29 October 2021. Its argument took a different approach: rather than denying having disclosed the codes, it challenged the characterisation of “gross negligence” in light of the exceptional circumstances of the fraud.
The Angers Court of Appeal, in its ruling of 27 January 2026, meticulously reconstructed this context to assess the victim’s behaviour. It identified several decisive elements:
Telephone number spoofing: the fraudster used “spoofing” techniques to display the bank branch’s actual phone number, creating an appearance of legitimacy that was difficult for an unsuspecting user to detect.
Temporal consistency: the first confidential code was sent by SMS from a number actually used by Credit Agricole, appearing as a continuation of previous legitimate messages from the bank, which could only reinforce the manager’s trust.
The apparent authenticity of the communications: the second code was sent from an email address “[Email 5]” displaying all the characteristics of the bank’s usual messages, with a perfectly consistent subject line (“registration for the SecuriPass service”).
Immediate confirmation: one minute after disclosing the second code, Ms [R] received a new email, apparently sent by the bank and signed with her adviser’s name, confirming “the successful activation of the SecuriPass service.”
The timing of the scam: the new beneficiaries were registered between 10:35 PM and 12:23 AM, late hours that prevented any immediate reaction from the victim.
The Court’s decision: error is not gross negligence
For the Court of Appeal, these elements were decisive. It first recalled the fundamental principle regarding the burden of proof: it is for the bank to demonstrate the client’s gross negligence, in accordance with Article L. 133-23 of the Monetary and Financial Code.
In its reasoning, the Court drew a subtle but essential distinction between “an error that was admittedly gross in hindsight” and “gross negligence.” It acknowledged that Ms [R] did indeed make an error in disclosing the codes despite the warnings. However, this error was explained by a “climate of trust” artificially created by the fraudster.
The Court particularly emphasised that the victim was deprived of the “necessary time for reflection and critical distance” by the use of a “telephone process lasting only a few minutes.” Faced with the convergence of multiple consistent factors (displayed phone number, coherent narrative, apparently authentic messages), the manager’s reaction appeared understandable.
The bank therefore failed to prove gross negligence in the legal sense of the term. Consequently, it had to assume its responsibility and reimburse the fraudulently debited funds.
The limits of the decision
SARL Reception Val de Loire also claimed 1,000 euros in damages for non-pecuniary harm. On this point, the Court dismissed the claim, holding that the company “failed to prove the existence of the alleged non-pecuniary harm.”
This distinction is noteworthy: while the manager did not commit gross negligence that would justify her bearing the financial losses, she likewise did not suffer compensable non-pecuniary harm as a result of the bank’s reproaches or its potential failures in IT security.
Practical lessons from this case
This decision provides several important lessons for businesses and individuals:
The sophistication of the fraud is taken into account: judges do not mechanically apply the concept of gross negligence but concretely examine the circumstances of the scam. The more elaborate the fraud, the less likely the client is to be deemed grossly negligent.
Warnings are not always sufficient: even if messages contained explicit warnings, these can be neutralised by a sufficiently convincing array of indicators of legitimacy.
The burden of proof lies with the bank: this is a crucial legal point, often overlooked. It is not for the client to prove that they were not negligent, but for the bank to demonstrate gross negligence.
The speed of the scam matters: the fact that the victim was put under pressure within a very short timeframe works in their favour, as they did not have the time necessary to verify the information.
Partial recovery does not erase liability: although the bank recovered a significant portion of the funds (14,292 euros out of 26,885 euros misappropriated), it remains liable to reimburse the balance.
Conclusion: towards a better balance between security and victim protection
This ruling by the Angers Court of Appeal forms part of a body of case law that seeks to strike a balance between holding clients accountable and protecting the victims of increasingly sophisticated scams.
It serves as a reminder that banks cannot systematically avoid their liability by invoking client negligence merely because the client disclosed a confidential code. The assessment must be contextualised, taking into account all the circumstances that led to the error.
For businesses, this decision represents a positive signal: even in cases of clear error, the courts may recognise that it does not necessarily constitute gross negligence when it results from a particularly elaborate manipulation exploiting human rather than technical vulnerabilities.
Nevertheless, the best protection remains vigilance: even a call from a known number or an apparently authentic email should arouse suspicion whenever it leads to a request to disclose confidential codes, regardless of the justifications offered.


