Cass. com., 23 Oct. 2024, no. 23-16.267
Introduction
The security of electronic payments is a major concern for both consumers and banks. Phone spoofing, where a fraudster impersonates a bank advisor, raises crucial questions about client liability and the obligations of payment service providers. The recent decision of the Court of Cassation (Cass. com., 23 Oct. 2024, no. 23-16.267) provides important clarifications on the concept of “gross negligence” within the meaning of Article L. 133-19 of the French Monetary and Financial Code.
A case of phone spoofing
In this case, a client was deceived by a fake bank advisor using a number that appeared to be that of his actual bank advisor. Convinced that his account had been hacked, he followed the fraudster’s instructions, resulting in fraudulent debits. BNP PARIBAS refused to reimburse, alleging gross negligence on the part of the client, but the lower courts (Court of Appeal of Versailles, 13th chamber, 28 March 2023, no. 21/07299) and the Court of Cassation rejected this argument.
The concept of gross negligence in question
The Court of Cassation reiterates that the burden of proving gross negligence lies with the payment service provider.
The ruling notes that the number displayed on Mr. [J]’s phone matched that of his bank advisor, Ms. [Y], which led him to believe that he was actually interacting with a bank employee. Acting on that trust, he re-registered and validated transfer beneficiaries he knew, thinking he was performing a secure operation on the bank’s application. The Court emphasizes that the spoofing method of operation reduced his vigilance, unlike email fraud where a more careful analysis of anomalies would have been possible.
The Court also emphasizes that:
- Gross negligence is not limited to mere fault.
- Specific circumstances play a key role in its assessment. In this case, the Court of Appeal had notably found that the number displayed on the victim’s phone matched that of their bank advisor, which led them to believe they were actually interacting with a bank employee. Acting on that trust, they re-registered and validated transfer beneficiaries they knew, thinking they were performing a secure operation on the bank’s application.
- The spoofing method of operation reduces the victim’s vigilance, unlike other forms of fraud such as phishing, where the victim would have had more time to notice potential anomalies revealing the fraudulent origin of the email.
Strict case law on payer liability
The decision falls within a strict line of case law, where the payer’s absence of liability is set aside only sparingly. For example, in the area of phishing (Cass. com., 2 Oct. 2007, no. 05-19.899), particular circumstances are required to establish gross negligence.
A welcome ruling
As a lawyer defending the interests of bank clients, one can obviously only be satisfied with the solution provided by the Commercial Chamber of the Court of Cassation. It is a strong signal sent to banks but also to public authorities, who have finally taken action, notably with the implementation of the *STIR/SHAKEN* protocol, which came into force last year and helps to reduce phone scams by authenticating incoming calls. STIR/SHAKEN refers to a set of protocols and methods developed to authenticate the caller and associated data during calls made over the VoIP network.
Beyond this perspective, it is important to highlight the reasons why this decision of the Court of Cassation is welcome, particularly with regard to the stakes involved in the protection of users of the banking system.
Indeed, with the development of technological tools available to fraudsters, their ease of access, and their speed, businesses and individuals will become ever more vulnerable to increasingly sophisticated identity theft. The technological revolution we are currently experiencing with the rise of artificial intelligence and all the dangers it harbors, deepfakes in particular, necessarily makes us more vulnerable to this type of fraud.
To deny this and simply rely entirely on the personal responsibility of each user to thwart such schemes would ultimately undermine the essential trust that all economic actors must have in the banking system as a whole.
Trust in the banking system is a fundamental pillar of economic and social stability. Banks play a central role as financial intermediaries, enabling the collection of savings and their allocation in the form of loans to finance the projects of individuals, businesses, and institutions. This trust rests on several elements: the security of deposits, the integrity of transactions, the confidentiality of personal data, and the reliability of advice provided. Fraud such as spoofing and fake bank advisor scams erode this trust by exposing clients to significant financial losses and undermining their sense of security.
A banking system perceived as vulnerable to cyberattacks or identity theft can lead to a reluctance to use online services, slow technological innovation, and limit economic flows. This is why it is imperative for banks to strengthen their security and transparency measures, while educating their clients on the behaviors to adopt in the face of digital threats. Trust is not a given, but a fragile balance that must be protected to ensure the resilience and sustainability of the banking system.
Impact for consumers and banks
This case law strengthens consumer protection against sophisticated fraud, while imposing heightened vigilance on banks in securing payments. It underscores the importance for clients of promptly reporting any suspicion of fraud.
Conclusion
Recent case law shows that courts carefully examine each case of banking fraud to determine whether gross negligence can be established. Consumers, for their part, must remain cautious, but they benefit from strong legal protection in the event of fraud.

