Strong Authentication and Banking Fraud: The Requirement of Proof – CA Rennes, 2nd ch., 18 November 2025, No. 23/02948

The landscape of online payments is governed by strict rules aimed at protecting consumers against fraud. At the heart of these rules lies the crucial concept of strong authentication (authentification forte). Recently, the Court of Appeal of Rennes (2nd ch., 18 November 2025, No. 23/02948) delivered an important decision confirming the order against the Caisse Régionale de Crédit Agricole Mutuel d’Ille et Vilaine (CRCAM d’Ille et Vilaine) to reimburse a client who was the victim of an unauthorised transaction. This ruling underscores the burden of proof borne by payment service providers when they allege gross negligence on the part of their clients.

CA Rennes 2e ch., 18 novembre 2025, RG n° 23/02948

The Facts: A Disputed Debit of €4,950

The case involved Mr [N] [B] against the CRCAM d’Ille et Vilaine. Mr [B], holder of a deposit account, contacted his bank on 25 June 2022 after receiving emails relating to transactions he had not authorised. On 28 June 2022, a debit of €4,950 was recorded, which Mr [B] formally denied having initiated.

Having failed to obtain reimbursement of this sum, Mr [B] sued the bank and was successful at first instance before the Tribunal de proximité of Fougères on 14 April 2023. The tribunal ordered the CRCAM d’Ille et Vilaine to reimburse the €4,950, together with €800 under Article 700 of the Code of Civil Procedure. The bank lodged an appeal against this judgment on 23 May 2023.

The Heart of the Debate: Strong Authentication and Gross Negligence

On appeal, the CRCAM d’Ille et Vilaine sought to reverse the judgment. It argued that Mr [B] had committed gross negligence (négligence grave) by communicating information relating to his account, thereby enabling the disputed debit. The bank maintained that the disputed payment transaction, carried out on 24 June 2022 for €4,950, had been completed following strong authentication.

In the event of an unauthorised payment transaction, Article L. 133-19 of the Monetary and Financial Code provides that the payer bears no financial consequences if the payment service provider did not require strong authentication. Strong authentication, as defined by Article L. 133-4 of the same code, must rely on the use of two or more elements belonging to the following categories:

  1. “Knowledge” (something only the user knows);
  2. “Possession” (something only the user possesses);
  3. “Inherence” (something the user is).

These elements must be independent, such that the compromise of one does not undermine the reliability of the others.

The Failure of the “Securipass” System

The bank presented its “Securipass” system as meeting the criteria for strong authentication. According to the bank, the transaction had combined:

  • The knowledge criterion, corresponding to Mr [B]’s confidential code.
  • The possession criterion, as Mr [B] allegedly used his mobile phone, on which the “Ma banque/Securipass” application was installed, to authorise the transaction.

However, the Court of Appeal of Rennes methodically dismantled this argument. Although the transaction record indicated that the €4,950 debit had been authenticated by Securipass, the Court held that this did not demonstrate that it constituted strong authentication within the meaning of Article L. 133-4.

The Court notably found that the bank:

  1. Failed to prove that the transaction had been validated by a second criterion (possession or inherence).
  2. Did not demonstrate in any way that the disputed payment transaction had been carried out from Mr [B]’s mobile phone or that validation by the holder of the phone was a condition of the transaction’s authentication.
  3. Contradicted itself by explaining that, since Mr [B] had never been dispossessed of his phone, the codes had “necessarily” been communicated. The Court held that this reasoning confirmed that possession of the phone was not a condition of effective authentication.

Moreover, the general terms and conditions for the bank’s online accounts merely “reserved the possibility” of subjecting certain transactions to checks requiring the use of a mobile device, which indicated that mobile phone authentication was by no means systematic.

The Court’s Decision and Its Consequences

Consequently, the Court of Appeal of Rennes held that the CRCAM d’Ille et Vilaine failed to establish that the disputed transaction had been validated by strong authentication of Mr [B]. In this context, the grounds raised by the bank concerning the negligence attributed to Mr [B] were deemed inoperative.

The Court therefore delivered its ruling on 18 November 2025:

  • It upheld the first-instance judgment regarding the reimbursement of the €4,950 debited.
  • It upheld the dismissal of the additional damages claim (moral damages and loss of enjoyment) made by Mr [B].
  • It ordered the CRCAM d’Ille et Vilaine, as the unsuccessful appellant, to pay Mr [B] an additional sum of €2,000 under Article 700 of the Code of Civil Procedure, together with the full costs of the proceedings.

This ruling reaffirms the rigour demanded by case law regarding the application of security systems. For a bank to be exonerated from liability in the event of fraud, it must not only prove the existence of a strong authentication system, but above all demonstrate irrefutably that this independent two-factor process was actually implemented and successfully completed during the disputed transaction. The mere existence of an application or the communication of codes (even through the client’s negligence) is not sufficient to discharge the bank from its security obligation.
