Strong Authentication: Strict Burden of Proof in Banking Fraud – CA Reims, 1st Civil and Commercial Chamber, 18 November 2025, No. 24/01347

The Court of Appeal of Reims, in a ruling delivered on 18 November 2025, adjudicated a dispute between Banque Populaire Alsace Lorraine Champagne and two of its clients regarding unauthorised payment transactions. The court reinforces the strict burden of proof: technical authentication logs alone do not prove client consent, and the bank bears the burden of establishing gross negligence.

The Court of Appeal of Reims, in a ruling delivered on 18 November 2025, adjudicated a dispute between S.A. Banque Populaire Alsace Lorraine Champagne (BPALC) and two of its clients, Mr [O] and Ms [A], regarding unauthorised payment transactions totalling €6,590.

CA Reims, 1st Civil and Commercial Chamber, 18 November 2025, No. 24/01347

I. Recap of the Legal Framework

The legal framework applicable to disputes over unauthorised payment transactions rests on several key provisions of the Monetary and Financial Code (Code monétaire et financier):

  • Article L. 133-18: When a payment transaction is executed without the payer’s authorisation, the payment service provider must immediately reimburse the payer the amount of the unauthorised transaction. There is no exception to this principle other than fraud or late reporting.
  • Article L. 133-19: The payer bears all losses if they result from fraudulent acts on their part. However, mere negligence — even gross negligence — does not exonerate the bank from its reimbursement obligation under the regime introduced by the PSD2 Directive. The bank must prove that the payer acted fraudulently or committed gross negligence.
  • Article L. 133-23: When a payer denies having authorised a payment transaction, the fact that the payment instrument was used and strong authentication applied does not in itself constitute sufficient proof that the transaction was authorised. The provider must produce additional evidence proving the payer’s authorisation, authentication, accurate recording and absence of technical failure.

II. Analysis by the Court of Appeal of Reims

1. Restatement of the Burden of Proof

The Court begins by recalling the strict burden of proof regime established by Articles L. 133-18 and L. 133-23 of the Monetary and Financial Code:

The mere fact that a payment instrument was used, or that strong authentication was completed, is insufficient on its own to establish that the transaction was duly authorised by the client or that the client committed gross negligence.

In other words, the bank cannot simply point to the technical validation logs as proof that the client consented to the disputed transactions.

2. Analysis of the Evidence Presented by the Bank

BPALC produced several types of evidence to justify its refusal to reimburse:

  • Technical logs showing that the transactions had been authenticated through the “SécuriPass” application on the clients’ registered device.
  • General terms and conditions specifying the client’s obligations regarding the safeguarding of authentication credentials.
  • A chronology of events suggesting that the clients had themselves validated the transactions.

The Court held that these elements were insufficient. In particular:

  • The technical logs merely demonstrated that the authentication process was completed, but did not prove that the clients had personally and voluntarily initiated or confirmed the transactions.
  • The bank failed to produce any evidence of a technical investigation into the possibility that the authentication data had been compromised by a third party (for example, through SIM swapping, phishing or malware).
  • The bank did not establish that the clients had communicated their credentials to a third party or had failed to comply with specific security obligations.

3. Assessment of the Client’s Alleged Negligence

The bank also argued that the clients had been grossly negligent by failing to secure their authentication devices and by not alerting the bank immediately. The Court rejected this argument, holding that:

  • The bank did not identify any concrete act of negligence attributable to the clients.
  • The fact that the clients did not immediately detect the fraud does not in itself constitute gross negligence, particularly where the transactions occurred in rapid succession and the clients were not alerted by the bank’s own fraud detection systems.
  • The burden of proving gross negligence rests exclusively on the bank, and this burden was not discharged.

III. The Award and Its Lessons

The Court of Appeal of Reims reversed the first-instance judgment and ordered BPALC to reimburse the full amount of the unauthorised transactions (€6,590), plus:

  • Interest at the statutory rate from the date of formal notice.
  • €2,000 under Article 700 of the Code of Civil Procedure.

Key lessons from this ruling:

  • Technical authentication logs do not constitute proof of client consent.
  • Banks must investigate the possibility of third-party compromise of authentication data before refusing reimbursement.
  • The burden of proving gross negligence rests squarely on the bank and requires concrete, specific evidence.
  • Victims of banking fraud should not hesitate to challenge refusals of reimbursement, as the case law increasingly favours consumer protection.