Strong Authentication: Strict Burden of Proof in Banking Fraud – CA Reims, 1st Civil and Commercial Chamber, 18 November 2025, No. 24/01347

The Court of Appeal of Reims, in a ruling delivered on 18 November 2025, adjudicated a dispute between Banque Populaire Alsace Lorraine Champagne and two of its clients regarding unauthorised payment transactions. The court reinforces the strict burden of proof: technical authentication logs alone do not prove client consent, and the bank bears the burden of establishing gross negligence.

The Court of Appeal of Reims, in a ruling delivered on 18 November 2025, adjudicated a dispute between S.A. Banque Populaire Alsace Lorraine Champagne (BPALC) and two of its clients, Mr [O] and Ms [A], regarding unauthorised payment transactions totalling €6,590.

CA Reims, Chambre 1 civile et commerciale, 18 novembre 2025, n° 24/01347

I. Recap of the Legal Framework

The legal framework applicable to disputes over unauthorised payment transactions rests on several key provisions of the Monetary and Financial Code (Code monétaire et financier):

  • Article L. 133-18: When a payment transaction is executed without the payer’s authorisation, the payment service provider must immediately reimburse the payer the amount of the unauthorised transaction. There is no exception to this principle other than fraud or late reporting.
  • Article L. 133-19: The payer bears all losses if they result from fraudulent acts on their part. However, mere negligence — even gross negligence — does not exonerate the bank from its reimbursement obligation under the regime introduced by the PSD2 Directive (DSP2 in French). The bank must prove that the payer acted fraudulently or committed gross negligence.
  • Article L. 133-23: When a payer denies having authorised a payment transaction, the fact that the payment instrument was used and strong authentication applied does not in itself constitute sufficient proof that the transaction was authorised. The provider must produce additional evidence proving the payer’s authorisation, authentication, accurate recording and absence of technical failure.

II. Analysis by the Court of Appeal of Reims

1. Restatement of the Burden of Proof

The Court begins by recalling the strict burden of proof regime established by Articles L. 133-18 and L. 133-23 of the Monetary and Financial Code:

The mere fact that a payment instrument was used, or that strong authentication was completed, is insufficient on its own to establish that the transaction was duly authorised by the client or that the client committed gross negligence.

In other words, the bank cannot simply point to the technical validation logs as proof that the client consented to the disputed transactions.

2. Analysis of the Evidence Presented by the Bank

BPALC produced several types of evidence to justify its refusal to reimburse:

  • Technical logs showing that the transactions had been authenticated through the “SécuriPass” application on the clients’ registered device.
  • General terms and conditions specifying the client’s obligations regarding the safeguarding of authentication credentials.
  • A chronology of events suggesting that the clients had themselves validated the transactions.

The Court held that these elements were insufficient. In particular:

  • The technical logs merely demonstrated that the authentication process was completed, but did not prove that the clients had personally and voluntarily initiated or confirmed the transactions.
  • The bank failed to produce any evidence of a technical investigation into the possibility that the authentication data had been compromised by a third party (for example, through SIM swapping, phishing or malware).
  • The bank did not establish that the clients had communicated their credentials to a third party or had failed to comply with specific security obligations.

3. Assessment of the Clients’ Alleged Negligence

The bank also argued that the clients had been grossly negligent by failing to secure their authentication devices and by not alerting the bank immediately. The Court rejected this argument, holding that:

  • The bank did not identify any concrete act of negligence attributable to the clients.
  • The fact that the clients did not immediately detect the fraud does not in itself constitute gross negligence, particularly where the transactions occurred in rapid succession and the clients were not alerted by the bank’s own fraud detection systems.
  • The burden of proving gross negligence rests exclusively on the bank, and this burden was not discharged.

III. The Award and Its Lessons

The Court of Appeal of Reims reversed the first-instance judgment and ordered BPALC to reimburse the full amount of the unauthorised transactions (€6,590), plus:

  • Interest at the statutory rate from the date of formal notice.
  • €2,000 under Article 700 of the Code of Civil Procedure.

Key lessons from this ruling:

  • Technical authentication logs do not constitute proof of client consent.
  • Banks must investigate the possibility of third-party compromise of authentication data before refusing reimbursement.
  • The burden of proving gross negligence rests squarely on the bank and requires concrete, specific evidence.
  • Victims of banking fraud should not hesitate to challenge refusals of reimbursement, as the case law increasingly favours consumer protection.