55logo mikael le bot avocat

Strong Authentication: Strict Burden of Proof in Banking Fraud – CA Reims, 1st Civil and Commercial Chamber, 18 November 2025, No. 24/01347

  • Banking Law
The Court of Appeal of Reims, in a ruling delivered on 18 November 2025, adjudicated a dispute between Banque Populaire Alsace Lorraine Champagne and two of its clients regarding unauthorised payment transactions. The court reinforces the strict burden of proof: technical authentication logs alone do not prove client consent, and the bank bears the burden of establishing gross negligence.

The Court of Appeal of Reims, in a ruling delivered on 18 November 2025, adjudicated a dispute between S.A. Banque Populaire Alsace Lorraine Champagne (BPALC) and two of its clients, Mr [O] and Ms [A], regarding unauthorised payment transactions totalling €6,590.

CA Reims, Chambre 1 civile et commerciale, 18 novembre 2025, n° 24/01347

I. Recap of the Legal Framework

The legal framework applicable to disputes over unauthorised payment transactions rests on several key provisions of the Monetary and Financial Code (Code monétaire et financier):

  • Article L. 133-18: When a payment transaction is executed without the payer’s authorisation, the payment service provider must immediately reimburse the payer the amount of the unauthorised transaction. There is no exception to this principle other than fraud or late reporting.
  • Article L. 133-19: The payer bears all losses if they result from fraudulent acts on their part. However, mere negligence — even gross negligence — does not exonerate the bank from its reimbursement obligation under the regime introduced by the DSP2 Directive. The bank must prove that the payer acted fraudulently or committed gross negligence.
  • Article L. 133-23: When a payer denies having authorised a payment transaction, the fact that the payment instrument was used and strong authentication applied does not in itself constitute sufficient proof that the transaction was authorised. The provider must produce additional evidence proving the payer’s authorisation, authentication, accurate recording and absence of technical failure.

II. Analysis by the Court of Appeal of Reims

1. Restatement of the Burden of Proof

The Court begins by recalling the strict burden of proof regime established by Articles L. 133-18 and L. 133-23 of the Monetary and Financial Code:

The mere fact that a payment instrument was used, or that strong authentication was completed, is insufficient on its own to establish that the transaction was duly authorised by the client or that the client committed gross negligence.

In other words, the bank cannot simply point to the technical validation logs as proof that the client consented to the disputed transactions.

2. Analysis of the Evidence Presented by the Bank

The BPALC produced several types of evidence to justify its refusal to reimburse:

  • Technical logs showing that the transactions had been authenticated through the “SécuriPass” application on the clients’ registered device.
  • General terms and conditions specifying the client’s obligations regarding the safeguarding of authentication credentials.
  • A chronology of events suggesting that the clients had themselves validated the transactions.

The Court held that these elements were insufficient. In particular:

  • The technical logs merely demonstrated that the authentication process was completed, but did not prove that the clients had personally and voluntarily initiated or confirmed the transactions.
  • The bank failed to produce any evidence of a technical investigation into the possibility that the authentication data had been compromised by a third party (for example, through SIM swapping, phishing or malware).
  • The bank did not establish that the clients had communicated their credentials to a third party or had failed to comply with specific security obligations.

3. Assessment of the Client’s Alleged Negligence

The bank also argued that the clients had been grossly negligent by failing to secure their authentication devices and by not alerting the bank immediately. The Court rejected this argument, holding that:

  • The bank did not identify any concrete act of negligence attributable to the clients.
  • The fact that the clients did not immediately detect the fraud does not in itself constitute gross negligence, particularly where the transactions occurred in rapid succession and the clients were not alerted by the bank’s own fraud detection systems.
  • The burden of proving gross negligence rests exclusively on the bank, and this burden was not discharged.

III. The Award and Its Lessons

The Court of Appeal of Reims reversed the first-instance judgment and ordered BPALC to reimburse the full amount of the unauthorised transactions (€6,590), plus:

  • Interest at the statutory rate from the date of formal notice.
  • €2,000 under Article 700 of the Code of Civil Procedure.

Key lessons from this ruling:

  • Technical authentication logs do not constitute proof of client consent.
  • Banks must investigate the possibility of third-party compromise of authentication data before refusing reimbursement.
  • The burden of proving gross negligence rests squarely on the bank and requires concrete, specific evidence.
  • Victims of banking fraud should not hesitate to challenge refusals of reimbursement, as the case law increasingly favours consumer protection.
1521 2281 max

Need Personalized Legal Advice?

Don’t face your questions alone. A lawyer can call you back for free to review your situation.

Be Contacted by a Lawyer

Need Personalized Legal Advice?

GDPR:

Similar Articles

assets task 01jwreep41e6sshen0x1x7b6k5 1748872242 img 1

Apple Pay Fraud: When Activating Apple Pay Is Not Enough to Prove Client Negligence (CA Chambery, 1st Ch., 9 Sept. 2025, No. 23/00184)

The use of mobile payment services such as Apple Pay simplifies daily transactions. However, in case of fraud, the fight for reimbursement can be arduous. ...

authentification forte

Transactions Validated by Secur’Pass and Bank Liability – Court of Appeal of Rouen, 25 September 2025, No. 24/02415

The judgment of the Court of Appeal of Rouen of 25 September 2025 constitutes an illustration of the rules governing unauthorized payment transactions and the ...
usurpation identite 2

White Paper: Essential Guide to Preventing Fraud

Fraud, whether online or offline, represents a growing threat to individuals and businesses. With the rapid evolution of technology and the increase in digital transactions, ...