Transactions Validated by Secur’Pass and Bank Liability – Court of Appeal of Rouen, 25 September 2025, No. 24/02415

The judgment of the Court of Appeal of Rouen of 25 September 2025 constitutes an illustration of the rules governing unauthorized payment transactions and the burden of proof of gross negligence. The Court recalls the enhanced protection of the fraud victim, even when transactions have been validated via a strong authentication system such as Secur’Pass.

The judgment rendered by the Court of Appeal of Rouen, Civil and Commercial Chamber, on 25 September 2025 (No. 24/02415), constitutes an interesting illustration of the application of the rules governing unauthorized payment transactions and the burden of proof of gross negligence attributed to the payment service user. Upholding the first instance decision of the Dieppe Judicial Court, the Court rejects the appeal of S.A. Caisse d’Epargne et de Prevoyance Normandie and recalls the enhanced protection of the user who is a victim of fraud, even when transactions have been validated via a strong authentication system such as “Secur’Pass.”

I. Summary of Facts and First Instance Proceedings

A. The Fraud Scenario

The case originates from a fraud attempt whose victim was Mrs. [W] [J], holder of several accounts at Caisse d’Epargne (a joint deposit account with Mr. [B] [Z], a Livret A and a Livret LLDS).

On 23 February 2022, Mrs. [J], having posted an advertisement for the sale of a sun lounger on a social network, was contacted by a third party wishing to pay via the PayPal platform. She then received a call from a person presenting themselves as a PayPal employee who guided her through the purported receipt of a transfer. Although Mrs. [J] claimed she refused to transmit certain confidential information, she subsequently noticed a credit transfer of 3,030 euros on her deposit account, which actually came from her Livret A.

The fraudster then recontacted her, requesting the reimbursement of 3,000 euros allegedly transferred by mistake. The bank ultimately informed Mrs. [J] that two transfers totaling 5,000 euros (1,500 euros and 3,500 euros) had been made to accounts abroad.

B. The First Instance Decision

Faced with the bank’s refusal to bear the loss of 5,000 euros, and after a failed mediation with the French Banking Federation (Fédération Bancaire Française) (17 June 2022), Mrs. [J] and Mr. [Z] sued Caisse d’Epargne before the Dieppe Judicial Court.

By a judgment of 11 April 2024 (reference No. 23/01229), the Dieppe Judicial Court ordered the bank to pay the clients the sum of 5,000 euros plus interest at the legal rate. S.A. Caisse d’Epargne et de Prevoyance Normandie appealed this decision.

II. The Parties’ Arguments on Appeal

A. The Bank’s Claims (Appellant)

Caisse d’Epargne et de Prevoyance Normandie based its appeal on several grounds:

1. Authorized Transactions and Strong Authentication: The bank emphasized having implemented the strong authentication device “Secur’Pass”, requiring a confidential code known to the client, a dedicated phone number and a four-digit code. It claimed that the addition of a new beneficiary and the two transfers (for 5,000 euros) had been carried out and validated by this strong authentication on Mrs. [J]’s mobile phone.

2. Client Participation and Gross Negligence: The bank contended that these transactions could not have been carried out without Mrs. [J]’s participation. In the event that the unauthorized payment rules applied, it claimed that Mrs. [J] had committed gross negligence (negligence grave) by validating the addition of the beneficiary, the disputed transfers, and potentially by transmitting a code to the fraudster (allegation based on the initial complaint).

B. The Clients’ Defense (Respondents)

Mrs. [J] and Mr. [Z] sought full confirmation of the Dieppe judgment. They denied having communicated their identifiers.

They advanced the following arguments:

1. Non-Authorization: They denied being the originators of the transfer transactions.

2. Failure to Prove Gross Negligence: They asserted that proof of gross negligence could not be inferred from the mere fact that their personal data had been used.

3. Bank’s Fault: They noted that no cooling-off period had occurred between the addition of the new beneficiary and the transfers in his favor, constituting a fault attributable to the bank. Furthermore, they denied having received SMS messages from the bank relating to these transactions. They specified that they had corrected their initial complaint, which contained a clerical error regarding the communication of codes.

III. Analysis and Decision of the Court of Appeal

A. The Legal Framework: The Burden of Proof

The Court of Appeal based its analysis on Articles L. 133-18 and L. 133-23 of the Monetary and Financial Code (CMF).

Article L. 133-18 of the CMF (applicable at the time of the facts) requires the payment service provider to immediately reimburse the payer in the event of an unauthorized transaction. The only exception allowing the user to bear the losses is if he or she acted fraudulently or through gross negligence, pursuant to Article L. 133-20 of the CMF.

Article L. 133-23 of the CMF establishes that it is incumbent upon the payment service provider to prove that the transaction was authenticated, recorded and was not affected by a technical deficiency. However, the use of the payment instrument does not necessarily suffice to prove that the transaction was authorized or that the payer committed gross negligence. The provider must furnish evidence to prove the user’s fraud or gross negligence.

B. The Rejection of Gross Negligence

The Court first established that the transactions were unauthorized, since Mrs. [J] denied having consented to them and they resulted from fraud. Moreover, the bank did not contest the fraudulent nature of the addition of the beneficiary and the transfers.

The Court then recalls, citing Court of Cassation case law (Cass. Com. 5 March 2025, 23-22.687), that the existence of a strong authentication system (such as “Secur’Pass”) does not derogate from the rule that proof of gross negligence cannot be inferred from the mere fact that the instrument or data were used.

Examining the evidence, the Court finds:

1. Mrs. [J] filed a complaint immediately upon discovering the facts.

2. The Court favored the corrected complaint of Mrs. [J], in which she denied having communicated a code or confidential data, thus setting aside the clerical error present in the initial complaint.

3. Despite the establishment of computer traces proving that the transactions were validated via “Secur’Pass”, Caisse d’Epargne failed to demonstrate that Mrs. [J] had communicated her confidential login information or a code to a third party, proof necessary to characterize gross negligence.

Consequently, the bank’s argument seeking to prove its client’s gross negligence is rejected.

Conclusion

The Court of Appeal of Rouen upheld the initial judgment, ordering S.A. Caisse d’Epargne et de Prevoyance Normandie to pay 5,000 euros to Mrs. [J] and Mr. [Z]. The bank is also ordered to pay costs and 3,000 euros under Article 700 of the Code of Civil Procedure for the appeal proceedings.

This ruling reaffirms the strict interpretation of gross negligence in the context of so-called “social engineering” fraud (where the client is manipulated into validating transactions). Even the activation and use of a strong authentication system such as Secur’Pass, while proving the technical authenticity of the transaction, is not in itself sufficient to discharge the bank from its reimbursement obligation. Proof of gross negligence requires the payment service provider to demonstrate intentional misconduct or negligence of exceptional gravity on the part of the user, beyond the mere validation of the disputed transactions.
