Undetermined Authentication on Apple Pay: Full Reimbursement of the Client – CA Paris, Pôle 5 ch. 6, 11 February 2026, No. 24/12670

Court of Appeal of Paris, Pôle 5 Chamber 6, 11 February 2026, No. 24/12670

I. Background and Chronology of the Case

The Facts: 7,487.76 Euros Diverted via Apple Pay

Mr [I], a client of the Caisse d’Epargne et de Prévoyance d’Île-de-France, had held a bank account for several years. Like many French people, he had chosen to use the Apple Pay mobile payment service, which allows secure remote transactions by registering a bank card on an iPhone.

On 12 June 2022, a request to register his bank card in the Apple Pay system was processed by the bank. Then, between 14 and 20 June 2022, fourteen payment transactions were carried out from his account, all in favour of a food delivery service provider. The total amount reached 7,487.76 euros, a far from negligible sum.

The problem? Mr [I] claims he never authorised these transactions. Neither their amount nor their beneficiary corresponded to transactions he would have wished to make. On 24 June 2022, barely four days after the last suspicious transaction, he immediately contacted his bank to dispute these payments and request reimbursement.

The Commercial Court Judgment: A First-Instance Failure

Faced with the Caisse d’Epargne’s refusal to proceed with reimbursement, Mr [I] sent a formal notice by registered letter with acknowledgment of receipt on 21 July 2022. Confronted with the bank’s persistent silence, he served proceedings before the Commercial Court of Paris on 9 January 2023.

Unfortunately for him, the Commercial Court rendered an unfavourable judgment on 27 June 2024. The commercial judges rejected all of his claims and even ordered him to pay 2,000 euros in irrecoverable costs to the bank, as well as costs. The reason? According to the court, Mr [I] had not proven the absence of consent to the disputed transactions.

This decision, characteristic of a certain judicial reluctance in banking fraud matters, in practice reverses the burden of proof which is nevertheless clearly established by law. It places the consumer in an untenable position: how can one prove that one did not do something? How can one demonstrate a negative?

Refusing to give up, Mr [I] lodged an appeal on 9 July 2024. His case was argued before the Court of Appeal of Paris on 18 December 2025, and the ruling handed down on 11 February 2026 would prove him entirely right.

II. The Legal Framework for Unauthorised Transactions

The Principle of Automatic Reimbursement

French law, transposing the European Payment Services Directives (PSD2), has established a protective regime for users of payment instruments. This regime rests on a simple and strong principle: in the event of an unauthorised payment transaction, the bank must immediately reimburse its client.

Article L. 133-18, paragraph 1, of the Monetary and Financial Code clearly states this rule:

« In the case of an unauthorised payment transaction reported by the user under the conditions set out in Article L. 133-24, the payer’s payment service provider shall reimburse the payer for the amount of the unauthorised transaction immediately after becoming aware of the transaction or being informed thereof, and in any event no later than the end of the first business day following, unless it has good reason to suspect fraud on the part of the payment service user and communicates those reasons in writing to the Banque de France. »

This text is crystal clear. As soon as a transaction has not been authorised by the account holder, the bank must proceed with reimbursement within an extremely short timeframe: the business day following the complaint. This is not a mere option but a mandatory legal obligation.

It should also be noted that the bank must restore the account to the state it would have been in had the fraudulent transaction never taken place. This means it must not only reimburse the diverted amount but also compensate any bank charges (overdraft fees, charges) caused by the disputed transaction.

Exceptions: Fraud or Gross Negligence

Naturally, this principle has exceptions. The law cannot allow a client to knowingly defraud their own bank, nor absolve them of all responsibility if they have been grossly negligent in protecting their banking data.

Article L. 133-19, IV, of the Monetary and Financial Code provides that:

« The payer shall bear all losses arising from unauthorised payment transactions if such losses result from fraudulent conduct on their part or if they have intentionally or through gross negligence failed to meet the obligations set out in Articles L. 133-16 and L. 133-17. »

Articles L. 133-16 and L. 133-17 require the account holder to:

• Take all reasonable measures to preserve the security of their personalised security credentials (secret codes, identifiers, etc.)
• Never disclose this data to third parties
• Inform their bank without delay in the event of loss, theft, or unauthorised use of their payment instrument

The concept of « gross negligence » (négligence grave) is particularly important. It does not refer to any carelessness, but to a characterised and inexcusable failure to follow basic security rules. For example: writing one’s PIN code on the back of the bank card, voluntarily communicating access codes to a stranger, leaving one’s card and unlocked phone together in a public place, etc.

The Burden of Proof: A Protective Reversal

This is where the heart of the protective mechanism lies. Unlike the general law of liability, where the person claiming compensation must prove harm and fault, in the case of unauthorised transactions, it is the bank that must prove that the transaction was legitimate or that the client was grossly negligent.

The case law of the Court of Cassation is now settled on this point. In several landmark rulings (Cass. com., 12 November 2020, No. 19-12.112; Cass. com., 20 November 2024, No. 23-15.099; Cass. com., 30 April 2025, No. 24-10.149), the Commercial Chamber affirmed that it follows from Articles L. 133-19, IV, and L. 133-23 of the Monetary and Financial Code that:

If the bank intends to make the client bear the losses caused by an unauthorised transaction, it must first prove that:

1. The transaction was authenticated in accordance with the applicable rules
2. The transaction was duly recorded and accounted for
3. The transaction was not affected by a technical or other deficiency

Only once this triple proof has been provided can the bank invoke any gross negligence on the part of the client. If it fails to demonstrate even one of these three elements, it must reimburse, full stop.

This reversal of the burden of proof is crucial. It recognises a simple reality: banks control payment technology, they hold the technical data, they design the security systems. It is therefore logical that they should be required to prove that their systems functioned correctly, rather than requiring the consumer to prove the contrary.

III. Analysis of the Court of Appeal’s Decision

The Client’s Arguments

In his appeal submissions filed on 22 August 2024, Mr [I] developed a solid and methodical argument.

On the unauthorised nature of the transactions:

Mr [I] categorically asserted that he had never given his consent to the fourteen fraudulent transfers made between 14 and 20 June 2022. He emphasised that he had consented to neither their amount nor their beneficiary. This assertion is corroborated by his immediate reaction: on 24 June 2022, just four days after the last suspicious transaction, he alerted his bank. This extremely short timeframe demonstrates that he was actively monitoring his account and did not let the situation linger.

On the absence of proof of strong authentication:

Mr [I]’s central argument concerns the insufficiency of the evidence provided by the bank regarding the authentication of the transactions. He pointed out that the transaction records provided by the Caisse d’Epargne did not establish that the authorisation code for each transaction was sent to the telephone number he had provided when subscribing to Apple Pay. He highlighted that the authentication was « undetermined », which is a crucial point that the Court would retain.

On non-compliance with security recommendations:

Mr [I] argued that the bank’s authentication system did not comply with the security recommendations issued by the Banque de France. Although this argument is not developed in detail in the ruling, it raises an important question: have banks truly implemented security measures commensurate with the stakes involved?

On the absence of gross negligence:

Finally, Mr [I] argued that the bank had not provided evidence of fraudulent conduct on his part, nor of an intentional breach or gross negligence. He recalled that these conditions are cumulative for a refusal to reimburse to be legitimate, and that the bank must also immediately communicate its reasons to the Banque de France, which it had not done.

On the bank’s strict liability:

Mr [I] insisted on the fact that the bank bears strict liability in matters of unauthorised payment transactions and that it had not complied with its reimbursement obligation, pursuant to Articles L. 133-18 et seq. of the Monetary and Financial Code. He added that neither the agreement on evidence nor the contractual limitations of liability invoked by the bank could attenuate this mandatory legal obligation.

The Bank’s Arguments

For its part, the Caisse d’Epargne attempted to defend itself with several arguments, classic in this type of litigation.

On strong authentication via Apple Pay:

The bank argued that the disputed transactions had been authenticated using the so-called Apple Pay « strong authentication » system. It explained that this system requires the entry of two codes by the person initiating the order: one permanent, to access the account; the other generating a payment for each transaction, sent to the account holder’s mobile phone.

It submitted to the court the account opening agreement, the general terms of use of the VISA bank card in the Apple Pay mobile payment solution, the records of payment transactions carried out via this solution, and the IT record of a secret code being sent to Mr [I]’s telephone.

On the client’s suspicious behaviour:

The bank attempted to cast doubt on Mr [I]’s good faith. It noted that he « deliberately omits to state what really happened » and that he had not filed a police complaint. It pointed out that he had not made any complaint to his telephone operator, even though he had claimed before the first-instance judges that he might have been the victim of fraudulent duplication of his mobile phone number (so-called « SIM swapping »).

The bank also noted that Mr [I] did not provide evidence of having been the victim of phishing of his personal data or bank card number, nor of having been dispossessed of his phone or bank card.

On presumed gross negligence:

The Caisse d’Epargne then developed a hypothetical argument. It asserted that, « assuming Mr [I] did not order the disputed payment transactions, which nothing supports », only two hypotheses would be conceivable:

• Either Mr [I] allowed a third party to access his bank card and his mobile phone, enabling that third party to learn the six-digit secret code required to activate Apple Pay
• Or Mr [I] communicated to a third party his bank card data and the secret code he personally received, enabling that third party to order payment transactions after activating and configuring the Apple Pay biometric function

In both cases, the bank concluded, Mr [I] would have been grossly negligent in failing to preserve the security of his personalised data, and should therefore be dismissed from his claims.

This reasoning, although ingenious, rests on a sophism: it presupposes that if fraud occurred, the client must necessarily have committed a fault. Yet this is precisely what the law and case law reject. Computer systems can be circumvented, hacked, and diverted without the client having committed the slightest carelessness.

The Court’s Reasoning: Insufficient Evidence

The Court of Appeal of Paris carefully examined the arguments of both parties at the hearing of 18 December 2025. The ruling handed down on 11 February 2026 is a model of legal rigour.

First finding: the transactions are not authorised

The Court noted from the outset that « the bank invokes the authorised character of the transactions, but does not truly dispute that Mr [I] did not give his consent to the disputed transactions ». This point is crucial. The bank never truly demonstrated that Mr [I] had consented to these transactions. It merely asserted that they had been authenticated by its system, which is not the same thing.

The Court logically deduced: « It follows that the fourteen transfer transactions criticised by Mr [I] between 14 and 20 June 2022 were not authorised within the meaning of the aforementioned legal provisions. »

Second finding: the client reacted immediately

The judges highlighted a determining factual element: « It is undisputed that Mr [I] immediately contacted his bank to report the disputed transactions, regardless of the fact that he did not file a police complaint. »

The absence of a police complaint, which the bank attempted to use as an indication of bad faith, was dismissed out of hand. Filing a police complaint is not a legal condition of reimbursement. What matters is the speed with which the client alerted their bank, a condition fully met in this case.

Third finding: the burden of proof lies with the bank

The Court then recalled the settled case law of the Court of Cassation (citing the 2020, 2024, and 2025 rulings): if the bank intends to make the client bear the losses, it must first prove that the transaction was authenticated, duly recorded and accounted for, and that it was not affected by a technical deficiency.

It is on this ground that the Caisse d’Epargne would stumble.

Fourth finding: the bank’s evidence is contradictory

Here is the heart of the ruling’s reasoning, which deserves to be quoted in full:

« It will be noted that while the bank contends that, in the context of the present dispute, the authentication service used is the Apple Pay service and that the general terms of the online banking specify the arrangements for this service applicable to Mr [I], who does not dispute their application, it submits records of payment transactions carried out via the Apple Pay mobile payment solution, which do not make it possible to certify that they were authenticated, duly recorded and accounted for and not affected by a technical or other deficiency, since they contain contradictory statements. Indeed, while for each transaction there appears on the last page the statement “CVD Label (Token): Applepay”, which attests to authentication, there also appears on the first page the following statement “3D Secure with undetermined authentication or pseudo 3D Secure (62)”, so that these statements do not make it possible to determine the authentication implemented or that the disputed transaction was not affected by a technical or other deficiency. »

In other words, the documents produced by the bank contain two contradictory pieces of information:

• On the one hand, the statement « Applepay » appears to indicate authentication
• On the other hand, the statement « 3D Secure with undetermined authentication or pseudo 3D Secure (62) » casts serious doubt on the reality of this authentication

Faced with this contradiction, the Court could not consider the evidence as established. One cannot simultaneously assert that a transaction was authenticated and that the authentication is « undetermined ». It is one or the other.

Conclusion: the bank must reimburse

The Court drew the logical consequences: « It follows that the preliminary proof, required before any invocation of gross negligence on the part of the client, that the transactions were authenticated, duly recorded and accounted for and not affected by a technical or other deficiency, has not been established, so that the bank is required to reimburse its client. »

Since the bank failed to prove the correct authentication of the transactions, it could not even invoke any gross negligence on the part of Mr [I]. The discussion ends there: full reimbursement, end of story.

IV. Apple Pay Strong Authentication: A Mechanism Under Scrutiny

How Does Apple Pay Work?

To fully understand the issues at stake in this case, it is worth pausing for a moment on how Apple Pay and the « strong authentication » it is supposed to guarantee actually work.

Apple Pay is a mobile payment service developed by Apple, available on iPhone, iPad, and Apple Watch. It allows one or more bank cards to be registered in the device’s « Wallet » application, and then used to make contactless payments in shops, or remote payments on the internet and in applications.

Initial card registration

To register a bank card in Apple Pay, the user must:

1. Open the Wallet application and select « Add a card »
2. Scan the bank card with the iPhone camera or manually enter the information
3. Accept the bank’s general terms and conditions
4. Receive a validation code (usually by SMS) sent by the bank
5. Enter this code to confirm the addition of the card

Once the card is added, it is « tokenised »: Apple does not store the actual card numbers but creates a unique encrypted « token » that represents the card in the Apple Pay system.

Authentication for each payment

According to the bank, each payment via Apple Pay requires « strong authentication » in two steps:

• First factor: possession of the device (iPhone or Apple Watch)
• Second factor: biometric authentication (Face ID, Touch ID) or entry of the device’s unlock code

For online payments via Apple Pay, a dynamic authorisation code may also be generated and sent to the user’s phone.

In theory, this system meets the requirements of the European PSD2 directive on strong authentication, which requires the use of at least two factors from three categories:

• Knowledge (something the user knows: password, PIN code)
• Possession (something the user has: phone, card)
• Inherence (something the user is: fingerprint, facial recognition)

In practice, however, this system can be circumvented. Sophisticated fraud techniques exist: « SIM swapping » (SIM card duplication to intercept SMS codes), hacking of iCloud accounts, exploitation of flaws in authentication protocols, etc. Moreover, if a fraudster manages to register the victim’s card on their own device, they can then use their own biometrics to validate payments.

The Revealing Contradictory Statements

Let us now return to the « contradictory statements » noted by the Court of Appeal, which constitute the tipping point of this case.

On the transaction records provided by the Caisse d’Epargne, two pieces of information appear:

1. On the last page: « CVD Label (Token): Applepay »

This statement indicates that the payment was made via an Apple Pay « token ». The term « CVD » probably refers to « Card Verification Data », a card verification system. The presence of this statement suggests that the system recognised an Apple Pay payment and that some form of authentication took place.

2. On the first page: « 3D Secure with undetermined authentication or pseudo 3D Secure (62) »

This statement is much more problematic. The « 3D Secure » protocol (called « Verified by Visa » or « Mastercard SecureCode » depending on the network) is an authentication system for online payments. It exists in several versions:

• 3D Secure 1.0: the old version, often based on a simple SMS code
• 3D Secure 2.0: the modern version, compliant with PSD2, with strong authentication

However, the statement « undetermined authentication » or « pseudo 3D Secure » means that the system could not verify with certainty that authentication had been properly carried out according to the full 3D Secure protocol. The code « (62) » is a technical error or anomaly code.

How can these two statements coexist? This is precisely the question posed by the Court. If the transaction was successfully authenticated via Apple Pay, why does the system simultaneously flag an « undetermined authentication »?

Several technical explanations are possible:

• A failure in communication between the Apple Pay system and the banking system
• A partial circumvention of the authentication protocol
• Sophisticated fraud exploiting a flaw in the authentication process
• A simple computer bug in the bank’s system

Whatever the explanation, the result is the same: the bank cannot assert with certainty that authentication functioned correctly. It therefore cannot prove that the transactions were « authenticated, duly recorded and accounted for and not affected by a technical deficiency », as required by case law.

Therein lies the full rigour of the Court of Appeal’s reasoning. It does not say that fraud is proven, nor that the Apple Pay system is inherently deficient. It simply notes that the evidence produced by the bank is contradictory and therefore insufficient. In case of doubt, the benefit goes to the consumer.

V. The Scope of This Decision for Consumers

Now Well-Established Case Law

The ruling of the Court of Appeal of Paris of 11 February 2026 is not an isolated case. It falls within a line of case law now settled and clearly established by the Court of Cassation. Since the landmark ruling of 12 November 2020 (Cass. com., 12 Nov. 2020, No. 19-12.112, published in the Bulletin), confirmed by several recent decisions (notably Cass. com., 20 Nov. 2024, No. 23-15.099, published; Cass. com., 30 Apr. 2025, No. 24-10.149, published), the position of the Commercial Chamber is clear:

The bank that refuses to reimburse an unauthorised transaction must first prove that its authentication system functioned correctly. Only after providing this proof may it invoke any gross negligence on the part of the client.

This case law is a rigorous application of the principle established by Articles L. 133-18 et seq. of the Monetary and Financial Code. It puts an end to the deplorable practice of certain banks which, faced with fraud, systematically refused reimbursement by invoking contractual clauses or presuming client fault.

Henceforth, courts are no longer satisfied with general assertions. They require precise, substantiated, and consistent technical evidence. Banks must produce:

• Detailed authentication logs (codes sent, precise times, IP addresses, etc.)
• Proof that the authentication system complies with applicable standards (PSD2)
• Demonstration of the absence of technical failure
• Proof of correct recording and proper accounting of the transactions

If these elements are not produced, or if they are contradictory as in the present case, the bank must reimburse. Full stop.

Practical Implications

For consumers who are victims of fraud

This case law constitutes genuine protection. It means that if you are the victim of fraudulent transactions on your bank account, you do not have to prove that you were careful, that you did not share your codes with anyone, that you did not leave your phone lying around, etc.

You simply need to:

1. Report the fraudulent transactions without delay to your bank (ideally as soon as you notice them, and in any case within 13 months of the debit under Article L. 133-24 of the Monetary and Financial Code)
2. Confirm your dispute in writing (registered letter with acknowledgment of receipt)
3. Keep all correspondence with the bank

If the bank refuses to reimburse you, it is for the bank to prove that its system functioned correctly and that you were grossly negligent. If it cannot provide this double proof, it must reimburse, and you can compel it to do so through the courts.

For banks

This case law imposes on banking institutions an enhanced obligation of means in matters of payment security. They can no longer simply assert that their systems are « secure » or that the transaction was « authenticated ». They must be able to prove it technically, in a detailed and consistent manner.

This implies in particular:

• Maintaining precise and usable IT logs
• Implementing authentication systems compliant with the latest standards
• Actively monitoring technical anomalies
• Responding quickly and professionally to disputes
• Reimbursing unauthorised transactions without delay, unless they have solid evidence to the contrary

Banks that persist in systematically refusing reimbursements expose themselves not only to court orders but also to reputational damage and potential sanctions from the ACPR (Autorité de contrôle prudentiel et de résolution).

For lawyers and legal practitioners

This case law offers a solid basis for defending consumers. In any dispute relating to unauthorised payment transactions, the strategy is now clear:

1. Invoke the unauthorised nature of the transactions and the prompt reporting
2. Recall the burden of proof which lies with the bank (settled case law of the Court of Cassation)
3. Meticulously analyse the documents produced by the bank to detect any contradictions or deficiencies
4. Challenge the absence of proof of correct authentication, proper recording, and absence of technical failure
5. Reject any presumption of negligence not supported by specific facts

The ruling of 11 February 2026 constitutes an excellent example of successful advocacy. Mr [I]’s lawyer was able to identify the weak point in the opposing argument (the contradictory statements on the records) and draw all the legal consequences from it.

VI. Steps to Follow in Case of Fraudulent Transactions

Immediate Response

If you notice unauthorised payment transactions on your bank account, here are the steps to follow:

1. Contact your bank immediately

As soon as you identify suspicious transactions, call your bank’s customer service or the opposition number shown on your statements without delay. Report the fraudulent transactions and request:

• Immediate blocking of your bank card (if compromised)
• Suspension of your access to Apple Pay, Google Pay, or other mobile payment services (if the fraud involves these services)
• Change of your online banking access codes

Make sure to note:

• The date and time of your call
• The name of the person you spoke with
• The case or complaint reference number given to you

2. Confirm in writing immediately

Never rely solely on a phone call. Article L. 133-24 of the Monetary and Financial Code requires the account holder to « notify » their bank « as soon as they become aware » of an unauthorised transaction. This notification must be traceable.

Therefore, send on the same day or at the latest the following day a registered letter with acknowledgment of receipt to your bank, in which you:

• Refer to your telephone call of [date]
• List precisely the disputed transactions (date, amount, beneficiary)
• Clearly state that you did not authorise these transactions
• Request full reimbursement of the debited amounts
• Request production of the authentication evidence

Keep the acknowledgment of receipt carefully. It is your proof that you complied with your obligation of prompt notification.

3. File a police complaint (optional but recommended)

Contrary to what some banks claim, filing a police complaint is not a legal condition of reimbursement. As the Court of Appeal of Paris recalled in the ruling under review, the absence of a complaint cannot be held against the client.

Nevertheless, filing a complaint has several advantages:

• It triggers a criminal investigation that may help identify the fraudsters
• The complaint receipt constitutes additional evidence of your good faith
• If the fraud involves identity theft, a complaint is indispensable

You can file a complaint at the police station or gendarmerie, or directly online via the THESEE platform (Traitement Harmonisé des Enquêtes et Signalements pour les E-escroqueries) or via the Ministry of the Interior portal.

4. Check your other accounts and change your passwords

If your bank account has been compromised, other services may also have been hacked. As a precaution:

• Immediately change your email password
• Change your passwords on online shopping sites
• Verify that your iCloud/Apple ID account has not been compromised (if you use Apple Pay)
• Enable two-factor authentication wherever possible

Formal Notice

If your bank refuses to reimburse you or is slow to respond (which is unfortunately common), you must proceed to the next step: formal notice (mise en demeure).

The statutory reimbursement deadline

Recall that Article L. 133-18 of the Monetary and Financial Code requires the bank to reimburse « immediately after becoming aware of the transaction or being informed thereof, and in any event no later than the end of the first business day following ».

In other words, the bank has one business day at most to reimburse you after your complaint. If it fails to do so, it is at fault.

The only exception: if the bank « has good reason to suspect fraud on the part of the payment service user », it may suspend reimbursement, provided it communicates those reasons in writing to the Banque de France. This double condition (good reason to suspect + communication to the Banque de France) is cumulative and strictly regulated.

Drafting the formal notice

If the bank does not reimburse you within the statutory deadline, send it a formal notice by registered letter with acknowledgment of receipt. This letter must:

• Recall your initial dispute of [date]
• Note the bank’s failure to comply with its statutory reimbursement obligation (Art. L. 133-18 Monetary and Financial Code)
• Formally require the bank to reimburse you the sum of [amount] within 8 days
• State that failing this, you will take legal action and that statutory interest will accrue from the date of the formal notice
• Request the bank to produce the evidence it claims to hold (authentication logs, communication to the Banque de France, etc.)

Sample wording:

« By this letter, I hereby formally require you to reimburse the sum of [amount] euros corresponding to the unauthorised transactions listed in my letter of [date], within eight days of receipt of this notice. Failing this, I shall be compelled to bring proceedings before the competent court and to seek, in addition to reimbursement of the principal, payment of interest at the statutory rate from the date of this formal notice, as well as compensation under Article 700 of the Code of Civil Procedure. I remind you that Article L. 133-18 of the Monetary and Financial Code requires you to reimburse unauthorised transactions immediately, unless you can justify good reason to suspect fraud on my part and have notified the Banque de France accordingly in writing, which you have not done. »

Statutory interest

As illustrated by the ruling of 11 February 2026, interest at the statutory rate accrues from the date of the formal notice. It is therefore this date that the court will use to calculate the interest owed by the bank. Hence the importance of sending this formal notice promptly and keeping the acknowledgment of receipt.

Legal Proceedings

Before the courts: alternative dispute resolution

Before referring the matter to court, you may try two amicable avenues of recourse:

1. The banking ombudsman

Each banking institution has an ombudsman (médiateur), whose contact details appear on the bank’s website and on your account statements. You may contact them free of charge by post.

The ombudsman has 90 days to issue an opinion. This opinion is not binding: you are free to accept or reject it. If you reject it, you retain the option of referring the matter to the courts.

Advantages: free, quick (in principle), less confrontational than a lawsuit.

Disadvantages: the opinion is not binding, and some ombudsmen are perceived as being too favourable to banks.

2. The Banque de France

You may contact the Banque de France (« Info Banque de France » service) for information about your rights. Note, however, that the Banque de France has no decision-making power in your individual dispute, but it may intervene with your bank to obtain explanations.

Referring the matter to court

If mediation fails or if you prefer to go directly through the courts, you must serve proceedings on your bank before the competent court.

Which court?

Since 1 January 2020, disputes between a consumer and a bank generally fall within the jurisdiction of the Judicial Court (tribunal judiciaire). However, if the amount in dispute is less than 10,000 euros, you must first attempt mandatory preliminary conciliation or mediation.

In certain cases (notably where the dispute relates to the client’s commercial activity), the Commercial Court (tribunal de commerce) may have jurisdiction, as was the case in the matter of Mr [I] v. Caisse d’Epargne.

Legal representation

Although legal representation is not compulsory before the Judicial Court for disputes under 10,000 euros, it is strongly recommended in this type of technical litigation.

A lawyer specialising in banking law will be able to:

• Analyse the documents produced by the bank to identify weaknesses
• Invoke the relevant case law of the Court of Cassation
• Draft legally robust submissions
• Argue effectively at the hearing

The example of the Mr [I] case is telling: dismissed at first instance despite the clarity of the law, he obtained complete success on appeal thanks to well-conducted advocacy that highlighted the contradictions in the bank’s evidence.

The claims to be made

In your summons, you should seek:

• Full reimbursement of the diverted sums
• Interest at the statutory rate from the date of the formal notice (or the date of the initial dispute)
• Reimbursement of bank charges potentially caused by the fraudulent transactions (overdraft fees, charges, etc.)
• An award under Article 700 of the Code of Civil Procedure to cover your legal costs (typically between 2,000 and 3,000 euros)
• An order that the bank bear the costs

In certain cases, you may also seek additional damages if you have suffered non-pecuniary harm or if the bank has engaged in particularly wrongful conduct.

Conclusion

The ruling of the Court of Appeal of Paris of 11 February 2026 constitutes an important and symbolic victory for consumers. By reversing the Commercial Court judgment and ordering the Caisse d’Epargne to fully reimburse its client, the Court firmly reaffirms the protective principles of the Monetary and Financial Code.

This decision falls within case law now well established by the Court of Cassation: a bank that refuses to reimburse an unauthorised transaction must first prove that its authentication system functioned correctly. It is not for the client to demonstrate that they were careful or that they did not commit any negligence. It is for the bank to prove that the transactions were authenticated, recorded, and accounted for in accordance with the rules, and that no technical deficiency occurred.

The Mr [I] case perfectly illustrates the traps into which certain banks fall. Faced with a legitimate complaint, the Caisse d’Epargne chose to refuse reimbursement by generally invoking the Apple Pay system and presuming client fault. But when it had to produce its evidence before the Court of Appeal, that evidence proved contradictory: the records mentioned both an « Applepay » authentication and an « undetermined authentication or pseudo 3D Secure », which is incompatible. This contradiction was enough to bring down the bank’s entire argument.

The message is clear: banks can no longer rely on formulaic assertions or standardised documents. They must provide precise, consistent, and verifiable technical evidence. Failing that, they reimburse.

For victims of banking fraud, this case law is essential protection. It means that if you promptly and formally dispute transactions you did not authorise, the law is on your side. Do not be intimidated by your bank’s initial refusal, nor by a possible unfavourable first-instance judgment. Courts of appeal, as demonstrated by this ruling, rigorously apply the protective principles established by the Monetary and Financial Code and the case law of the Court of Cassation.

Finally, this case raises a broader question about the security of modern payment instruments. Apple Pay, Google Pay, and other digital wallets are presented as « ultra-secure » solutions. Yet fraud does indeed exist, and is sometimes facilitated by technical flaws, poorly implemented protocols, or circumventable authentication procedures. It is for banks and tech giants to constantly strengthen their security measures, and for judges to verify that these measures actually work as advertised.

Vigilance remains essential for all users of banking services. But in the event of fraud, know that the law protects you, and that you are not alone against your bank.

FAQ