On 14 January 2026, the Commercial Chamber of the Court of Cassation delivered a major decision (No. 22-14.822). This ruling, published in the Bulletin, clarifies the conditions under which a payment services user may obtain reimbursement of unauthorised transactions, while strictly framing the concepts of “late reporting” and “gross negligence”.
Cass. com., 14 janv. 2026, n° 22-14.822, Publié au bulletin
1. Background: A Payment Card Fraud
The case concerns Mr [E], holder of a gold deposit account with the company Veracash. In March 2017, the company sent him a new withdrawal and payment card. However, between 30 March and 17 May 2017, numerous daily withdrawals were made without his authorisation.
Mr [E] claims never to have received the card nor to have authorised these debits. Faced with Veracash’s refusal to reimburse, initially upheld by the Court of Appeal of Paris, the case was brought before the Court of Cassation, which sought the guidance of the Court of Justice of the European Union (CJEU).
2. The Decisive Contribution of the CJEU: The Knowledge Criterion
Before ruling, the Court of Cassation incorporated the answers of the CJEU (ruling of 1 August 2025, Veracash SAS, C-665/23). The CJEU clarified the interpretation of Article 58 of Directive 2007/64/EC (transposed in Article L. 133-24 of the Monetary and Financial Code):
“The obligation incumbent on the payment services user to report without delay […] arises from the moment the user became aware thereof”.
This means that even if the report is made within the statutory thirteen-month period, the user may be deprived of the right to reimbursement if they delayed acting deliberately or through gross negligence after discovering the fraud.
3. The Court of Cassation’s Reversal of the Court of Appeal
The Court of Cassation quashes the ruling of the Court of Appeal of Paris on two essential grounds:
A. Failure to Investigate the Date of Knowledge
The Court of Appeal had dismissed Mr [E]’s claim on the grounds that he had waited until 23 May 2017 to dispute the facts, i.e. two months after the first withdrawal. However, the Court of Cassation held that the judges should have verified when the user actually discovered the transaction.
“By so deciding, without ascertaining […] the date on which Mr [E] became aware of the first payment transaction, the Court of Appeal failed to provide a legal basis for its decision”.
B. Gross Negligence Insufficiently Established
The Court of Appeal had also held that Mr [E] was liable because he had failed to prevent a third party from accessing his letterbox or had not safeguarded his codes. The Court of Cassation censured this analysis, deeming these grounds insufficient to establish gross negligence (négligence grave).
“Failing in particular to specify in what circumstances the third party had gained access to his identifier and secret key, the Court of Appeal failed to provide a legal basis for its decision”.
Key Takeaways (Summary of the Decision)
- Reporting obligation: The time limit for reporting an unauthorised transaction runs from the actual knowledge of the transaction by the user.
- Proof of negligence: To refuse reimbursement, the service provider must prove “gross” negligence, consisting of a characterised breach of the duty of care, and not mere imprudence.
