CJEU Advocate General Rantos: Banks Must Refund Unauthorized Transactions First — Liability Can Be Disputed Later
A recent legal opinion issued at the Court of Justice of the European Union (CJEU) may significantly reshape how fraud-related payment disputes are handled across the EU. In Case C-70/25 (Tukowiecka), Advocate General Athanasios Rantos concludes that once a bank is informed about an unauthorized payment, it must reimburse the customer without delay, even if the bank believes the customer may have acted with gross negligence.
According to the Advocate General, any attempt by the bank to recover the funds from the customer must occur after the reimbursement has been made, potentially through a separate legal claim.
Core Findings of the Opinion
The interpretation proposed by Rantos is rooted in the consumer-protection principles of Directive (EU) 2015/2366 (PSD2).
Key points include:
-
Immediate reimbursement obligation
PSD2 requires banks to restore the customer’s account balance as the initial response to an unauthorized payment. -
Gross negligence cannot justify refusal of a refund
Financial institutions cannot decline reimbursement at the complaint stage simply by claiming the user failed to comply with security obligations. -
Exception only in cases of suspected payer fraud
If a bank has reasonable grounds to believe that the payer committed fraud, the institution must report this suspicion to the competent national authority. -
Refund does not determine final liability
Once the refund is made, the bank may attempt to recover the funds if it can demonstrate intentional misconduct or gross negligence by the customer. -
Litigation may follow if recovery fails
Should the customer refuse repayment after reimbursement, the bank may need to pursue the claim through the courts.
Background of Case C-70/25 (Tukowiecka)
The dispute originates from a phishing incident connected to a sales platform link. After the victim’s credentials were compromised, an unauthorized payment was executed from the customer’s bank account.
The affected customer requested reimbursement, but the Polish bank refused, arguing that the user had breached security obligations. The case was subsequently referred by the District Court in Koszalin to the CJEU for clarification on how PSD2 should be interpreted in such situations.
Consumer Protection Logic Behind PSD2
The dispute highlights a core principle of PSD2: victims of unauthorized transactions should not be forced to carry the financial burden of fraud while banks investigate responsibility.
Under this framework:
- unauthorized transactions must be reversed quickly, and
- liability disputes should be resolved after the customer’s funds are restored.
Rantos’ interpretation reinforces this logic by emphasizing that immediate reimbursement is a strict legal requirement, leaving little room for national practices that effectively transform the refund process into a negligence investigation.
Operational Impact for Banks
If the CJEU ultimately follows the Advocate General’s reasoning, financial institutions across Europe may need to adjust their internal fraud-handling procedures.
Banks could be required to adopt a two-stage operational approach:
| Stage | Bank Action |
|---|---|
| Step 1 | Immediately refund the unauthorized transaction to the customer |
| Step 2 | Attempt recovery later if evidence of gross negligence or intentional breach exists |
This interpretation may significantly limit the widespread industry practice of denying refunds at the complaint stage.
Compliance Considerations for Financial Institutions
Should the Court confirm this approach, banks will likely face increased pressure to strengthen both fraud detection and post-incident investigation capabilities.
Key compliance priorities may include:
- improved real-time fraud detection systems
- stronger implementation of Strong Customer Authentication (SCA)
- comprehensive authentication and transaction logging
- collection of device and IP telemetry
- analysis of potential social-engineering indicators
These data points could become essential in any later attempt by banks to recover funds after issuing a refund.
Legal Status of the Opinion
It is important to note that opinions from Advocates General are not legally binding. The Court of Justice of the European Union will now deliberate before delivering its final judgment.
Nevertheless, such opinions frequently indicate the direction the Court may take. If the CJEU adopts Rantos’ interpretation, banks that routinely rely on “refund denial” strategies could face growing regulatory and legal risks.
Call for Information
Have you experienced a situation where a bank refused to reimburse funds after a phishing attack, SIM-swap incident, APP fraud, or manipulated authorised push payment—particularly when the institution claimed “gross negligence”?
The Scam-Or Project is collecting examples of such cases across the European Union to identify potential systemic patterns.
You can securely submit documentation, timelines, and correspondence with your bank through the Scam-Or Project whistleblower section.
