A recent case in the French courts has strengthened the position of banks who resist the refund of unauthorised payments from a customer account.
In France, as elsewhere in Europe, the responsibility of a bank to indemnify a customer in the event of a fraudulent transaction is clearly enshrined in law.
Under the Code monétaire et financier, the bank is obliged to immediately reimburse their client to the amount of the unauthorised transaction. If necessary, they are also under an obligation to restore the account debited to the state it would have been if the transaction had not taken place.
Article L. 133-18 of the code states : « en cas d’opération de paiement non autorisée signalée par l’utilisateur dans les conditions prévues à l’article L. 133-24, le prestataire de services de paiement du payeur rembourse immédiatement au payeur le montant de l’opération non autorisée et, le cas échéant, rétablit le compte débité dans l’état où il se serait trouvé si l’opération de paiement non autorisée n’avait pas eu lieu »
Nevertheless, insofar as credit card fraud is concerned, the same code provides an exception to the bank's obligation if the customer has not acted with due care under the law, whether intentionally or through gross negligence. What these obligations amount to is that a customer must use the card in accordance with the conditions governing its use, and must not act negligently, for example, in communicating their credit card security details.
These rules apply to a customer who is the victim of ‘phishing’, where someone impersonates an organisation familiar to a person, such as a bank or tax authority, for malicious intent.
In an important recent case in the French Supreme Court, the Cour de Cassation, the judges reversed the burden of proof in respect of damage suffered as a result of phishing, refusing to uphold a claim by a customer for refund of the fraudulent payment.
In the case, a client of the Crédit Mutuel bank in northern France received an e-mail she believed emanated from her mobile telephone operator SFR, notifying her of non-payment of her mobile telephone bill and seeking her bank details for payment of the bill. The e-mail was not addressed to her personally, and there were no contact details on it regarding the sender.
In response, the woman concerned replied to the mail giving her card details, including the three-figure cryptogram number on the rear face of the card, as well as summary information of her SFR mobile account. This information allowed the fraudster to set up telephone forwarding of messages, which they used to debit her bank account.
She later received two SMS messages from her bank communicating the six-figure 3-D Secure payment code, for validating two on-line payments, amounting to over €3,000.
The same day she notified her bank of the unauthorised transactions, and sought a full refund of the debits. The bank refused, claiming she had acted in a negligent manner, thereby leaving the courts to rule on the matter.
Although the local court ruled in her favour, the bank appealed the case up to the Cour de Cassation. They considered that the lower court should have investigated whether the client could not have been aware that the e-mail she had received was fraudulent; the fact that she had communicated information allowing a third party to become aware of the 3-D Secure code constituted a breach by gross negligence of her obligations.
It remains to be seen how the banks react to this judgement, as the Cour de Cassation in January, in a similar case, ruled in favour of the client.