admin

CJEU Adviser Backs Immediate Bank Refunds for Phishing Victims Under PSD2

The key change in the Advocate General’s opinion is procedural, not just protective: under PSD2, a bank should refund a phishing victim first and argue about customer negligence later. The only stated basis for delaying reimbursement is suspected customer fraud, and even that requires written notification to the relevant national authority.

What the opinion actually says banks must do

Advocate General Athanasios Rantos, advising the Court of Justice of the European Union, took a narrow view of when a bank can refuse immediate reimbursement for an unauthorized payment. In his reading of PSD2, phishing-related transactions must be refunded without delay unless the bank has reasonable grounds to suspect that the customer committed fraud.

That matters because the common bank position in many disputes has been different: if the customer entered credentials into a fake site or otherwise acted carelessly, the bank treats that alleged negligence as a reason to deny the refund upfront. The opinion rejects that sequencing. Gross negligence may still matter, but not as a precondition for restoring the account balance.

The fraud exception is also tighter than a simple internal allegation. A bank would need to suspect customer fraud and report that suspicion in writing to the competent national authority. Without that step, the opinion points toward immediate reimbursement as the default rule.

The Polish case behind the dispute

The opinion comes from a case in Poland involving PKO BP S.A. and a customer who entered banking credentials on a fake website created for phishing. Fraudsters then used those credentials to initiate unauthorized payments. The customer reported the incident promptly, but the bank refused reimbursement on the basis of alleged gross negligence.

That fact pattern is important because it sits in the grey area banks often rely on: the customer was deceived rather than directly hacked, and the bank argues the victim enabled the loss by failing to protect credentials. Rantos’s opinion separates that later liability question from the bank’s immediate duty under PSD2 to reverse unauthorized payment losses.

Refund first, litigate later: what changes operationally

If the CJEU follows the opinion, banks would need to redesign both claims handling and fraud governance. The first decision point would no longer be “was the customer negligent?” but “is there a documented basis to suspect customer fraud and has that been formally reported?” If not, the refund should be made immediately.

Only after reimbursement could the bank try to recover the money by proving that the customer acted intentionally or with gross negligence in breaching security obligations. If the customer does not repay voluntarily, the bank would have to bring legal proceedings. That shifts litigation pressure away from victims who may lack the resources to contest a denial while also absorbing the financial loss.

| Issue | Before this opinion, in many bank disputes | Advocate General's PSD2 reading |
|---|---|---|
| Immediate refund after phishing-related unauthorized payment | Often withheld while the bank assesses customer conduct | Required without delay in most cases |
| Role of customer gross negligence | Used to deny reimbursement upfront | Not a valid reason to withhold immediate refund; relevant later for recovery |
| Exception allowing delay | Sometimes framed broadly by the bank | Suspected customer fraud only, with written notice to authorities |
| Who carries the burden of suing | Victim often has to challenge the bank's refusal | Bank refunds first, then sues if it wants recovery |

Why this matters for bank systems, not just legal teams

A refund-first rule changes infrastructure requirements. Banks would need faster classification of unauthorized transactions, clearer escalation paths for fraud suspicion, and auditable workflows showing whether and when authorities were notified in writing. A generic negligence review would no longer be enough to justify delay.

It also raises the cost of weak fraud controls. If reimbursement must happen quickly, banks have stronger incentives to improve transaction monitoring, behavioral analytics, and context-aware authentication that can catch social engineering patterns before funds leave or before mule accounts disperse them. The opinion does not create those technical duties by itself, but it makes delayed reimbursement a less available fallback.

For customers, the practical effect is immediate liquidity protection. A phishing victim would not have to wait through a long negligence dispute while account balances remain depleted. For banks, the trade-off is higher short-term reimbursement exposure and a greater need to pursue recovery through evidence and litigation rather than claims-stage refusal.


What the opinion does not settle yet

The Advocate General’s view is influential but not binding. The next checkpoint is the CJEU’s final judgment on whether it adopts this refund-first, litigate-later interpretation of PSD2. Until then, the opinion is a strong signal, not the last word.

It also does not mean customers are automatically free from liability. The change is narrower: banks cannot simply deny refunds upfront by alleging negligence, unless the case falls into the separate category of suspected customer fraud and the bank has followed the formal reporting route. A bank may still try to recover losses later by proving intentional misconduct or gross negligence.

Quick Q&A

Does this opinion mean every phishing victim wins permanently?
No. It means the bank should usually reimburse first. The bank may still seek repayment later if it can prove the customer acted intentionally or with gross negligence.

Can a bank delay the refund just by saying the customer was careless?
Not under the Advocate General’s reading. Carelessness or gross negligence is not enough to block immediate reimbursement.

When can a bank withhold reimbursement immediately?
Only where it has reasonable grounds to suspect customer fraud and reports that suspicion in writing to the relevant national authority.