A few days ago an everyday case of digital fraud reached the highest level of European law: a Polish customer lost money after falling for a phishing attack and his bank, PKO BP, refused to reimburse him. That case, a sale on an auction platform, a malicious link imitating the bank's login screen, credentials entered by the victim and a transfer made by the criminals, ended up before the Koszalin District Court, which referred a question for a preliminary ruling to the Court of Justice of the European Union (CJEU).
CJEU Advocate General Athanasios Rantos has now published a formal opinion on the case which, although not a binding judgment, signals the likely direction the Court will take. In simple terms: Rantos considers that, under the European Payment Services Directive (PSD2), the bank must immediately reimburse the customer for the amount of an unauthorized transaction, unless it has reasonable grounds to suspect that the customer himself acted fraudulently. Those grounds must also be communicated in writing to the competent national authority.

The official texts set out the Advocate General's recommendation in detail. The CJEU press release contains Rantos' findings and part of the legal analysis supporting the provisional reimbursement obligation, and is available on the Court's official website: CJEU press release. The full text of the Advocate General's opinion can also be found in the Court's case-law database: full text of the opinion.
It is important to place this in its regulatory framework: Directive (EU) 2015/2366, known as PSD2, governs the obligations of payment service providers, including banks, and the rights of users in respect of unauthorized transactions. The directive and its purpose can be read on the European Union's payment services portal: explanation of PSD2 by the European Commission, and the legal text in the EUR-Lex repository: Directive (EU) 2015/2366.
What does this mean, in practice, for a person who has been phished? First, that the initial presumption runs in the customer's favour: if he reports the transaction as unauthorized, the bank should refund the amount without delay unless it has clear grounds to believe that the customer acted fraudulently. Second, that the initial refund does not close the matter: if the bank is later able to demonstrate that the customer, intentionally or through gross negligence, failed to keep his personalised security credentials safe (for example, by deliberately sharing passwords), it may reclaim the amount or require the customer to bear the loss; and, if the customer refuses, the bank will have to go to court to recover it.
This balance, immediate reimbursement with the possibility of subsequent recovery, is intended to protect users who fall victim to increasingly sophisticated techniques, without entirely removing personal responsibility where there is conduct clearly at odds with security obligations. In practice this would require providers to react quickly to fraud reports, and also to document rigorously any grounds for suspicion about the customer's conduct, because under the Advocate General's interpretation that suspicion must be communicated in writing to the national authority.
The consequences for the financial ecosystem and the fight against fraud could be profound. For victims the benefit is obvious: recovering funds quickly avoids financial hardship and reduces the immediate impact of a scam. For banks, however, the provisional reimbursement obligation means higher operational costs and a need to improve their incident detection and analysis capabilities, so that they can justify non-reimbursement and a subsequent claim where appropriate. On the fraud side, the measure makes it harder for criminals to keep the proceeds in unclaimed accounts indefinitely, although it does not prevent the initial social engineering that remains the main vector of scams such as phishing, according to the European bodies that study the phenomenon (see, for example, Europol's monitoring of phishing: Europol: phishing).

From a practical standpoint, this also puts added pressure on providers to invest in more robust authentication and in measures that prevent stolen credentials alone from being enough to authorize a transaction. PSD2 and its associated technical standards already require strong customer authentication (SCA), but the Advocate General's interpretation reinforces the incentive: if the bank is the one that pays first, it has a direct interest in reducing the likelihood of fraudulent access.
Finally, one procedural and political point must be stressed: an Advocate General's opinion is not the last word. Its function is to guide the Court; the CJEU judges may follow that line or qualify it in the final judgment, which is what will set binding case law for the courts of the Member States. Until then, Rantos' opinion is a clear sign of where the Court could go, but not a mandate with immediate and uniform effect across the Union.
In human terms, decisions of this kind reshape how risk is shared between customers and banks in the digital age. The objective is simple and legitimate: that a defrauded person receives a quick response and that responsibility is determined by evidence, not by the inertia of an emptied account. The CJEU's judgment should be followed closely and, in the meantime, it is worth remembering that prevention, not clicking suspicious links, always checking the bank's URL, using two-factor authentication and reporting as soon as possible, remains the first barrier against fraud.