
EU Banks Face ‘Refund First’ Mandate for Phishing Victims Under New CJEU Opinion

For years, European financial institutions have relied on a powerful shield against the rising tide of phishing scams: the concept of "gross negligence." By arguing that a customer failed to protect their credentials, banks have frequently delayed or denied refunds for unauthorized transactions. A significant shift in the legal winds is now under way in Luxembourg, however, that could dismantle this defense entirely.

Advocate General Athanasios Rantos of the Court of Justice of the European Union (CJEU) has issued a formal opinion that could fundamentally alter the operational playbook of EU banks. In his assessment of Case C-70/25, Rantos asserts that banks are obligated to refund unauthorized transactions immediately and may not withhold funds based solely on an allegation that the customer was negligent. If the Court follows this opinion in its final judgment, the result would be a strict "refund first, litigate later" protocol, placing the immediate financial burden of fraud squarely on the institution rather than the consumer.

How does the proposed ‘refund first’ mandate function?

The core of Advocate General Rantos's opinion rests on a strict reading of Articles 73(1) and 74(1) of the Payment Services Directive 2 (PSD2): Article 73(1) obliges the payment service provider to refund an unauthorized transaction, while Article 74(1) governs when the payer bears the loss, including cases of gross negligence. Under current industry practice, when a customer reports a phishing incident, banks often freeze the refund while they investigate whether the customer acted with "gross negligence" (for example by voluntarily handing over 2FA codes to a scammer). This investigation can leave victims without access to their funds for weeks or months.

Rantos argues that this procedural delay is incompatible with EU law. According to the opinion, the bank must restore the debited amount immediately upon notification of the unauthorized transaction; PSD2 itself sets the outer limit at the end of the following business day. As noted by the European Funds Recovery Initiative (EFRI), the legal sequence is explicitly redefined: the bank must refund the money first. Only after the funds are restored can the bank pursue legal action to reclaim them if it believes the customer was at fault. The bank cannot act as judge and jury by withholding the money preemptively.


When are banks legally permitted to withhold refunds?

The opinion does leave a narrow window for institutions to withhold a refund, but the bar is set significantly higher than current industry practice. A bank can refuse an immediate refund only if it has "reasonable grounds" to suspect fraud committed by the account holder themselves. Mere suspicion is not enough: the bank must communicate those grounds to the relevant national authority in writing.

This distinction is critical. Alleging that a customer was "grossly negligent" because they fell for a sophisticated SMS phishing scam is not the same as suspecting the customer of being complicit in the fraud. The Advocate General made it clear: a bank cannot refuse the immediate refund merely because it alleges negligence. The threshold for withholding funds therefore shifts from a behavioral assessment of the victim (was the customer careless?) to a documented suspicion of wrongdoing by the customer (was the customer a party to the fraud?), and that suspicion must be reported rather than merely asserted.

What sparked this re-evaluation of banking liability?

This opinion stems from a specific dispute in Poland, Case C-70/25 (Tukowiecka). The case involves a customer, identified as N.O., who sued the major Polish bank PKO BP S.A. The plaintiff was the victim of a classic social engineering attack: credentials were harvested through a counterfeit bank login page, and the attackers used them to execute unauthorized transfers.

While the bank argued that the customer's failure to recognize the fake site constituted gross negligence, the Advocate General's intervention highlights that PSD2 was designed to protect users even when they make mistakes. With payment fraud in the European Economic Area reaching €4.3 billion in 2022, much of it driven by such social engineering, the CJEU is signaling that the systemic risk of these attacks should be absorbed by the entities best equipped to prevent them: the banks.


Looking Ahead

If the CJEU follows this opinion in its final ruling, as it does in the vast majority of cases, the implications for the European banking sector are profound. Banks will no longer be able to use the "gross negligence" clause to hold back funds while a dispute runs its course. Instead, they will have to refund every reported unauthorized transaction up front and then recover losses from customers they believe were negligent through litigation, a costly and inefficient process.

This economic pressure will likely accelerate the deployment of real-time fraud prevention controls such as behavioral biometrics and "confirmation of payee" checks, effectively forcing banks to solve the fraud problem technically rather than managing it legally. The era of offloading the cost of sophisticated phishing attacks onto the consumer appears to be drawing to a close.
