EU court adviser says banks must immediately refund phishing victims
Athanasios Rantos, the Advocate General of the Court of Justice of the EU (CJEU), has issued a formal opinion suggesting that banks must immediately refund account holders affected by unauthorized transactions, even when the customer is at fault.
The opinion was issued in response to a request for a preliminary ruling submitted by the District Court in Koszalin, Poland, in a dispute between the PKO BP S.A. bank and one of its customers.
The case involved phishing fraud: the customer advertised an item for sale on an auction platform and was approached by a fraudster who sent them a malicious link to a page resembling the bank’s login interface.
The customer entered their bank account credentials on that site, which the fraudster then used to execute an unauthorized payment.
The victim reported the transaction the next day to both the bank and the police, but the fraudsters were not identified, and the bank refused to refund the lost amount. In response, the customer sued the bank.
The dispute arose because the bank argued it could deny the refund if the customer’s negligence caused the loss.
Rantos states that under the EU Payment Services Directive (Directive (EU) 2015/2366, known as PSD2), a bank cannot refuse to issue an immediate refund to victims unless it has reasonable grounds to suspect customer fraud.
“Advocate General Athanasios Rantos considers that EU law requires the bank, as a first step, to refund immediately the amount of the unauthorised transaction, unless it has good reason to suspect fraud, which it must communicate in writing to the competent national authority,” reads the CJEU press release.
However, the opinion clarifies that the process does not end there: the bank may still seek to recover the losses from the customer if it can prove that the customer’s intent or gross negligence led to the security breach.
“If the bank establishes that the customer has failed, intentionally or through gross negligence, to fulfil one of the obligations relating, in particular, to personalised security data, it may require the customer to bear the corresponding losses,” reads the AG’s opinion.
“If the customer refuses to reimburse the amount of the unauthorised transaction, it is up to the bank to take legal action against that person to obtain payment.”
It is important to clarify that this opinion is not a CJEU ruling, but rather an indication of the direction the court may take when the matter reaches that stage. The AG’s opinion is a legal recommendation to the CJEU judges; the CJEU’s final ruling, once issued, will be binding on all EU courts.