If you are a victim of phishing, the bank must refund your money immediately. The Advocate General's reading of the PSD2 directive for the EU Court of Justice, and what it could change for account holders.
Court: EU Court of Justice
Case No.: C-70/25
Date: March 5, 2025
Key provision: Art. 73 PSD2
In an era where the internet is within everyone's reach, users must remain alert to the threat posed by cyber-criminals. Online scams are today one of the greatest risks in the daily use of digital banking services. Among them, phishing, that is, a web-based scam in which attackers lure victims into handing over their banking credentials, is one of the most widely used techniques.
A significant clarification on this matter has come from the EU institutions. The Advocate General of the EU Court of Justice has stated that a bank cannot refuse to refund immediately a customer who is the victim of an unauthorised payment transaction, and that it cannot do so even where the incident was caused by the victim's own negligence.
His position is set out in the opinion delivered on March 5, 2025, in Case C-70/25, concerning a dispute that arose in Poland following an online scam built around a fake bank link.
A customer of a Polish bank had posted an advertisement on an online marketplace. Shortly afterwards she was contacted by a person presenting themselves as a potential buyer.
The supposed buyer sent her a link that appeared to lead to a page belonging to the bank. In reality the link was a trap: it led to a fraudulent site designed to imitate the bank's online interface.
The woman, convinced she was on her bank's genuine website, entered her banking credentials. The scammer thereby obtained them, accessed her current account and made an unauthorised payment.
On discovering the transaction the next day, she immediately reported it to both her bank and the police and requested reimbursement of the amount taken.
The Polish bank, however, denied any liability and therefore refused to return the money. It argued that the customer had acted with gross negligence by entering her data on a site that was not the bank's.
A legal dispute arose before a Polish district court. The local judge decided to refer a question to the EU Court of Justice for a preliminary ruling. In short, the referring court asked: "Does Union law permit banks to refuse immediate reimbursement of unauthorised transactions when they believe the customer has acted with gross negligence?"
The answer proposed by the Advocate General is clear.
Article 73 of the Payment Services Directive (PSD2, Directive (EU) 2015/2366) imposes a precise obligation on the bank once the customer reports an unauthorised payment transaction: it must refund the amount of the transaction immediately, and in any event no later than the end of the following business day. The purpose is to shield the customer from sudden financial consequences, such as being unable to pay bills or mortgage instalments.
According to the Advocate General's interpretation, Member States, including Italy, cannot introduce exceptions through national rules that allow banks to delay or block the refund.
Negligence on the customer's part, even gross negligence, cannot be used as a reason to refuse the immediate refund.
There is only one situation in which the refund can be withheld: when the bank has reasonable grounds to suspect that the customer themselves has committed fraud.
Even then, the credit institution must follow a precise procedure: it must communicate those grounds, in writing, to the relevant national authority.
In every other case, the bank cannot oppose immediate reimbursement.
More specifically, the interpretation of the current rules proposed by the Advocate General results in a two-phase system.
First, the bank must refund the amount taken immediately, regardless of any negligence. This protects the customer from sudden financial consequences.
Second, the bank may afterwards examine whether the customer breached their security obligations. Where the bank can prove intent or gross negligence, it may require the customer to bear the corresponding losses or to return what was refunded. Under Article 72 of PSD2 the burden of proving such negligence lies with the bank, and the mere fact that the transaction was recorded as authenticated is not, in itself, sufficient proof.
It is important to note that the Advocate General's opinion is not yet a binding decision. It is a legal opinion addressed to the judges of the Court of Justice, indicating how EU law should be interpreted in the case under examination.
In the Court's practice, however, the Advocate General's opinions are often followed in the final judgment. If, in the coming months, the Court adopts this interpretation, the ruling will be binding on all courts of the Member States, including Italy. The practical consequences across the European banking system would therefore be significant.
Credit institutions would have to change their internal fraud-handling procedures, refunding customers immediately even where they suspect gross negligence and pursuing any claim against the customer only afterwards.
This reading of the rules strengthens consumer protection, with particular reference to users of digital payment services.
The case shows how EU law is trying to keep pace with the spread of online scams. With the growing use of home banking, financial apps and digital payments, the risk of cyberattacks is real. Precisely for this reason, users of digital payment services must be able to rely on effective and immediate protection when they fall victim to a scam.
If you have been the victim of phishing or an unauthorised bank transfer, you may be entitled to an immediate refund. Do not let the bank refuse a legitimate request.