Full Report
Athanasios Rantos, the Advocate General of the Court of Justice of the EU (CJEU), has issued a formal opinion suggesting that banks must immediately refund account holders affected by unauthorized transactions, even when the account holder may be at fault. [...]
Analysis Summary
# Regulation/Compliance: EU Payment Services Directive (PSD2) - Unauthorized Transactions Interpretation
## Overview
This matter concerns the legal interpretation of the **Payment Services Directive (PSD2)** regarding the immediate refunding of unauthorized payment transactions (e.g., phishing victims). The Advocate General’s opinion clarifies that banks must prioritize the immediate restoration of funds to the consumer's account before initiating disputes regarding "gross negligence."
## Key Details
- **Issuing Authority:** Court of Justice of the European Union (CJEU) - Advocate General’s Opinion
- **Effective Date:** None yet. An Advocate General's opinion is advisory and not binding on the Court; it may nonetheless be cited in pending litigation while the final CJEU ruling is awaited.
- **Jurisdiction:** European Union (EU)
- **Status:** Advocate General's opinion (non-binding; the CJEU follows such opinions in most cases, so adoption is likely)
## Requirements
### Mandatory Requirements
1. **Immediate Refund:** Upon notification of an unauthorized transaction, the bank must refund the amount immediately, and in any event no later than the end of the following business day (PSD2 Article 73(1)).
2. **Notification of Suspicion:** If a bank withholds a refund because it has reasonable grounds to suspect fraud by the customer, it must communicate those grounds in writing to the relevant national authority (Article 73(1)). Suspicion alone, undocumented and unreported, does not justify withholding.
3. **Burden of Proof:** The bank bears the burden of proving that the transaction was authenticated, accurately recorded and not affected by a technical failure, and that the customer acted fraudulently or with gross negligence (Article 72). Use of the payment instrument alone is not sufficient proof of either.
4. **Restoration of Account:** The account must be returned to the state it would have been in had the unauthorized transaction not occurred.
### Recommended Practices
1. **Post-Refund Investigation:** Conduct forensic analysis of the phishing incident after the refund has been issued to determine if recovery from the customer is legally viable.
2. **Enhanced Phishing Detection:** Monitor for infrastructure that impersonates the bank (malicious links, typosquatted and homoglyph look-alike domains) so that credential harvesting is detected and blocked before the attacker reaches the transaction stage.
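The look-alike detection recommended above, as an added example that is not part of the original analysis or any vendor's product: it normalises a candidate hostname (punycode decoded, accents stripped, common confusable characters such as Cyrillic letters, digits and "rn"/"m" collapsed) and then checks whether the bank's brand is embedded in a domain the bank does not own, or whether the registrable label is within one or two edits of the brand. The protected domains, the confusable table and the thresholds are constructed assumptions for the example; a production deployment would use the full Unicode confusables table and a public-suffix list.

```python
"""Look-alike domain check for a payment provider's brand domains (added example)."""
import unicodedata

# Constructed: brand domains the PSP legitimately operates.
PROTECTED_DOMAINS = ["examplebank.eu", "examplebank.com"]

# Constructed subset of visually confusable substitutions. Multi-character
# entries are applied first so that "rn" collapses to "m" before "n" is seen.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р с х
    "\u0131": "i",                                 # dotless ı
}


def skeleton(text: str) -> str:
    """Map a hostname or label to a canonical form for look-alike comparison."""
    s = unicodedata.normalize("NFKD", text.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(src, CONFUSABLES[src])
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: catches dropped, added or swapped letters (typosquats)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str) -> tuple:
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    host = candidate.strip().lower().rstrip(".")
    if "xn--" in host:  # decode punycode so homoglyph labels become visible
        host = host.encode("ascii").decode("idna")
    for legit in PROTECTED_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)
    labels = host.split(".")
    if len(labels) < 2:
        return ("unrelated", "not a fully qualified domain")
    # Assumption: the registrable name is the second-to-last label
    # (a public-suffix list would be needed for "co.uk"-style TLDs).
    registrable = labels[-2]
    host_sk = skeleton(host)
    for legit in PROTECTED_DOMAINS:
        brand = legit.rsplit(".", 1)[0]
        brand_sk = skeleton(brand)
        # Brand embedded outside the legitimate domains, e.g. examplebank.eu.login-check.com
        if brand_sk in host_sk:
            return ("lookalike", f"contains brand '{brand}' outside {legit}")
        # Typosquat of the registrable label: allow 2 edits for long brands, 1 for short ones.
        dist = levenshtein(skeleton(registrable), brand_sk)
        if dist <= (2 if len(brand_sk) >= 8 else 1):
            return ("lookalike", f"'{registrable}' is {dist} edit(s) from '{brand}'")
    return ("unrelated", "")


if __name__ == "__main__":
    # Constructed candidates, as they might arrive from certificate-transparency
    # logs or newly registered domain feeds.
    for name in ["online.examplebank.com", "exarnplebank.eu", "examplebank-secure.com",
                 "exampelbank.eu", "ex\u0430mplebank.eu".encode("idna").decode("ascii"),
                 "otherbank.eu"]:
        print(name, "->", classify(name))
```

Hits should feed takedown requests and, for the page's purposes, the evidence file that shows the bank detected and acted on the impersonation before the customer's claim.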
## Affected Organizations
- **Industries:** Banking, Payment Service Providers (PSPs), Fintechs.
- **Organization Size:** All sizes operating within the EU.
- **Geographic Scope:** All EU Member States.
## Compliance Timeline
- **Current Status:** Advocate General Rantos issued the formal opinion on March 8, 2026.
- **Next Milestone:** CJEU Judges will deliberate and issue a final binding ruling (typically 3–6 months following the AG opinion).
- **Final Deadline:** Once the CJEU delivers its judgment, its interpretation of PSD2 binds the national courts of all Member States applying the Directive.
## Implementation Guidance
### Assessment Phase
- Review current "Claims Handling" SOPs to ensure they do not delay refunds while investigating "negligence" versus "fraud."
- Identify the threshold used to define "gross negligence" in the context of phishing (e.g., entering credentials on a spoofed site).
### Implementation Phase
- **Policy Update:** Update internal workflows to ensure "Refund First, Litigate Later" capability.
- **Reporting Mechanism:** Establish a direct line of communication to national regulators for reporting suspected customer fraud.
### Validation Phase
- Audit recent phishing claim denials to confirm that each relied on documented, reasonable grounds for suspecting fraud by the customer that were reported in writing to the national authority, rather than on an unreported suspicion of negligence.
## Technical Requirements
- **Strong Customer Authentication (SCA):** Apply SCA as PSD2 requires. Where the bank did not require SCA, Article 74(2) limits the customer's liability to cases of fraud, so a gross negligence argument is not available at all.
- **Refund Tooling:** Ensure back-end payment systems provide an authorised, audited path to credit disputed funds within the next-business-day window, and secure that path (authentication, authorisation, logging), since it moves money.
- **Fraud Detection Systems:** Implement behavioural analytics that baseline each customer's devices, payees, locations, amounts and timing and flag transactions that deviate from that baseline, the typical signature of an account takeover following credential phishing.
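The behavioural flagging described above, as an added example that is not part of the original analysis: a per-customer profile is built from transaction history (known devices, payees and countries, amount distribution, usual hours), and each new outbound payment is scored against it. The record layout, the weights and the threshold are constructed assumptions; the point is that a high score holds the payment for step-up SCA rather than silently executing it, and the recorded reasons become the evidence trail for the post-refund investigation.

```python
"""Account-takeover scoring for outbound payments (added example)."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed history for one customer. Field names are assumptions, not a real PSP schema.
HISTORY = [
    {"ts": "2026-02-03T09:15:00", "amount": 42.10,  "payee": "payee-1", "device": "dev-A", "country": "DE"},
    {"ts": "2026-02-10T12:40:00", "amount": 310.00, "payee": "payee-2", "device": "dev-A", "country": "DE"},
    {"ts": "2026-02-14T18:05:00", "amount": 57.90,  "payee": "payee-1", "device": "dev-B", "country": "DE"},
    {"ts": "2026-02-21T10:30:00", "amount": 120.00, "payee": "payee-3", "device": "dev-A", "country": "DE"},
    {"ts": "2026-02-28T13:10:00", "amount": 88.25,  "payee": "payee-1", "device": "dev-B", "country": "DE"},
]

# Assumed weights: a never-seen device is the strongest single ATO indicator.
WEIGHTS = {"new_device": 3, "new_payee": 2, "new_country": 2, "amount_outlier": 2, "off_hours": 1}
FLAG_THRESHOLD = 5


def build_profile(history: list) -> dict:
    """Summarise what 'normal' looks like for this customer."""
    amounts = [t["amount"] for t in history]
    return {
        "devices": {t["device"] for t in history},
        "payees": {t["payee"] for t in history},
        "countries": {t["country"] for t in history},
        "amount_mean": mean(amounts),
        "amount_std": pstdev(amounts),
        "amount_max": max(amounts),
        "hours": {datetime.fromisoformat(t["ts"]).hour for t in history},
    }


def score_transaction(txn: dict, profile: dict) -> tuple:
    """Return (score, reasons) for a new outbound payment against the profile."""
    reasons = []
    if txn["device"] not in profile["devices"]:
        reasons.append("new_device")
    if txn["payee"] not in profile["payees"]:
        reasons.append("new_payee")
    if txn["country"] not in profile["countries"]:
        reasons.append("new_country")
    # Outlier if above mean + 3 sigma and also above twice the largest past payment;
    # the second guard stops a few small transactions from making everything an outlier.
    limit = max(profile["amount_mean"] + 3 * profile["amount_std"], 2 * profile["amount_max"])
    if txn["amount"] > limit:
        reasons.append("amount_outlier")
    hour = datetime.fromisoformat(txn["ts"]).hour
    if hour not in profile["hours"] and (hour < 6 or hour >= 23):
        reasons.append("off_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(txn: dict, profile: dict) -> tuple:
    """'hold_for_step_up' routes the payment to fresh SCA; 'allow' executes it."""
    score, reasons = score_transaction(txn, profile)
    return ("hold_for_step_up" if score >= FLAG_THRESHOLD else "allow"), score, reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # Constructed: a phished session at 02:45 from an unknown device to a new foreign payee.
    suspicious = {"ts": "2026-03-02T02:45:00", "amount": 2400.00, "payee": "payee-9",
                  "device": "dev-Z", "country": "NL"}
    normal = {"ts": "2026-03-02T11:20:00", "amount": 64.00, "payee": "payee-1",
              "device": "dev-A", "country": "DE"}
    for t in (suspicious, normal):
        print(decide(t, profile))
```

A new device plus a new payee on its own already reaches the threshold, which is deliberate: that combination is common both for genuine new phones and for account takeovers, and a step-up challenge resolves it without blocking the customer.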
## Penalties & Enforcement
- **Fines:** Non-compliance with PSD2 refund mandates can result in significant administrative fines by national regulators.
- **Other Consequences:** Liability for legal costs if the bank is sued by a customer for withholding a refund; reputational damage.
- **Enforcement:** Enforced by the national competent authorities designated under PSD2; the CJEU does not enforce but delivers the binding interpretation that national courts must apply.
## Related Standards
- **PSD2 (Directive 2015/2366):** The primary legislative framework.
- **ISO 20022:** Standard for electronic data interchange between financial institutions.
- **NIST SP 800-63:** US Digital Identity Guidelines; not an EU requirement, but a common benchmark for authenticator assurance when assessing whether a customer's security measures were "reasonable".
## Resources
- **Official Documentation:** hxxps://curia[.]europa[.]eu/site/upload/docs/application/pdf/2026-03/cp260031en[.]pdf
- **Full Opinion Text:** hxxps://infocuria[.]curia[.]europa[.]eu/tabs/jurisprudence (Case C-70/25)
## Practical Recommendations
- **Shift of Strategy:** Move from a "defensive" refund posture (withholding funds during investigation) to an "assertive" recovery posture (refunding immediately, then suing the customer if gross negligence can be proven).
- **Customer Education:** Intensify anti-phishing training for customers, as this remains the primary defense against the root cause of these unauthorized transactions.