A bank cannot refuse to refund immediately the amount of an unauthorised transaction simply by claiming the customer was grossly negligent, according to an opinion by Advocate General Athanasios Rantos at the Court of Justice of the European Union.

The case stems from a phishing fraud involving a customer of a Polish bank. A third party posed as a buyer on a sales platform and sent her a fraudulent link that imitated her bank’s website. Having been taken in, she entered her login details, allowing the fraudster to retrieve them and make an unauthorised payment from her account. The next day, the customer reported the transaction to her bank, which refused to refund the amount on the grounds that she had been grossly negligent in disclosing her bank details.

The dispute escalated to court, with the national judge asking the EU’s top court whether, under EU law, a bank is obliged to refund an unauthorised transaction immediately even if it considers the customer grossly negligent, or whether it may refuse reimbursement on that basis.

Why the refund comes first

Rantos reasoned that EU law requires banks, as payment service providers, to reimburse the amount of an unauthorised transaction immediately as a first step, unless they have good reason to suspect fraud. Where a bank does suspect fraud, he stated it must communicate that suspicion in writing to the competent national authority.

In the Advocate General’s view, there is no other exception to the principle of immediate reimbursement. He argued that the EU legislature did not provide for additional carve-outs and left no discretion to member states on whether banks can delay refunds because they believe a customer acted carelessly.

Recover later, if the bank can prove it

The opinion draws a clear line between immediate reimbursement and who ultimately bears the loss. Rantos stressed that an immediate refund is not final.

After reimbursing the customer, the bank may require the customer to bear the losses if it establishes that the customer failed, deliberately or through gross negligence, to fulfil obligations as a payment service user, including duties linked to personalised security data. If the customer refuses to reimburse the bank, the Advocate General concluded it would be for the bank to take legal action to obtain payment.

For consumers, the practical impact is that the first dispute with the bank should not be over whether money is returned quickly, but over whether the bank can later demonstrate deliberate wrongdoing or gross negligence strong enough to shift the loss back to the account holder.

Luxembourg impact

The Polish case is painfully similar to the fake BILnet website scam that targeted Luxembourg customers of Banque internationale à Luxembourg (Bil) between May and July last year. In total, nearly 60 Bil customers were tricked, with individual losses typically between €6,000 and €9,000, for a cumulative loss estimated at around €550,000. As of September 2025, nearly a quarter of those affected had not been reimbursed, despite steps such as blocking transfers and attempting recalls.

At the time, Bil stressed it was “protecting its clients” and maintained it would seek to recover disputed funds through banking channels, a “long and complex” process that does “not guarantee the recovery of funds”. That position sits at the heart of the legal question now before EU judges: whether banks can withhold immediate reimbursement by pointing to alleged customer negligence, or must refund first and only later pursue recovery if they can prove deliberate breach or gross negligence.

The Advocate General’s opinion is not binding on the Court of Justice. But if the Court follows it, banks may have less room to delay reimbursement by immediately leaning on “you were careless”.