Can your bank refuse to reimburse you?

Have you been the victim of scams and fraudulent debits on your bank account? Logic dictates that your bank will reimburse you immediately and in full. Some, however, refuse, accusing you of negligence. Do they really have the right? Update on regulations and case law in the field.

Unfortunately, thousands of you have this bitter experience every day: despite the progress made in security systems, bank account scams are still in the news. This summer again, dozens of LCL customers were victims of a series of hacks, with total damage amounting to hundreds of thousands of euros. More than ever, cybercriminals are on the lookout for all vulnerabilities and are adapting their operating methods.

One thing does not change: at the source of these thefts, we generally find a theft of personal data, most often on the Internet: personal information (marital status, address, telephone number), bank card numbers or, even worse, online banking access identifiers. To achieve this, criminals continue to use the phishing technique.

The tricks of scammers to empty your bank account

However, these data thefts are no longer enough for them to achieve their ends since the generalization of strong authentication systems, completed in the spring of 2021, which are triggered during online payments or connections to online banking. Once again, cybercriminals have adapted. They no longer hesitate to contact their victims directly by telephone, pretending, for example, to be a bank adviser. The stolen personal data is used here to give credibility to their speech, the purpose of which is generally to push you to authenticate an operation without your knowledge: a purchase, adding a transfer beneficiary, etc. The damage can then amount to tens of thousands of euros.

Regulations protecting users

Fortunately, the regulations in the field are very protective of the victims. The rule in case of fraudulent debits on a bank account is simple: the bank holding the account must reimburse. And on the spot: the so-called purchasing power law, adopted last summer by Parliament, now imposes a maximum period of one working day. At most it can charge you a deductible of 50 euros. And even then… This only concerns fraudulent operations carried out with the use of the bank card's secret code. The bank must also prove that you knowingly delayed filing an opposition after the loss or theft. Clearly, if you are in good faith, you have little to worry about on that front.

There are also cases in which you can never be held liable: if your bank has not clearly informed you on how to file an opposition; if your bank card has been counterfeited and you still have the original; if the fraudulent payment was made without strong authentication being required; but also if the fraud is the consequence of misappropriation, without your knowledge, of your bank card identifiers (unique number, expiry date, cryptogram) or bank account identifiers (customer number and secret code).

Restrictive policies

Problem: faced with the enormity of the sums to be reimbursed (the total amount of payment fraud reached 1.24 billion euros in 2021, up 8%, according to the Banque de France), banks do not always show good will. Some, in particular, have adopted a very restrictive policy: no refund from the moment the cybercriminals have succeeded in getting their victim to disclose their bank details or validate the fraudulent operation with strong authentication. This is the case, for example, of LCL, in the case mentioned at the beginning of the article.

Here is their logic: if cybercriminals have succeeded in circumventing the security devices in place, it is necessarily because the victims were negligent, by failing to take all reasonable steps to keep their personalized security data secure. They thus refer to the Monetary and Financial Code, which effectively provides for a case of derogation from the rule of full and immediate reimbursement, in the event that the victim has not fulfilled, intentionally or through serious negligence, his contractual security obligations.

Favorable case law

Should a person deceived by a phishing site or manipulated by a bogus adviser on the phone be considered seriously negligent? The question is tricky and has been the subject of controversy for years, and even of legal disputes, between banks, users and the associations that represent them. Last June, UFC-Que Choisir filed a complaint against a dozen banks for misleading commercial practices. The association accuses them of making victims believe that they have no right to reimbursement and of deceiving them as to the extent of their rights. Because the regulations are clear: to refuse its customers their right to reimbursement, the bank must show how they were negligent. And this on a case-by-case basis.

In fact, clients who have the means and the courage to take their case to court very often succeed. Jurisprudence is clearly on the side of the victims. In several judgments published in recent years (in January 2017, in June 2017, in November 2018, in May 2019), the Court of Cassation has confirmed several principles. The first: customers are not a priori responsible for the hacking of their bank account, even if the payments gave rise to strong authentication. The second: the bank has a duty of care and must warn its client in the event of unusual activity on the account. The third: the burden of proof is on the bank. That is to say that it is not up to the customer to demonstrate that he has taken all reasonable measures to preserve the security of his security data, but up to the bank to prove that he was negligent. And that is rarely easy, in the absence of a confession from the victim.

Going to court against your bank, however, is still an ordeal, even if it has a good chance of being successful. The best way is therefore to apply certain good practices, to short-circuit hackers' strategies.

Our advice to protect your bank account
