Unauthorised payment transactions: The consumer is not always entitled to a refund | In Principle

Go to content
Find what you need in over 1,000 articles
Search form
Subscribe to newsletter
In principle newsletter subscription form

Unauthorised payment transactions: The consumer is not always entitled to a refund

06.11.2025 banking litigation | banking & finance | European Court of Justice

Banks’ liability for unauthorised payment transactions is one of the leading issues in the law of payment services. It directly affects the scope of protection of consumers using modern payment instruments. In an age of dynamic growth in electronic banking and a rising number of cyber offences, this problem takes on particular importance for users of payment services and for financial institutions.

As a rule, PSD2 and the national regulations implementing the directive establish a broad scope of protection for users, by charging payment service providers with liability for unauthorised transactions. But this protection is not absolute. In its case law, the Court of Justice of the European Union has developed important standards of interpretation clarifying the boundaries of financial institutions’ liability.

According to the position adopted by the CJEU, a bank can effectively defend against a user’s claim over an unauthorised transaction if the bank can show that the user was slow in notifying the payment service provider of the claim—whether intentionally or due to gross negligence, in a serious breach of the duty of care. Users are responsible for properly securing their payment instruments and responding in due time to suspicious events.

Consumer delay in challenging payments

On 1 August 2025 the Court of Justice issued its judgment in C-665/23, Veracash, addressing the rights and obligations of consumers in the context of unauthorised payment transactions. In response to a request for a preliminary ruling by the French Court of Cassation, the Court of Justice indicated how to interpret Directive 2007/64/EC on payment services in the internal market (the earlier PSD, repealed as of 13 January 2018). The ruling is a clear signal not only for payment institutions, but also for consumers—as a reminder of what to do in the event of irregularities.

In the case before the French court, a consumer held an account in gold in the company Veracash SAS. In March 2017 the company sent the consumer a card for making cash withdrawals and payments. From 30 March to 17 May 2017, daily withdrawals were made from the account. Then, on 23 May 2017 the consumer contested the withdrawals and stated that he had not authorised any of them. However, the courts at successive instances denied the consumer’s demand for return of the funds, finding that while the consumer’s contestation of the withdrawals fell within the 13-month deadline provided by the law, the consumer had not given notice of the suspicious withdrawals “without undue delay.”

When the consumer filed a cassation appeal, the Court of Cassation referred the following questions to the Court of Justice under Directive 2007/64/EC:

  • Is the payer deprived of the right to reimbursement of the amount of an unauthorised transaction if he delayed in notifying his payment service provider of the unauthorised payment transaction, even though he did do so within 13 months from the debit date?
  • If so, is the deprivation of the payer’s right to reimbursement conditioned on the lateness of the notification being intentional or the result of gross negligence on the part of the payer?
  • Is the payer deprived of the right to reimbursement of all the unauthorised transactions or only those which could have been prevented if the notification had not been late?

Intentional or grossly negligent delay—the funds will not be returned

On the first question, the Court of Justice held that in principle, the payment service user is deprived of the right to obtain rectification of a transaction if they did not notify their payment service provider without undue delay—even though they did notify it within 13 months.

The court pointed out that Art. 58 of Directive 2007/64/EC designates two separate temporal conditions: one subjective (“without undue delay on becoming aware” of the contested transactions) and one objective (“no later than 13 months after the debit date”). Both of these conditions should be considered in assessing the user’s actions.

The court stated in par. 37 of the judgment: “In that regard, it should be noted that the wording of that provision lays down the obligation for the payment service user to notify his or her payment service provider ‘without undue delay’ on becoming aware, inter alia, of an unauthorised payment transaction, ‘and no later’ than 13 months after the debit date. Therefore, it appears that, according to that wording, the right of the payment service user to obtain rectification of an unauthorised payment transaction is subject to the prior fulfilment of a twofold temporal condition.”

On the second question, the court concluded that the payer is deprived of their right to obtain actual rectification of the transaction only if they delayed in notifying it to their payment service provider with intent or gross negligence consisting in a serious breach of a duty of care. In this respect, the court stressed that the payment service provider bears the burden of proving that the payment transaction was authenticated, accurately recorded, and entered in the accounts.

As the court explained in par. 71–72, “in the event of an unauthorised payment transaction which, first, results from the use of a lost, stolen or misappropriated payment instrument or any unauthorised use of such an instrument and, second, has been notified by the payer to his or her payment service provider within 13 months after the debit date, that payer shall, in principle and except where the payer has acted fraudulently, be deprived of his or her right to obtain a refund of that transaction only if he or she has delayed in notifying the unauthorised payment transaction to his or her payment service provider, with intent or gross negligence. It is for the referring court, which alone has jurisdiction to assess the facts, to determine whether that is the case for each of the withdrawals at issue in the main proceedings, since Article 58 expressly refers to the notification of individual payment transactions.”

On the third question, the Court of Justice held that in the event of successive unauthorised payment transactions resulting from the use of a lost, stolen or misappropriated payment instrument or any unauthorised use of a payment instrument, where the payer observed the 13-month time limit after the debit dates of those transactions but partially delayed in notifying them to the payment service provider with intent or gross negligence, the payer is, in principle, deprived of the right to obtain a refund only of the losses resulting from the transactions which they delayed in notifying to their payment service provider with intent or gross negligence. Because the provision on the payer’s liability for unauthorised payment transactions is an exception from the general rule, it should be interpreted narrowly.

C-665/23, Veracash, also indicates how to interpret PSD2

In the Polish legal system, the rule is that the payment institution should immediately return the amount of an unauthorised transaction and restore the user’s account to the state prior to the charge, under Art. 46(1) of the Payment Services Act. The burden of proving the client’s authorisation or gross negligence rests on the payment service provider (Art. 45). These provisions directly implement the 2007 PSD as well as the superseding PSD2 (Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market).

In the case of a series of unauthorised transactions, the question of whether the payer acted with gross negligence (a serious breach of the duty of care), as well as whether the notice was too late, should be assessed separately for each transaction.

The judgment of the Court of Justice in C-665/23, Veracash, clearly indicates how PSD should be interpreted, and by analogy, also PSD2. A serious failure by users to exercise care, i.e. gross negligence, will make the payer completely responsible. In such cases, users cannot demand that the payment service provider restore their account to the status prior to the unauthorised transaction.

Mateusz Kosiorowski, adwokat, Dispute Resolution & Arbitration practice, Klaudiusz Mikołajczyk, Banking & Project Finance practice, Wardyński & Partners

Recommended articles
Standing of acquirers of claims in consumer credit disputes (Court of Justice case C-80/24)
A tale of two claims: The Court of Justice questions Poland’s rules for unwinding invalid credit agreements
WIBOR litigation, part 1: Can the WIBOR benchmark be challenged as the basis for setting variable interest rates?
WIBOR litigation, part 2: Can basing variable interest rates on WIBOR be deemed an abusive clause?
Court of Justice: The sanction of free credit must be proportionate