EU Court Adviser: Banks Must Refund Phishing Victims First, Ask Questions Later!

For years, European banks have deflected fraud claims by invoking “gross negligence” to deny reimbursement and force victims into expensive litigation. A landmark opinion from CJEU Advocate General Athanasios Rantos, issued on 5 March 2026, proposes to end that practice: under PSD2, banks must refund unauthorised transactions immediately, and bear the burden of any recovery action themselves. If the Court follows — as it does in most cases — this will be one of the most consequential shifts in EU payment fraud liability in years, and an overdue correction to a system that has long protected institutions at the expense of victims.


Key Findings

  • On 5 March 2026, Advocate General Athanasios Rantos delivered his Opinion in Case C-70/25, Tukowiecka, concluding that a bank cannot refuse the immediate refund of an unauthorised payment transaction merely because it alleges gross negligence on the part of the customer.
  • The opinion was issued in response to a preliminary ruling request by the District Court in Koszalin, Poland, in a dispute between PKO BP S.A. and a customer who fell victim to a phishing scheme involving a fake bank login page delivered via a malicious link on an auction platform.
  • The bank may still seek to recover losses from the customer after the refund has been made — but only if it can establish that the customer acted with gross negligence, and it must do so through formal legal action.
  • The sole exception permitting a bank to withhold immediate reimbursement requires documented, justifiable suspicion of fraud committed by the customer, which must be formally reported in writing to the competent national authority.
  • The Polish court noted that payment service providers in Poland generally refuse refunds in cases of unauthorised transactions, leaving customers to pursue costly legal proceedings to recover lost funds — a practice the AG’s opinion explicitly seeks to remedy.
  • The opinion is not yet a binding judgment; it is a formal recommendation to the CJEU judges, who are not bound by it — though such opinions carry significant persuasive weight and are frequently followed. Efri

RatEx42 Analysis

Case C-70/25 strikes at a structural problem that the European Funds Recovery Initiative (EFRI) has documented repeatedly: banks routinely weaponise the concept of customer negligence at the outset of a dispute, using it as a shield to deny reimbursement altogether, and forcing victims into prolonged litigation. Advocate General Rantos argues that this inverts the intent of the PSD2 framework — immediate reimbursement for unauthorised transactions is a primary legal obligation, not a discretionary benefit that can be suspended at the bank’s convenience.

The case facts are instructive: the victim, an unnamed Polish woman, was defrauded of 3,000 Polish złoty (approximately €700) after a fraudster posing as a buyer on an auction platform lured her to a spoofed banking page and harvested her credentials. She reported the incident the next day. The bank refused to act. This scenario — a phishing attack exploiting human trust rather than technical system failure — is precisely the grey zone that banks have historically used to deny liability.

The broader European context is significant: according to ENISA’s Threat Landscape 2025 report, phishing accounted for 60% of 5,000 observed intrusions between July 2024 and June 2025. If the CJEU follows Rantos’s opinion — which it does in the majority of cases — the implications for fraud liability across all EU member states will be substantial, effectively requiring banks to absorb the immediate cost of phishing fraud while shifting litigation risk onto themselves rather than their customers.


Call to Action

If you have information about banks denying reimbursement to fraud and phishing victims, or about financial institutions structurally misapplying PSD2 liability rules, FinTelegram wants to hear from you. Submit your tip confidentially via our whistleblower platform Whistle42. Insiders, victims, and compliance professionals are encouraged to come forward — your information helps expose systemic misconduct and protect consumers across Europe.
