Immediate Restitution for Phishing Victims Suggested by EU Court of Justice Adviser: A Landmark Legal Opinion

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Phishing Transactions: An Advocate General of the CJEU has advised that payment service providers must immediately refund customers for unauthorised transactions resulting from phishing attacks.
  • Quick Refund: Under the EU Payment Services Directive, the refund must be made promptly; the only exception is where the bank has reasonable grounds to suspect fraud by the customer and has reported those grounds to the competent national authority.
  • Exceptions: Immediate restitution does not end the matter. After refunding, a bank may still seek to recover the amount from the account holder if it can establish that the customer acted fraudulently or with gross negligence.

Banks should refund phishing victims immediately after an unauthorised transaction is reported, according to a legal opinion on phishing fraud issued by Advocate General Athanasios Rantos of the Court of Justice of the European Union (CJEU).

Interpretation of the EU Payment Services Directive

Advocate General Rantos stated that a bank cannot refuse to refund the amount of an unauthorised transaction immediately on the grounds of gross negligence on the part of the customer. Under the directive, the refund must be the first step; any dispute about the customer's conduct comes afterwards.

The sole exception to immediate reimbursement is where the bank has reasonable grounds to suspect fraud committed by the customer, and those grounds have been communicated to the competent national authority.

The guidance stems from a preliminary ruling request by a Polish District Court regarding a dispute between PKO BP S.A. and a compromised customer. 

In this incident, a threat actor used a malicious link, presented as part of an online auction, to harvest the customer's banking credentials and drain funds from the account. The bank denied restitution, citing the customer's negligence, and the ensuing litigation prompted the Polish court to ask the CJEU how the directive's liability rules should be applied.

Shaping the EU Phishing Refund Policy

This development matters for the broader EU phishing refund policy because it fixes the order of events: the bank refunds first and argues about liability afterwards, so the burden of establishing the customer's negligence falls on the bank after the money has been returned. The directive does not, however, absolve customers of their own security obligations.

Following the reimbursement, the bank may require the customer, as a payment service user, to “bear the losses if the customer has deliberately or through gross negligence failed to fulfil their obligations.”

An Advocate General's opinion is a recommendation to the CJEU judges and is not binding on the Court, but the Court frequently follows it. If adopted, the opinion would shape how banks across the European sector handle phishing refunds and fraud disputes. To prevent attacks in the first place, check out our guide on how to spot and avoid phishing scams in 2026.
