On 20 November 2024, the Commercial Chamber of the French Supreme Court (Cour de cassation) ruled (appeal no. 23-15.099) on the liability of users and providers of payment services in the event of fraudulent use of a payment instruments. This ruling, which clarifies the conditions under which liability may be triggered, is in line with evolving case law.

A context of recurring litigation

A bank’s customer who had a bank card disputed the fraudulent debits made from his bank account after his card had been stolen and his identifiers disclosed to a third party. In response, the bank cited gross negligence on its part in refusing to reimburse the debit balance.

The dispute mainly concerned the allocation of the burden of proof between the user and the payment service provider, pursuant to articles L. 133-19, IV, and L. 133-23 of the French Monetary and Financial Code.

The decision of 20 November 2024: clarification and confirmation

The Court of Cassation overruled the decision of the Riom Court of Appeal, pointing out that the burden of proving that transactions were in order rested with the payment service provider, even in the event of gross negligence on the part of the user.

The Court of Cassation ruled :

It follows from Articles L133-19 and L133-23 of the Monetary and Financial Code ‘ that if the payment service provider intends to make the user of a payment instrument with a personalised security feature bear the losses caused by an unauthorised payment transaction made possible by the user’s intentional or grossly negligent failure to comply with the obligations set out in Articles L. 133-16 and L. 133-17 of this Code, the payment service provider must first prove that the transaction in question was authenticated, duly recorded and accounted for and that it was not affected by a technical or other deficiency. ’

The bank must therefore:

1. Demonstrate that the transactions have been authenticated, recorded and accounted for.
2. Provide proof of the absence of any technical or other deficiency.

A gradual evolution in case law

This decision is part of a progressive evolution in case law that requires the bank to prove that the transaction was validly authenticated, but also to prove gross negligence.

The ruling of 20 November 2024 confirms this:

1. A higher burden of proof for banks:
   • The bank must establish with certainty :
     • The authenticity of the fraudulent transactions.
     • The absence of a technical failure or security weakness in its system.
2. A limit on gross negligence:
   • Gross negligence can only be upheld after a strict analysis, taking into account the specific circumstances (for example, sophisticated fraud or a faulty banking system).
3. Increased protection for users:
   • This ruling is a reminder that clients benefit from a protective legal framework. They cannot be held liable for losses without irrefutable proof of their fault and the absence of technical failings on the part of the bank.

This decision is therefore part of a trend in case law that highlights the increasing demands made on payment service providers. By making banks more accountable and limiting the cases in which gross negligence can be invoked, the Cour de cassation is offering consumers greater protection in the face of increasingly sophisticated fraud.

By Olivier Vibert, Lawyer, Paris