In a judgment of 4 March 2026, the Commercial Chamber ruled that the provisions of Article L. 133-21 of the Monetary and Financial Code do not protect the bank where it has not merely executed the payment order. If the bank itself prepared the transfer order based on bank details containing obvious anomalies, it may be held liable on the grounds of contractual liability for breach of its duty of care.

Court of Cassation, Commercial, Financial and Economic Chamber, 4 March 2026, No. 25-11.959

The facts relate to a classic case of bank account details fraud in the context of a property purchase.

BNP Paribas customers had sent their bank a bank account identification statement received from an email address fraudulently mimicking that of a notary’s office. The bank then drew up a transfer order using these details, before having it signed by the clients. The transfer was ultimately credited to an account whose beneficiary remained unknown. The clients then sought to hold the bank liable for breach of its duty of care.

The bank argued that the dispute fell exclusively under the special regime for payment services. It invoked Article L. 133-21 of the Monetary and Financial Code, according to which an order executed in accordance with the unique identifier provided by the user is deemed to have been duly executed, so that the service provider is not liable if that identifier is inaccurate.

The Court of Cassation first reiterated this reasoning, also referring to the case law of the Court of Justice of the European Union on the harmonised nature of this regime. However, it introduced a clear limitation:

“whilst the general contractual liability under Article 1231-1 of the Civil Code does not apply to the execution by the payment service provider of a payment order in accordance with the unique identifier provided by the user, this is not the case where the payment service provider has not merely executed the payment order. ”

The special regime remains exclusive where the bank merely executes the order received. Conversely, it ceases to preclude general law liability where the bank has played an active role in the disputed transaction.

However, in the present case, the Court endorses the lower courts’ finding that the disputed bank details contained obvious anomalies:

“the bank details appearing on the payment order drawn up by the bank and subsequently submitted for signature by Mr and Mrs [K] contained apparent and manifest inconsistencies which could leave no doubt, for a normally diligent professional, that the identifier was a gross forgery”

In the Court of Cassation’s view, the bank could no longer hide behind a purely technical execution of the order, since it had drafted it itself. The Court therefore upheld the judgment against it:

“ as the bank, in its capacity as a payment service provider, did not merely execute a transfer order in accordance with the unique identifier provided by Mr and Mrs [K], but had itself drafted that order, it was required, under ordinary law, to compensate its customers for the loss caused by this breach of its duty of care. ”

This decision does not call into question the principle that the bank is not, in principle, required to check that the beneficiary’s name matches the IBAN provided. However, it reiterates that this protection presupposes that the institution has remained in its role as an executor. Where it is itself involved in preparing the order and allows a gross error to pass, it may be held liable under ordinary law.

It should be noted that since 9 October 2025, all banks in the eurozone have been required to implement a new Verification of Payee (VoP) service under European Regulation 2024/886. This mechanism aims to secure bank transfers by verifying that the payee’s name provided by the customer matches the IBAN of the recipient’s account.

In practice, the ruling will encourage banks to further secure transactions in which they actively assist their customers, particularly in the case of transfers relating to property sales.

It will therefore be necessary in practice to determine whether the bank merely executed an order or whether it contributed to formalising a transaction in which inconsistencies were immediately detectable. The bank’s liability regime will depend on this distinction.

By Olivier VIBERT, SELARL KBESTAN

Paris and Evreux