Advocate-General of the Court of Justice of the EU (CJEU), Athanasios Rantos, issued a formal opinion to the EU stating that banks should refund those who suffer from phishing attacks or lose funds through unauthorised payments, regardless of whether it was their fault.
Rantos provided his opinion in response to a case before the District Court in Koszalin, Poland, where a customer suffered a phishing incident after they advertised an item for sale online and a scammer approached them looking to purchase it.
The scammer then sent a malicious link that mimicked the login page of PKO BP SA, the victim's bank. The customer entered their bank account login details on the site, which the scammer then used for an unauthorised transaction.
When the victim reported the incident to the bank and police, the bank refused to refund the money from the incident, and the scammer was not found. The customer then proceeded to sue the bank.
In Australia, the situation is much the same: banks are not responsible for retrieving money lost in phishing and other scams, though they do attempt to stop fraudulent transactions.
A similar case saw a British expat lose his $50,000 house deposit on a $600,000 Melbourne property when a scammer intercepted his conversation with his broker. The bank was only able to retrieve $1,800 of the $50,000.
While the victim believed the bank should do more to help him, the bank is not required to refund the cost or retrieve the stolen funds.
In the EU case, the bank argues it can deny a refund if scammers steal funds as a result of customer negligence.
However, under the EU Payment Services Directive (2015/2366 / PSD2), a bank cannot refuse an immediate refund to victims unless it has reasonable grounds to suspect customer fraud, a point Rantos raised.
In the CJEU press release, Rantos does, however, state that once the refund has been made, the bank can determine whether the fault is with the customer and then demand those funds back from the customer.
“However, once the immediate refund has been made, the bank may require the customer to bear the losses if the customer has deliberately or through gross negligence failed to fulfil his or her obligations as a payment service user,” Rantos said.