[TIMESTAMP: 2026-03-08 16:10 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

EU Court Adviser: Banks Must Refund Phishing Victims Immediately

MEDIUM | Compliance | #EU-CJEU #PSD2 #Phishing
AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Immediate impact: EU banks may be required to refund phishing victims for unauthorised transactions immediately, without waiting for the outcome of their own investigation; the cost of the fraud, and the burden of proving gross negligence, sits with the institution.
  • [02] Affected systems: Banks and other payment service providers (PSPs) operating under the EU Payment Services Directive (PSD2).
  • [03] Remediation: PSPs should pair strong customer authentication (SCA), which PSD2 already mandates, with behavioural transaction monitoring that can hold or step up suspicious transfers before the funds leave the account.

Overview of the CJEU Advocate General Opinion

Athanasios Rantos, an Advocate General (AG) at the Court of Justice of the EU (CJEU), has issued a significant legal opinion on the responsibility of financial institutions in the wake of cyber-enabled fraud. According to Bleeping Computer, the opinion concludes that banks must immediately refund account holders for unauthorised transactions, even where the customer inadvertently enabled the compromise by responding to a phishing attack.

This position rests on the consumer-protection goals of the Payment Services Directive (PSD2). Under PSD2 the burden of proving that the customer acted fraudulently or with “gross negligence” rests with the bank, not the customer. The AG argues that the refund must be made immediately, and at the latest by the end of the business day following notification, regardless of whether the bank has finished investigating the customer’s conduct.

EU Payment Services Directive 2 Compliance Requirements

The AG’s reading of PSD2 signals a shift in the liability landscape for European financial services. PSD2 already requires payment service providers (PSPs) to maintain high standards of authentication and fraud detection. The opinion adds that the refund deadline is not conditional: it cannot be pushed back by internal bank processes or by a preliminary finding that the customer made a mistake.

The TTPs currently used by threat actors rely on social engineering that bypasses traditional security layers: the customer is talked into disclosing credentials or approving an authentication step, and the attacker then initiates the transfer. Banks have often classified this as “gross negligence” on the customer’s part in order to refuse repayment. The AG rejects that automatic classification, stating that simply falling victim to a scam does not by itself meet the high threshold of negligence required to waive the bank’s refund obligation.

Defending Against Phishing Unauthorized Transactions

To contain the financial exposure created by this shift, institutions need to rethink how they defend against phishing-driven unauthorised transactions. Security operations centres (SOCs) should move beyond email filtering and focus on the behaviour of the transaction itself.

Analysis of unauthorised transfers often reveals patterns that a SIEM or behavioural-analytics pipeline could have flagged. If the CJEU adopts the AG’s opinion, the financial incentive for banks to stop fraud before it completes increases sharply: the cost of mandatory immediate refunds will likely exceed the cost of better endpoint protection for corporate banking environments and stronger transaction monitoring for retail customers.

Mitigating Financial Fraud in Banking via Real-Time Detection

Real-time fraud detection for banking requires a layered approach that compensates for the limits of static authentication:

  1. Contextual Authentication: Evaluating the geolocation, device fingerprint, and timing of a transaction request to identify anomalies.
  2. Velocity Checks: Identifying rapid movement of funds that deviates from historical user behavior or standard account patterns.
  3. Out-of-Band Verification: Requiring confirmation through a secondary, trusted channel that is harder to phish, for example an app notification that displays the payee and amount for approval (PSD2’s dynamic-linking requirement) rather than a bare one-time code the victim can read out to an attacker.

Strategic Recommendations for Financial Institutions

The shift in liability means that technical controls must be proactive rather than forensic. Defenders should prioritize the following actions to protect both the institution and its customers:

  • Enhance Transaction Scoring: Deploy machine learning models that score transactions in real-time based on risk factors, potentially holding high-risk transfers for manual review before the funds exit the system.
  • Consumer Education and Positive Friction: While PSD2 encourages seamless payments, adding intentional friction for first-time payees or unusual transaction amounts remains a viable defense against social engineering.
  • Update Response Workflows: Ensure that incident response teams are prepared to meet the next business day refund deadline to remain compliant with the proposed interpretation of the directive.
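The three detection layers listed above (contextual checks, velocity checks and out-of-band step-up) and the transaction-scoring recommendation are easier to reason about as one decision function. The following is an added example written for this article; it is not code from the article, from any bank, or from a fraud-detection product. The weights, thresholds, the 10-minute velocity window, the “off-hours” rule and the sample account history are all assumptions chosen for illustration. It scores each outbound payment against the account’s own history and returns one of three actions: allow, step up to out-of-band confirmation, or hold for manual review before funds leave.

```python
"""Risk scoring for outbound payments (added example; all tuning values are
assumptions, not a real bank's rules)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Transaction:
    tx_id: str
    amount: float       # in the account currency
    payee: str          # destination account identifier
    device_id: str      # device fingerprint presented by the client session
    country: str        # geolocation of the requesting session
    ts: datetime


@dataclass
class AccountProfile:
    home_country: str
    known_devices: set
    known_payees: set
    history: list = field(default_factory=list)   # prior Transactions, oldest first


# Assumed weights and thresholds (hypothetical tuning values)
W_NEW_DEVICE, W_FOREIGN_GEO, W_OFF_HOURS = 30, 25, 10
W_NEW_PAYEE, W_UNUSUAL_AMOUNT, W_VELOCITY = 20, 20, 30
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX_COUNT, VELOCITY_MAX_TOTAL = 3, 5000.0
STEP_UP_THRESHOLD, HOLD_THRESHOLD = 40, 70


def score_transaction(profile, tx):
    """Return (score, reasons); a higher score means more likely unauthorised."""
    score, reasons = 0, []
    # Layer 1: contextual authentication (device fingerprint, geolocation, timing)
    if tx.device_id not in profile.known_devices:
        score += W_NEW_DEVICE; reasons.append("unknown device")
    if tx.country != profile.home_country:
        score += W_FOREIGN_GEO; reasons.append(f"session from {tx.country}")
    if tx.ts.hour < 6:                      # assumed quiet window for this customer
        score += W_OFF_HOURS; reasons.append("off-hours request")
    # Positive friction: first-time payee or amount far above the customer's norm
    if tx.payee not in profile.known_payees:
        score += W_NEW_PAYEE; reasons.append("first-time payee")
    if profile.history:
        typical = median(t.amount for t in profile.history)
        if tx.amount > 5 * typical:
            score += W_UNUSUAL_AMOUNT
            reasons.append(f"amount {tx.amount:.0f} vs typical {typical:.0f}")
    # Layer 2: velocity, i.e. rapid movement of funds inside a short window
    recent = [t for t in profile.history if tx.ts - t.ts <= VELOCITY_WINDOW] + [tx]
    total = sum(t.amount for t in recent)
    if len(recent) > VELOCITY_MAX_COUNT or total > VELOCITY_MAX_TOTAL:
        score += W_VELOCITY
        reasons.append(f"{len(recent)} transfers / {total:.0f} within 10 min")
    return score, reasons


def decide(score):
    """Layer 3: map the score to allow, out-of-band step-up, or hold for review."""
    if score >= HOLD_THRESHOLD:
        return "hold_for_review"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_oob"
    return "allow"


def _tx(tx_id, amount, payee, device, country, when):
    return Transaction(tx_id, amount, payee, device, country, datetime.fromisoformat(when))


def build_sample_profile():
    """Constructed account history: rent and utilities from one device in DE."""
    hist = [_tx("h1", 850, "DE-RENT", "dev-A", "DE", "2026-02-01T09:00"),
            _tx("h2", 120, "DE-UTIL", "dev-A", "DE", "2026-02-05T18:30"),
            _tx("h3", 60, "DE-UTIL", "dev-A", "DE", "2026-02-12T12:10"),
            _tx("h4", 200, "DE-UTIL", "dev-A", "DE", "2026-02-20T19:45"),
            _tx("h5", 850, "DE-RENT", "dev-A", "DE", "2026-03-01T09:02")]
    return AccountProfile("DE", {"dev-A"}, {"DE-RENT", "DE-UTIL"}, hist)


# Constructed requests: a normal rent payment, a phishing-style transfer from a new
# device abroad at night, then a burst of three payments to a new payee.
SAMPLE_REQUESTS = [
    _tx("t1", 850, "DE-RENT", "dev-A", "DE", "2026-03-02T09:15"),
    _tx("t2", 4800, "LT-MULE", "dev-Z", "PT", "2026-03-08T03:12"),
    _tx("t3a", 1800, "NL-NEW", "dev-A", "DE", "2026-03-09T14:00"),
    _tx("t3b", 1800, "NL-NEW", "dev-A", "DE", "2026-03-09T14:03"),
    _tx("t3c", 1800, "NL-NEW", "dev-A", "DE", "2026-03-09T14:06"),
]


def run_demo():
    """Score the sample requests in order; returns {tx_id: (score, action)}."""
    profile = build_sample_profile()
    results = {}
    for tx in SAMPLE_REQUESTS:
        score, reasons = score_transaction(profile, tx)
        results[tx.tx_id] = (score, decide(score))
        profile.history.append(tx)   # attempts are kept so velocity sees them
    return results


if __name__ == "__main__":
    for tx_id, (score, action) in run_demo().items():
        print(f"{tx_id}: score={score} -> {action}")
```

The burst case is the one to note: the first two payments to the new payee pass with only the first-time-payee penalty, and it is the cumulative amount inside the velocity window that pushes the third into an out-of-band confirmation. A production system would keep settled transfers separate from blocked attempts when computing the customer’s typical amount, and would add a payee to the known set only after a confirmed transfer.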

An Advocate General’s opinion is not binding on the CJEU, but the court follows such opinions in the majority of cases. Financial institutions should prepare for a regulatory environment in which the cost of cybercrime is increasingly borne by the service provider rather than the end user.
