Decisions handed down at the end of 2025 and the beginning of 2026 form part of a significant judicial trend in the field of banking fraud, particularly in cases involving impersonation of payment service providers (vishing, spoofing).
In this respect, several courts, including the Paris Commercial Court (23 December 2025, Case No. 2024072764) and the Toulouse Court of Appeal (6 January 2026, Case No. 23/04208), have clearly reaffirmed that the technical authentication of a payment transaction is not, in itself, sufficient to establish valid legal authorisation, within the meaning of the French Monetary and Financial Code.
The expansion of strong customer authentication, driven in particular by Directive (EU) 2015/2366 (PSD2), has profoundly shaped banking security systems. However, recent case law highlights a limitation now expressly acknowledged by the courts: a payment system may operate without any technical malfunction while nevertheless producing a legally defective outcome when it is used in a context of fraudulent manipulation of the customer.
Courts are therefore drawing a fundamental distinction between the material act of validating a transaction (entry of a confidential code, confirmation via a banking application, or biometric authentication) and the expression of the payer’s free and informed consent. This approach leads to a reassessment of arguments based solely on proof of compliance with technical authentication standards.
Furthermore, the courts reiterate that gross negligence on the part of the customer cannot be presumed. It requires the demonstration of objectively inexcusable conduct, assessed in light of the specific circumstances of the fraud. Contemporary methods of banking identity theft, which are now well documented, are recognised as being capable of misleading ordinarily attentive customers, without their behaviour being automatically classified as negligent.
Finally, these decisions call for a broader assessment of the obligations incumbent upon credit institutions. Without establishing a general obligation of result, courts increasingly examine the overall coherence of banking systems, including the information provided to customers, preventive measures against known fraud schemes, and the ability to respond effectively to recurring fraudulent scenarios.
Ultimately, recent case law confirms a foundational principle: the technical security of payment transactions cannot, on its own, give rise to a presumption of valid legal consent on the part of the payer.
