Strong customer authentication, fake bank adviser fraud, gross negligence: banks cannot reduce the level of protection afforded to professionals

In the context of the growing prevalence of banking fraud through social engineering, and in particular so-called “fake bank adviser” fraud, credit institutions increasingly refuse to reimburse victims by invoking an alleged case of gross negligence on the part of the customer.

This position is even more systematically adopted where the victim is a company or a professional, with certain banks suggesting that business accounts would benefit from a lower level of legal protection than personal accounts.

This assertion has no legal basis.

Recent case law, on the contrary, consistently confirms that business accounts benefit from the same protective regime as personal accounts in matters relating to unauthorised payment transactions.

1. An identical legal framework for individuals and professionals

The payment services regime, derived from the European PSD2 Directive and transposed into Articles L.133-1 et seq. of the French Monetary and Financial Code, applies indiscriminately to:

consumers,
professionals,
companies holding bank accounts.

No statutory provision draws any distinction based on the status of the account holder.

In the event of an unauthorised payment transaction, the principle is clear: the bank is required to immediately reimburse the disputed amounts (Article L.133-18 of the Monetary and Financial Code), unless it can demonstrate fraud or gross negligence attributable to the customer.

The burden of proof rests entirely with the banking institution, including where the account concerned is a business account.

2. Strong customer authentication: a banking obligation, not a presumption of fault

Banks frequently argue that, since the transactions were validated through strong customer authentication, they must necessarily have been authorised.

This reasoning is legally incorrect.

Article L.133-23 of the Monetary and Financial Code is explicit: the use of personalised security credentials alone is not sufficient to prove that a transaction was authorised, nor that the user acted with gross negligence.

Strong customer authentication is a regulatory requirement imposed on payment service providers.
It does not create an irrebuttable presumption of consent, nor does it operate as an automatic transfer of the risk of fraud onto the customer, whether an individual or a professional.

3. Recent case law: full protection for business accounts

A particularly instructive judgment was delivered by the Paris Economic Activities Court on 23 December 2025.

In this case, a company holding a business bank account was the victim of fake bank adviser fraud, resulting in fourteen fraudulent transactions carried out over a very short period of time.

The bank refused reimbursement, relying on strong customer authentication and the alleged validation of the payments by the company’s director.

The court ruled against the bank and reaffirmed several fundamental principles:

the bank must provide precise evidence of how authentication was implemented (timestamps, communication channel used, correlation with each transaction);
mere internal tables or general assertions are insufficient;
the rapid exceeding of payment limits without any blocking mechanism constitutes a technical failure attributable to the bank;
no gross negligence on the part of the professional customer was established.

The court therefore ordered full reimbursement of the disputed amounts pursuant to Articles L.133-18 and L.133-23 of the Monetary and Financial Code.

4. Gross negligence: a strictly defined concept

Gross negligence is not presumed.

It requires conduct of particular seriousness, reflecting a deliberate breach of basic security obligations.

Case law is consistent in holding that the disclosure of credentials, compliance with instructions given by a third party posing as the bank, or the validation of a transaction under psychological manipulation do not necessarily, in and of themselves, amount to gross negligence, including where the customer is a professional.

The French Supreme Court (Cour de cassation) has long held that the mere use of payment instruments cannot release the bank from its reimbursement obligation.

5. Identical protection: a clear message for professionals

Recent decisions confirm a now well-established line of case law:

business accounts are not “risk-shifted” accounts;
banks remain subject to a high standard of security obligations;
strong customer authentication is not an automatic legal shield;
the burden of proving gross negligence always lies with the banking institution.

Professionals, company directors and entrepreneurs therefore benefit from the same level of protection as individuals in cases of banking fraud.

Our position

Banks cannot rely on the technical complexity of payment systems, nor on the professional status of the customer, to evade their statutory obligations.

The fight against fraud cannot justify a silent transfer of risk to the detriment of businesses.

Previous Article