06/11/25

Cyber-fraud and banking vigilance: French case law and lessons for Belgium

Recent French judgments from the Nantes Judicial Court have drawn a clear line: banks are not liable for losses stemming from cyber-fraud where payment transactions have been duly authenticated, absent an obvious anomaly or internal bank fault. The courts declined to expand banks’ vigilance duties or to convert anti-money laundering obligations into a private right of action. Under the European maximum-harmonisation regime, Belgian law points in the same direction as it follows the same European framework, meaning identical outcomes likely await fraud victims here.

For Belgian practitioners, these decisions provide guidance on the scope of banking institutions’ duty of vigilance in cyber-fraud cases. The message is straightforward: once strong customer authentication has been satisfied, the operation is deemed authorised and the loss ordinarily rests with the payer, unless a glaring irregularity should have prompted the bank to intervene.

Overview of the recent French decisions

On 27 August 2025, the Nantes Judicial Court delivered a series of decisions (RG n° 21/03703, 21/03707, 22/01571, 22/04767 and 22/04863) setting out the extent of banking institutions’ duty of vigilance in cases involving cyber-fraud. In each instance, victims who had executed wire transfers following fraudulent investment proposals or bank identity theft sought to establish bank liability based on vigilance obligations and anti-money laundering (“AML”) compliance requirements.

The cases involved sophisticated fraud schemes, including diamond investment scams, fictitious trading platforms and bank identity theft, with victims seeking compensation for losses ranging from substantial personal savings to business transfers. Despite the victims’ arguments invoking banking vigilance duties and AML obligations, the court systematically rejected all claims.

The spectacular rise of cyber-fraud has forced European jurists to re-examine the allocation of losses stemming from unauthorised online payments. While consumers instinctively expect their bank to act as a safety net, the European regulatory framework – particularly Directive (EU) 2015/2366 (“PSD2”) – seems to place primary responsibility on the payer once a transaction has been authenticated via strong customer authentication (“SCA”).

Some litigants have attempted to rely on the rules of the Fourth AML Directive (Directive (EU) 2015/849) to support private claims, but the French judgments firmly reject this approach. Others invoke a general duty of vigilance incumbent upon banks.

This series of decisions reflects a consistent judicial trend and offers valuable insight for Belgium, where courts have issued divergent rulings on the scope of banking vigilance, the definition of “authorised” versus “unauthorised” transactions and the interplay between AML rules and PSD2. These inconsistencies are also mirrored in the varied positions adopted by Ombudsfin, underscoring ongoing legal uncertainty.

Key legal principles from the French decisions

The Nantes Judicial Court articulated several key principles in support of its decisions:

  • Principle of non-interference. Banks must not interfere in client asset management, nor question the relevance or purpose of the transactions ordered, except in cases of obvious anomaly. The French decisions specifically noted that international transfers within the EU, high transaction amounts and client financial capacity mismatches do not, absent other indicators, constitute sufficient grounds for bank intervention.
  • Targeted vigilance standard. The duty of vigilance only applies if the transaction presents an obvious anomaly, such as clearly falsified documents, material inconsistencies in the instructions or erratic account activity. In the absence of such signals, the bank is not required to investigate further. Several of the Nantes decisions specify that a secure transfer made to a foreign account within the EU does not constitute such an anomaly. Similarly, the judge held that the mere fact that the claimant had modest financial means and nonetheless initiated substantial transfers did not, in itself, constitute an anomaly. Provided the funds were available and the transactions bore no outward irregularity, the bank was under no obligation to interfere with the management of the client’s assets.
  • Limited scope of AML vigilance obligations. The vigilance obligations under the French Monetary and Financial Code, which parallels the Belgian AML law of 18 September 2017, are intended for supervisory authorities and do not confer any right of action on individuals.
  • Authorisation versus intent. The use of the authentication device is sufficient to qualify the transaction as authorised. The payer’s actual intent, including instances where it may be compromised by fraud, does not affect the service provider’s liability.

Brief reminder of the Belgian regulatory framework: Code of Economic Law and transposition of PSD2

In Belgium, the regime applicable to payment services is mainly governed by Articles VII.32 to VII.55/2 of the Code of Economic Law (“CEL”), which transpose PSD2. The aim of the directive is to achieve complete harmonisation of the applicable law.

A transaction is considered “authorised” if validated through the agreed SCA method (e.g. password, SMS code), although there is still some debate about whether procedural consent alone suffices under civil law.

The payment service provider (“PSP”) is strictly liable for unauthorised transactions and must reimburse the payer, unless the payer acted with gross negligence (e.g. by sharing credentials or ignoring suspicious changes). Additionally, PSPs are only required to verify the IBAN provided, without checking whether it matches the beneficiary’s name – a point that is expected to be addressed in a forthcoming legislative reform.

Separately, the AML law of 18 September 2017 imposes vigilance obligations on financial institutions, but it remains unclear whether these obligations create directly enforceable rights for individual customers.

Application of these French principles mutatis mutandis to Belgian litigation

The legal principles developed can be applied in their entirety to Belgian law. This convergence can be explained by the influence of European law: the PSD1 and PSD2 directives impose maximum harmonisation of liability regimes, as reiterated by the Court of Justice of the European Union. National courts cannot therefore create parallel or more protective regimes.

As mentioned, certain issues remain under debate in Belgium, but this recent French case law reinforces the majority position concerning the following:

  • Scope of the duty of care: Under Belgian law, this duty is limited to irregularities that are obvious or “crèvent les yeux”, according to the formula established by case law. The French decisions reinforce this interpretation, confirming that banks are not required to monitor the destination of funds unless clear irregularities are present. They also confirm that it is materially impossible for banks to systematically monitor the destination of funds without violating the principle of non-interference and paralysing the functioning of electronic payments.
  • Concept of unauthorised transactions: Only the authentication procedure matters; the subjective intention of the payer, even if flawed, is irrelevant. French judgments use the same distinction. The concept of “consent” under PSP liability rules must be distinguished from its broader civil law meaning.
  • IBAN/name verification: There is no obligation to verify that the IBAN matches the beneficiary’s name (Article VII.55/2 CEL). The “IBAN-NAME Check” project remains at the legislative proposal stage. The French court similarly rejects this requirement.
  • AML law invocation by the victim: This French case law concludes that any basis derived from anti-money laundering law should be ruled out, as this law is aimed exclusively at combating money laundering and terrorist financing, with administrative penalties. There is no causal link. The customer therefore has no right of action in this area: the law cannot be invoked by the victim of fraud to protect private interests and obtain compensation. Belgian courts increasingly follow this reasoning.

Conclusion

The alignment of French and Belgian solutions, driven by the PSD2 directive, leaves little room for doubt: unless there is a clear anomaly or internal fraud within the bank, the risk of cyber-fraud now weighs mainly on the negligent user. The six judgments of 27 August 2025 illustrate this trend and provide Belgian judges with further clarification confirming that an authenticated transaction is equivalent to an authorised transaction, regardless of the payer’s actual intention. Under current European law, loss allocation in cyber-fraud cases is unequivocal: once the SCA procedure is followed, the payer bears the financial consequences, even if the transaction arose from sophisticated phishing or hacking.

Neither the AML framework nor a general duty of vigilance alters this rule. Recent French case law adds further clarity and reinforces the prevailing interpretation.

That said, the debate remains subject to legal developments. The European Commission’s June 2023 proposals for a Third Payment Services Directive (“PSD3”) and the accompanying Payment Services Regulation envisage several reforms and could rebalance the equation and offer stronger protection to payers in cases of cyber-hacking.

Nonetheless, for now, except in exceptional circumstances, victims of cyber-fraud cannot seek redress from their bank. Accordingly, practitioners must advise clients that diligent internal controls, employee training and rapid incident response remain the only effective safeguards against the financial consequences of cyber-fraud.
