EU Legal Advisor Urges Immediate Reimbursement for Cyber Fraud Victims
One of the European Union’s top legal advisors has proposed a significant shift in how banks treat victims of financial fraud, potentially granting consumers greater protection far sooner than anticipated. Advocate General Athanasios Rantos has published a legal opinion urging a reinterpretation of the Second Payment Services Directive (PSD2). The proposal aims to ensure banks reimburse victims of scams immediately, rather than forcing them to wait while financial institutions investigate alleged negligence.
Background and Context
Under current EU regulations, banks often hold the advantage when unauthorized transactions occur. If a customer reports fraud, the bank reviews the case to decide whether to refund the money. Financial institutions frequently cite "gross negligence"—such as a customer being tricked into handing over a one-time passcode or login details—as a reason to delay or deny repayment. This process can leave victims in financial limbo, struggling to recover funds while the bank determines liability. According to a report by The Register, Rantos’s opinion seeks to reverse this dynamic.
Key Figures and Entities
The proposal centers on the legal interpretation by Advocate General Athanasios Rantos. In a hypothetical example cited in court documents, Rantos described a customer phished via a fake online marketplace link who unwittingly reveals banking credentials. Currently, a bank might refuse an immediate refund, arguing the customer failed to spot the deception. Rantos argues the bank should pay first and investigate later.
Industry analysts suggest this would fundamentally alter liability structures. Jonathan Frost, a director at fraud detection firm BioCatch, noted that such a ruling would shift the initial financial risk to banks, compelling them to improve their detection of account takeovers and credential compromises before processing payments.
Legal and Financial Mechanisms
The core mechanism involves changing the burden of proof for "gross negligence." Rather than requiring the victim to prove they were not careless in order to get a refund, the bank would be required to reimburse the unauthorized transaction immediately. The bank would then retain the right to reclaim the funds only if it can subsequently prove that the victim’s gross negligence caused the loss.
While these protections are explicitly codified in the proposed PSD3 and the new Payment Services Regulation (PSR), the legislative process is slow. Rantos is pushing for this interpretation to be applied to existing laws now to protect consumers. The upcoming PSR is particularly significant because, unlike a directive, it is a regulation that would apply immediately across all member states without requiring domestic transposition.
International Implications and Policy Response
The shift comes as regulators brace for a wave of new rules aimed at curbing rising financial fraud. Beyond immediate reimbursement, the forthcoming PSD3 and PSR will mandate more robust Strong Customer Authentication (SCA). Payment service providers will be required to analyze richer data streams—such as device IP addresses and user locations—to distinguish genuine users from malicious actors.
Furthermore, the regulations aim to address accessibility gaps. Current SCA methods often rely exclusively on smartphones, leaving vulnerable populations without proper protection. The new framework would compel providers to broaden authentication methods to ensure security is not dependent on a single type of device.
Sources
This report draws on analysis by The Register, legal opinions from the Court of Justice of the European Union, and public statements regarding the Second Payment Services Directive (PSD2).