Top European Court Advisor Advocates for Immediate Refunds in Phishing Cases
In a significant development within the realm of financial regulations, an advisor to the European Union’s highest court has proposed a vital policy shift regarding the treatment of victims of phishing scams. Advocate General Athanasios Rantos argued that banks should promptly refund users whose accounts have been compromised due to these fraudulent schemes. This recommendation, published on March 9, 2026, carries substantial implications for how financial institutions across Europe handle unauthorized transactions, particularly in Poland.
The issue gained prominence through the case of an unnamed woman in Poland who fell victim to an online scam. The woman, while using an auction platform, was deceived by an individual impersonating a potential buyer. She was misled into visiting counterfeit versions of the auction site and her own bank’s website, where she unknowingly entered sensitive banking credentials. As a result of this breach, approximately 3,000 Polish zlotys (around $814) were illicitly taken from her account.
Following this incident, the victim quickly reported the fraud to her bank, PKO Bank Polski, only to be met with a refusal to reimburse her for the lost funds. This denial of refund prompted her to initiate legal proceedings against the bank. The case then reached the district court in Koszalin, where judges found themselves grappling with the complexities of the EU’s Payment Services Directive and its Polish implementation. Due to uncertainties around the legal interpretations involved, the case was subsequently referred to the Court of Justice of the European Union (CJEU).
The Payment Services Directive, which took effect in early 2018, was designed to enhance consumer protection and foster trust within the EU’s unified payments market. It stipulates that customers must swiftly inform their payment providers upon discovering unauthorized transactions while also ensuring the security of their personalized access credentials. Failure to maintain these security measures can potentially lead to customers being held accountable for the entirety of fraudulent transactions.
However, the Polish version of this directive contains provisions that allow banks to deny refunds if they suspect gross negligence on the part of the customer. As the Polish court observed, numerous banks in the country are prone to reject refund requests in cases of unauthorized transactions, effectively shifting the burden onto victims to pursue legal recourse to recover their losses.
In his comprehensive opinion, Rantos indicated that the language of the EU directive, as well as its Polish adaptation, provides a clear mandate: banks are only permitted to delay immediate refunds when there are suspicions of customer fraud. The advocate emphasized that even in cases where gross negligence is suspected, banks must issue the refund before embarking on any legal proceedings against the customer to reclaim the lost funds.
In his remarks, Rantos highlighted that the intent of the EU legislature was to eliminate the practice where banks could arbitrarily claim misconduct on the part of the payee to refuse refunds. "By reserving exclusively to the case of fraud the option for such a provider not to refund immediately an unauthorized payment transaction," he stated, "the EU legislature aimed to rectify the situation whereby payment service providers resorted to allegations of wrongful conduct, thereby compelling the payer to engage in legal battles to reclaim amounts tied to unauthorized transactions."
Complicating matters further, the Italian government weighed in with a suggested compromise. This interpretation proposed that banks would refund customers immediately, even if they suspected gross negligence, while subsequently allowing the banks to reclaim the money without launching formal legal proceedings. However, Rantos dismissed this interpretation, clarifying that the directive does not align with such an approach, and suggested it would leave customers in a similar predicament to never receiving a refund at all.
Adding to the concerns surrounding phishing fraud, Spain’s Supreme Court ruled in April 2025 that the responsibility falls on banks to demonstrate their customers’ negligence or fraudulent conduct in cases of phishing, thereby avoiding their obligation to cover the losses incurred.
This evolving legal landscape has significant implications for the European banking sector, particularly in nurturing a more consumer-friendly approach to fraud. According to a 2025 report by the European Banking Authority, inconsistent interpretations of what constitutes “authorization” and “gross negligence” among member states have led to a troubling scenario where victims absorb 85% of annual losses from fraud, with total fraudulent credit transfers reaching approximately 2.2 billion euros in 2024 alone.
As the matter progresses toward the CJEU’s final decision, the outcome could redefine the relationship between banks and their customers regarding the treatment of unauthorized transactions. Advocates for consumer rights are hopeful that this case will lead to greater protections for those who fall victim to increasingly sophisticated phishing scams, ensuring that they are not left to navigate the complexities of legal redress on their own.