EU court adviser says banks should refund phishing victims first, then recover losses later


Banks in the EU should immediately refund customers for unauthorized transactions, even when the bank believes the customer acted with gross negligence, according to an official opinion from Advocate General Athanasios Rantos of the Court of Justice of the European Union. The key limit is fraud: a bank may hold back the refund only if it has good reason to suspect the customer committed fraud and reports that suspicion in writing to the competent national authority.

That does not mean customers automatically keep the money forever. Rantos said the bank may later try to recover the loss if it proves the customer intentionally or through gross negligence failed to protect their personalized security credentials. In that situation, the burden shifts to the bank to pursue recovery after making the refund.

The opinion came in Case C-70/25, a Polish dispute involving PKO BP and a customer who entered banking details into a phishing page that imitated the bank’s login interface. After the fraudster used those credentials to make an unauthorized payment, the customer reported it the next day, but the bank refused reimbursement, arguing the customer’s negligence caused the loss.

What the opinion means right now

This is not the final judgment of the EU’s top court. It is an Advocate General’s opinion, which often signals the legal direction of a case but does not bind the Court of Justice. The judges will now deliberate and issue a final ruling later.

Still, the opinion matters because it reads the revised Payment Services Directive, known as PSD2, in a consumer-friendly way. Rantos said EU law requires an immediate refund as the first step in unauthorized transaction cases, subject only to the limited fraud exception. He also stressed that Member States have no discretion to create additional exceptions to that rule.

Why this could matter for phishing victims across Europe

Phishing scams often leave victims stuck between two bad outcomes: the money is gone, and the bank says the customer clicked the link or gave away credentials. This opinion suggests that, under PSD2, banks cannot use alleged gross negligence as a reason to delay the immediate refund stage. They may still argue negligence later, but only after the account holder gets the money back first.

That interpretation could strengthen consumer protection in disputes over account takeovers, fake banking pages, and social-engineering scams. It also places more urgency on how quickly banks investigate suspicious transfers and document any claim that the customer acted fraudulently.

What PSD2 says

PSD2 already states that, in the case of an unauthorized payment transaction, the payer’s payment service provider must refund the amount immediately and restore the account to the position it would have been in had the transaction not happened. The directive also places duties on users to protect personalized security credentials and notify the provider without undue delay when they become aware of misuse.

The Advocate General’s opinion tries to reconcile those two rules. In simple terms, the refund comes first. The negligence fight can come after.

Key points at a glance

Issue              | What the Advocate General said
-------------------|--------------------------------------------------------------------------------------------------
Immediate refund   | Banks should refund unauthorized transactions immediately unless they suspect fraud and notify the authority in writing.
Gross negligence   | Gross negligence does not let a bank skip the immediate refund stage.
Later recovery     | A bank may later seek repayment if it proves the customer acted intentionally or with gross negligence.
Final legal status | This is an Advocate General’s opinion, not the court’s final judgment.

What banks and customers should watch

  • Banks may need to revisit internal refund procedures for phishing-related unauthorized transactions.
  • Customers should still report fraudulent payments as fast as possible, because PSD2 includes timing obligations.
  • The final CJEU ruling will matter most, because that judgment will carry binding force across EU courts.

FAQ

Do banks now have to refund every phishing victim in the EU immediately?

Not yet as a binding rule from this case. The current development is an Advocate General’s opinion, not the court’s final judgment.

Can a bank still blame the customer?

Yes. The opinion says the bank may later seek to recover the money if it proves the customer acted intentionally or with gross negligence.

What is the main legal point?

A bank should not refuse the immediate refund simply because it believes the customer was grossly negligent. The fraud exception is narrower.

Does this apply only to Poland?

The case came from Poland, but the legal interpretation concerns EU law under PSD2, so the final judgment could shape similar disputes across the bloc.
