According to a recent report from the Bank of France, bank fraud reached more than €1.2 billion last year, and there were over 7 million fraudulent card transactions.
Due to improvements in security procedures introduced in recent years, the rate of card fraud fell by 13% to 0.059% of all card transactions, but as card payments increasingly replace cheques and other forms of payment, a growing number of customers are being snared.
As a result, there has also been an upsurge in disputes over unjustified refusals of a refund by a bank.
A recent report from consumer group 'Que Choisir' signaled over 4,000 cases where banks had refused to refund misappropriated funds.
Nearly 60% of the reports concern fraud of more than €4,000, up to several tens of thousands of euros.
The French banking federation (Fédération bancaire française, FBF) itself reports that 1 in 6 frauds is not reimbursed.
As a result, Que Choisir has filed a complaint with the French banking regulator (Autorité de Contrôle Prudentiel et de Résolution) and with the government on the issue.
All the main banks - La Banque Postale, Crédit Agricole, Banque Populaire, BNP Paribas, Société Générale, CIC, and LCL - are in the frame, as well as some on-line banks.
For the association, these refusals are "a real strategy of the banks to free themselves from their obligation to demonstrate the personal negligence of their customers to refuse to reimburse them".
What Does the Law Say?
In France, as in the UK and elsewhere in Europe, the responsibility of a bank to indemnify a customer in the event of a fraudulent transaction is clearly enshrined in law.
Under the 'Code monétaire et financier' a bank is obliged to immediately reimburse its client the amount of the unauthorised transaction. A failure to do so makes the bank liable for an interest charge on the sum, which increases the longer the refund is delayed.
Thus, Article L. 133-18 of the code states: "in the event of an unauthorised payment transaction reported by the user under the conditions laid down in Article L. 133-24, the payer's payment service provider shall immediately refund to the payer the amount of the unauthorised transaction and, where applicable, restore the debited account to the state in which it would have been had the unauthorised payment transaction not taken place."
Only if the bank suspects fraud by the customer, and they communicate their reasons in writing to the Banque de France, can they refuse to do so.
The rule applies both within and outside of Europe, provided the card is one established in Europe.
In specific, very limited circumstances, a bank is permitted to make a charge of up to €50 in the refund process.
Sometimes banks require that before they are prepared to make a reimbursement the fraud is reported to the police, and a formal complaint number obtained. More commonly, they may demand you report the fraud to an on-line service established by the government for this purpose, called 'Perceval'. The law does not require that such a complaint is made but the on-line reporting procedure is not onerous.
Neither can the bank claim that because the payment was authorised by 3D Secure they are not responsible, as fraudsters have methods of getting around any authentication process by, for instance, duplicating the telephone number of their victim.
Nevertheless, insofar as credit card fraud is concerned, the same code provides an exception to the bank's obligation if the customer has not acted with due care, whether intentionally or through gross negligence, stating that "the cardholder bears all losses caused by unauthorised payment transactions if these losses result from fraudulent acts on his part or if he has not intentionally or through gross negligence satisfied the obligations mentioned....".
What these obligations amount to is that a customer must use the card in accordance with the conditions governing its use, and must not act negligently, for instance, in the communication of their credit card security details.
However, it is for the bank themselves to demonstrate that the customer has acted in a negligent manner, and there is a substantial amount of case law on just what constitutes 'gross negligence'.
In most cases the courts have considered that communicating bank details to a person presenting themselves under a false identity (phishing) is not, by itself, sufficient to characterise the action as being negligent. The bank would need to prove that the information provided to the customer was so obviously fake (e.g., spelling errors) that the customer could be considered to have been negligent in not noticing it.
Nevertheless, for the consumer association, it is by "letting consumers believe that they have no right to reimbursement that banks are guilty of misleading commercial practices".