As frauds and scams multiply on the Web, more and more banks refuse to reimburse their injured customers, a practice that has benefited from a legal gray area and that the Banque de France is now putting an end to.


Online scams and frauds have become commonplace, and unfortunately many people fall into the trap. Some have the unpleasant surprise of waking up one morning to discover that large sums have disappeared from their bank account. They then turn to their bank to ask for explanations and, above all, to dispute these transfers. According to the law, when a customer disputes a suspicious transaction with their bank, the bank is required to reimburse them within 24 hours. That is the theory, at least, because many banks refuse and, to date, only 70 to 80% of scams are actually reimbursed. That figure is explained above all by the widespread adoption of strong authentication, also called two-factor authentication (2FA) or double authentication.

This technology, used in particular for logging in to an online banking space and for purchases on the Internet, makes it possible to ensure, by means of two distinct proofs of identity (secret question, password, fingerprint, voice recognition, secret code, smartphone, etc.), that the legitimate person is indeed the originator of a banking operation carried out remotely. Very often, however, banks use strong authentication as an excuse to accuse victims of negligence, considering that they themselves took part in the scam. The Observatory for the Security of Means of Payment (OMSP) at the Banque de France has decided to tackle this growing problem and published, on Tuesday 16 May, a list of thirteen recommendations addressed to both banks and their customers, aimed at combating fraud and eliminating the gray area surrounding its reimbursement by banking establishments. From now on, the strong authentication argument will no longer work!

Credit card fraud: increasingly complex techniques

Banking scams happen much more often than you might think: approximately 1.3 million households were defrauded in 2020, an increase of 161% since 2010! Nor are the sums small, because 60% of the frauds reported concern amounts ranging from 4,000 to several tens of thousands of euros, which ultimately represents a total of more than 1.2 billion euros, according to the latest report from the Banque de France. And while the strong authentication system has made it possible to considerably reduce payment fraud on the Internet (a 30% drop between 2019 and 2022), fraudulent payments with strong authentication represented 9% of the total number of fraudulent card payments on the Internet in 2021, but 30% of the sums stolen, according to the OMSP. Even if there are fewer victims, the sums stolen are more substantial!

Another problem: the modus operandi of cybercriminals has evolved, and new types of scams have developed to circumvent the regulations. The methods used are increasingly sophisticated: they range from simple phishing, which consists of tricking someone into handing over personal and bank details via a fraudulent email or SMS, to identity theft by impersonating bank advisors (the vishing technique), to hacking the phone's chip. In short, it is time to evolve!

Online fraud: what does the law say?

The law requires banks to immediately restore victims' accounts, except in cases of gross negligence. Indeed, the monetary and financial code (article L133-18) provides that when the customer reports to his bank "an unauthorized payment transaction", the bank must reimburse him "immediately". This means that in the event of fraud, a bank must reimburse its customer without the latter having to provide the slightest proof. It is up to the bank to launch investigations in the event of doubt, since the customer pays for a service that ensures the security of his transactions, and then to "prove fraud or gross negligence" in order to recover the reimbursement made. However, banks tend to exempt themselves from their obligation to demonstrate the personal negligence of their customers before refusing to reimburse them. Most of the time, they are content to accuse the victims of "negligence" without providing proof. Yet the only way a bank can recover a refund is to "prove fraud or gross negligence" on the part of the customer, according to the monetary and financial code (L.133-23). In any case, it must advance the reimbursement.

Banks also refuse to reimburse victims in the event of enhanced authentication, without providing proof that their customer is the source of the payment. They advise victims instead to turn to the police in order to find the criminal and recover their money. But according to the law, "the use of the payment instrument as recorded by the payment service provider does not necessarily suffice as such to prove that the transaction has been authorized by the payer or that the latter has failed, intentionally or through gross negligence, to fulfil the obligations incumbent on him in this matter".

Credit card fraud: clearing up legal uncertainty

Among the thirteen points addressed by the Banque de France, one in particular concerns strong authentication and the refusal of reimbursement. The organizations point out that this mechanism is not infallible, and that a customer can be manipulated by a scammer without being accused of negligence. Julien Lasalle, who directs the OMSP, questions this process. "In cases where it is the user who has carried out the authentication, one must ask what is the origin of the transaction? Was the user sufficiently informed at the time of authentication to find out about the transaction he was validating? Did the bank give him a chance to exit the transaction? These questions must be asked to determine the value of the consent given through the authentication," he explains to France info.

The recommendations recall that if a disputed transaction has not been the subject of strong authentication, the bank must reimburse the customer "at the latest at the end of the first working day". If it has been the subject of strong authentication, then the banking institution must analyze the various parameters associated with this transaction (origin of the transaction, strong authentication parameters, interactions with the payer, etc.), while taking into account that the existence of strong authentication is not sufficient to consider that the transaction has been authorized by the customer. In the absence of sufficient elements to justify the authorized nature of the transaction or demonstrate gross negligence on the part of the user, the establishment is required to reimburse the transaction in question without delay, concludes the report. The banking authority takes this opportunity to remind customers never to authenticate transactions that they have not initiated, and never to communicate their passwords, confidential codes or any banking information to third parties, even a banker, let alone by email or telephone, because a bank never asks for this kind of information.

Online fraud: major banks refuse to reimburse

In June 2022, UFC-Que Choisir analyzed no fewer than 4,300 reports of online fraud made between 2019 and 2022, and found that twelve of the largest establishments (La Banque Postale, Crédit Agricole, Banque Populaire, BNP Paribas, Société Générale, CIC, LCL, Boursorama, ING, Nickel, Cetelem and Floa Banque) did not comply with the law by "systematically" refusing to reimburse the victims. The consumer association therefore filed a complaint against the twelve establishments for deceptive commercial practices, as it announced in its June 28 press release.

The association believed that "It is by letting consumers believe in this way that they have no right to reimbursement that the banks are, in our view, guilty of misleading commercial practices. They deceive them on the extent of their rights". For Alain Bazot, president of UFC-Que Choisir, "Faced with the proliferation of increasingly sophisticated frauds, it cannot be accepted that banks blithely free themselves from their obligation to expressly demonstrate the negligence of their customers in order to refuse to reimburse them". Whatever the case, while waiting to prove the negligence of their customers, the banks must reimburse them and then carry out the investigation.