
September 25, 2025
The Court of Justice of the European Union (the “CJEU”) examined the right of refunds of payment service users in the event of unauthorised transactions in the case of IL v. Veracash SAS (C-665/23), where it emphasised the relevance of timely reporting of fraud by the users in its ruling delivered on 1 August 2025. In the context of the EU’s payment services regime, the key question addressed by the CJEU in this case was: should the payment service provider bear the liability if a customer delays notification of unauthorised payments, despite the notification being made within the legal timeframe?
Since the circumstances subject to the dispute date back to 2017, the CJEU applied the provisions of a repealed EU directive – Directive 2007/64/EC on payment services in the internal market (the “PSD”), which has since been replaced by Directive (EU) 2015/2366 (the “PSD2”). Nonetheless, the provisions of the PSD assessed by the court were practically retained in an identical manner in the PSD2, therefore rendering the CJEU’s analysis and interpretation fully relevant to today’s application of the EU payment services framework.
The plaintiff in this case, Veracash’s customer, was sent a new card linked to the deposit account which he had opened with Veracash. It transpired that daily withdrawals were made from the plaintiff’s account via such new card, which the plaintiff claimed to have never received. Denying that the daily withdrawals were carried out by him, the plaintiff brought an action before the French courts seeking refunds from Veracash of the funds which were withdrawn without his authorisation.
At first instance, the French courts dismissed the plaintiff’s request on the basis that he did not notify Veracash of the unauthorised withdrawals ‘without undue delay’, but only did so almost two months after the first contested withdrawal. The national courts applied the national provision transposing Article 58 of the PSD (equivalent to today’s Article 71 of the PSD2). This law entitles a card user to rectification from the payment service provider (including banks and other financial institutions) only if the user notifies the provider without undue delay on becoming aware of any unauthorised transactions, and no later than 13 months after the debit date. The PSD further obliges providers to refund unauthorised transactions, unless the user acted fraudulently or with gross negligence.
The plaintiff appealed the court’s decision, contending that the law afforded him a 13-month time limit from the date of debit of the funds for the notification to be submitted to Veracash. On the other hand, Veracash argued that the PSD establishes a double time limit and that the plaintiff failed to adhere to the legal requirement to notify immediately.
The French courts before which the appeal was brought referred to previous cases heard by the CJEU on the same provision of the PSD on notifications of unauthorised transactions. However, they noted that the CJEU did not rule on the consequences of the payer’s failure to notify the payment service provider ‘without undue delay’ that an unauthorised transaction was made.
In this case, the French courts sought to clarify whether, in the context of the PSD, the delay in notifying a payment service provider of an unauthorised transaction should result in the user being denied the right to compensation, even if such notification was made within 13 months from the debit date. The courts further questioned whether the deprivation of the user’s right to compensation depends on whether the user’s delay in notifying the payment service provider is intentional or the result of the user’s gross negligence.
In its interpretation of the afore-mentioned legal provision in the PSD, the CJEU observed that the payment service user has two distinct obligations
Whilst noting that this assessment must be made on a case-by-case basis, the CJEU observed that the two obligations are autonomous and that the 13 months referred to in the PSD constitute a maximum time limit which applies independently of the obligation to notify ‘without undue delay’.
This conclusion was based on the CJEU’s interpretation that the notification obligation is a prerequisite to obtaining rectification, and that such prerequisite is intended to ensure that the payment service provider is informed of the fact that the user has become aware of an unauthorised transaction. The CJEU further noted that this is a twofold condition, in that the user must first notify the payment service provider immediately upon becoming aware of the fraudulent transactions and, secondly, the notification must take place no later than 13 months from the debit date.
In addressing the referring court’s additional question, the CJEU also pointed out that the payments regime favours the user of a lost, stolen or misappropriated payment instrument from which unauthorised transactions are made, as the burden of proof lies with the payment service provider to prove that the transaction has been authenticated, accurately recorded and entered in the accounts. Furthermore, the CJEU noted that, if the notification of an unauthorised transaction from a lost, stolen or misappropriated instrument is made by the user without delay and within the 13-month period set out in the PSD, the refund obligation of the payment service provider kicks in. However, the CJEU observed that the refund obligation of the payment service provider is not triggered where the unauthorised payment transaction:
Finally, the CJEU addressed a scenario where the transactions in question are several consecutive unauthorised withdrawals resulting from the use of a lost, stolen or misappropriated payment instrument and the user partially delays notification (despite this being made within the 13-month time limit) of such withdrawals to the provider with intent or gross negligence. The CJEU concluded that, in such cases, the user of the payment instrument is deprived of the right to obtain a refund only of the losses resulting from the transactions which the user delayed in notifying to the provider with intent or gross negligence.
The CJEU’s ruling in this case is a clear reminder that, in today’s regulatory environment which puts increasing pressure on payment service providers to fight payment fraud, payment service users must also play their part in taking immediate action when it comes to unauthorised payment transactions. For payment service providers, the ruling serves as a clarification that their liability for unauthorised transactions is not unlimited. However, it is not easily avoided, as the CJEU struck a balance by ensuring that only users who fail to notify their providers with intent or gross negligence are to carry the blame.
The ruling, which is still very relevant in the context of today’s payments framework, further contributes to an understanding of the liability regime established in such payments framework, and establishes a level of balance of responsibility between payment service providers and their customers.
Disclaimer: Ganado Advocates is responsible for contributing to this law report but was not in any way involved as legal advisor for the parties in the judgement being covered in this law report. This article was first published in ‘The Malta Independent’ on 24/09/2025.