CJEU opinion of Advocate General: victims of online fraud must receive immediate refunds from service providers
On 5 March 2026, the Court of Justice of the European Union (CJEU) published the opinion of Advocate General Athanasios Rantos in ECJ preliminary ruling case C-70/25 on the immediate refund obligation for payment service providers when clients make unauthorised transactions under EU Directive 2015/2366 (PSD2). The facts of the case related to a classic phishing fraud: a customer of a payment service provider received a fraudulent link imitating her service provider’s website where she entered her login credentials. Using these credentials, the fraudsters initiated an unauthorised payment from the customer’s account.
In his reasoning, Advocate General Rantos stated:
- PSD2 requires payment service providers to refund the amount of an unauthorised transaction immediately;
- the only exception is where the payment service provider has reasonable grounds to suspect fraud by the customer and notifies the competent national authority in writing; and
- PSD2 leaves no discretion to member states to introduce additional exceptions to the immediate refund obligation.
The Advocate General highlighted that the immediate refund is not final in nature. A payment service provider may subsequently seek to recover the refunded amount if it establishes that the customer:
- intentionally failed to fulfil obligations as a payment service user; or
- through gross negligence failed to fulfil the obligation to protect personalised security data (e.g. login details).
Practical impact on payment services business
By executing payment transactions — including unauthorised ones — payment service providers comply with both their contractual and statutory obligations. Nevertheless, even minor negligence on the part of the consumer may trigger an immediate refund obligation on the provider’s side, resulting in direct financial loss.
The payment service provider may establish gross negligence on the customer’s side and pursue reimbursement, but only after the refund has been made, effectively requiring it to seek recovery of its own funds ex post.
The obligation to pay immediate refunds will likely generate losses on the balance sheets of payment service providers, which are expected to be absorbed as operating costs. In line with prevailing market practice, such additional costs are likely to be passed on to customers, ultimately increasing the cost of payment services.
To reduce the incidence of unauthorised transactions, payment service providers may be required to introduce three or four‑factor authentication mechanisms. While such measures may enhance security, they also entail higher operational costs and slower transaction processing, potentially undermining competitiveness vis‑à‑vis non‑EU market participants.
In scenarios where a consumer unlawfully refuses reimbursement, recovery is possible only through costly and protracted litigation. Procedural expenses (e.g. legal fees and court duties) will increase the risk exposure of providers, and contribute to rising operating costs, which may be transferred to consumers.
Finally, the adoption of an excessive consumer‑protective approach (i.e. the strict requirement of immediate refunds) may convey the regulatory message that heightened vigilance in handling payment service credentials is unnecessary, as losses resulting from fraud will be promptly reimbursed by the payment service provider.
The Advocate General’s Opinion is not binding, but is a proposed legal solution for the CJEU’s consideration. Nevertheless, it raises serious questions that carry implications for the entire EU payment-services market, including:
- Is it consistent with PSD2 to allocate the full short‑term financial risk of unauthorised transactions to payment service providers, even where the transaction was enabled by the consumer’s failure to exercise reasonable care?
- Does the possibility to seek ex post reimbursement through litigation constitute an effective and proportionate safeguard, given the procedural costs, time delays, and uncertainty inherent in judicial recovery?
- Does an interpretation that mandates automatic immediate refunds risk weakening incentives for consumers to safeguard personalised security credentials, thereby undermining the PSD2’s broader objective of promoting secure and responsible payment practices?
It is hoped the CJEU will consider these questions before delivering its final and binding decision.
Practical steps on mitigating risks and impact
In practice, payment service providers can mitigate the risks associated with immediate refunds by doing the following:
- enhancing fraud detection and prevention systems; and
- investing in sophisticated real-time fraud monitoring technologies, including AI-driven behavioural analytics and machine learning.
Service providers should define in internal policies and in the General Terms and Conditions (GTCs) the types of customer conduct that may qualify as “gross negligence”. When customers accept the GTCs at the start of the contractual relationship, they should be clearly informed of behaviours to avoid, which will reduce the likelihood of falling victim to fraud and a subsequent reimbursement claim.
Customer education can also serve as a mitigating factor by raising awareness of fraud risks and providing practical guidance on these risks.
Payment service providers should also streamline the reimbursement workflow. Preparing standardised enforcement templates (e.g. customer notification letters, reimbursement requests, and payment notices) and streamlining dispute resolution and litigation arguments and strategies can accelerate the process and reduce overall costs.
This article was co-authored by Belián Czellér.