- European banks are not obligated to automatically refund stolen funds – the determining factor is whether the transaction was authorised by the client or executed without their consent.
- Unauthorised transactions must be refunded by the bank within one business day under PSD2, unless the bank proves gross negligence or fraud on the part of the client.
- Authorised payments made under the influence of fraudsters (APP fraud) are not subject to mandatory refund – the bank is liable only where it breached its own security procedures or failed to apply Strong Customer Authentication.
- Recovery mechanisms differ by payment type – card chargebacks are more effective than SEPA/SWIFT bank transfer recalls, and cryptocurrency transactions are virtually irrecoverable.
- Cross-border fraud cases require parallel procedures across multiple jurisdictions – bank recall, regulatory complaint, civil litigation, and criminal proceedings must be initiated simultaneously.
What Determines the Bank’s Obligation to Refund
The central question in any refund claim is whether the transaction was authorised by the client. European legislation draws a clear distinction between two categories of cases. Unauthorised transactions are payments executed without the client’s consent and without their knowledge. Authorised payments made under the influence of fraud (Authorised Push Payment fraud, APP fraud) are transfers that the client initiated themselves but under the influence of deception. The legal consequences for the bank and the client in these two categories are fundamentally different. This classification determines whether the bank is obligated to refund automatically or whether recovery is available only through judicial and regulatory mechanisms.
Unauthorised Transactions – Mandatory Refund
Under Article 73 of the PSD2 Directive (Directive (EU) 2015/2366), where a payment transaction was not authorised by the client, the bank must refund the full transaction amount by the end of the next business day after receiving notification. The bank may refuse a refund only in two circumstances: where it proves that the client acted with gross negligence in protecting their credentials, or where fraud on the part of the client is established. A victim of a phishing attack who could not have identified the fraudulent communication through reasonable care is not considered to have acted with gross negligence. The burden of proving gross negligence lies with the bank.
Authorised Payments Made Under the Influence of Fraudsters (APP Fraud)
Where the client initiated and confirmed the transfer of funds themselves – even if they were deceived – the bank is not obligated to refund the payment under PSD2. In most EU jurisdictions, the principle of “client consent equals client liability” applies. A refund is possible only where a breach on the part of the bank is proven: failure to apply Strong Customer Authentication, failure to flag suspicious transaction patterns, or non-compliance with verification procedures for large transfers. APP fraud is the most complex category for recovery but not a hopeless one. Breaches by the bank of its own security procedures create grounds for regulatory complaints and civil litigation.
Legal Framework: PSD2 and the Obligations of the Parties
Bank Obligations Under PSD2
The PSD2 Directive establishes three key obligations for payment institutions. The first is the provision of Strong Customer Authentication (SCA) for all electronic payments. SCA requires two-factor authentication using at least two of three elements: knowledge (password), possession (device), and inherence (biometrics). The second is monitoring transactions for patterns inconsistent with the client’s established behaviour. The third is the immediate refund of unauthorised transactions upon receiving notification from the client. Non-compliance with any of these obligations creates grounds for claims against the bank regardless of whether the fraudster has been identified.
Client Obligations
The client is obligated to notify the bank immediately upon discovering an unauthorised or suspicious transaction. Delay in notification reduces the probability of a successful fund recall and may be used by the bank as grounds for refusing a refund. The client must not disclose credentials, passwords, or authentication codes to third parties. The client must comply with the security conditions established by the bank. Breach of these obligations does not automatically deprive the client of the right to a refund but shifts the burden of proof and creates grounds for the bank to contest the claim.
Recovery Mechanisms by Payment Type
Bank Cards – Chargeback
Chargeback is the most effective recovery mechanism for fraudulent card transactions. Visa and Mastercard payment schemes provide cardholders with the right to dispute a transaction within 120 days. The issuing bank submits a refund request through the payment scheme to the acquiring bank serving the payment recipient. Chargeback is available for unauthorised transactions, non-delivery of goods or services, and material discrepancy between what was received and what was represented. The procedure is governed by payment scheme rules and does not require court proceedings.
Bank Transfers – SEPA and SWIFT
Recovery of funds sent via SEPA and SWIFT bank transfers is significantly more complex. A bank transfer is irrevocable once executed. A recall is possible only before the funds are credited to the recipient’s account. Once the funds have been credited, the sending bank submits a recall request to the recipient bank, but the recipient bank is not obligated to freeze or return the funds without a court order or law enforcement directive. Speed of bank notification is critical – the window for a successful SEPA transfer recall is measured in hours.
Cryptocurrency Transactions
Cryptocurrency transfers are virtually irrecoverable. Blockchain transactions are irreversible by their technical nature. Neither the bank, the payment system, nor the regulator has the technical capability to reverse a confirmed cryptocurrency transaction. Recovery is possible only through identification of the recipient and subsequent civil or criminal proceedings. Where the fraudster used a cryptocurrency exchange subject to European regulation, a request to freeze funds through a court order or law enforcement directive is the only available mechanism.
Alternative Recovery Mechanisms
Complaint to the Financial Regulator
Where the bank has refused a refund, a complaint to the national financial regulator – BaFin (Germany), AMF (France), CNMV (Spain), Consob (Italy), AFM (Netherlands), FCA (United Kingdom) – initiates a supervisory review of the bank’s actions. The regulator does not return funds directly but creates pressure on the bank through the supervisory process. Where systemic PSD2 violations are identified, the regulator may require the bank to reconsider its refusal.
Financial Ombudsman
In a number of EU jurisdictions, a financial ombudsman is available – an independent dispute resolution body between clients and financial institutions. Ombudsman decisions in some jurisdictions are binding on the bank. An ombudsman complaint is free of charge for the client and may be filed after receiving a final refusal from the bank.
Civil Litigation
Civil proceedings against the bank are available where a breach of PSD2 obligations is proven, SCA was not applied, client notifications were ignored, or fraud prevention measures were not implemented. Civil proceedings against the fraudster are available for recovery of the loss amount where the fraudster is identified and their assets are located. The European Account Preservation Order (EAPO) enables the freezing of the fraudster’s assets across all EU member states simultaneously.
Criminal Proceedings
A criminal complaint filed with the national cybercrime unit initiates an investigation in which law enforcement authorities gain access to bank records, IP logs, payment system data, and telecommunications operator records. Criminal investigation is the primary tool for identifying anonymous fraudsters and tracing the movement of stolen funds.
Cross-Border Fraud Cases
Fraud involving banks in multiple EU countries requires parallel procedures in each jurisdiction. A fund recall request is submitted through the sending bank. A criminal complaint is filed in the country where the recipient’s account is held. Civil proceedings are initiated in the jurisdiction of the defendant’s domicile or the place where the damage occurred. The EAPO is filed with a court of an EU member state and is effective across all member states. For Asian clients who have fallen victim to fraud through European banks, coordination of all parallel procedures – banking, regulatory, criminal, and civil – is the critical factor in successful recovery.
Frequently Asked Questions
Yes. Under Article 73 of PSD2, the bank is required to refund the full amount of an unauthorised transaction by the end of the next business day after receiving notification. The bank may refuse only where it proves gross negligence or fraud on the part of the client. The burden of proof lies with the bank.
Recovery of authorised payments (APP fraud) is not mandatory under PSD2. However, a refund is possible where the bank failed to apply Strong Customer Authentication, ignored suspicious transaction patterns, or breached its own verification procedures. Regulatory complaints and civil litigation are available where bank breaches are documented.
Bank notification must be submitted immediately upon discovery of the fraud. Card chargebacks are available within 120 days. Bank transfer recalls are possible only before funds are credited to the recipient. Limitation periods for civil claims are determined by the legislation of the specific jurisdiction and typically range from one to six years from the date of fraud discovery.
Cryptocurrency transactions are technically irreversible. Recovery is possible only through identification of the recipient and judicial or criminal proceedings. Where the fraudster used a regulated cryptocurrency exchange, freezing of funds through a court order or law enforcement request is the only available instrument.
Yes. Veritas Advisory Group manages bank recalls, regulatory complaints, EAPO applications, criminal complaints, and civil litigation in EU, Swiss, and UK jurisdictions on behalf of clients based in Asia. Proceedings are initiated in the country where the bank or the recipient's account is located - regardless of the victim's location.
Do European Banks Refund Scammed Money?
European banks are required to refund unauthorised transactions under PSD2, but authorised payments made under the influence of fraudsters are not subject to automatic refund. In such cases, recovery is achieved through a combination of alternative mechanisms – chargebacks, regulatory complaints, ombudsman referrals, civil litigation, and criminal prosecution. The payment type determines the available tools: card transactions have the most effective chargeback mechanism, bank transfers require immediate recall, and cryptocurrency transactions require judicial pursuit of the recipient.
Speed determines outcomes. The window for a bank transfer recall is measured in hours. Chargeback deadlines are limited to 120 days. The EAPO must be filed before the fraudster withdraws the funds from the account. Every hour of delay between fraud discovery and the initiation of procedures reduces the probability of recovery.
If you have lost funds through fraudulent transactions involving European banks, contact Veritas Advisory Group to have your legal position assessed.
Veritas Advisory Group provides professional legal and advisory services to victims of investment and trade fraud in Europe. This article is for informational purposes only and does not constitute legal advice.

