Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Document 62025CC0070

Opinion of Advocate General Rantos delivered on 5 March 2026.


ECLI identifier: ECLI:EU:C:2026:153

Provisional text

OPINION OF ADVOCATE GENERAL

RANTOS

delivered on 5 March 2026 (1)

Case C70/25 [Tukowiecka] (i)

N.O.

v

PKO BP S.A.

(Request for a preliminary ruling from the Sąd Rejonowy w Koszalinie (District Court, Koszalin, Poland))

( Reference for a preliminary ruling – Payment services in the internal market – Directive (EU) 2015/2366 – Article 73(1) and Article 74(1) – Unauthorised payment transactions – Right to immediate refund – Gross negligence – Refusal by the payment service provider to refund without delay the amount of an unauthorised transaction in the event of a loss resulting from a serious breach by the payer of the obligations laid down in Article 69 of that directive – Scope of the exclusion from the right to immediate refund )






I.      Introduction

1.        The present request for a preliminary ruling, made by the Sąd Rejonowy w Koszalinie (District Court, Koszalin, Poland), concerns the interpretation of Article 73(1) and Article 74(1) of Directive (EU) 2015/2366 (2) on the system of rules on liability applicable to unauthorised payment transactions. In particular, it raises the question of the conditions under which a payment service provider may refuse to refund immediately such transactions on the basis of gross negligence on the part of the payer in the light of his or her obligations under Article 69 of that directive, in a context of phishing fraud, which is steadily rising.

2.        This case provides the Court with the opportunity to shed light on the balance which must be struck between the interests of the payer and those of the payment service provider. It thus invites the Court to rule on aspects likely to have a significant impact both on the allocation of risks between payment service providers and payers, and on the level of protection to be conferred on users of those services.

II.    Legal framework

A.      European Union law

3.        Recitals 6 and 71 of Directive 2015/2366 state:

‘(6)      New rules should be established to close the regulatory gaps while at the same time providing more legal clarity and ensuring consistent application of the legislative framework across the Union … ensuring a high level of consumer protection in the use of those payment services across the Union as a whole. This should generate efficiencies in the payment system as a whole and lead to more choice and more transparency of payment services while strengthening the trust of consumers in a harmonised payments market.

(71)      In the case of an unauthorised payment transaction, the payment service provider should immediately refund the amount of that transaction to the payer. However, where there is a high suspicion of an unauthorised transaction resulting from fraudulent behaviour by the payment service user and where that suspicion is based on objective grounds which are communicated to the relevant national authority, the payment service provider should be able to conduct, within a reasonable time, an investigation before refunding the payer. In order to protect the payer from any disadvantages, the credit value date of the refund should not be later than the date when the amount has been debited. In order to provide an incentive for the payment service user to notify, without undue delay, the payment service provider of any theft or loss of a payment instrument and thus to reduce the risk of unauthorised payment transactions, the user should be liable only for a very limited amount, unless the payment service user has acted fraudulently or with gross negligence. In that context, an amount of EUR 50 seems to be adequate in order to ensure a harmonised and high-level user protection within the Union. There should be no liability where the payer is not in a position to become aware of the loss, theft or misappropriation of the payment instrument. Moreover, once users have notified a payment service provider that their payment instrument may have been compromised, payment service users should not be required to cover any further losses stemming from unauthorised use of that instrument. …’

4.        Article 69 of that directive, entitled ‘Obligations of the payment service user in relation to payment instruments and personalised security credentials’, states:

‘1.      The payment service user entitled to use a payment instrument shall:

(a)      use the payment instrument in accordance with the terms governing the issue and use of the payment instrument, which must be objective, non-discriminatory and proportionate;

(b)      notify the payment service provider, or the entity specified by the latter, without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument.

2.      For the purposes of point (a) of paragraph 1, the payment service user shall, in particular, as soon as in receipt of a payment instrument, take all reasonable steps to keep its personalised security credentials safe.’

5.        Article 71 of that directive, entitled ‘Notification and rectification of unauthorised or incorrectly executed payment transactions’, provides, in paragraph 1 thereof:

‘The payment service user shall obtain rectification of an unauthorised or incorrectly executed payment transaction from the payment service provider only if the payment service user notifies the payment service provider without undue delay on becoming aware of any such transaction giving rise to a claim, including that under Article 89, and no later than 13 months after the debit date.

…’

6.        Article 72 of that directive, entitled ‘Evidence on authentication and execution of payment transactions’, provides, in paragraph 2 thereof:

‘Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider, including the payment initiation service provider as appropriate, shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of the obligations under Article 69. The payment service provider, including, where appropriate, the payment initiation service provider, shall provide supporting evidence to prove fraud or gross negligence on part of the payment service user.’

7.        Article 73 of Directive 2015/2366, entitled ‘Payment service provider’s liability for unauthorised payment transactions’, is worded, in paragraph 1 thereof, as follows:

‘Member States shall ensure that, without prejudice to Article 71, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day, after noting or being notified of the transaction, except where the payer’s payment service provider has reasonable grounds for suspecting fraud and communicates those grounds to the relevant national authority in writing. Where applicable, the payer’s payment service provider shall restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place. This shall also ensure that the credit value date for the payer’s payment account shall be no later than the date the amount had been debited.’

8.        Article 74 of that directive, entitled ‘Payer’s liability for unauthorised payment transactions’, states, in paragraph 1 thereof:

‘By way of derogation from Article 73, the payer may be obliged to bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR 50, resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument.

The first subparagraph shall not apply if:

(a)      the loss, theft or misappropriation of a payment instrument was not detectable to the payer prior to a payment, except where the payer has acted fraudulently; or

(b)      the loss was caused by acts or lack of action of an employee, agent or branch of a payment service provider or of an entity to which its activities were outsourced.

The payer shall bear all of the losses relating to any unauthorised payment transactions if they were incurred by the payer acting fraudulently or failing to fulfil one or more of the obligations set out in Article 69 with intent or gross negligence. In such cases, the maximum amount referred to in the first subparagraph shall not apply.

Where the payer has neither acted fraudulently nor intentionally failed to fulfil its obligations under Article 69, Member States may reduce the liability referred to in this paragraph, taking into account, in particular, the nature of the personalised security credentials and the specific circumstances under which the payment instrument was lost, stolen or misappropriated.’

B.      Polish law

9.        Article 46 of the ustawa o usługach płatniczych (Law on payment services) of 19 August 2011, (3) in the version applicable to the dispute in the main proceedings, is worded as follows, in paragraphs 1 and 3 thereof:

‘1.      Subject to Article 44(2), in the event of an unauthorised payment transaction, the payer’s [payment service] provider shall refund the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day after detecting the unauthorised transaction debited from the payer’s account, or after the date of receipt of the ad hoc declaration, except where the payer’s [payment service] provider has reasonable and duly documented grounds for suspecting fraud and communicates those grounds to the law enforcement authorities in writing. Where the payer uses a payment account, the payer’s [payment service] provider shall restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place. The value date on which the payer’s payment account is credited shall not be later than the date on which it was debited.

3.      The payer shall be fully liable for the unauthorised payment transactions where he or she caused them intentionally or failed to fulfil, with intent or gross negligence, one or more of the obligations referred to in Article 42.’

III. The dispute in the main proceedings, the question referred for a preliminary ruling and the procedure before the Court

10.      N.O. (the applicant), a natural person holding a bank account with PKO BP S.A. (‘the Bank’), was the victim of phishing following the advertising for sale of an object on an auction platform. A third party, claiming to be a buyer, sent her a fraudulent link reproducing the interface of the platform and then that of the Bank. Having been taken in, the applicant provided her login data, thus enabling the fraudster to carry out an unauthorised payment transaction from her bank account. The next day, once she realised that the fraud had taken place, she immediately notified the Bank and the police but the fraudster was not identified. However, the Bank refused to refund the amount of the transaction at issue, taking the view that the applicant had failed, as a result of gross negligence, to comply with her obligation to keep the payment instrument diligently and not to make it available to unauthorised persons.

11.      Following that refusal, the applicant brought an action against the Bank before the Sąd Rejonowy w Koszalinie (District Court, Koszalin), the referring court, seeking payment of the sum of 3 000 Polish zlotys (PLN) (approximately EUR 705).

12.      In support of her application, the applicant claimed that the principle of immediate refund of the amount of an unauthorised transaction should be excluded only in the situation described in Article 73(1) of Directive 2015/2366, namely where the payment service provider has reasonable grounds for suspecting fraud on the part of the payer and informs the competent national authority of those reasons. She states that in the absence of such reasons, as in the present case, that service provider is required to refund immediately to the payer, at the latest by the end of the following business day, the amount of the unauthorised transaction. It is only after such a refund and an investigation into the circumstances of the incident that the payment service provider may require the payer to bear the losses incurred by his or her gross negligence. In the event that the payer refuses to refund the amount of the unauthorised transaction, the bank concerned must take legal action to obtain the payment.

13.      For its part, the Bank submitted that the Polish legislation transposing Article 74(1) of Directive 2015/2366 exempts the payment service provider from the obligation to refund immediately the amount of an unauthorised transaction, an obligation laid down in Article 73(1) of that directive, if it establishes that the payer’s conduct was grossly negligent. The Bank also argued that it may assess independently all the conditions of liability for an unauthorised transaction and that it is released from the obligation to refund immediately where it establishes the payer’s negligence.

14.      In those circumstances, given that it was found, during the proceedings, that the transaction at issue was unauthorised, the referring court states that it must carry out an analysis of Article 46 of the Law on payment services, which transposes Articles 73 and 74 of Directive 2015/2366, in order to be able to resolve the dispute pending before it between the applicant and the Bank as to the extent of the payment service provider’s obligation to reimburse immediately the amount of an unauthorised transaction.

15.      In that regard, that court considers that Directive 2015/2366 and the national provisions transposing it establish the general principle that payment service providers fully incur the risk of liability for unauthorised payment transactions. In addition, that court notes that the provisions of that directive and of the Polish legislation confer on payers a right to a refund of the amounts of unauthorised transactions, which entails a right to immediate recovery of the funds thus lost. That right would be excluded if there were reasonable grounds for suspecting fraud on the part of the payer and the fraud is reported to the national competent authorities.

16.      Moreover, that court notes that actions have not been brought before the Polish courts by banks against consumers concerning the obligation to repay the amount of unauthorised transactions on account of gross negligence attributable to the payer. By contrast, many actions have been brought by consumers against banks for failure to refund the amounts of unauthorised transactions. According to the referring court, that phenomenon indicates that the application by payment service providers of exceptions to the right to reimbursement has become the rule for unauthorised transactions. Payment service providers generally do not refund the amount of unauthorised transactions, with the result that it is the payers, and in particular consumers, who are obliged to bring legal proceedings.

17.      In so far as the interpretation of Directive 2015/2366, as suggested by the Bank, would not achieve the objective of protecting the payer pursued by the general rule establishing the refund of unauthorised transactions, that court infers from that that the provisions of that directive must be interpreted as precluding the possibility for a payment service provider to refuse to refund immediately the amount of an unauthorised payment transaction where the payer has suffered losses linked to that transaction by failing, as a result of gross negligence, to fulfil his or her obligations. That court adds that such an interpretation would have the effect of transferring from the payer, who is often the consumer, to the professional, namely the payment service provider, the burden of conducting proceedings, initiating proceedings, court costs, the taking of evidence and the preparation of documents.

18.      In those circumstances, the Sąd Rejonowy w Koszalinie (District Court, Koszalin) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:

‘Should the provisions of Article 73(1) in conjunction with Article 74(1) of Directive [2015/2366] be understood to mean that a payment service provider can refuse to refund to a payer immediately the amount of an unauthorised payment transaction if the payer has suffered a loss in connection with the unauthorised payment transaction as a result of failing, with gross negligence, to fulfil the obligations set out in Article 69?’

19.      Written observations were submitted to the Court by the Bank, the Polish, Czech and Italian Governments and the European Commission.

IV.    Consideration of the question referred for a preliminary ruling

20.      By its single question, the referring court asks, in essence, whether Article 73(1) and Article 74(1) of Directive 2015/2366 must be interpreted as meaning that a payment service provider may refuse to refund immediately to a payer the amount of an unauthorised payment transaction on the basis that that payer failed, as a result of gross negligence, to comply with his or her obligations under Article 69 of that directive.

21.      In order to answer that question, the Court is called upon to determine whether the third subparagraph of Article 74(1) of that directive constitutes an exception to the payment service provider’s obligation to reimburse the payer, with the result that it could lead to the extinction or suspension of the obligation to refund immediately, laid down in Article 73(1) of that directive, or whether it is rather a separate right which that service provider may subsequently assert against the payer.

22.      In that regard, according to the Court’s settled case-law, in interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it is part. (4)

23.      As regards, in the first place, the wording of the provisions for which an interpretation is sought, I note that their titles state that they govern the respective liabilities of the payment service provider and the payer in the case of unauthorised payment transactions. Article 73 of Directive 2015/2366 is entitled ‘Payment service provider’s liability for unauthorised payment transactions’, whereas Article 74 of that directive is entitled ‘Payer’s liability for unauthorised payment transactions’.

24.      As regards Article 73(1) of that directive, that provision provides, in principle, for payment of an immediate refund to the payer in the case of unauthorised payment transactions and a mandatory period within which the payment service provider must carry out that refund, (5) while providing for an exception to the immediate refund rule, namely where that service provider ‘has reasonable grounds for suspecting fraud’. Thus, that exception requires, first, the existence of significant suspicions concerning possible fraud and, secondly, that that service provider satisfies a formal condition, namely that it communicates its suspicions in writing to the competent national authority. (6)

25.      It should also be noted that Article 74(1) of that directive is worded as an exception to Article 73 thereof. (7) Moreover, the first and second subparagraphs of Article 74(1) of Directive 2015/2366 govern the liability of a payer without fault, which is limited in nature, while it follows from the third subparagraph thereof that the liability of the payer who is at fault is, in principle, unlimited. More specifically, that provision states that the payer is to be liable up to a maximum of EUR 50 or without limit if he or she acted fraudulently or intentionally failed to fulfil his or her obligations in respect of payment instruments made available to him or her under Article 69 of that directive.

26.      As regards, more specifically, the question of the immediate refund in the case of unauthorised payment transactions, I note that Article 73(1) of that directive does not provide for any other exception on which the payment service provider could rely, such as, for example, the suspicion or possibility that the payer did not fulfil, including negligently, one or more of the obligations referred to in Article 69 of that directive. Furthermore, as regards Article 74(1) of that directive, it appears that that provision does not concern the question of the immediate refund of the amount of an unauthorised payment transaction, but focuses on the allocation of liability between the payer and the payment service provider in order to determine who is to be held liable subsequently, in the context of the procedure, and, consequently, who is to bear the losses caused by such transactions.

27.      It is thus apparent, at first sight, from a literal interpretation of Article 73(1) of Directive 2015/2366 that, by expressly setting out derogations from the obligation to refund immediately the amount of an unauthorised transaction, that provision does not allow the list of derogations to be extended to other situations not provided for by that directive, including that of ‘failing to fulfil one or more of the obligations set out in Article 69 with intent or gross negligence’, referred to in the third subparagraph of Article 74(1) of that directive.

28.      However, it must be stated that, as regards Article 74(1) of that directive, it cannot be concluded with certainty, in particular on the basis of its wording alone, that the ‘derogation’ provided for in that provision relates solely to the substance of the obligation or whether it also extends to the principle requiring an immediate refund. Thus, two divergent interpretations may be envisaged, as evidenced by the opposing positions of the parties to the main proceedings. (8) According to the first interpretation, the payment service provider would have no obligation to refund the payer in the event of fault on the part of that payer, and it could therefore cite the payer’s liability for gross negligence in order to rely on the derogation provided for in Article 74 of Directive 2015/2366 and extinguish its obligation to refund immediately under Article 73(1) of that directive. Conversely, the second interpretation is based on the premiss that Article 73(1) and Article 74(1) of that directive govern two distinct stages of the procedure for the refund of an unauthorised payment transaction. According to that reading, the ‘derogation’ provided for in Article 74(1) does not have effects ab initio, which means that the payment service provider must initially refund the payer and then, subsequently, after that refund, exercise a right to compensation against a payer who is liable for the fault.

29.      For the reasons which I shall set out in the following points of this Opinion, I am of the view that that second reading of Article 73(1) and Article 74(1) of Directive 2015/2366 should be adopted.

30.      That interpretation is, in the second place, supported by the context of the provisions cited in the question referred for a preliminary ruling by the referring court.

31.      In that regard, I note that recital 71 of Directive 2015/2366 provides for only one case allowing the payment service provider – once the payer has notified him or her of the existence of an unauthorised transaction – to delay the immediate refund to the payer, namely the situation in which there ‘is a high suspicion of an unauthorised transaction resulting from fraudulent behaviour by the payment service user and where that suspicion is based on objective grounds which are communicated to the relevant national authority’. Like Article 73(1) of that directive, recital 71 does not mention any other exception capable of being relied on by the payment service provider, such as a suspicion or finding that, by his or her conduct, the payment service user has failed to fulfil one or more of the obligations set out in Article 69 of that directive, inter alia through gross negligence.

32.      Moreover, it should be pointed out that an analysis of the travaux préparatoires which led to the adoption of Article 73(1) of Directive 2015/2366 appears to support that interpretation. In its previous version, Directive 2007/64/EC, (9) repealed by Directive 2015/2366, did not provide for any exception to the obligation to refund an unauthorised payment transaction immediately. The EU legislature nevertheless considered it necessary to amend the relevant provision, in the present case Article 73(1) of Directive 2015/2366, in order to regulate further the procedure for immediate refund in the case of unauthorised transactions, by expressly providing for a specific exception to the obligation to refund, namely where the payment service provider has reasonable grounds to suspect fraud. (10)

33.      I also note that Article 107(1) of that directive states that the harmonisation provided for by the EU legislature in the field covered by the relevant provisions in the present case is full and does not permit the adoption of national measures distinct from those adopted by that legislature. (11) More specifically, Articles 73 and 74 of that directive are not among the provisions in respect of which the EU legislature intended to leave the Member States any leeway. In addition, Article 107(3) of that directive refers explicitly to the obligations of payment service providers, by requiring Member States to ensure that payment service providers do not derogate, to the detriment of payment service users, from the provisions of national law transposing or corresponding to Directive 2015/2366, except where such derogation is expressly authorised by that directive.

34.      Such an interpretation is, in the third place, confirmed by the objectives pursued by Directive 2015/2366.

35.      In that regard, I recall that the objective of Directive 2015/2366, as is apparent from recital 6 thereof, is to harmonise the rules on the provision of payment services by enhancing ‘legal clarity’ in order to ensure ‘consistent application of the legislative framework across the Union’, while ensuring a high level of consumer protection in the use of those payment services across the European Union as a whole.

36.      Although the main objective of that directive is the harmonisation of the rules on payment services and the proper functioning of the internal market of those services, (12) as evidenced by the fact that the Directive is based on Article 114 TFEU, the fact remains that the need to ensure a high level of consumer protection in the use of such services is also one of the objectives pursued by that directive. (13)

37.      I believe that the foregoing considerations permit the view that, although Article 73(1) and Article 74(1) of Directive 2015/2366 are closely linked, those provisions govern aspects which are nevertheless distinct from the procedure for the refund of amounts of unauthorised payment transactions in the sense that the former provides for an immediate refund in the event of unauthorised transactions, whereas the latter provides for the allocation of liability between the service provider and the payer at a later stage.

38.      Therefore, in accordance with Article 73(1) of Directive 2015/2366, the payment service provider is required, as a first step, to refund immediately the amount of an unauthorised payment transaction, except where there is a serious suspicion that that transaction is the result of fraudulent conduct on the part of the payment service user. That refund is not, however, definitive. Where, subsequently, and after that provisional refund has been granted, the payment service provider establishes that the payer has intentionally or through gross negligence failed to fulfil one of its obligations under Article 69 of that directive, it may require the payer to bear the losses caused by his or her gross negligence. If the payer refuses to refund the amount of the unauthorised transaction, it would then be for that service provider to bring an action against the payer, who is liable under the third subparagraph of Article 74(1) of that directive.

39.      The contrary interpretation, which would allow the payment service provider to refuse or to defer the refund in the event of mere suspicion of a breach, as a result of gross negligence on the part of the payer, of the obligations referred to in Article 69 of that directive, would enable that service provider to circumvent the obligation to refund immediately an unauthorised transaction laid down in Article 73(1) of that directive. Such a reading would unduly extend the situations in which that service provider may be exempted from that obligation, beyond the situations expressly provided for by its wording and would run counter to the principle that exceptions to an act of EU law must be interpreted restrictively. In so doing, it would directly infringe the consumer’s right to obtain that refund and, consequently, would deprive that provision of its content and effectiveness.

40.      In that regard, the EU legislature’s choice to attach strict conditions to the suspension of the obligation to refund immediately is intended to ensure that that refund remains the rule and does not become an exception. Such a mechanism would be deprived of all effectiveness if the mere extrajudicial allegation, by the payment service provider, of an infringement of the obligations arising from Article 69 of Directive 2015/2366 were sufficient to suspend its obligation to refund immediately. Moreover, it would be paradoxical, to say the least, in order to suspend the obligation to refund immediately in the event of fraud, to require the existence of serious suspicions and the initiation of a formal procedure before the competent national authority, while accepting that, in the case of conduct or an omission attributable to gross negligence, that same obligation may be suspended, with the same effects, in the absence of any other formal requirement.

41.      Taking the view that the payment service provider may refuse or defer the immediate refund of the amount of an unauthorised transaction by relying on the existence of gross negligence attributable to the payer would, at the same time, be liable to compromise the objective of ensuring a high level of consumer protection pursued by Directive 2015/2366. Irrespective of the fact that, in such a situation, the payer would be deprived of the immediate refund of the amount in question, the payer would also be obliged to bring legal proceedings against the payment service provider if the latter, in order to refuse the refund, relied on a failure to fulfil the obligations laid down in Article 69 of that directive due to gross negligence. By reserving exclusively to the case of fraud the option for such a provider not to refund immediately an unauthorised payment transaction, the EU legislature intended to remedy the practice whereby payment service providers alleged wrongful conduct on the part of the payer in order to refuse that refund, a practice which obliged the payer to bring legal proceedings in order to obtain the return of the amounts of unauthorised transactions. (14) It is apparent from the amendment made to Article 73(1) of that directive that it is not for the payer, but for the payment service provider, to seek reimbursement of the losses resulting from an unauthorised payment transaction attributable to the payer’s gross negligence and, where appropriate, to bring legal proceedings with a view to obtaining a refund of the amounts concerned. Furthermore, such an approach is also consistent with Article 72(2) of that directive, according to which the burden of proof, for demonstrating that the payer has been grossly negligent, is to be borne by the payment service provider.

42.      In addition, I consider it appropriate to clarify particular aspects relating to the foregoing analysis of the relevant provisions of Directive 2015/2366 with reference to the present case.

43.      I would point out, first, that the present case differs from a series of cases brought before the Court, relating to the relationship between the various provisions governing the allocation of liability in the event of unauthorised transactions between the payer and the service provider, as provided for in the earlier versions of Directive 2015/2366 (15) and in particular the case which gave rise to the judgment in Veracash. (16)

44.      I would point out in that regard that, unlike the present case, in which it is not disputed that the payer immediately informed the payment service provider of the occurrence of an unauthorised payment transaction, the case which gave rise to the judgment in Veracash concerned the consequences of the payer’s failure to comply with his obligation to inform the payment service provider without delay of the finding of such a transaction.

45.      It is true that, in that judgment, the Court held that the payment service provider’s obligation to refund immediately the amount of an unauthorised transaction, in accordance with Article 60(1) of Directive 2007/64, is subject to the exceptions provided for in Article 61(2) of that directive, with the result that the payer must, in principle, be held liable for all the losses relating to any unauthorised payment transactions if he or she incurred them by acting fraudulently or by failing to fulfil one or more of his or her obligations under Article 56 of that directive with intent or gross negligence. (17) Such a reading could suggest that Article 61(2) of that directive constitutes an exception to the payment service provider’s obligation to refund immediately the amount of the unauthorised transaction to the payer provided for in Article 60(1) thereof, thus allowing that service provider to avoid that obligation by relying on the payer’s liability for fraud or gross negligence.

46.      However, it must be stated that such an interpretation cannot be accepted with regard to Article 73(1) and Article 74(1) of Directive 2015/2366, which replaced Article 60(1) and Article 61(2) of Directive 2007/64. As noted in point 32 of this Opinion, while Article 60(1) of Directive 2007/64 did not provide for any exception to the obligation to refund an unauthorised payment transaction immediately, the EU legislature considered it necessary to amend that provision by introducing in Article 73(1) of Directive 2015/2366 an express exception to the obligation to refund immediately, limited to the situation in which the payment service provider has reasonable grounds to suspect fraud. By making such an amendment, the EU legislature intended to establish clearly that Article 73(1) and Article 74(1) of that directive govern two distinct stages of the refund procedure for an unauthorised payment transaction, in the sense that the first enshrines the principle of an immediate refund in the case of unauthorised transactions, while the second sets out, at a later stage, the allocation of liability between the service provider and the payer. (18)

47.      Secondly, I note that, in its written observations, the Italian Government supported an interpretation of Article 73(1) of Directive 2015/2366 according to which, while requiring an immediate refund, that provision nevertheless allows the payment service provider to recover subsequently, and directly, the amount refunded to the customer in respect of an unauthorised payment transaction, without necessarily having to bring legal proceedings, since an examination of all the relevant circumstances would provide it with reasonable grounds for considering that the unauthorised transaction was the result of intentional conduct or gross misconduct on the part of the payer. (19)

48.      While the interpretation advocated by the Italian Government seeks to strike a balance between the interests of the parties concerned, the fact remains that it would lead to the refund provided for under Article 73(1) of Directive 2015/2366 being made subject to additional limitations and conditions which have no basis in the wording of that provision, thus departing from the strict framework laid down by that directive. Moreover, from a practical point of view, the payer would be placed in a situation equivalent to that which he or she would have been in if there had been no refund and would therefore be obliged to bring legal proceedings against the payment service provider in order to recover the amount in question. As noted in points 37 and 38 of this Opinion, such an interpretation would allow that provision to be circumvented and would be liable to deprive that provision of its effectiveness, while reducing the scope of the protection conferred on consumers.

49.      Furthermore, I would point out, as noted in point 33 of this Opinion, that Article 73(1) of that directive is among the provisions which have been the subject of full harmonisation. It follows that the liability of a payment service provider for unauthorised payment transactions cannot be mitigated by the application of national provisions establishing a more limited liability regime. Consequently, Member States may not derogate from the regime established by Directive 2015/2366 as regards the obligation, for payment service providers, to refund immediately the amount of an unauthorised transaction by introducing derogations other than those expressly provided for in Article 73(1) of that directive.

50.      Thirdly, I note that, contrary to the submissions of the Czech and Italian Governments, the interpretation suggested does not lead to a circumvention of the ADR mechanism enshrined in Article 102 of Directive 2015/2366. (20)

51.      In that regard, I recall that Article 102 of that directive provides for an ADR procedure by which a payment service user may refer the matter to an ADR body to handle complaints lodged against payment service providers. While the mechanism thus established is intended to facilitate the settlement of disputes between such users and payment service providers, its scope is not limited solely to the immediate refund provided for in Article 73 of that directive, but extends to any type of dispute relating to the rights and obligations arising under Titles III and IV of that directive.

52.      Finally, although the solution adopted may give rise to certain reservations and is not free from practical difficulties, (21) the fact remains that the contrary interpretation has greater disadvantages, in particular for payment service users. (22) Moreover, the latter appear to have been at the heart of the concerns which led the EU legislature to amend Article 73(1) of Directive 2015/2366. In any event, if the current wording of that provision were to be regarded as incomplete, it would be for the EU legislature alone to amend it.

53.      In the light of all the foregoing, I propose that the answer to the question referred for a preliminary ruling should be that Article 73(1) and Article 74(1) of Directive 2015/2366 must be interpreted as precluding a payment service provider from refusing to refund a payer immediately for the amount of an unauthorised payment transaction by claiming that the payer has suffered a loss in connection with that payment transaction as a result of failing, with gross negligence, to fulfil his or her obligations under Article 69 of that directive.

V.      Conclusion

54.      In the light of the foregoing considerations, I propose that the Court should answer the question referred for a preliminary ruling by the Sąd Rejonowy w Koszalinie (District Court, Koszalin, Poland) as follows:

Article 73(1) and Article 74(1) of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC,

must be interpreted as precluding a payment service provider from refusing to refund a payer immediately for the amount of an unauthorised payment transaction by claiming that the payer has suffered a loss in connection with that payment transaction as a result of failing, with gross negligence, to fulfil his or her obligations under Article 69 of that directive.

1      Original language: French.

i      The name of the present case is a fictitious name. It does not correspond to the real name of any party to the proceedings.

2      Directive of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ 2015 L 337, p. 35).

3      Dz. U. of 2024, item 30.

4      Judgment of 1 August 2025, Veracash (C‑665/23, EU:C:2025:598, paragraph 34 and the case-law cited).

5      Article 73(1) of Directive 2015/2366 states, in that regard, that that refund must be made ‘no later than by the end of the following business day’.

6      Although that aspect is irrelevant in the present case, I would point out that there is a second situation allowing the payment service provider not to refund immediately the amount of an unauthorised transaction to the payer, namely where the payer fails to inform him or her or does so belatedly. More precisely, Article 71 of Directive 2015/2366, to which Article 73(1) thereof refers, lays down a time limit for notifying an unauthorised transaction by providing that the payment service user is to obtain rectification of an unauthorised or incorrectly executed payment transaction from the payment service provider only if the payment service user notifies the payment service provider without undue delay on becoming aware of any such transaction giving rise to a claim and no later than 13 months after the debit date. See, in that regard, judgment of 1 August 2025, Veracash (C‑665/23, EU:C:2025:598, paragraph 48).

7      Article 74 of Directive 2015/2366 contains the following wording: ‘by way of derogation from Article 73’.

8      See points 12 and 13 of this Opinion.

9      Article 73(1) of Directive 2015/2366 replaced Article 60(1) of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ 2007 L 319, p. 1). The latter provision was worded as follows: ‘Member States shall ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place’.

10      It is thus apparent from those travaux préparatoires that, while the Commission’s initial proposal did not include an exception to the obligation to refund immediately where the service provider has reasonable grounds to suspect fraud, that amendment was introduced during the interinstitutional negotiations before being incorporated into the final text of Directive 2015/2366. See, in that regard, proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC (COM(2013) 0547 final), in particular p. 13; European Parliament, text agreed during interinstitutional negotiations, PE 604.827 (ordinary legislative procedure file 2013/0264 (COD), approved on 16 June 2015), in particular Article 65; and Supplementary Report on the proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC, A8-0266/2015 (adopted on 28 September 2015), in particular Article 73. The Commission has taken the same approach in its proposal for a Regulation on payment services in the internal market. In the provision on the liability of the service provider for unauthorised payment transactions, it is stipulated that only reasonable grounds for suspicion of fraud committed by the payer may justify a refusal of a refund by the service provider. In that case, the service provider must state the reasons for its refusal of the refund and indicate the bodies to which the payer may refer the matter.  See, in that regard, proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010, COM(2023) 367 final – 2023/0210(COD) of 28 June 2023, in particular p. 11, Article 56(1) and (2).

11      See, with regard to Directive 2007/64, judgment of 2 September 2021, CRCAM (C‑337/20, EU:C:2021:671, paragraph 42).

12      See, with regard to Directive 2007/64, judgment of 2 September 2021, CRCAM (C‑337/20, EU:C:2021:671, paragraph 44).

13      See, to that effect, judgment of 11 November 2020, DenizBank (C‑287/19, EU:C:2020:897, paragraphs 56 and 102). See also, with regard to Directive 2007/64, judgment of 11 July 2024, Eurobank Bulgaria (C‑409/22, EU:C:2024:600, paragraph 79 and the case-law cited).

14      See, in that regard, Guimarães, M.R. and Steennot, R., ‘Allocation of liability in case of payment fraud: who bears the risk of innovation? A comparison of Belgian and Portuguese law in the context of PSD2’, European review of private law, Kluwer Law International, Vol. 30, No 1, 2022, pp. 29 to 72, in particular p. 47.

15      See, for example, judgment of 2 September 2021, CRCAM (C‑337/20, EU:C:2021:671).

16      Judgment of 1 August 2025, Veracash (C‑665/23, EU:C:2025:598).

17      Judgment of 1 August 2025, Veracash (C‑665/23, EU:C:2025:598, paragraph 63).

18      See points 37 and 38 of this Opinion.

19      According to that government, an interpretation which does not authorise the payment service provider to reverse the transaction, thus requiring it to bring legal proceedings to recover the refunded amounts in the event of gross negligence on the part of the customer, has no basis in the wording of Directive 2015/2366 and would lead to an unreasonable imbalance in the payment system. In particular, it submits that, in so far as no provision of that directive prohibits payment service providers from recovering directly, from the customer’s payment account, the amount refunded in respect of an unauthorised payment transaction resulting from intentional conduct or gross misconduct on the part of that customer, the question as to whether or not such a direct debit should be authorised should be left to the discretion of the national legislatures.

20      According to those governments, such a procedure would enable payment service users to obtain reimbursement of the amount of an unauthorised payment transaction more efficiently, faster and cheaper than by recourse to the traditional judicial system. They submit, to that effect, that that mechanism would lose all its relevance if the payment service provider were required to reimburse the amount of an unauthorised payment transaction even in the event of gross negligence on the part of the payment service user.

21      In view of the payment service provider’s obligation to carry out a refund ‘no later than by the end of the following business day’ once informed by the payer of an unauthorised payment transaction, it is legitimate to question the possibility for the payment service provider to gather, within such a short period, all the elements that might constitute serious suspicions of fraud. It is also important to note that although, in theory, the distinction between fraudulent and negligent conduct does not give rise to difficulties, that distinction is less obvious in practice, especially where that service provider is required to identify a fraudulent act (or, at the very least, suspicions of such an act) within an extremely limited period of time in order to be exempted from the obligation to refund immediately. One might also wonder whether, faced with the risk of having to carry out such refunds, payment service providers would be tempted to restrict the availability of certain means of payment or to make their use subject to stricter and more onerous conditions for users, which would run counter to the general objective of developing the integrated market for electronic payments pursued by Directive 2015/2366. As the Italian Government points out, such a system could also discourage the payer’s compliance with the due diligence obligations imposed by Article 69 of that directive.

22      It appears that, in a number of Member States, payment service providers have, by default, adopted the practice of refusing payers an immediate refund on the ground that they have, by their wrongful conduct, contributed to the occurrence of unauthorised payment transactions. It is precisely in order to prevent such practices that the EU legislature, by the amendment made to Article 73(1) of Directive 2015/2366, intended to strengthen consumer protection by ensuring that the obligation to refund immediately, incumbent on payment service providers in the case of unauthorised transactions, may be limited only by express and strictly defined exceptions. See, in that regard, the finding of the referring court set out in point 16 of this Opinion. See also, in the legal literature, Guimarães, M.R. and Steennot, R., footnote 14, op. cit., pp. 29-72, in particular p. 47.

Top