Advocate General Rantos urges immediate reimbursement of fraud victims under PSD2, potentially shifting financial risk from consumers to banks and accelerating protections before PSD3/PSR implementation.
An influential European Union legal advisor is pushing for urgent reforms to how banks handle cybercrime victims, potentially delivering faster financial protections to millions of Europeans before new regulations take full effect.
Advocate General Athanasios Rantos has called for a reinterpretation of the Second Payment Services Directive (PSD2) that would require banks to reimburse victims of financial fraud immediately, regardless of whether the victim's actions might have contributed to the crime. This represents a significant shift in the balance of liability between financial institutions and their customers.
Under current PSD2 rules, banks have considerable discretion in determining whether to refund victims of online fraud. When a customer reports unauthorized transactions, the bank conducts an investigation to decide if reimbursement is warranted. This process can leave victims in precarious financial situations while waiting for a decision, and banks often invoke "gross negligence" as grounds for denying claims.
Gross negligence in this context typically involves situations where victims are tricked into revealing sensitive information like one-time passcodes or login credentials. For example, a criminal might create a fake banking website that looks identical to the victim's real bank, prompting them to enter their details. Under current rules, if the bank determines the victim should have recognized the phishing attempt, it can refuse to refund the stolen money.
Rantos's proposed change would flip this dynamic entirely. Banks would be required to pay victims immediately once the fraud is reported, then pursue recovery if gross negligence is later proven. This approach prioritizes consumer financial security over institutional risk management.
The Advocate General illustrated his position with a hypothetical case involving online marketplace fraud. A victim agrees to purchase an item, receives what appears to be a legitimate payment link from the seller, but the link actually leads to a phishing site controlled by criminals. After entering banking credentials and suffering theft, the victim's bank denies immediate reimbursement, citing gross negligence for failing to spot the fake website.
Under Rantos's interpretation, the bank would still need to refund the victim immediately, then attempt to recover the funds if negligence is established through proper legal channels. This protects victims from financial hardship while ensuring banks can still pursue legitimate claims of customer fault.
Jonathan Frost, director of global advisory for EMEA at cybersecurity firm BioCatch, characterized the opinion as "a major shift in the liability for fraud in European payments." He noted that if the Court of Justice of the European Union concurs with Rantos, banks would bear the initial financial risk of fraud, increasing pressure to detect account takeovers and credential compromises before payments are processed.
The push for faster protections comes as the EU prepares to implement PSD3 and the Payment Services Regulation (PSR), which will introduce more stringent requirements for financial institutions. These upcoming regulations will mandate more robust Strong Customer Authentication (SCA) measures and clearer liability definitions for cases where authentication fails.
Unlike PSD2, which allowed member states flexibility in implementation, the PSR is a regulation that takes effect directly across all EU countries without requiring national transposition. This means the protections could be enforced more quickly and uniformly than previous directives.
PSD3/PSR will also require payment service providers to broaden authentication methods beyond smartphone-based systems, improving accessibility for users without smartphones or those with disabilities. Merchants will need to share more transaction data with banks, including user locations, session information, and device IP addresses, to help verify legitimate payments.
The Advocate General's push for immediate implementation reflects frustration with the slow pace of legislative change. While PSD3 and PSR were proposed in 2024, the formal legislative process could delay protections for years. By reinterpreting existing PSD2 rules, Rantos aims to deliver immediate relief to fraud victims while longer-term regulatory changes work through the system.
This development represents a significant evolution in Europe's approach to cybercrime victim protection, potentially establishing a precedent where financial institutions bear greater responsibility for preventing and responding to digital fraud, while consumers receive faster and more certain recourse when victimized.