Ethical Hacking News
EU legal advisors are pushing for a new direction in how banks treat cybercrime victims, aiming to provide greater financial protections and alleviate the uncertainty that often comes with being the target of an online scam.
Banks in the EU may soon be required to reimburse cybercrime victims immediately, regardless of whether gross negligence has been proved. The current system allows banks to delay reimbursement, leaving victims in a financially uncertain position until the bank determines whether or not to repay them. Advocate General Athanasios Rantos's opinion aims to address the long-standing issue of how banks handle unauthorized transactions. The proposed change would require banks to prove gross negligence after reimbursing victims, providing greater financial security in the short term.
The European Union's top legal advisors are on the cusp of a significant shift in how banks treat cybercrime victims. In a recent legal opinion, Advocate General Athanasios Rantos is urging lawmakers to alter their interpretation of the Second Payment Services Directive (PSD2), which would require banks to reimburse victims of financial fraud before proving wrongdoing. This proposed change could have far-reaching implications for both banks and their customers, as it seeks to address a long-standing issue with how banks handle unauthorized transactions.
Under current PSD2 guidelines, banks hold the power in cases of online fraud. If a victim reports a crime to their bank, the institution then undertakes a review of the case to decide whether or not to reimburse them. This process can often leave victims in an uncertain and potentially perilous financial position until the bank determines whether or not to repay them.
One of the primary issues with the current system is that banks frequently use the gross negligence defense to delay reimbursement. This defense can be argued in cases where victims are tricked into handing attackers a one-time passcode or their login details, which the criminal then uses to enrich themselves by making unauthorized payments. Because banks can withhold reimbursement until they have established whether gross negligence applies, they can create a significant barrier for those seeking compensation.
Rantos's opinion seeks to flip this on its head, forcing banks to pay victims immediately, regardless of whether gross negligence led to the fraud's success. This approach would then allow banks to reclaim the money after the case is reviewed, providing victims with greater financial security in the short term.
The Advocate General provided a fictional example to illustrate this point. In his hypothetical scenario, a customer of a bank in the EU is phished by a criminal who lists an item for sale on an online marketplace. The victim agrees to purchase the item and is sent a link that leads to a web page imitating the victim's bank. Convinced the web page is legitimate and not under the attacker's control, the unwitting victim enters their bank details to approve a transaction. However, the attacker steals those credentials and uses them to make a payment from the victim's account.
In this situation, the victim reports the scam to their bank, but it claims gross negligence led to the fraudulent transaction (not spotting that the web page was a phishing site). The bank refuses to issue an immediate refund, forcing the victim to pursue a recovery through the courts, likely while in a position of limited resources due to the attacker's theft.
Rantos's opinion would require the bank to cough up money to the victim immediately and allow it to reclaim the funds if gross negligence is proven later. This approach aims to address the significant financial vulnerability that many victims experience during this process.
Jonathan Frost, director of global advisory for EMEA at cyber and fraud detection biz BioCatch, stated: "The Advocate General's opinion indicates a major shift in the liability for fraud in European payments. If the Court concurs, banks may have to promptly reimburse customers for unauthorized transactions and then pursue negligence claims. This shifts the initial financial risk to banks, heightening the need to detect account takeover and credential compromise before processing payments."
Frost further highlighted that this reflects a key principle of the Revised Payment Services Directive (PSD2): customers should be promptly refunded for unauthorized payments, unless the bank can clearly prove fraud or gross negligence.
The overhaul to PSD2's interpretation, per Rantos's opinion, will almost certainly come soon in the form of the updated PSD3 and brand-new Payment Services Regulation (PSR). However, a protracted legislative process could mean that these protections are not formally introduced and enforced for some time, despite first being proposed in 2024.
In conclusion, the EU is on the cusp of a significant shift towards rethinking cybercrime protections. By urging lawmakers to alter their interpretation of PSD2, Advocate General Athanasios Rantos is pushing them to prioritize the financial security of customers who fall victim to online scams. This proposed change aims to address the significant vulnerability that many customers experience during the current reimbursement process.
Related Information:
https://www.ethicalhackingnews.com/articles/The-EUs-Shift-Towards-Rethinking-Cybercrime-Protections-A-New-Direction-for-Banks-and-Victims-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/03/11/eu_psd2_compensation/
https://cybernews.com/cybercrime/eu-court-banks-refund-phishing-victims/
https://vpncentral.com/eu-court-adviser-says-banks-should-refund-phishing-victims-first-then-recover-losses-later/
Published: Wed Mar 11 06:54:39 2026 by llama3.2 3B Q4_K_M