In recent years, cases of payment fraud have seen a steady increase in Belgium, with the FSMA reporting that in 2024 it received 20% more reports of fraud-related activities compared to 2023. It also reported that 2024 marked the year in which the FSMA received the highest number of reports to date.
Once fraud is detected, fraud victims will often try to invoke the responsibility of their payment service providers (‘PSPs’ – often banks) in order to recoup at least part of the defrauded funds. This has led to a number of cases brought before Belgian courts, which often revolve around situations of phishing or spoofing.
In this legal insight, we dive into (i) a brief overview of the Belgian legal regime on payment fraud, (ii) the main points of discussion that arise between banks and fraud victims, as well as (iii) the future outlook of payment fraud regulation.
1. Belgian regime on payment fraud
The current legal framework to protect fraud victims stems from Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market (‘PSD2’), which is transposed in book VII of the Belgian Code of Economic Law (‘CEL’). The regime provides a certain level of protection to fraud victims in the case of so-called ‘unauthorised’ transactions (except when the victim acted with gross negligence) but leaves the victim empty-handed when the transaction is deemed to be ‘authorised’.
According to the letter of the law, whether a transaction qualifies as authorised or unauthorised depends on whether the victim has “consented” to the transaction, meaning whether he/she has followed all the procedures agreed upon with the PSP to authorise the transaction. In practice, this will often involve the use of an identification app (like itsme in Belgium) on the platform of the PSP.
2. Predominant elements of disagreement
In court cases where fraud victims have sued their PSPs to compensate them for their losses, two issues are nearly always present: (i) whether the transaction was authorised or not and (ii) in case it was unauthorised, whether the victim acted with gross negligence.
a) Authorised nature of the transaction
As indicated above, the key element to determine whether a fraud victim can rely on the protection of the Belgian payment fraud regime is whether the fraudulent transaction(s) can be considered as ‘authorised’.
While the victims will often argue that they did not intend to authorise the transaction and were ultimately ‘tricked’ into cooperating with the fraudster, the PSPs will often rely on the objective element that the victim willingly followed all agreed-upon procedures (such as two-step verification), which enabled the execution of the fraudulent transaction.
b) Gross negligence
In nearly all cases, the above discussion will tie into a debate on the presence of gross negligence on the part of the fraud victim. This is because even in the case of an unauthorised transaction, the CEL prescribes that a victim remains liable if he/she acted with gross negligence.
The benchmark used by both parties for this assessment is that of a reasonable payment service user. Under that benchmark, there can be no gross negligence if a payment service user placed in the same circumstances would have acted in a similar manner. Naturally, this assessment is highly case-specific: the court will take into consideration all factual elements, including the technical literacy of the fraud victim, the presence of fraud warnings in the environments of the PSP, as well as the complexity of the fraud scheme.
3. Opposing views: case law versus the Ombudsfin
Before a case is brought before a Belgian court, it will often first be submitted to the Ombudsfin for initial advice. While the recommendations of the Ombudsfin are not binding for either party, the Ombudsfin nonetheless remains a key source of interpretation for the Belgian payment fraud regime.
Although the views of the Ombudsfin and the Belgian case law on many aspects are roughly aligned, they differ fundamentally on the concept of ‘consent’, which is the key differentiating factor between an authorised and an unauthorised transaction.
The vast majority of Belgian case law follows the letter of the law, taking the view that there is consent within the context of the payment regulation when the fraud victim followed all the procedures agreed upon with the PSP to authorise the transaction, regardless of whether he/she intended to carry out the transaction to the (fraudulent) beneficiary. The Ombudsfin (and a minority of case law) takes an opposite view, championing a subjective interpretation of consent, where the key consideration should be whether the victim knowingly and willingly carried out the transaction to the fraudster. The prevailing objective interpretation has notably resulted in case law that primarily favours the PSPs, which will usually only have to demonstrate that the fraud victim has followed all agreed-upon procedures (i.e. the two-factor verification measures).
4. Future outlook on payment fraud
While the current legal framework on payment fraud and the majority of case law seem to favour the objective interpretation of consent, a shift towards a more subjective interpretation of consent – or rather of ‘authorisation’ – can be observed in the proposal for a Regulation on payment services (i.e. the upcoming ‘PSR’). In particular, the EU Parliament has taken the stance that proper ‘authorisation’ should be assessed in light of the actual intentions of the fraud victim (see recital 79a of PSR – EU Parliament amendments). While the EU Commission and the Council of EU Member States do not go as far in their positions, the Parliament’s position demonstrates a clear trend by certain lawmakers to move towards a more user-protective framework on payment fraud.
Another key development in PSR that demonstrates the user-protective trend is the introduction of a specific liability regime for ‘spoofing’, which covers fraud cases by impersonation of (employees of) a PSP. For such cases, the PSR proposes a broad level of protection to the fraud victim, provided he/she notifies their own PSP and local law enforcement of the fraudulent transaction as soon as practicable.
In addition to an increased level of protection, the PSR also places a lot more emphasis on fraud prevention measures, departing from the mostly reactive liability regime of PSD2, which predominantly focuses on liability after the instance of fraud has taken place. While PSR is still subject to negotiation, it undeniably hints towards the intention of the European legislators to move towards a more user-protective framework.
If the above shift in regulation makes it to the final text of the PSR, we expect that this will inevitably also bring about a shift in Belgian case law, bringing it more in line with the current position of the Ombudsfin, while simultaneously also raising the standards for PSPs when it comes to fraud prevention.