Joris DeenePhishing remains a huge problem, with fraudsters becoming increasingly inventive in their methods. A complex issue arises when fraudsters first transfer private funds to the victim's company account and then steal them. Can the bank then hide behind the less stringent rules for companies? According to a judgment of the Dutch-speaking Enterprise Court of Brussels of 13 March 2025 the answer is clearly no. As long as the fraud starts in the private sphere, you enjoy consumer protection and the bank must reimburse you, unless it can prove gross negligence.
The facts: a complex fraud circuit
In this case, the victims, who were also directors of a private limited company (BV), were confronted with large-scale fraud.
Suspicious transactions took place between August 1 and August 4, 2021. The modus operandi was specific: the fraudsters first transferred €40.000 from the victims' private accounts to their own professional company accounts. The money was then siphoned off from those company accounts to third parties.
The bank (KBC) refused to compensate for most of the damage (€37,766.12). The bank argued that the actual theft took place from the business account, which meant that the victims should be considered professionals rather than consumers. In addition, the bank accused the victims of “gross negligence” because the transactions had been signed using the app.
The court's decision
The court ruled entirely in favor of the victims and ordered the bank to repay the full amount, plus interest and costs.
The judge based his decision on three elements:
- The origin of the money matters: Although the money effectively disappeared via the company account, the court ruled that the fraud began in the private accounts. At that time, the victims were acting as consumers. The fact that the money was transferred via their company does not change their status.
- No exclusion of liability: Because the victims were classified as consumers, the bank could not invoke contractual clauses limiting liability (as is often the case in B2B relationships).
- No evidence of gross negligence: The bank failed to prove that the victims had shared their codes or clicked on a phishing link. Mere log data from the bank showing that the app was used is not sufficient evidence of gross negligence.
Legal analysis and interpretation
This judgement is important for case law concerning Article VII.44 of the Code of Economic Law (CEL). This article regulates liability for unauthorized payment transactions.
Consumer vs. professional (Art. VII.29 CEL)
In banking law, the distinction between consumers and professionals is important. In the case of professional clients (B2B), Article VII.29 CEL allows parties to contractually deviate from the strict liability rules. In fraud cases, banks often try to shift the case to the professional sphere in order to circumvent strict consumer protection.
However, the court sees through the fraudsters“ ”construction." The judge looks at the economic reality: the loss affected private assets. The court thus confirms that the protection of Article VII.44 CEL is mandatory when the damage originates in the private sphere, regardless of the technical route taken by the money.
The burden of proof for gross negligence (Art. VII.44, §4 CEL)
The ruling reaffirms the heavy burden of proof that rests on banks. According to Article VII.44, §4 CEL, the bank must prove that fraud or gross negligence has occurred.
The court strictly applies article 8.4 of the Civil Code : in case of doubt, the party bearing the burden of proof (the bank) is found to be in the wrong. The bank's argument that the installation of the app necessarily requires the use of the card reader and secret code, and that there must therefore be negligence, is considered insufficient. Without concrete evidence of an active act (such as passing on a code to a third party), gross negligence cannot be assumed.
What this specifically means for you
This judgement has important consequences for victims of bank fraud:
- For individuals with a company: If fraudsters “mix” your private account and your business account during the theft, you do not automatically lose your consumer protection. The bank must compensate you according to consumer rules if the fraud started privately.
- Evidence position: As the victim, you do not have to prove exactly how the fraudsters operated. It is up to the bank to prove that you were grossly negligent. A simple assertion by the bank that “it is technically impossible without your code” is not sufficient in court.
- Reporting requirement: In this case, it worked in the victims' favor that they contacted the bank immediately (on the day of discovery) and filed a complaint with the police. Swift action remains essential.
Frequently Asked Questions (FAQ)
What constitutes “gross negligence” in phishing?
Gross negligence is more than simple carelessness. It refers to a serious form of recklessness, such as voluntarily giving your PIN and bank card to a complete stranger. Simply clicking on a link or falling victim to advanced spoofing is often not considered gross negligence by judges.
Is the bank always liable for stolen money?
In principle, yes, unless the bank can prove that you committed fraud or were grossly negligent (Art. VII.44 CEL). Until such proof is provided, the bank must immediately refund the unauthorized transactions. However, there is often an excess of up to €50, unless you were unable to detect the fraud.
Does consumer protection also apply to my company's account?
Not by default. For professional accounts, banks may limit their liability in their terms and conditions. However, as this ruling shows, if the fraud starts with private funds transferred by the fraudster to your company, you may still be able to invoke consumer protection.
Conclusion
In complex fraud cases, banks often try to shirk responsibility by citing technical logs or the business nature of an account. However, case law shows that judges take a very critical stance toward these arguments. The burden of proof for gross negligence is very high and rests entirely with the bank.
Dutch 
English