Is the bank required to refund a fraudulent transfer if you never authorized it?

When a scammer uses a hacked email account to send a payment order to the bank in your name, the question immediately arises as to who bears the loss. In a judgment dated March 19, 2026, the Dutch-speaking Commercial Court of Brussels ruled that the bank must reimburse the full amount of 40,960.56 euros to a business owner who had fallen victim to cyber fraud, and held that the independent bank agent who actually processed the payment was not liable. The ruling illustrates the strength of the protective mechanism provided by Articles VII.43 and VII.44 of the Code of Economic Law (CEL; in Dutch, Wetboek van economisch recht, abbreviated WER below), including in a B2B context.

The facts

A company had maintained a checking account with a Belgian bank since 2019. Payment orders were submitted through a standard procedure: the financial manager sent a request by email to the bank branch, after which an “international payment order” document was prepared, signed, returned, and executed following a signature verification.

In 2022, the bank director received an email that appeared to be from the financial officer, requesting that he first transfer 159,810 USD and, after receiving a balance confirmation, ultimately transfer 41,000 USD to a recipient in New York. The agency executed an outgoing transaction of 40,960.56 euros.

Shortly thereafter, the company discovered that the email account had been hacked and that it had never issued such an order. The order email contained several discrepancies: no account number, no invoice reference, an outdated address, incorrect phone numbers, and an unusual form of address. The company filed a complaint and sought reimbursement from the bank, the bank agent, and the agent’s professional liability insurer.

The decision

The court ordered the bank to reimburse 40,960.56 euros, plus statutory interest, and dismissed the claim against the bank agent.

The court based its ruling on the finding that the email and signature procedure agreed upon by the parties constitutes a payment instrument within the meaning of Article I.9, 10° of the WER. That term is interpreted broadly and also includes analog or paper-based processes, provided that the parties have agreed on a mechanism by which the bank can verify that an instruction originates from the user. However, for the purposes of Article VII.43 of the WER, the court considered that classification to be less decisive, because that provision also applies when the unauthorized transaction results from the unlawful use of a payment instrument.

The court then analyzed the relationship between Articles VII.43 and VII.44 of the WER. Article VII.43 of the WER governs the immediate, provisional reimbursement by the bank; the only exception to this is a reported suspicion of fraud against the payer itself, communicated in writing to the FPS Economy. Article VII.44 of the WER, on the other hand, governs the subsequent, definitive allocation of risk at the payer’s expense. The bank had not suspected or reported any fraud on the part of the company and should therefore have reimbursed the amount immediately.

Regarding final liability, the court ruled that the bank had not validly exempted itself from liability. Article VII.29 of the WER allows a non-consumer to contractually deviate from Article VII.44 of the WER, but an exoneration is an exception to a statutory protection mechanism and must be accepted clearly, unambiguously, and with full knowledge of the facts. None of the clauses invoked from the bank’s general terms and conditions referred directly to Article VII.44 of the WER or demonstrated that the customer had knowingly waived his protection.

Finally, the court found that the bank had not proven gross negligence on the part of the company; that the anomalies were found exclusively in the correspondence between the fraudster and the agency, so that the company could not have detected the fraud in advance (Article VII.44, § 1, second paragraph, 1° WER); and that strong customer authentication had not been required (Article VII.44, § 2 WER). Under these circumstances, the payer does not bear any loss.

The claim against the bank agent was dismissed because the agent is not a payment service provider within the meaning of Article I.9, 2° of the WER and, as the bank’s agent, enjoys quasi-immunity from non-contractual claims.

Legal analysis and interpretation

Pay first, argue later: the court draws a clear distinction between VII.43 and VII.44

The strength of this ruling lies in the clear distinction between provisional reimbursement and final liability. Article VII.43 of the WER establishes a “reimburse first, litigate later” approach: the bank credits the payer immediately—and, if necessary, conditionally—pending further investigation. The only legal exception is a suspicion of fraud reported to the FPS Economy. A suspicion of gross negligence is not sufficient for this; that falls under the final allocation provided for in Article VII.44 of the WER.

This interpretation is consistent with a growing body of case law that no longer treats the repayment obligation under Article VII.43 of the WER as a dead letter, and with the opinion of Advocate General Rantos dated March 5, 2026, in case C-70/25 before the Court of Justice. Rantos deduces from the headings of Articles 73 and 74 of the PSD2 Directive that Article 73 governs immediate reimbursement, while Article 74 governs only the subsequent allocation of liability. We must await the Court’s ruling, but the Brussels court is anticipating it here in a defensible manner.

The defense fails due to the lack of a clear, informed waiver

The fact that the payer is a business opens the door, under Article VII.29 of the WER, to a contractual deviation from Article VII.44 of the WER. However, that door is not as wide open as banks often assume. The court rightly emphasizes that an exoneration is an exception that must be interpreted strictly and that general clauses regarding the risks of email communication are insufficient.

Two observations are worth noting. First, Article VII.43 of the WER is not included in the list of provisions subject to derogation in Article VII.29 of the WER, whereas Article VII.44 of the WER is. The bank’s obligation to reimburse is therefore, in principle, mandatory, even vis-à-vis a business. Second, a bank that itself permits a high-risk procedure without strong customer authentication cannot simply pass the resulting risk on to the customer. Anyone who offers unsecured payment channels bears the consequences thereof, unless there is a valid and informed waiver.

The reversal of the duty of care: it wasn't the payer, but the bank that should have heard the alarm bells

It is striking that the court reverses the traditional banking argument. Whereas banks typically argue that the fraud was “detectable” to the payer, the court finds that the anomalies occurred exclusively in the correspondence between the fraudster and the agency. The payer could not see these; the bank, however, could. The absence of an account number and an invoice reference, as well as the unexplained halving of the amount following a balance notification, should have prompted a payment service provider exercising due diligence to conduct a simple telephone verification. This shift is consistent with more recent case law, which places the burden of proof regarding detectability on the bank.

Specifically, what does this mean?

For businesses that fall victim to payment fraud. Even as a non-consumer, you are entitled to the protection afforded by Articles VII.43 and VII.44 of the WER. First and foremost, demand immediate reimbursement under Article VII.43 of the WER, regardless of the issue of gross negligence; if necessary, you can pursue this claim through summary proceedings. Report the fraud immediately and file a complaint so that the bank cannot claim that you reported it too late. Verify whether the bank required strong customer authentication: if it did not, then in principle you are not liable for any loss. Keep the fraudulent correspondence: it is up to the bank to prove that you could have detected the fraud in advance or acted with gross negligence.

For banks and payment service providers. A general disclaimer regarding email risks is not sufficient to waive legal protection. If you wish to deviate from Article VII.44 of the WER in dealings with businesses, a clause is required that explicitly refers to that provision and demonstrates a deliberate, informed waiver. The obligation to reimburse under Article VII.43 of the WER remains mandatory in any case. Anyone who permits a payment procedure without strong customer authentication bears the risk thereof.

For independent bank agents and their insurers. An agent who acts solely in the name and on behalf of the bank is not a payment service provider within the meaning of Article I.9, 2° of the WER and cannot be subject to claims under Articles VII.43 and VII.44 of the WER. Furthermore, as an executing agent, he enjoys quasi-immunity from non-contractual claims, provided that the alleged error remains within the bank’s contractual sphere and does not cause any other damage.

Frequently asked questions (FAQ)

Is my bank required to refund a fraudulent transfer if I never authorized it?
In principle, yes. In the case of an unauthorized payment transaction, the bank must immediately refund the amount pursuant to Article VII.43 of the WER, unless it has reasonable grounds to suspect fraud on your part and reports this in writing to the FPS Economy. The ultimate liability will only be assessed afterward.

Does that protection also apply to businesses, and not just to consumers?
Yes. The protection mechanism applies to every payment service user. In the case of a business, the bank may attempt to contractually deviate from Article VII.44 of the WER, but such a deviation must be clearly and unambiguously agreed to after the business has been fully informed. The reimbursement obligation under Article VII.43 of the WER, on the other hand, is not included on the list of provisions that may be deviated from.

When am I, as the payer, responsible for the loss?
If you have acted fraudulently, or if you have breached your security obligations intentionally or through gross negligence. The burden of proof lies with the bank. The mere fact that your email account was hacked is not sufficient proof of gross negligence.

Conclusion

This ruling confirms that the protection mechanism for unauthorized payment transactions in Belgium is firmly established, even with respect to businesses. The bank must first reimburse the customer and only then discuss liability; a valid contractual deviation requires an explicit, informed waiver; and a payer who could not have detected the fraud does not bear the loss. The responsibility for organizing secure payment processes remains with the bank.


Joris Deene

Attorney-partner at Everest Attorneys
