Phishing and Internet fraud are pervasive today in our increasingly digitized society. Awareness campaigns by Safeonweb, Febelfin and financial institutions are being stepped up, and banks are constantly implementing new measures to combat Internet fraud. Nevertheless, the number of phishing cases continues to rise. This increase in Internet fraud is clearly visible in the statistics of Ombudsfin, where the number of Internet fraud cases handled increases exponentially year after year.
A question we often receive is whether the bank must share the financial consequences of this fraud. In Belgium, the bank must indeed refund the misappropriated amounts to the customer when there is an unauthorized payment transaction. However, the bank does not have to do so if the fraud was detectable by the customer or if the customer was grossly negligent.
Below, our lawyers provide an overview of the legal rules and principles applicable in Belgium to the allocation of liability for unauthorized payment transactions, as laid down in Book VII of the Code of Economic Law (WER).
1. (Un)authorized payment transactions
1.1. What is an authorized payment transaction?
To determine whether a bank is liable in a phishing case, it must first be established whether the payment qualifies as an "authorized" or an "unauthorized" payment transaction.
According to Article VII.32, §1, paragraph 1 WER, a payment transaction is considered authorized when the payer has consented to the execution of the payment order. If there is no such consent, the transaction is considered unauthorized. There is only an authorized payment transaction if the payer has expressly consented to it.
Although distinguishing between an authorized and an unauthorized transaction may seem fairly straightforward, in practice there is much debate about this, and especially about whether or not "consent" was given.
1.2. Who must prove that the transaction was not authorized?
Article VII.42 WER governs the burden of proof regarding the authorized or unauthorized nature of a disputed transaction. When a customer denies authorizing a payment transaction, the bank must prove that the payment transaction was authenticated, properly recorded, posted and not affected by a technical failure or other failure.
Thus, a simple statement by the customer that he did not consent is sufficient to place this burden of proof on the bank. If the bank cannot provide this technical evidence, the customer cannot be held liable.
Once the bank has provided the above evidence, then the customer must prove that he did not knowingly consent to the transaction. If the customer cannot do this then it is an authorized transaction.
It is important to note that Article VII.42, §2, paragraph 1 WER provides that the use of a payment instrument registered by the bank (such as a bank card with a code) does not in itself necessarily constitute sufficient proof that the payer authorized the transaction or acted fraudulently or grossly negligently in breach of his obligations. Indeed, in practice we often see that the bank can prove that a transaction was indeed authenticated (e.g., by a code generated with a bank card, PIN and card reader/digipass/itsme).
How can the customer demonstrate plausibly that he did not consent to an authenticated transaction? He can do this by providing a detailed account of all the steps performed by the fraudster or by demonstrating the abnormal nature of the transactions or by filing a criminal complaint.
1.3. Subjective or objective customer consent?
1.3.1. Position of many banks: objective consent
In practice, we find that some banks equate authentication (the use of the correct codes and procedures) with authorization (consent). They therefore believe that when they provide proof of an authenticated transaction, there is an authorized payment transaction and the file is closed for them. This is called objective or technical consent.
1.3.2. Position defended by the client: subjective consent
In our opinion, however, it should be the principle of subjective explicit consent. There can only be an authorized payment transaction when the payer has freely and knowingly consented to it. At the time of the payment, the payer must know the amount and the beneficiary account or the purpose of the transaction.
This principle can be explained through examples:
- Whaling fraud (in which a fraudster pretends to be a family member via WhatsApp and asks to make wire transfers) usually involves authorized payment transactions because the customer himself knowingly makes the transfers.
- Phishing or smishing, in which a fraudster intercepts codes that the victim enters on a fake website and then misuses these codes for payments, involves unauthorized payment transactions. After all, the victim thought he was confirming, for example, the application for a new digipass or the unblocking of an itsme account, not authorizing payments.
1.3.3. Position in case law.
In a judgment of Jan. 9, 2020, the Court of Appeal of Liège ruled in a phishing case that there was an unauthorized payment transaction, since the customer never intended to confirm the disputed transaction. The Dutch-speaking court of first instance in Brussels, in a judgment dated June 15, 2023, and the peace court in Antwerp, in a judgment dated November 28, 2022, also confirmed the principle of subjective consent.
In contrast, the principle of objective consent was accepted by the Dutch-speaking court of first instance in Brussels in a judgment of Jan. 8, 2021, and by the French-speaking court of first instance in Brussels in a judgment of Feb. 13, 2023 (although in both cases the victim had not made it sufficiently plausible that he had not consented to the transactions). The principle of objective consent was also accepted by the French-language business court in Brussels in a judgment dated February 8, 2021, the Dutch-language business court in Brussels in a judgment dated July 7, 2023, the justice of the peace court in Liège in a judgment dated May 21, 2021, the court of first instance in Antwerp in judgments dated June 29, 2022 and November 9, 2022, and by the French-language court of first instance in a judgment dated February 18, 2025.
2. Obligation of immediate refund
2.1. Regulation in article VII.43 WER
When there is an unauthorized payment transaction, Article VII.43, §1, paragraph 1 WER states that the bank must immediately refund to the customer the amount of the unauthorized payment transaction no later than the end of the next business day.
However, this obligation does not apply if the bank has reasonable grounds to suspect fraud on the part of the payer and communicates these grounds in writing to the FPS Economy. The bank therefore has the opportunity to investigate within a reasonable period whether there is fraud on the part of the customer. However, if this investigation shows that the customer has not committed fraud, the bank must proceed with the repayment, even if the liability of the customer has not yet been definitively established (see point 3).
2.2. Banks often fail to meet this obligation
We often find that most banks do not comply with this obligation in practice. They frequently rely on the (erroneous) argument that an authenticated transaction is also an authorized transaction, so that they do not have to proceed with an immediate refund, or on the argument that this obligation would only apply to unauthorized payment transactions carried out without a payment instrument.
However, both a judgment of Feb. 11, 2022 by the Dutch-speaking court of first instance and a judgment of Oct. 27, 2022 by the Enterprise Court in Brussels ruled that a bank may not wait to proceed with the refund until there is a final determination of the customer's potential liability (see point 3).
In case of non-compliance with this obligation, the customer may claim compensation for the damage caused, in particular interest at the legal interest rate from the date on which the reimbursement should have been made to the account.
3. Liability allocation for unauthorized payment transactions
3.1. Contestation of payment transactions before and after notification of fraud
The WER distinguishes between transactions that occurred before and after notification of the loss, theft, misuse or unauthorized use of the payment instrument.
3.1.1. Obligation to notify without delay
The Customer is obliged to notify the Bank without delay of the loss, theft or misuse of his payment instrument as soon as he becomes aware of it (e.g. via Card Stop). Article VII.41, §1 WER provides that the Customer can only obtain rectification if he notifies the Bank of such transaction without delay and at the latest 13 months after the value date.
These two criteria (prompt and within 13 months) are cumulative conditions. If the customer does not discover the fraud until after 13 months, he cannot dispute the transaction. If he does not notify immediately after discovery, a rebuttable presumption arises that he accepted the transaction.
According to a judgment of the Court of Justice of September 2, 2021, after the expiry of these 13 months the customer can no longer invoke another liability regime (e.g., that of Article 6.6, §2 BW).
The bank must ensure that the customer can make this notification at any time (24/7) and free of charge. Since January 2023, all Belgian banks have had customer service available 24/7.
3.1.2. Importance of notification
After notification by the Customer, the payment instrument may no longer be used. Article VII.44, §3 WER expressly provides that use of the payment instrument after notification cannot have any financial consequences for the customer, unless the bank proves that the customer has acted fraudulently.
Moreover, from the moment of notification, the bank's obligation arises to take reasonable measures to recover fraudulently misappropriated funds, such as stopping disputed transactions, blocking beneficiary accounts and sending recovery notices to other financial institutions.
If a bank fails to comply with its recovery obligation, the bank may be liable to repay the full loss, the Antwerp Peace Court ruled in a Nov. 28, 2022 judgment.
3.2. Strong client authentication
According to Article VII.44, §2(1) WER, the customer does not have to bear financial losses when the bank does not require strong customer authentication, unless the customer himself has acted fraudulently.
Article I.9, 33/16° WER provides a definition of strong customer authentication that boils down to requiring at least two-factor authentication (2FA) (e.g., card details and itsme confirmation). This is not the case, for example, for an online credit card payment (Visa/Mastercard) where only the card number, expiration date and CVC code must be entered.
In a judgment dated Feb. 11, 2022, the Dutch-speaking court of first instance in Brussels ruled that strong customer authentication exists in cases where a fraudster manages to install a mobile banking app on the victim's device using response codes generated with the victim's bank card, and then confirms fraudulent transactions with his own chosen code or fingerprint.
3.3. Deductible of 50 euros
Article VII.44, §1, paragraph 1, WER provides that until notification is given, the customer must bear the loss up to an amount of 50 euros for all unauthorized payment transactions resulting from the use of a lost or stolen payment instrument. This deductible applies to the totality of the unauthorized transactions, not per transaction.
3.4. Detectability of fraud
3.4.1. Legal framework
Article VII.44, §1, second paragraph, 1° WER provides that the customer does not bear any loss if the loss, theft or unauthorized use of the payment instrument could not be detected by the payer before a payment was made, unless the payer himself has acted fraudulently. Thus, if the victim of a fraud could detect the unlawful use of his payment instrument in advance, he is indeed liable for the fraud.
The assessment of whether the fraud was detectable takes into account all the circumstances and considers whether an average payer could have detected the phishing.
Relevant factors include:
- the formatting of the fraudulent message (e.g., grammatical or spelling errors)
- the e-mail address the fraudster used (the sending address)
- the URL of the fraudulent website
- generating a digipass code when the customer is only supposed to receive an amount
- communicating codes by telephone
- responding to text messages purportedly from itsme about the blocking of an account when the customer does not have an itsme account
- context messages that appear on the digipass (e.g., signing for the installation of a new app when the customer only wants to confirm a payment)
In any case, it is the payer who must provide evidence showing that he could not detect the fraud in advance.
3.4.2. What if the customer was grossly negligent?
Article VII.44, §1(4) WER provides that the payer must bear all losses associated with an unauthorized payment transaction if it has failed to fulfill certain of its obligations due to gross negligence.
We believe that the gross negligence exception does not apply to cases where the fraud was undetectable in advance. In that case, we do not believe gross negligence plays a role: if the fraud was undetectable, the customer bears no loss even if it was grossly negligent.
The peace court in Antwerp confirmed this assertion in a judgment of Nov. 28, 2022. However, the Dutch-speaking court of first instance in Brussels contradicted this in a judgment of April 4, 2022, and examined as an independent exception whether the customer had been grossly negligent.
3.5. Gross negligence, fraud or intent on the part of the payer
Article VII.44, §1, fourth paragraph WER provides that the customer bears all losses if they were suffered because he acted fraudulently or intentionally or through gross negligence failed to fulfill certain obligations.
In particular, the customer is grossly negligent if he has failed to fulfill any of the obligations enumerated in Article VII.38 WER, such as:
- keeping payment instruments and personal security credentials safe
- notifying the bank immediately once the customer establishes the loss, theft or unauthorized use of his payment instrument
According to Article VII.44, §4, third paragraph WER, the assessment of gross negligence must take into account all factual circumstances. In a judgment dated November 5, 2020, the Antwerp Court of Appeal ruled that gross negligence must be assessed according to the criterion of the assumed conduct of a normally careful and circumspect payer placed in the same concrete external circumstances. Here, according to the court, the payer's age should not be taken into account.
According to Article VII.44, §4, paragraph 1 WER, the burden of proof regarding fraud, intent or gross negligence lies with the bank. The mere use of the payment instrument with the customer's code does not in itself constitute a sufficient presumption of negligence.
4. Should a bank implement systems to detect fraud?
Banks are required to implement fraud-monitoring systems that detect suspicious transactions (art. 2 SCA regulation in combination with article 95 PSD II).
If these systems manifestly fail (for example, when dozens of identical transactions are not stopped), the question arises whether the bank can be held liable. However, the SCA regulation and PSD II remain silent on this issue. The judgment of the Court of Justice of September 2, 2021 (see point 3.1.1) appears to exclude additional recourse to another liability regime, while the above-mentioned judgment of the Antwerp Peace Court of Nov. 28, 2022 (on the failure to comply with the recovery obligation) could possibly also be applied to cases where a bank has clearly failed in its fraud detection duty.
Conclusion: How can our lawyers help you?
The regulations regarding liability for phishing are complex and their application in practice is not always straightforward. Banks often take positions that are inconsistent with the protection the legislature intended to offer consumers.
Our attorneys have extensive experience in assisting victims of phishing and other forms of Internet fraud. We can help you with:
- Analyzing your specific phishing case and applicable regulations
- Assessing whether the bank is justified in refusing repayment
- Assisting in drafting a complaint to Ombudsfin
- Taking legal action against the bank if necessary
