This post is also available in:

Banking Phishing: Is the Bank the Temporary Financier of Uncertainty?

On the interim order issued on 26 May 2026 by the President of the Antwerp Enterprise Court, sitting in summary proceedings, in a banking phishing case.

On 26 May 2026, in a banking phishing case, the President of the Antwerp Enterprise Court, sitting in summary proceedings, ordered a bank to reimburse €49,958, together with interest, to a married couple aged 90 and 93. Two transfers to a Portuguese bank account had been executed after one of the customers had been contacted by telephone by an individual purporting to be an employee of the bank. The bank had refused compensation. The decision has since been widely reported, sometimes under the banner of a “revolution”.

It is precisely this characterisation that requires moderation. The order is an interim measure, granted in summary proceedings, subject to appeal, and does not determine the merits of the dispute. It does not establish that the bank committed any wrongdoing. This is not a mere procedural detail: it is the key to understanding the decision and determines what banks should, and should not, take away from it.

An Interim Order, Not a Landmark Judgment

The first key to understanding the decision is procedural.

The President of the Antwerp Enterprise Court was sitting in summary proceedings (référé). He therefore granted an interim measure in an urgent context, without making a definitive determination of the parties’ liability.

As regards urgency, the reasoning deserves careful attention.

The judge first recalled the traditional framework of Article 584 of the Belgian Judicial Code: urgency exists where an immediate decision is desirable in order to prevent harm of a certain magnitude or serious inconvenience which ordinary proceedings would not be capable of remedying effectively.

He then held that urgency arose primarily from the statutory provision relied upon. Where Article VII.43 of the Code of Economic Law requires a payment service provider to reimburse a customer “immediately” and, in any event, no later than the end of the first business day following notification, a claim seeking enforcement of that obligation is, in his view, inherently urgent. The claimants’ age—90 and 93—and their housing and care needs merely reinforced that conclusion.

This reasoning is not neutral. It tends to treat the statutory reimbursement deadline as a decisive indicator of urgency in summary proceedings. That approach is understandable, but it may also be open to debate: procedural urgency does not necessarily coincide with the prompt enforceability of a substantive obligation.

The Core of the Reasoning: Appearance Is Sufficient at the Interim Stage

Article VII.43 of the Code of Economic Law presupposes an unauthorised payment transaction. The judge could therefore not entirely disregard that requirement.

However, at the interim stage, he declined to transform the proceedings into a full technical and legal examination of the payer’s consent.

The bank argued, with some force, that the transfers had been authorised, since they had been executed following completion of the agreed authentication procedures: bank card, digipass, PIN code, response codes, and one-time codes sent by SMS.

The judge did not definitively rule on that argument. He considered that a comprehensive assessment of whether the transaction had been authorised—an assessment requiring analysis of the agreed procedure, the technical transaction data and the devices used—would go beyond the rationale of immediate reimbursement and risk depriving Article VII.43 of its practical effectiveness.

He therefore adopted an approach based on appearances: the conditions of Article VII.43 appeared, on a prima facie basis, to be satisfied. In his view, that was sufficient to justify ordering provisional reimbursement.

Accordingly, the argument that the transaction was authorised was not rejected on its merits. It was merely deferred.

Gross Negligence: A Deferred Defence, Not a Neutralised One

The same reasoning applies to gross negligence.

The bank argued that, even if the transactions were unauthorised, the claimants had acted with gross negligence. It relied on Article VII.44 of the Code of Economic Law as the specific provision governing the allocation of risk.

The judge declined to adopt that interpretation at the stage of immediate reimbursement, relying in particular on the Opinion delivered by Advocate General Rantos on 5 March 2026 in Case C-70/25, currently pending before the Court of Justice of the European Union.

According to that interpretation, Article 73 of Directive 2015/2366, transposed into Belgian law through Article VII.43 of the Code of Economic Law, governs immediate reimbursement. Article 74 of the Directive, transposed through Article VII.44, comes into play thereafter in order to determine the final allocation of liability.

In other words, gross negligence is not neutralised. It is deferred.

It may still be debated on the merits in the context of the final allocation of risk.

The debate is not eliminated. It is merely shifted: both in time and in terms of the burden of taking action.

A Separation Between Immediate Reimbursement and Final Liability

The order therefore applies the following logic: reimburse first, allocate responsibility later.

Article VII.43 of the Code of Economic Law provides for immediate and provisional restitution without prejudging the final allocation of liability. Article VII.44 subsequently governs the allocation of risk on the merits.

This distinction is essential, but it is not without difficulty.

One can readily understand the bank’s objection: if Article VII.44 allows the loss to be borne by the payer in cases of gross negligence, why should the judge hearing summary proceedings not be entitled to take account, even on a prima facie basis, of gross negligence that already appears evident from the file?

The court’s answer lies in the sequencing of the statutory provisions. In the judge’s view, allowing gross negligence to operate as an immediate bar to reimbursement would amount to introducing into Article VII.43 an exception that the provision itself does not contain. The only exception expressly provided for at that stage is suspicion of fraud by the payer, provided that such suspicion has been notified in writing to the FPS Economy.

Accordingly, the bank may well have substantial arguments regarding the authorised nature of the transaction or the customer’s gross negligence. However, according to the court’s interpretation, those arguments do not permit it to postpone immediate reimbursement. At most, they may support a subsequent recovery action.

The order expressly states that the bank retains the right to bring proceedings on the merits seeking restitution if it considers that the transaction was authorised by the payer or, alternatively, that the payer committed gross negligence. Only at that stage will the total or partial liability of the payers be determined.

Case law on the merits remains more nuanced than some commentaries suggest. Courts have previously found customers who fell victim to phishing schemes to have acted with gross negligence where the specific circumstances justified such a conclusion.

Authentication, Authorisation and Challenge: The Grey Area

An authenticated transaction is not necessarily an authorised transaction.

But a disputed transaction is not necessarily an unauthorised transaction.

The first proposition reminds us that the successful completion of a technical authentication process does not always establish legally valid consent on the part of the payer. The second reminds us that a customer’s mere denial is equally insufficient to establish the absence of consent.

Between these two propositions lies the realm of uncertainty.

The order does not definitively resolve that uncertainty. Rather, it determines who must bear its cost pending determination of the merits.

The Bank as the Temporary Financier of Uncertainty

The expression may sound provocative, but it encapsulates the issue.

Under this interpretation, the bank becomes, for the duration of the proceedings, the temporary financier of the uncertainty surrounding whether a payment was authorised, or whether the customer acted with gross negligence.

Not because the bank is necessarily wrong.

Rather, because the sequence adopted by the court places upon the bank the burden of bringing proceedings against its customer after reimbursement has been made.

The word temporary is crucial.

This is not a definitive loss. It is an advance, which may ultimately be recovered if the bank subsequently establishes, on the merits, that the transaction was authorised or that the payer must bear the loss as a consequence of gross negligence.

The uncertainty has not been resolved; its cost has merely been advanced on an interim basis.

A Decision Whose Scope Should Not Be Overstated

The order forms part of a genuine trend: the obligation of immediate reimbursement under Article VII.43 of the Code of Economic Law is increasingly being taken seriously, and the Opinion of Advocate General Rantos in Case C-70/25 reinforces that interpretation.

However, one should not move faster than the legislation and the case law.

First, the order was issued in summary proceedings. It grants an interim measure, subject to appeal, without determining the parties’ final liability.

Secondly, the European reasoning on which it relies is based, inter alia, on an Advocate General’s Opinion. Such opinions are influential, but they are not binding on the Court of Justice. The forthcoming judgment in Case C-70/25 will therefore require careful scrutiny.

Finally, the obligation to provide immediate reimbursement in cases of unauthorised transactions is not new. What is evolving is its practical enforceability in litigation: banks may increasingly be required to reimburse first and argue later.

That does not resolve everything.

The final allocation of loss will continue to depend upon the specific circumstances of each case: the chronology of the fraud, the messages received, the customer’s conduct, the consistency of the technical evidence, any warnings that were given, the use of payment instruments, and the overall quality of the evidential record.

That is where the real battle will be fought.

A Simple Rule, Difficult to Implement

On paper, the rule appears straightforward: in the event of an unauthorised transaction, the bank must reimburse immediately, unless there is suspicion of fraud by the payer himself, duly reported to the FPS Economy.

In practice, matters are considerably more complex.

A one-business-day deadline is difficult to reconcile with a serious fraud investigation. At that stage, the bank will not necessarily possess a complete chronology, usable logs, a stabilised technical analysis, or a clear understanding of the prospects for recovery from the receiving bank or from mule accounts.

Yet the bank must decide: reimburse, or invoke the payer-fraud exception. And if it reimburses, it must then determine whether recovery proceedings should subsequently be pursued.

Advocate General Rantos expressly acknowledged this difficulty in Case C-70/25. The obligation of immediate reimbursement may create practical difficulties and inconveniences for payment service providers. In his view, however, those difficulties are insufficient to displace the rule.

The challenge therefore lies in internal organisation: rapid qualification of the case, preservation of evidence, deciding whether reimbursement is required, and immediate preparation for any subsequent recovery action.

The payer-fraud exception remains available, but it requires reasonable grounds and written notification to the FPS Economy within a short period. It must not be confused with gross negligence, which belongs to the debate on the merits.

The right of recovery also exists, but it requires a properly documented file from the outset. Yet phishing cases are often won or lost within the first few hours: preservation of logs, coherence of the chronology, identification of messages received, proof of warnings, traceability of communications and analysis of customer conduct.

There remains, moreover, the risk of moral hazard.

A reimbursement mechanism perceived as automatic, without investigation or follow-up, could encourage opportunistic claims. The system addresses this concern only in part: the bank retains its right of recourse, and gross negligence remains sanctionable on the merits.

However, that balance can be maintained only if institutions are capable of identifying those cases that warrant recovery proceedings, documenting them properly and pursuing them to judgment where appropriate.

The real difficulty therefore lies not merely in determining whether reimbursement is required. It lies in determining how a bank can organise, within twenty-four hours, a decision that may subsequently shape the entire litigation.

---

Banking Phishing: Practical Considerations for Banks

1. Immediate Reimbursement: Industrialising the One-Business-Day Decision

The principal challenge is timing. The only basis for postponing reimbursement is the payer-fraud exception, coupled with written notification to the FPS Economy. In practical terms, banks require a rapid triage process leading, within the statutory timeframe, to one of two documented decisions: reimburse, or invoke the exception. In practice, such notifications appear to be used only rarely. Admittedly, cases involving actual fraud by the payer are not the most common.

Two precautions are essential. First, banks must not confuse payer fraud—the sole ground for postponement—with gross negligence, which becomes relevant only at the merits stage. Secondly, reimbursement should be viewed as a liquidity and provisioning issue. Internal performance indicators may need to shift from a “refusal rate” mindset to a “reimburse first, recover later” approach.

2. Securing Evidence That the Transaction Was Authorised

Summary proceedings do not definitively determine whether a transaction was authorised. The merits proceedings may do so. Consequently, the quality of the evidential record becomes decisive.

For banks, the challenge is not merely to preserve technical data. It is to make that data intelligible.

Authentication logs, Strong Customer Authentication (SCA) traces, device association records, itsme® or card-reader logs where applicable, proof of code transmission, IP addresses, geolocation data and session records are valuable only if they are properly structured, exportable and comprehensible to a judge.

In the matters we handle, courts are increasingly scrutinising such records in considerable detail. Counsel presenting the case must therefore be capable of translating technical terminology, internal codes and digital processes into a coherent evidential narrative: Who validated what? From which device? At what time? Following which warning? And in what context?

The Antwerp case provides an indirect illustration. The claimants challenged the significance of certain internal documents produced by the bank and pointed to an inconsistency relating to telephone numbers. The judge did not determine that issue in summary proceedings, but it illustrates the importance of a coherent, readable evidential file capable of standing outside the bank’s internal environment.

Banks must also avoid a simplistic assumption: documenting authentication is not always enough. Where possible, consent itself should also be documented.

An authenticated transaction is not necessarily an authorised transaction. But a disputed transaction is not necessarily an unauthorised transaction.

A customer alleging an unauthorised transaction must also make that allegation plausible. Belgian case law, including decisions of the Mons Court of Appeal, has confirmed that a mere denial is insufficient; the customer must present a coherent account compatible with both the technical evidence and the surrounding circumstances.

It is within that space that the merits will ultimately be decided: between the technical evidence of authentication, the explanation of the validation process, and the plausibility of the alleged absence of consent.

3. Adapting Litigation Strategy

If the interpretation adopted by the Antwerp order is ultimately confirmed—and even though a judge sitting in summary proceedings must assess urgency on a case-by-case basis rather than merely infer it from a statutory provision—it would also require banks to rethink their litigation strategy.

The traditional model is well known: the bank refuses reimbursement and subsequently defends itself if sued by the customer.

The logic of “reimburse first, argue later” partially reverses that dynamic. The bank may be required to reimburse immediately and then decide whether to initiate proceedings on the merits in order to recover the sums paid.

In summary proceedings, the range of available defences becomes narrower. The bank may challenge urgency, the prima facie fulfilment of the conditions set out in Article VII.43 of the Code of Economic Law, or the proper invocation of the payer-fraud exception where notification has been made to the FPS Economy.

However, summary proceedings should not be treated as a full trial concerning authorisation or gross negligence.

That point nevertheless remains open to debate.

It may be argued that a judge sitting in summary proceedings, who is required to assess matters on a prima facie basis, should be entitled to consider the entirety of the circumstances placed before him. Where gross negligence on the part of the payer already appears manifest, one may legitimately ask whether it is coherent to order reimbursement nonetheless, only to require the bank to pursue a subsequent recovery action.

The Antwerp order adopts a different approach. According to the court, allowing such a defence at the stage of immediate reimbursement would amount to introducing into Article VII.43 an exception that the legislature did not provide for. It is precisely this issue that may become the subject of debate on appeal or during proceedings on the merits.

In practical terms, banks must therefore prepare for two distinct forms of litigation.

The first is the summary proceeding: rapid, focused on appearances, urgency, compliance with the formal requirements of Article VII.43, and the possible application of the payer-fraud exception.

The second concerns proceedings on the merits: more technical, evidence-driven and focused on authorisation, gross negligence, chronology, security measures and the customer’s actual conduct.

At that second stage, the bank becomes the claimant. This requires a different organisational approach: selecting which cases warrant further proceedings, assessing the amount at stake, the strength of the evidence, the likelihood of recovery, the reputational risk and the broader jurisprudential interest.

The file must also be coordinated with other available remedies: criminal complaints, Card Stop notifications, potential freezing of funds, contacts with the receiving bank and recovery efforts directed at mule accounts or other involved third parties.

Recovery actions against third parties are likely to assume greater importance. The future Payment Services Regulation (PSR) points towards a broader allocation of responsibility across the technical and operational chain, although the precise contours of that approach will only become clear once the final text has been adopted and implemented.

4. Operations and Prevention: Reducing Litigation at Source

The best defence remains preventing the disputed transaction from being executed in the first place.

This requires, first and foremost, a real-time detection system capable, where possible, of suspending transfers displaying atypical characteristics before execution: a new beneficiary; a large transfer amount; an unusual destination; a recent increase in transaction limits; a combination of unusual transactions; or behaviour inconsistent with the customer’s historical profile.

It also requires targeted friction measures: enhanced authentication for certain transfers; cooling-off periods following increases in payment limits; clear warnings where a transaction presents a particular risk; and retention of evidence demonstrating that such warnings were provided.

Verification of Payee (VoP) becomes a central element in this regard. Since 9 October 2025, VoP has been mandatory throughout the euro area, including Belgium, pursuant to Regulation (EU) 2024/886, for SEPA transfers. It will not, of course, prevent all forms of fraud, particularly where the customer has been manipulated by an individual posing as a bank adviser. However, it will become an important component of the evidential record: what information was provided to the customer, what discrepancy, if any, was brought to the customer’s attention, and what decision was ultimately taken despite that warning.

Other initiatives must also be pursued, including a clear and rapid phishing reporting channel, written and harmonised criteria for assessing imprudent conduct—reflecting the request made by the Minister for Consumer Protection—as well as specific protocols for vulnerable customers.

These measures are not merely matters of regulatory compliance. They also become elements of the evidential record.

From a governance perspective, the “reimburse first, recover later” model ultimately requires alignment between fraud, legal, compliance and treasury teams. Institutions must determine who takes the decision, within what timeframe, on the basis of which evidence, subject to what level of approval, and according to which criteria a subsequent recovery action should be pursued.

Key Takeaways for Banks
If this approach becomes established, phishing disputes will no longer be decided merely through the response sent to the customer. They will be decided during the first few hours after the fraud is reported: qualification of the case; potential notification to the FPS Economy; preservation of logs; consistency of the evidential record; and the decision whether to pursue recovery proceedings.

The Regulatory Horizon: Change Has Already Begun

First, the present.

Verification of Payee is no longer a future development.

Since 9 October 2025, payment service providers within the euro area falling within the scope of Regulation (EU) 2024/886 have been required to offer payers a beneficiary verification service for both standard and instant SEPA credit transfers. In practical terms, the service  informs the payer whether there is a match; a partial match; or no match between the beneficiary’s name and the specified IBAN.

The payer may nevertheless choose to proceed. The fact that the transaction was confirmed despite a mismatch warning will, however, become an important factor in the assessment of risk, evidence and, potentially, gross negligence.

Then, the near future.

In spring 2026, the Council published advanced compromise texts as part of the PSD3/PSR legislative package. The PSR, a directly applicable regulation, has not yet been formally adopted. Caution therefore remains necessary regarding both the final numbering and the precise wording of the provisions. Nevertheless, two developments are of particular interest to banks.

For unauthorised transactions, the principle of reimbursement is retained. However, the compromise text introduces a more structured mechanism: the payment service provider would have fifteen business days either to reimburse the payer or to provide reasons for refusing reimbursement where objectively justified grounds exist to suspect fraud by the payer or an intentional or grossly negligent breach of the payer’s obligations. Compared with the one-business-day deadline under Article VII.43 of the Belgian Code of Economic Law, this would provide both a more realistic investigation period and, potentially, the reintroduction of a framework for considering gross negligence at the initial stage.

As regards impersonation fraud, or spoofing, the compromise text is aimed at protecting consumers who have been manipulated by a third party impersonating their payment service provider through communication channels appearing to originate from that provider and who, as a result, have authorised a fraudulent transaction. In such circumstances, the provider would be required to reimburse the consumer in full, subject in particular to prompt notification of the incident and a report being made to the police, unless fraud or gross negligence on the part of the consumer can be established.

The text also reflects a broader policy of allocating responsibility across the technical and operational chain, particularly where failures by technical service providers or preventive mechanisms contribute to the loss. It will nevertheless be necessary to await the final text and its implementation before the precise scope of any recourse against third parties can be properly assessed.

The timetable still allows some time, as the PSR is not expected to become fully applicable before the end of 2027 or the beginning of 2028. The direction of travel is nevertheless clear: greater protection for victims, including in respect of frauds that are currently classified as “authorised”, coupled, for banks, with a more realistic investigation period and increased emphasis on evidential matters, case triage and recovery mechanisms.

Accordingly, the investments described above should not be viewed as responses to a single judicial decision. They are projects that banks will, in any event, need to address.

References to the numbering and operation of the PSR remain subject to the definitive text as published in the Official Journal of the European Union.

Conclusion: The Uncertainty Remains; Its Cost Is Merely Advanced

The Antwerp order does not establish the definitive liability of banks. Rather, it rearranges the sequence of events: reimburse first, challenge later, and place upon the institution the burden of taking action.

The uncertainty has not been resolved; its cost is merely advanced on an interim basis.

For banks, the real issue is therefore not simply whether they are right on the merits. They may well have compelling arguments. The challenge is to be able to make a decision within the prescribed timeframe, to document the case immediately, and then to determine whether recovery proceedings should be pursued.

The issue is therefore not merely a legal one. It is also organisational, evidential and contentious in nature.

That is where the next generation of phishing disputes will be decided, far more so than in the narrative of any supposed revolution.

This article reflects an analysis as at the date of publication, based on a non-final interim order, on an Advocate General’s Opinion that is not binding on the Court of Justice of the European Union, and on a draft PSR text that has not yet been formally adopted.

See also our other articles on this topic.