On 5 March 2026, Advocate General Athanasios Rantos delivered his Opinion in Case C-70/25, Tukowiecka, a case that could become highly important for victims of online banking fraud across the European Union. According to the Court of Justice press release, the Advocate General’s position is clear: a bank cannot refuse the immediate refund of an unauthorised payment transaction merely because it alleges gross negligence on the part of the customer.
The reference comes from Poland, in proceedings between N.O. and PKO BP S.A., and concerns the interpretation of the PSD2 framework on unauthorised payment transactions. The case arose after a bank customer was deceived by a phishing scheme, entered credentials on a fake banking page, and a third party then executed an unauthorised payment. The customer reported the incident the following day, but the bank refused reimbursement on the basis that the customer had allegedly acted with gross negligence.
Why this Opinion matters
The importance of the Opinion lies in the distinction the Advocate General draws between the bank’s duty to refund immediately and the later allocation of losses. Under the interpretation advanced in the Opinion, the bank must first refund the amount of the unauthorised payment transaction without delay. Only afterwards may the bank attempt to recover the loss from the customer if it can establish that the customer acted fraudulently or with gross negligence in breach of the applicable duties.
That distinction is crucial in practice. Many victims of phishing, spoofing, and other payment scams are currently confronted with a familiar bank response: reimbursement is withheld from the outset while the bank argues that the customer should bear the loss. The Advocate General’s reasoning cuts directly against that approach. If followed by the Court, the legal sequence would be: refund first, litigate responsibility later. This is an inference from the structure described in the Court’s press release, which expressly states that the bank may seek to make the customer bear the losses only after the immediate refund has been made.
The key legal message
According to the Court’s press release, the Advocate General interprets Article 73(1) of PSD2 as requiring the payment service provider to refund an unauthorised transaction immediately. He further states that EU law provides only a narrow exception: the bank may avoid immediate reimbursement where it has reasonable grounds for suspecting fraud and has communicated those grounds in writing to the competent national authority. The press release does not describe any broader exception allowing banks to suspend reimbursement simply by asserting gross negligence by the customer.
At the same time, the Opinion does not mean that customer conduct becomes irrelevant. The press release explains that, once the immediate refund has been made, the bank may require the customer to bear the losses if it later proves that the customer acted fraudulently or with gross negligence. If the customer does not repay voluntarily, the bank would have to pursue that claim afterwards.
A major issue for phishing victims across Europe
This matters because the practical burden of delay is often devastating. When reimbursement is blocked, victims may face immediate liquidity problems, overdraft exposure, missed obligations, and substantial stress at precisely the moment they are trying to contain the fraud. The Advocate General’s reading of PSD2 appears designed to preserve the effectiveness of consumer protection in the payment-services framework by preventing banks from turning the “gross negligence” argument into a front-end barrier to reimbursement. That consumer-protection rationale is reflected in the Court’s summary of the Opinion.
For fraud victims and consumer organisations, the significance is obvious. If the Court follows the Advocate General, banks across the EU would face a more demanding rule in unauthorised transaction cases: they could no longer routinely deny immediate reimbursement in phishing cases simply by asserting that the user should have been more careful. They would instead need either to refund promptly or to fit within the narrow fraud-suspicion exception described by the Advocate General.
PSD2 and the burden-shifting effect
The Opinion also matters because it effectively shifts litigation pressure away from the victim. Under the approach described by the Court, the customer would no longer need to fight first for the return of the stolen funds while the bank retains the money. The bank would refund first and then, if it truly has a viable gross-negligence case, it would have to bring that claim forward afterwards. That procedural reversal could materially improve access to justice for victims of unauthorised payments. This is an analytical conclusion drawn from the refund-first structure set out in the press release.
Not yet the final judgment
It is important to be precise. This is not yet the judgment of the Court of Justice. It is the Opinion of Advocate General Rantos, delivered on 5 March 2026. The judges of the Court are not bound by an Advocate General’s Opinion, although such Opinions often carry significant persuasive weight. The case remains pending before the Court.
Why EFRI is watching this case closely
From a consumer-protection perspective, C-70/25 Tukowiecka goes to the heart of a recurring structural problem in payment fraud disputes: banks frequently try to move the argument about alleged customer fault to the beginning of the process, where it functions as a reason not to reimburse at all. The Advocate General’s Opinion pushes strongly in the opposite direction. It treats immediate reimbursement for unauthorised transactions as a primary legal obligation, not as a discretionary benefit that can be suspended whenever the bank invokes negligence. That conclusion reflects the official Court summary of the Opinion published on 5 March 2026.
For EFRI, the case is therefore more than a technical PSD2 dispute. It may become an important authority for the proposition that consumer protection in payment fraud cases must be effective in real time, not only after months or years of litigation. If the Court adopts the same line in its judgment, the decision could materially strengthen the legal position of phishing victims across the EU.
