Payment Fraud in Private Banking: Liability, Evidence and Strong Customer Authentication

Payment fraud liability in private banking turns first on legal qualification. Luxembourg’s loi modifiée du 10 novembre 2009 relative aux services de paiement, à l’activité d’établissement de monnaie électronique et au caractère définitif du règlement dans les systèmes de paiement et les systèmes de règlement des opérations sur titres (hereafter, the Payment Services Act of 2009) distinguishes three situations. It covers unauthorised transactions. It covers defective execution, meaning a payment that was authorised but not carried out correctly, for example because of delay, incorrect amount or transfer to the wrong beneficiary due to an execution error. It also covers payments authorised by a deceived payer, meaning a payer who consented to the transaction but was misled or manipulated by fraudsters. Authorised push payment fraud, meaning a situation where the payer is tricked into initiating and approving a transfer to a fraudster, does not automatically fall within the refund mechanism under Article 87 of the Payment Services Act of 2009.

Three Liability Controls

  • (i) Refund is the starting point. For an unauthorised transaction, Article 87 of the Payment Services Act of 2009 requires reimbursement no later than the end of the following business day, unless there are good reasons to suspect fraud and those reasons are communicated in writing to the Commission de Surveillance du Secteur Financier (CSSF).
  • (ii) Evidence sits with the provider. Article 86 of the Payment Services Act of 2009 requires a comprehensive evidentiary record, including authentication data, transaction integrity, system reliability and absence of technical failure, not merely technical logs. Use of a payment instrument does not necessarily prove authorisation, payer fraud or gross negligence.
  • (iii) Strong customer authentication (SCA) is a decisive control. It determines how financial risk is allocated between the payer and the provider. It requires the use of independent authentication factors falling within three categories: knowledge, possession and inherence. Each factor must be independent and properly combined. The mechanism must be correctly designed, triggered at the right moment and fully documented. Article 88(2bis) of the Payment Services Act of 2009 protects the payer where the provider failed to require SCA. This protection does not apply if the payer acted fraudulently.

The must-know point: a fraud file is an evidence file. Private banks should qualify consent, test the notification timeline under Article 85 of the Payment Services Act of 2009, preserve authentication data, document any fraud suspicion and align customer journeys with Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (hereafter, PSD2), as transposed into Luxembourg law by the Payment Services Act of 2009, and with Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 with regard to regulatory technical standards for strong customer authentication (hereafter, the SCA Delegated Regulation).

Failures can arise at several levels. They may concern system design, the use of exemptions, step-up authentication or audit trails. Each failure can directly affect liability allocation. In private banking, this matters because high-value transfers, manual validation channels and relationship-manager involvement can make the evidence chain more complex.
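The SCA description above (independent factors from the knowledge, possession and inherence categories, triggered at the right moment, fully documented) and the failure levels just listed (design, exemptions, audit trail) can be made concrete in code. The following is an added illustration, not the article's content and not any bank's system: it assesses a payment's recorded authentication evidence against two assumed rules (at least two factors from different categories, which is how PSD2 defines SCA, and factor independence, simplified here to "not presented on the same channel") and serialises the result into a record for the fraud file. All identifiers, method and channel labels, amounts and the exemption name are constructed.

```python
"""Added illustration (constructed; not from the article or any bank's system):
evaluate a payment's authentication evidence against the SCA rule and produce an
evidence-file record for the fraud file."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import json


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the payer knows (PIN, password)
    POSSESSION = "possession"  # something only the payer has (registered device, token)
    INHERENCE = "inherence"    # something the payer is (fingerprint, face)


@dataclass(frozen=True)
class Factor:
    category: Category
    method: str       # how the factor was verified, e.g. "password" (assumed label)
    channel: str      # device or channel it was presented on, e.g. "browser" (assumed label)
    verified_at: str  # ISO-8601 timestamp, kept as text for the record


@dataclass(frozen=True)
class AuthenticationEvidence:
    transaction_id: str
    payer_id: str
    amount_eur: float
    factors: tuple                   # Factor instances actually verified for this payment
    exemption: Optional[str] = None  # exemption claimed instead of SCA, if any


@dataclass
class ScaAssessment:
    transaction_id: str
    sca_applied: bool
    findings: list


def assess_sca(ev: AuthenticationEvidence) -> ScaAssessment:
    """Two checks, both assumptions drawn from the SCA definition: at least two
    factors from different categories, and factors independent of each other.
    Independence is simplified here to 'not presented on the same channel', so
    that compromise of one channel does not expose every factor at once."""
    findings = []
    categories = {f.category for f in ev.factors}
    if len(categories) < 2:
        present = ", ".join(sorted(c.value for c in categories)) or "none"
        findings.append("fewer than two factor categories: " + present)
    channels = [f.channel for f in ev.factors]
    shared = sorted({c for c in channels if channels.count(c) > 1})
    if shared:
        findings.append("factors not independent, shared channel(s): " + ", ".join(shared))
    sca_applied = len(categories) >= 2 and not shared
    if not sca_applied:
        if ev.exemption:
            findings.append(f"exemption claimed: {ev.exemption}; keep its justification in the file")
        else:
            findings.append("SCA not required by the provider and no exemption recorded")
    return ScaAssessment(ev.transaction_id, sca_applied, findings)


def evidence_record(ev: AuthenticationEvidence, assessment: ScaAssessment) -> str:
    """Serialise evidence and assessment together, so the record preserved for
    the fraud file carries the authentication data, not just a pass/fail flag."""
    record = {
        "transaction_id": ev.transaction_id,
        "payer_id": ev.payer_id,
        "amount_eur": ev.amount_eur,
        "factors": [{"category": f.category.value, "method": f.method,
                     "channel": f.channel, "verified_at": f.verified_at}
                    for f in ev.factors],
        "exemption": ev.exemption,
        "sca_applied": assessment.sca_applied,
        "findings": assessment.findings,
    }
    return json.dumps(record, sort_keys=True)


# Constructed sample evidence (identifiers, labels and amounts are made up).
SCA_OK = AuthenticationEvidence(
    "TX-0001", "CLIENT-A", 250000.0,
    (Factor(Category.KNOWLEDGE, "password", "browser", "2025-01-10T09:00:00Z"),
     Factor(Category.POSSESSION, "app_push_approval", "registered_phone", "2025-01-10T09:00:20Z")))

# Password typed on the phone and a one-time code sent to that same phone:
# two categories, but one channel, so the factors are not independent.
SAME_CHANNEL = AuthenticationEvidence(
    "TX-0002", "CLIENT-B", 80000.0,
    (Factor(Category.KNOWLEDGE, "password", "registered_phone", "2025-01-10T10:00:00Z"),
     Factor(Category.POSSESSION, "sms_otp", "registered_phone", "2025-01-10T10:00:30Z")))

# One factor only, with an exemption claimed in its place.
SINGLE_FACTOR = AuthenticationEvidence(
    "TX-0003", "CLIENT-C", 5000.0,
    (Factor(Category.KNOWLEDGE, "password", "browser", "2025-01-10T11:00:00Z"),),
    exemption="trusted_beneficiary")


if __name__ == "__main__":
    for ev in (SCA_OK, SAME_CHANNEL, SINGLE_FACTOR):
        print(evidence_record(ev, assess_sca(ev)))
```

The point of keeping the factors themselves in the record, rather than a boolean, is the evidentiary burden described above: a later dispute turns on what was verified, on which channel and when, and on whether any exemption was justified at the time, not on a flag set by the system.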

Change to monitor: the proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market, COM(2023)367 (hereafter, the PSR, the proposed Payment Services Regulation) and the proposal for a Directive of the European Parliament and of the Council on payment services and electronic money services, COM(2023)366 (hereafter, PSD3, the proposed third Payment Services Directive) are not yet applicable. The provisional political agreement of 27 November 2025 nevertheless points to targeted tightening: name and unique identifier checks, blocking measures, fraud-related information sharing and increased liability where required prevention mechanisms are not implemented. The sensitive point for private banking concerns fraud through impersonation of the payment service provider. The PSR could create a more protective reimbursement layer, subject to the final adopted text.

For non-consumer clients, Article 78 of the Payment Services Act of 2009 allows certain contractual derogations. Family holding companies, patrimonial vehicles and investment structures therefore need clause-by-clause review.

Connect with Bertrand Mariaux on LinkedIn. You can listen to the related podcast on Apple Podcasts, Spotify, YouTube, or wherever you get your podcasts.
