Fraudulent credit card payments in France must be reimbursed to the card owner within one working day of the fraud being reported, financial authorities have reminded national banks.
Financial resolution authority l’Autorité de contrôle prudentiel et de résolution (ACPR) and the Banque de France have issued a reminder to financial institutions that this is required by law.
This does not apply if the owner of the card themselves is suspected of the fraud.
The reminder comes as online payments have soared in the past 18 months due to Covid-19. In total, internet sales reached €112billion in France in 2020, the online business group la Fédération du e-commerce et de la vente à distance (Fevad) reports.
A rise in online payments has led to a rise in online credit card fraud, with scammers either stealing bank account information or making fraudulent payments to online stores.
Victims have historically had difficulty in securing repayment of these stolen funds.
As a result, the Autorité de contrôle prudentiel et de résolution (ACPR) and the Banque de France sent a questionnaire to 25 payment service providers, in a bid to require them to improve their processes for reimbursing unauthorised bank card transactions.
The card owner and victim of fraud must legally be reimbursed within one working day, except if the client themselves is suspected of fraud, the authorities said.
This reimbursement must cover not only the stolen funds but also any fees that may have been incurred as a result of the transaction.
If the disputed transaction is suspected of being linked to fraud on the part of the client, the financial institution must declare it to the Banque de France and begin an inquiry within a reasonable timeframe, in order to decide whether to accept or reject the reimbursement request.
The burden for claiming client fraud or serious negligence falls on the bank.
The Banque de France has also called on online payment services to improve their security protocols when allowing online transactions. These recommendations include using at least two of the following:
- Requiring information that only the real card holder would know, such as a secure password, secret code, or secret question
- Requiring the transaction to be linked to a personal device, such as a mobile phone or connected smartwatch
- Including a personal check using biometrics, such as face or voice recognition, or fingerprint
If one of these checks does not go through, the transaction or login will not be authorised.
From May 15, 2021, a new “strong authentication” process known as “3D Secure” is set to replace the current system, in alignment with a European directive on payment services (DSP2).
It is based on a unique code per transaction sent by the bank via a text message to the customer's mobile phone, and will apply to all online purchases over €30.