Unauthorised banking transactions are among the most common and problematic disputes between customers and banks in Poland. In practice, they cover a wide range of situations in which funds are lost from a customer’s bank account as a result of unauthorised actions by third parties, in particular through phishing, the theft of login details, SIM swap attacks, fraud involving platforms such as OLX or Vinted, as well as other forms of unlawful use of payment instruments.
What is an unauthorised banking transaction? An unauthorised banking transaction is a payment transaction carried out without the customer’s consent, i.e. without their informed approval in the manner provided for in the contract with the bank. This includes situations where a third party has gained access to the account and made a payment without the account holder’s knowledge.
In such situations, the key question is: who bears responsibility for such incidents – the bank as a professional, or the customer as the account holder? The answer is not intuitive, and judicial practice frequently contradicts the narrative presented by banks in disputes with customers.
The applicable regulations, in particular Articles 45 and 46 of the Polish Payment Services Act of 19 August 2011, establish a liability model in which the general rule is that the bank must refund the funds to the customer without delay. The only exception is the customer’s own liability, which is limited to strictly defined cases, namely where the customer caused the unauthorised transaction intentionally or through gross negligence.
In practice this means a reversal of the burden of proof, i.e. a departure from the principle set out in Article 6 of the Polish Civil Code, under which the party asserting a fact must prove it. As a consequence, it is the bank that must demonstrate either that the transaction was in fact authorised by the customer, or that the customer caused the loss of funds from the account intentionally or through gross negligence.
In this article we discuss in detail: the legal basis for the bank’s liability, the definition of an unauthorised transaction, the rules governing the distribution of the burden of proof, and the current line of judicial precedent in cases concerning unauthorised banking transactions. We also analyse specific cases, such as the unauthorised conclusion of a credit or loan agreement, as well as the possibility of claiming compensation for infringement of personal rights. The aim is to clearly identify the rights to which the customer is entitled and the legal instruments that allow claims against the bank to be pursued effectively in the event of unauthorised transactions.
A practical example from Polish case law:
“Article 45(1) of the aforementioned Act [i.e. on payment services – author’s note] provides that the burden of proving that a payment transaction was authorised by the user rests with that user’s provider, and that merely demonstrating the recorded use of the payment instrument is not sufficient to fulfil this burden of proof. The provider is obliged to prove other circumstances indicating the authorisation of the payment transaction by the payer, or circumstances indicating that the payer intentionally caused an unauthorised payment transaction, or intentionally and as a result of gross negligence breached at least one of the obligations referred to in Article 42 of the Polish Payment Services Act” (judgment of the Polish Regional Court in Łódź, 3rd Civil Appeal Division, dated 4 September 2017, case no. III Ca 611/17).
Bank account agreement – legal basis
A bank account agreement is one of the fundamental legal relationships in commercial transactions and everyday life. Pursuant to Article 725 of the Polish Civil Code, the bank undertakes, for a fixed or indefinite period, to hold the account holder’s funds and, if the agreement so provides, to carry out financial transactions on the account holder’s behalf. The structure of this agreement is mutually binding and is classified as a service contract. This means that the bank not only holds the customer’s funds but also actively participates in financial transactions by carrying out the customer’s instructions.
It follows from the nature of the relationship between the bank and the consumer described above that the bank has two fundamental obligations in the context of unauthorised banking transactions:
1) the obligation to hold funds and
2) the obligation to execute the customer’s payment instructions.
However, these obligations are merely the starting point for a much broader regime of liability, which stems primarily from the Banking Law and the Polish Payment Services Act.
The bank’s obligation as a public trust institution
It is also important to note the bank’s status as a public trust institution and the significant legal consequences this entails in the context of unauthorised banking transactions. In practice, the status of a public trust institution means that the bank operates under a heightened standard of care, and its liability is not limited solely to the literal performance of the contract. It also includes the obligation to ensure the security of systems, monitor transactions and respond swiftly to indications of possible abuse. A bank is therefore not merely a profit-driven business, but an entity subject to higher standards of professional diligence, particularly regarding the safekeeping of its customers’ funds, which has direct implications for the issue of payment transactions carried out without the customer’s consent. This position is confirmed by case law.
A practical example from Polish case law:
“A bank, as an institution of public trust, is obliged to act in an honest, fair and professional manner, in accordance with the best interests of the customer” (judgment of the Polish Court of Appeal in Warsaw of 28 January 2019, 7th Civil Appeal Division, case no. VII AGa 897/18).
In practice, the key question is when the bank is obliged to refund the funds to the customer. Under Article 46(1) of the Polish Payment Services Act, in the event of an unauthorised payment transaction the payer’s payment service provider (as a rule, the bank) is obliged to refund the amount of the transaction without delay, and no later than the end of the working day following the day on which it identified the unauthorised transaction or received the customer’s report. Where the account has been debited, the bank must also restore it to the state it would have been in had the unauthorised transaction not taken place at all. This provision is mandatory and constitutes one of the most important mechanisms for protecting users of payment services.
The condition for benefiting from this protection is that the customer notifies the bank of the unauthorised transaction without undue delay, and in any event no later than 13 months after the date on which the account was debited (Article 44(2) of the Act). Once this condition is met, the burden of proof rests with the bank.
In practice, this means that at the initial stage of a dispute with the bank the customer does not have to prove how the unauthorised transaction took place or who was responsible for it (assuming they have such information at all). It is sufficient to report that the transaction in question was not authorised by the customer. From that point onwards the bank is obliged to act immediately: first and foremost to refund the funds, and only subsequently, if necessary, to clarify the circumstances of the incident, which is of secondary importance to the customer.
Crucially, the bank cannot make the refund conditional upon the conclusion of a complaints procedure, criminal proceedings or an internal investigation. The obligation to refund is primary and is to be fulfilled ‘up front’. The Act provides a single narrow exception: the bank may withhold the refund where it has reasonable and duly documented grounds to suspect fraud and notifies the law enforcement authorities of this in writing. Even then, the bank remains liable unless it can ultimately prove that the transaction was authorised or that the customer acted intentionally or with gross negligence, which in most cases it cannot.
In practice, this also means that the common strategy employed by banks of automatically rejecting complaints and shifting the burden of proof onto the customer is contrary to mandatory legal provisions. It is not the customer who must prove that they have been the victim of fraud; rather, the bank must demonstrate that the customer is responsible for the unauthorised transaction. Until such proof is provided, the funds should be returned to the customer and the account restored to its state prior to the unauthorised transaction.
A practical example from Polish case law:
“Pursuant to Article 45(1) of the 2011 Polish Payment Services Act, by way of exception to the rule set out in Article 6 of the Polish Civil Code, the burden of proving that a payment transaction was authorised by the user or that it was executed correctly rests with the user’s provider. According to Article 45(2) of the Polish Payment Services Act, the provider’s demonstration of the registered use of the payment instrument is not sufficient to prove that the payment transaction was authorised by the user” (Polish Supreme Court judgment of 18 January 2018, ref. no. V CSK 141/17).
The definition of an “unauthorised transaction” is of key importance in this context.
A payment transaction shall be deemed authorised if the payer (i.e. the bank’s customer) has consented to its execution in the manner provided for in the agreement between the payer and their provider, i.e. the bank.
Consequently, an unauthorised transaction is one to which the payer did not consent in the manner provided for in the bank account agreement, typically carried out without their knowledge. In other words, the transaction was carried out against their will, most often as a result of phishing, vishing, smishing, spoofing, theft of login credentials, SIM swap attacks, fraud via OLX or Vinted, ‘bank employee’ scams, or other forms of unauthorised use of payment instruments.
Importantly, banks often dispute the lack of authorisation, but this position is not always upheld in court. It is not sufficient to demonstrate that the transaction was correctly authenticated from a technical standpoint, e.g. confirmed with an SMS code or in the mobile app. Authentication proves only that the payment instrument or its security credentials were used; authorisation within the meaning of the Act means the customer’s actual consent to the execution of that specific transaction, and not merely the formal completion of a security procedure. A criminal who has obtained the customer’s credentials and one-time codes can pass authentication, yet the customer has authorised nothing.
In practice, promptly informing the bank of an unauthorised transaction is significant not only from a technical point of view, but above all as a matter of evidence. Although the law allows a relatively long period of up to 13 months to report an unauthorised transaction to the bank, case law shows that a delay in responding may be used by the bank to argue that the customer failed to exercise due diligence. The speed with which the affected customer acts once they become aware of an unauthorised payment transaction may therefore be decisive.
Reporting the matter to the bank without delay strengthens the customer’s credibility and makes it more difficult for the bank to attribute gross negligence to them, which is the most common argument put forward by banks in court disputes. This is particularly significant in the context of the burden of proof: since it is the bank that must prove the customer’s fault, any circumstance confirming the customer’s correct and prudent conduct works in their favour. In judicial practice, courts attach great weight to how quickly the customer reacted upon discovering the irregularity.
A practical example from Polish case law:
“There were, in fact, no shortcomings or faults on her part [the claimant’s], as evidenced by her swift response, which consisted of immediately notifying the bank and the police that her account had been ‘cleared’ on 19 December 2013, when the claimant noticed transfers in her account history which she had not made herself” (judgment of the Polish Regional Court in Łódź, 3rd Civil Appeal Division, dated 19 December 2016, case no. III Ca 1401/16).
Furthermore, even in situations where the customer initially acts with a degree of negligence (for example, by disclosing login details to the banking system as a result of fraud), this does not automatically preclude the bank’s liability. Case law emphasises that, when assessing the issue of authorisation of a banking transaction, the customer’s conduct is of key importance. Therefore, if the customer fulfils their obligations without delay, and thus immediately reports the loss of control over the payment instrument, the bank is under an obligation to take effective protective measures immediately. A failure to react or a delayed reaction may constitute an independent basis for the bank’s liability, even regardless of the customer’s prior conduct.
This issue is directly linked to the fact that the bank is obliged to put in place effective channels for reporting unauthorised transactions and mechanisms to prevent further abuse. If the bank fails to meet these obligations, and in particular if it does not block access to the account or online banking in a timely manner, it will undoubtedly then bear the risk of further unauthorised transactions. The bank’s liability is therefore not limited solely to the transaction authorisation stage; the response phase following a security breach is equally important. Even in borderline or ambiguous situations, where the customer’s behaviour may raise doubts, the bank’s failure to respond adequately and immediately may determine its liability for the entirety of the loss arising from an unauthorised transaction.
A practical example from Polish case law:
“Although the claimant disclosed her login details as a result of failing to take the necessary precautions, she subsequently fulfilled the obligations referred to in Article 42 of the Polish Payment Services Act, and the bank’s proper response to the notification, namely the immediate blocking of access to mobile banking, would have prevented the criminals from carrying out the transaction and entering into a credit limit agreement. Since the response to the report was delayed, it must be concluded that the defendant failed to ensure effective procedures to prevent the use of the payment instrument following the report in accordance with Article 42(1)(2), which it was obliged to do under Article 43(1)(5) of the Act” (judgment of the Polish Regional Court in Sieradz, 1st Civil Appeal Division, dated 28 December 2022, case no. I Ca 522/22).
Customer fault – when does it exclude the bank’s liability?
The bank’s liability for an unauthorised payment transaction is fundamental and may be excluded only in exceptional circumstances, i.e. where the bank demonstrates that the customer:
1) acted intentionally or
2) committed gross negligence in relation to the obligations associated with the use of the payment instrument.
In most cases, the bank’s argument is based on the second ground, namely gross negligence. Importantly, the concept of gross negligence is of a so-called ‘qualified nature’ and cannot be interpreted broadly. In practice, gross negligence refers to conduct that clearly and flagrantly deviates from the basic principles of prudence that an average market participant, i.e. a bank customer, should observe. Generally, therefore, it concerns situations where fundamental safety rules are breached, to such an extent that the consequences would be easily foreseeable to any reasonable person.
Case law, however, clearly indicates that the courts take a restrictive approach to this criterion and do not equate every customer error with gross negligence.
On the one hand, in one example judgment the court found that the customer had acted with gross negligence when they entered their payment card details on a website that was clearly illogical from the perspective of the transaction, and subsequently confirmed the transaction with an SMS code whose content unambiguously indicated a purpose other than the one declared. In these circumstances the court held that there had been a breach of basic security principles, which justified attributing full liability to the customer and thus exempted the bank from liability (judgment of the Polish Regional Court in Gliwice of 6 July 2022, 3rd Civil Appeal Division, case no. III Ca 264/22).
On the other hand, numerous court rulings emphasise that merely falling victim to phishing or providing login details does not in itself constitute gross negligence on the part of the customer.
- By way of example, the Polish Regional Court in Olsztyn pointed out that the mere disclosure of login details, in the absence of evidence that authorisation codes were also provided, is not sufficient to attribute gross negligence to the customer (judgment of the Polish Regional Court in Olsztyn, 9th Civil Appeal Division, of 25 March 2024, ref. no. IX Ca 109/24).
- In one of the Supreme Court’s rulings, it was held that only the combined disclosure of login details and authorisation codes, in a situation where their significance is obvious, may constitute gross negligence (judgment of the Polish Supreme Court of 15 September 2023, ref. no. II CSKP 1013/22).
- In the judgment of the Regional Court in Sieradz cited above, it was ruled that the customer’s actions as a victim of phishing constituted, at most, ordinary negligence, particularly as she took immediate action upon detecting the threat, whilst the bank reacted with a delay (judgment of the Polish Regional Court in Sieradz, 1st Civil Appeal Division, dated 28 December 2022, case no. I Ca 522/22).
- The District Court for Warsaw-Mokotów noted that even the installation of remote access software under the influence of criminal manipulation does not necessarily constitute gross negligence if the act was accompanied by an element of pressure and sophisticated deception (judgment of the Polish District Court for Warsaw-Mokotów, 1st Civil Division, case no. I C 3854/21).
The conclusions drawn from the court rulings in the cited examples are unambiguous. As a general rule (and often contrary to the claims of banks), the threshold for ‘gross negligence’ is high and requires proof of extremely irrational behaviour, clearly contrary to the basic principles of account user security. In most cases of modern fraud, based on manipulation and advanced social engineering techniques, the customer’s behaviour, even if it may be assessed as careless, does not reach that level.
Furthermore, it should be emphasised that the assessment of the customer’s behaviour cannot be viewed in isolation from the bank’s actions. If, following the reporting of an incident, the bank fails to take immediate and effective security measures, this circumstance may determine its liability, even where there have been prior failings on the part of the customer.
Particularly significant legal consequences arise in situations where the perpetrator’s actions result not only in unauthorised payment transactions but also in the incurring of a credit or loan obligation. In such cases, it is crucial to determine whether the customer has effectively made a declaration of intent. If the act was carried out without the customer’s knowledge or consent, solely through the use of compromised authentication credentials, it must be assessed whether there are grounds for attributing the legal consequences of the third party’s actions to the customer.
In particular, this requires an assessment of whether the conditions for valid authorisation have been met and whether the declaration of intent was not vitiated by a defect precluding its validity within the meaning of the Polish Civil Code. Consequently, these findings must be demonstrated in each case during the proceedings, in particular taking into account the overall circumstances of the case.
In such a situation, the appropriate remedy is an action to declare the contract void, based on Article 189 of the Polish Code of Civil Procedure. For such an action to be successful, it is necessary to demonstrate a legal interest, which exists where there is objective uncertainty as to the existence of a legal relationship, and a court judgment can definitively remove that uncertainty. In practice, this interest is evident where a bank treats the contract as valid and charges obligations under it, even though the customer did not participate in its conclusion.
The bank’s failure to respond to the customer’s complaints and its continued enforcement of a contract concluded as a result of a criminal offence leads to a state of persistent legal uncertainty and a real threat to the financial situation of the aggrieved party. In such circumstances, an action for a declaratory judgement is often the only effective means of protection.
In practice, claims for compensation for the infringement of personal rights in connection with unauthorised transactions are also being brought with increasing frequency. In such cases, the main grounds cited are the infringement of the right to peace of mind, the sense of financial security, and the ability to freely dispose of one’s own funds. The loss of access to an account, the need to engage in a dispute with the bank, or the incurrence of legal costs undoubtedly have a negative impact on the victim’s life situation and may justify the award of appropriate financial compensation.
From the perspective of a potential dispute with the bank, it is crucial not only to report the unauthorised transaction itself, but also to properly secure the evidence and demonstrate that the payer has complied with their statutory obligations. In practice, the following steps should be taken:
Report the unauthorised transaction to the bank immediately
The report should be made immediately upon detecting the irregularity – by telephone, via the app or at a branch. The timing of the report is of significant evidential importance and influences the assessment of any gross negligence on the part of the customer.
Block access to your account and online banking
Change your passwords, block your card, log out of all sessions and, if possible, temporarily block your account. Ask the bank to block online and mobile banking access and to remove any mobile app pairings, trusted devices or trusted browsers that the attacker may have added, since these allow continued access even after a password change. The aim is to prevent further unauthorised transactions.
Submit a complaint and clearly state that the transaction was unauthorised
In your complaint, clearly state that the transaction was unauthorised and demand a refund, citing the Polish Payment Services Act.
Report the matter to the police
Filing a report with the police or the Prosecution Service strengthens the credibility of your claim and constitutes significant evidence in any potential dispute with the bank.
Secure the evidence
Keep a record of the transaction history, transfer confirmations, text messages, emails and screenshots, and request from the bank the login history for the account (dates, times, devices and IP addresses). Keep the phone or computer involved and do not wipe or reset it, as it may be needed for forensic examination. In practice, this is often crucial evidence in proceedings against the bank.
Monitor the bank’s response and deadlines
As a rule, the bank should refund the funds immediately (by the end of the next working day at the latest). Failure to refund may form the basis for further claims.
Consider taking legal action
If the bank refuses to refund the funds, it is possible to pursue claims in court, including a claim for payment, a declaration of the invalidity of a contract (e.g. a loan) or, in certain situations, compensation.
Summary
An analysis of the applicable legislation and established case law leads to the unequivocal conclusion that the legal system provides strong protection for users of payment services. A bank cannot evade liability by relying solely on the formal correctness of its authorisation procedures. The key factors are the customer’s actual consent and the absence of fault on their part in causing the loss. In the absence of these, the obligation to restore the account balance and refund the funds rests with the bank, and failure to do so opens the way for legal action.
In practice, this means that in most cases the bank bears the risk of unauthorised transactions, and the customer has effective means to successfully pursue their claims.
Does entering an SMS code mean that the transaction was authorised?
No. Entering an SMS code or confirming in a mobile app is, at most, authentication of the transaction (proof that the payment instrument was used), not its authorisation (the customer’s consent to that transaction). According to the case law of the courts, including the Polish Supreme Court, the bank’s demonstration that there was technical use of a payment instrument (e.g. an SMS code) is not sufficient to conclude that the customer consented to the transaction.
When is a transaction considered authorised?
For a transaction to be considered authorised, all of the following conditions must be met:
– personal element – consent must come from an authorised customer,
– formal element – consent must be given in the manner specified in the contract,
– element of awareness and intent – the customer must know what they are approving.
The absence of any of these elements means that the transaction is unauthorised.
Does the customer’s level of knowledge matter when assessing their culpability in the context of unauthorised banking transactions?
Yes, and it matters greatly. Courts take into account, amongst other things: the customer’s age, life experience, level of knowledge of online banking, and previous experiences with similar risks. Therefore, a young, inexperienced person or someone who uses banking services to a limited extent is more likely to fall victim to manipulation, and this will not automatically be treated as gross negligence.
What actions on the part of the customer might be considered negligence?
For example:
• storing login details in an easily accessible form,
• using simple, easy-to-guess passwords,
• failing to implement basic device security measures.
Can the loss of a phone or a lack of evidence affect the case?
Yes, that is a key factor. If a customer prevents evidence from being gathered (e.g. by refusing to hand over a device) or fails to preserve evidence, this may work against them in the court’s assessment of the facts and, in extreme cases, lead to a finding of gross negligence.