Published: 29.01.2026
Last Updated: 29.01.2026

EU Payment Services Law and Scam Refunds: What Victims Need to Know in 2026

By Danielle Mercieca (Senior Associate) and Jean-Philippe Chetcuti (Managing Partner)
what's inside

This publication examines the legal and practical landscape of post-scam recovery, analysing when reimbursement is available, where responsibility currently ends, and how victims can pursue redress. It also highlights why, despite recent reforms welcomed by consumer advocates, recovery after fraud remains structurally difficult and why further regulatory intervention is increasingly inevitable.

Copyright © 2025 Chetcuti Cauchi. This document is for informational purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking any action based on the contents of this document. Chetcuti Cauchi disclaims any liability for actions taken based on the information provided. Reproduction of reasonable portions of the content is permitted for non-commercial purposes, provided proper attribution is given and the content is not altered or presented in a false light.

what's inside

  • Bank liability for fraud-related losses
  • Recovery rights following authorised push payment (APP) scams and transfers under deception
  • Evidentiary thresholds for reimbursement and the burden of proof between banks and customers

Recovery following bank-related scams remains one of the most challenging areas of consumer financial protection in the European Union. While recent EU legislative reforms strengthen bank liability for unauthorised or manipulated payments, recovery outcomes remain uneven. This is especially true for people who fall victim to authorised push payment scams, where money is sent as a result of deception, not because of technical problems with their accounts.

The Reality of Bank Scams and Recovery Risk

Bank scams have evolved rapidly from technical account breaches into psychologically sophisticated social-engineering operations. Fraudsters increasingly exploit impersonation, urgency, and trust — often via social media, messaging platforms, or spoofed communications — to induce victims to authorise payments themselves.

From a recovery perspective, this distinction is critical. Traditional payment law has historically been designed around unauthorised transactions, not situations where consent is obtained through deception. As a result, many victims discover, often too late, that their ability to recover losses depends less on the harm suffered and more on how the fraud is legally classified.

According to industry data from the European Central Bank (ECB) and the European Banking Authority (EBA), payment fraud in the EEA rose to approximately €4.2 billion in 2024, up from an estimated €3.5 billion in 2023, underlining both the rising risk of fraud and the limitations of current mitigation tools.

At a national level, Malta’s payment fraud landscape reflects similar challenges, with recent reporting indicating that 10,024 fraud incidents occurred over a 6-month period, resulting in close to €3.76 million in financial losses, the majority of which stemmed from credit transfers rather than lower-value card incidents.

Recovery Rights Under EU Payment Law

Under the revised EU framework, banks are clearly liable to reimburse customers where:

  • a payment transaction was unauthorised; or
  • a payment was altered or manipulated due to failures in authentication or fraud-prevention systems.

In such cases, the law is explicit: the payment service provider must restore the customer’s account to the position it would have been in had the transaction not occurred, subject to limited exceptions. This reflects long-standing EU principles that consumers should not bear losses arising from system failures beyond their control.

From a recovery standpoint, these cases are relatively straightforward. Victims can rely on statutory rights, complaint mechanisms, and, where necessary, judicial enforcement. The challenge arises when a case of fraud does not clearly fit into these rules.

Authorised Push Payment Scams: The Recovery Gap

The most problematic category for recovery is the authorised push payment (APP) scam. In these scams, the consumer authorises the transaction, often believing they are paying a trusted counterparty, but the transaction is induced by fraud.

Despite growing recognition of the harm caused by such scams, EU payment law has traditionally treated these transactions as authorised, even if consent was obtained through deception. The practical effect is stark:

  • banks may deny reimbursement on the basis that the customer “authorised” the payment;
  • recovery depends on internal bank policies rather than enforceable rights; and
  • victims often face protracted disputes with uncertain outcomes.

Recent EU reforms, introduced through the Payment Services Regulation and PSD3, marginally improve this position by tightening banks’ fraud-monitoring obligations and clarifying certain reimbursement triggers. Notably, the legislative reforms include an obligation on payment service providers to check that the payee’s name and unique identifier match. However, they stop short of establishing a general right to reimbursement for APP scam victims.

Evidentiary Burdens and the Practical Reality of Claims

For victims seeking recovery, one of the most significant obstacles is proof.

Banks routinely assess:

  • whether the customer acted with “gross negligence”;
  • whether warnings were ignored;
  • whether fraud indicators should have been obvious.

From a customer’s perspective, the process can feel unbalanced and challenging to navigate. Victims must often reconstruct events under stress, while banks rely on internal logs, standardised criteria, and contractual exclusions.

In practice, successful recovery often depends on:

  • the speed of reporting the fraud;
  • the clarity of evidence showing deception or impersonation;
  • whether the bank failed to act on clear red flags; and
  • the availability of external escalation mechanisms (ombudsman, regulator, or court).

Even where recovery is ultimately achieved, the process can take months, sometimes years, undermining trust in the payment system itself.

The Missing Link: Online Platforms and Fraud Origination

A recurring weakness in recovery frameworks is the disconnect between where fraud originates and who bears liability. Many bank scams begin on:

  • social media platforms;
  • online advertising networks;
  • messaging services.

Yet liability remains concentrated at the payment stage, long after the deception has occurred. The recent proposed revision to payment laws does little to impose meaningful responsibility on platforms that host fraudulent content or advertisements, despite evidence that such activity generates substantial revenue.

From a recovery standpoint, this creates a structural dead end. Victims may recover nothing from banks, while having no realistic avenue of redress against platforms operating across borders with limited accountability.

This imbalance increasingly undermines the effectiveness of payment-law reforms and suggests that recovery policy cannot be separated from platform regulation.

Comparative Signals: A Shift in Regulatory Thinking

Outside the EU, regulatory approaches are already evolving. For instance, the UK has implemented mandatory reimbursement schemes for APP scams, transferring the risk of recovery from consumers to payment service providers, though discussions about how costs should be shared appear to still be underway.

These developments signal a broader policy trend: consumer recovery is becoming a systemic responsibility, not a matter of individual fault. The EU’s incremental approach may therefore represent a transitional phase rather than an end state.

Strategic Implications for Consumers, Banks and Policymakers

For Victims of Bank Scams

Victims of bank scams must respond promptly and document every step taken throughout the recovery process. Immediate action can be crucial to increasing the chances of recovering lost funds.

Maintain Comprehensive Records

Thorough documentation is essential. Victims should keep detailed records of all interactions with their bank and any relevant authorities. This includes retaining emails, call logs, and reference numbers associated with the case. Additionally, collecting and preserving evidence related to the scam—such as screenshots of fraudulent messages, advertisements, or payment instructions—can be vital. Such records serve to support the victim’s claim and may be required for internal investigations or legal proceedings.

Understand the Recovery Landscape

While it is possible to recover funds in some cases, recovery is not guaranteed and often depends on several factors. These include the policies and responsiveness of the financial institution, the speed with which the victim acts, and the jurisdiction where the scam occurred. Frequently, when fraudulent content is hosted on international platforms, victims may face significant challenges in holding those entities accountable.

For Policymakers

The central challenge remains unresolved: how to allocate fraud risk fairly in an ecosystem where deception, not technology, is the primary weapon. Without clearer recovery rights for APP victims and stronger platform accountability, fraud losses will continue to be socialised onto individuals least able to absorb them.

Looking Ahead: Recovery as the Next Regulatory Frontier

The recent EU reforms mark progress, but they also expose the limits of current thinking. Recovery after bank scams is no longer a marginal issue: it is a defining test of digital consumer protection.

Future reforms are likely to focus on:

  • statutory reimbursement rights for authorised scams;
  • clearer evidentiary standards favouring victims;
  • mandatory inter-bank recovery cooperation; and
  • shared liability models involving online platforms.

Until then, recovery will remain uneven, contested, and deeply dependent on legal nuance rather than lived harm.

Our Cybersecurity Practice

Recovery following a bank scam is rarely automatic and often turns on early legal strategy rather than technical reporting alone. Our Cybersecurity Practice supports victims of payment fraud by preserving critical evidence, assessing bank liability under EU payment law, and pursuing reimbursement through complaints, regulatory escalation, and litigation where necessary. We also advise on cross-border recovery issues and platform-linked scams, recognising that effective recovery increasingly requires coordinated legal action across banks, regulators, and digital intermediaries.

Copyright © 2026 Chetcuti Cauchi. This document is for informational purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking any action based on the contents of this document. Chetcuti Cauchi disclaims any liability for actions taken based on the information provided. Reproduction of reasonable portions of the content is permitted for non-commercial purposes, provided proper attribution is given and the content is not altered or presented in a false light.
