From victim to accused. Banks give customers money back, but take cases to court


In September, we wrote in Business Insider that banks are negotiating with the Office of Competition and Consumer Protection the conditions for issuing a binding decision in the proceedings that the Office is conducting against banks concerning so-called unauthorized transactions. This allows banks to avoid fines, but forces them to comply with the Office's requirements regarding refunds to customers.
An unauthorized payment transaction is an operation that has been correctly authenticated (a technical action intended to verify the identity of the customer making the transaction), but to which the user has not consented. There are thousands of such operations in Poland and determining the liability of banks and customers is one of the biggest challenges for regulators.
According to the regulations, banks should, after the customer submits a complaint, return the money by the end of the next business day after the complaint (so-called D+1). However, in the past they did not always fulfill this obligation. They often dismissed complaints, arguing that since the transaction had taken place, it had been properly authenticated and there was no question of an unauthorized operation. They did not provide evidence of gross negligence or willful misconduct on the part of the client.
Extorting money from bank customers is a real industry
The scale of extortion of money from bank customers by criminals who, according to our interlocutors, are very well organized, operate de facto like enterprises, invest and constantly try new methods, is increasing. According to bankers we talked to, the scale of losses due to fraudulent transactions – incurred by banks together with consumers – is approximately PLN 800 million per year, and some suggest that it may be as much as PLN 1 billion.
The Payment System Council at the NBP noted in the first half of 2025 a further increase in fraudulent transactions in transfer orders, mainly using social engineering, and recommended that payment market participants counteract this phenomenon. It recommended the creation of a sector-specific solution to verify compliance of the account number with the name of the payment recipient and the introduction of appropriate regulatory changes in national and EU law, including in relation to the functioning of communication channels used by fraudsters.
The proceedings are ongoing and the procedures have been changed
Banks claim that they have largely complied with the Office of Competition and Consumer Protection's position from 2022 regarding unauthorized transactions and are returning the money within the D+1 deadline. Currently, the common approach of banks in Poland is that authorization is authentication plus the customer's consent. This is a more rigorous approach than in other countries, where authorization is only a formal confirmation of the authentication process (it is difficult to clearly assess what the client's will was).
However, proceedings on the suspicion of these entities using practices violating the collective interests of consumers, conducted by the Office against 14 banks, are still ongoing. As part of the administrative decision issued as a result of such proceedings, the President of the Office of Competition and Consumer Protection may, among other things, state that an infringement has occurred, at the same time establishing that the entrepreneur has discontinued the practice it is accused of. This is the so-called binding decision, which means no financial penalty for the audited entity.
In response to our question about whether banks have actually started to comply with the requirements, the Office of Competition and Consumer Protection replied that, as part of the ongoing proceedings, some entities submitted modified procedures for dealing with such complaints. “They are currently being analyzed by the President of the Office of Competition and Consumer Protection. The position on this matter will only be expressed in the administrative decision concluding the proceedings,” the Office indicated.
Our unofficial information shows that banks are still talking to the Office of Competition and Consumer Protection regarding complaints and refunds for transactions that customers believe were unauthorized. On October 7, bank presidents met with the president of the Office of Competition and Consumer Protection and two working groups were launched – legal and operational – to develop methods of counteracting fraud.
Banks file lawsuits against customers
At the same time, banks claim that adapting to the practice required by the Office of Competition and Consumer Protection forces them to take certain measures. If the customer files a complaint claiming that he did not authorize the transaction, the bank refunds the money (in accordance with the requirements of the Office of Competition and Consumer Protection) and often at the same time, suspecting that the customer has committed gross negligence, brings a civil suit against him for the return of funds, and sometimes also a criminal case (if it believes that he has given false testimony).
– We do not want to do this, but it results directly from the interpretation of the regulations by the Office of Competition and Consumer Protection. We have to fight for refunds. There is quite a lot of it, on average we submit one notification a day to the prosecutor's office – says one of the bankers, ironically claiming that after such a notification, customers sometimes “remember” that, for example, they shared their login details.
In this context, in a comment for Business Insider, the Office of Competition and Consumer Protection pointed to the position of the President of the Office of Competition and Consumer Protection on the interpretation of the provisions of the Act of August 19, 2011 on payment services regarding unauthorized payment transactions, which was published on November 16, 2022.
“In a situation where the payment service provider suspects that an unauthorized payment transaction has occurred as a result of gross negligence of the payer, the supplier is obliged to refund such a transaction, but may pursue its claims against the payer in civil proceedings. Pursuant to Art. 46 section 1, only in two situations, expressly indicated in this provision, the payment service provider is released from the obligation to refund the amount of a transaction whose authorization is denied by the payer” – said the press office.
These situations are, respectively, the lapse of 13 months from the date of the unauthorized payment transaction (if the payer has not reported such a transaction to the payment service provider within this time) and the situation in which the payment service provider has reasonable and duly documented grounds to suspect fraud and informs the law enforcement authorities about this in writing.
“Therefore, if a payment service provider suspects that a customer's report constitutes an attempted fraud, it is obliged to report it to law enforcement authorities; otherwise it must refund the amount of such transaction.”
Is the Office of Competition and Consumer Protection going a step further?
Our unofficial information shows that the Office of Competition and Consumer Protection (UOKiK) has increased expectations towards banks and now demands that banks also treat as unauthorized transactions (and refund money in these cases) those that were carried out by the client under the influence of fraudsters (social engineering methods). This is the majority of frauds and losses incurred as part of fraudulent transactions.
The Office of Competition and Consumer Protection (UOKiK) replied that, as part of its proceedings, it found that banks could often arbitrarily assess the issue of possible gross negligence on the part of the customer (and refused to refund the amount of the complained transactions), as well as equate the concepts of “authentication” and “authorization”, thus misleading customers.
“Due to the above, it is currently important from the point of view of the President of the Office of Competition and Consumer Protection that the entities that have been charged should develop procedures to exclude such arbitrary actions. The details of these solutions are the subject of talks with individual entities as part of ongoing administrative proceedings. The President of the Office of Competition and Consumer Protection is aware that in individual cases it is not always easy to determine whether a given transaction was authorized or not. In principle, cases in which customers make transactions themselves do not constitute unauthorized transactions, but internal procedures for considering complaints should, to an appropriate extent, exclude the possibility of arbitrary refusal to refund the amount of a transaction complained about by the customer as unauthorized,” the Office of Competition and Consumer Protection said.
Banks are against extending their liability
One of the bankers we talked to points out that under applicable law (PSD2, Payment Services Act), banks are only liable for transactions unauthorized by the customer. It is important that the regulations exclude banks' liability in a situation where the customer has caused these transactions due to willful misconduct or as a result of willful or grossly negligent violation of at least one of the obligations arising from Art. 42 UUP (Article 46(3) UUP).
— In principle, the customer is responsible for transactions authorized by the customer, i.e. those to which the customer has agreed in the manner provided for in the contract between the customer and the bank. Fraudulent transactions resulting from manipulation or social engineering are in many cases transactions authorized by the customer himself – argues our interlocutor.
He indicates that the discussion on extending the liability of payment service providers for fraudulent transactions appeared only during the work on the PSR project (Payment Services Regulation), which has not yet been completed. He notes that although there have been attempts to extend liability to payment service providers for all fraudulent transactions, it was finally agreed that banks would only be liable for fraudulent transactions resulting from the so-called bank spoofing (impersonating a bank). On Thursday, the EU Council and the European Parliament reached a preliminary political agreement on new rules on payment services (the so-called PSD3 package and the PSR regulation).
According to the banker we talked to, the Office of Competition and Consumer Protection's expectation that banks will also refund money for fraudulent transactions, i.e. transactions that were actually authorized but when the customer was under the influence of fraudsters using social engineering methods, is too far-reaching.
— Banks must, first of all, comply with applicable legal provisions, and today there is no such legal basis. Even the PSR project does not go that far and proposes extending the liability of banks only to the so-called bank spoofing. In the course of work on the PSR, member states came to the conclusion that banks cannot be held responsible for something over which they have no influence, and they often do not even know that a criminal contacts a bank customer and commits the crime of extorting funds for the so-called granddaughter, priest or policeman, using infrastructure outside the bank, belonging to telecommunications companies – he adds.
Jacek Barszczewski, spokesman for the Polish Financial Supervision Authority
It is crucial to maintain a reasonable balance when determining the scope of responsibility for both the user and the financial institution. The idea is to create a mechanism that, on the one hand, will encourage financial institutions to consistently improve the security of transactions, and on the other hand, will not lead to a situation in which customers will lose vigilance, assuming automatic compensation for each action. Too far-reaching release of the customer from liability may contribute to the increase in the phenomenon of manipulation by criminals and create space for moral hazard in which users make less prudent decisions. This requires taking into account both the need for real consumer protection and the risk of fraud, which may increase the operating costs of the entire sector.
Customer protection should be effective, but cannot lead to the complete elimination of responsibility for compliance with basic payment security principles. The system must reduce the risk of abuse and support solutions that both help customers and enhance market stability. At the same time, insufficient customer protection would lead to a decline in trust, which is one of the most serious threats to the market. It is therefore necessary to shape regulations and practices in such a way that responsibility is distributed proportionally. Customer protection must be real, but the system must not generate incentives for abuse. Precise definition of liability rules, exceptions and criteria for protecting vulnerable customers is the key to maintaining the security and resilience of the entire sector.
Author: Maciej Rudke, journalist of Business Insider Polska




