On 5 March 2026, Advocate General Athanasios Rantos delivered his Opinion in Case C-70/25, N.O. v PKO BP S.A. (Tukowiecka), articulating what may become a landmark reinterpretation of the liability architecture under the Second Payment Services Directive (PSD2). The Opinion has not yet been converted into a binding judgment of the Court of Justice of the European Union (CJEU). But if the Court follows the AG’s reasoning, as it frequently does, the practical consequences for financial institutions will be both immediate and significant. The Opinion also lands at a relevant moment, with the European Parliament and Council having reached a provisional political agreement on PSD3 and the Payment Services Regulation (PSR), with formal publication in the Official Journal expected soon.

The AG Opinion in C-70/25 is (deceptively) simple: Article 73(1) PSD2 imposes an immediate refund obligation on payment service providers (PSPs) in the event of an unauthorised payment transaction, and gross negligence by the customer does not suspend that obligation. Under the AG’s reading, the legal sequence should be that the PSP refunds the customer promptly upon notification of an unauthorised transaction and, only after refunding, the PSP may seek to recover the amount from the customer if it can prove that the customer acted fraudulently or with gross negligence.

Only where the PSP has reasonable grounds to suspect fraud by the customer and has communicated those grounds in writing to the competent national authority can the PSP refuse to reimburse. This refund first, litigate later sequence inverts the default posture that many EU banks currently adopt. Rather than bearing the practical burden of proving institutional fault while waiting months or years for courts to resolve disputes, fraud victims would recover funds immediately.

From a consumer protection point of view, there are clear benefits to AG Rantos’ approach. When reimbursement is withheld, victims face immediate liquidity problems, overdraft exposure, and inability to meet financial obligations at a very delicate moment, when also faced with damage from fraud. Nevertheless, the approach will expose PSPs to risks. It may often be the case that a fraudulent or negligent consumer will no longer be solvent by the time the bank obtains a favorable court order demanding reimbursement.

The AG Opinion does not arise in a vacuum. It crystallises a problem that practitioners and scholars have documented for years, namely that EU law does not define gross negligence. The European Banking Authority identified the same gap in its April 2024 Opinion, recommending that gross negligence assessments account for fraud complexity, the victim's personal circumstances, whether the victim had reasonable grounds to believe they were transacting with a legitimate entity, and whether PSPs could have taken additional preventive measures. The French Cour de Cassation moved in this direction in October 2024, holding in Cass. com., n° 23-16.267 (BNP Paribas) that sophisticated impersonation tactics such as using telephone numbers identical to legitimate bank numbers, deploying artificial urgency, and impersonating recognized bank advisors preclude a finding of gross negligence. The AG Opinion in Tukowiecka pushes further by removing gross negligence entirely as a precondition for the duty to refund.

The divergence across Member States, with France applying a sophisticated-fraud-awareness standard while Romania, among others, continuing to privilege technical authorization, illustrates why a harmonized definition is not merely desirable but essential. The Tukowiecka judgment, once delivered, might provide that harmonizing impetus at the level of CJEU authority.

For PSPs, the AG Opinion imposes four operational demands that financial institutions should begin addressing now, rather than awaiting the final judgment.

First, refund processing infrastructure must be redesigned. If the CJEU follows the Opinion, PSPs will need to build or upgrade systems capable of processing refunds for reported unauthorised transactions promptly, without withholding reimbursement pending internal gross-negligence review. The internal investigation may continue, but it can no longer function as a precondition for payment.

Second, the fraud-suspicion exception must be operationalized with care. The narrow exception (reasonable grounds to suspect customer fraud, communicated in writing to the competent authority) must be governed by clear internal escalation protocols. Invoking this exception without adequate documented grounds exposes PSPs to regulatory and civil liability.

Third, downstream recovery procedures must be strengthened. If PSPs can no longer front-load the gross-negligence analysis to deny reimbursement, the practical utility of a subsequent recovery claim depends on evidentiary preparation beginning at the moment of the fraud report, not after reimbursement has been made. Transaction logs, SCA records, fraud intelligence, and communications with the customer must be preserved and organized in real time.

Fourth, the litigation strategy must adapt. Legal teams and compliance functions will need to develop robust frameworks for assessing and substantiating fraud or negligence claims, not as a gatekeeping exercise at the refund stage, but as a considered decision whether to pursue subsequent recovery.

The Tukowiecka scenario (phishing via a link delivered on a purchase platform) represents a narrow slice of a broader landscape. The EBA and ECB 2025 Report on Payment Fraud records billions in EEA payment fraud for 2022 alone. What makes these figures legally significant is that the majority of losses arise from transactions that are technically authorised, meaning the PSD2 liability framework, including the upcoming Tukowiecka ruling, does not directly resolve them.

Tukowiecka is not yet a judgment, and financial institutions have not yet crossed the compliance threshold it may ultimately impose. But the direction of travel is clear. The CJEU is being asked to confirm that immediate reimbursement is a primary legal obligation under PSD2, not a discretionary benefit conditional on the PSP's internal assessment of customer negligence. The AG has said yes, unambiguously.

For financial institutions, the responsible course is to redesign refund workflows, operationalize the fraud-suspicion exception with documentary rigor, preserve evidence for downstream recovery, and audit gross-negligence assessment protocols against a standard that accounts for fraud sophistication rather than mere technical authorization.