The question of who bears responsibility for fraud losses – banks or customers – is a growing concern as scams become increasingly sophisticated. Current regulations generally place the onus on customers to protect their financial information, but discussions are underway regarding potential shifts in liability. Experts acknowledge the need to balance consumer protection with preventing fraud incentives and maintaining a stable financial sector, a complex issue explored in the following statements from the Financial Supervision Authority and industry representatives.
Banks in Poland are facing increased pressure to reimburse customers for unauthorized transactions, a move that could significantly impact the financial sector and consumer trust. Negotiations between banks and the Polish Office for Competition and Consumer Protection (UOKiK) are nearing completion regarding a binding decision that will require lenders to adhere to stricter refund policies.
Unauthorized transactions are defined as those that are properly authenticated – verifying the identity of the customer – but for which the user did not provide consent. These incidents are increasingly common in Poland, posing a significant challenge for regulators seeking to determine liability between banks and their customers.
Current regulations stipulate that banks should refund customers within one business day (D+1) of receiving a claim. However, banks have historically resisted full compliance, often denying claims by arguing that successful authentication meant the transaction was authorized. This practice has drawn scrutiny from the UOKiK, which is now pushing for more consistent application of the rules.
Fraudulent Activity Targeting Bank Customers is a Growing Concern
The scale of fraud targeting bank customers is escalating, with perpetrators operating as sophisticated enterprises that continually invest in and test new methods. Banking sources estimate that losses from fraudulent transactions – shared between banks and consumers – total approximately 800 million Polish złoty annually, with some estimates reaching 1 billion złoty. This represents a substantial financial risk for both institutions and individuals.
The Polish Payment System Council (RPS) reported a continued increase in fraudulent transfer transactions in the first half of 2025, primarily utilizing social engineering tactics. The council recommended that market participants implement measures to verify the consistency of account numbers with recipient names, and advocated for regulatory changes at both the national and EU levels to address communication channels exploited by fraudsters.
Proceedings Continue as Procedures are Updated
Banks claim to have largely aligned with the UOKiK’s 2022 position on unauthorized transactions and are now refunding funds within the D+1 timeframe. The prevailing approach in Poland now considers authorization to require both authentication and customer consent – a more stringent standard than in some other countries where authentication is seen as a purely formal process.
However, proceedings initiated by the UOKiK against 14 banks regarding suspected violations of collective consumer interests are still ongoing. A binding administrative decision could result in the banks agreeing to cease the challenged practices without facing financial penalties.
In response to inquiries, the UOKiK stated that, as part of ongoing investigations, some institutions have submitted revised procedures for handling such claims. “These are currently under review by the President of UOKiK. A position on this matter will be expressed only in the administrative decision concluding the proceedings,” the office indicated.
Sources indicate that banks continue to discuss claims and refunds with the UOKiK for transactions customers believe were unauthorized. On October 7th, bank presidents met with the President of UOKiK, and two working groups – legal and operational – were established to develop methods for combating fraud.
Banks Initiate Legal Action Against Customers
Banks contend that complying with the UOKiK’s requirements necessitates certain actions. When a customer files a claim alleging unauthorized transactions, banks often initiate civil lawsuits to recover funds – even while refunding the money as mandated by the UOKiK – suspecting customer negligence. In some cases, they may also file criminal complaints if they believe false statements were made.
— We don’t want to do this, but it stems directly from the UOKiK’s interpretation of the regulations. We have to fight to recover the money. We file an average of one notification with the prosecutor’s office per day — said one banker, ironically noting that such notifications sometimes prompt customers to “remember” that they shared their login credentials.
In this context, the UOKiK referenced its position statement regarding the interpretation of the Payment Services Act of August 19, 2011, concerning unauthorized payment transactions, published on November 16, 2022.
“If the payment service provider suspects that an unauthorized payment transaction occurred due to the payer’s gross negligence, the provider is obliged to refund such a transaction, but may pursue claims against the payer through civil proceedings. According to Art. 46 para. 1, the provider is exempt from the obligation to refund the amount of a transaction that the payer disputes in only two situations expressly indicated in the provision,” the press office stated.
These situations are the expiration of 13 months from the date of the unauthorized payment transaction (if the payer did not report the transaction to the payment service provider within that time) and the situation where the payment service provider has justified and properly documented grounds to suspect fraud and informs the law enforcement authorities in writing.
“If the payment service provider suspects that the customer’s report constitutes an attempt to defraud, it is obliged to report it to law enforcement agencies – otherwise, it must refund the amount of the transaction.”
UOKiK Considers Expanding Scope of Responsibility
Sources indicate that the UOKiK is increasing its expectations for banks and now seeks to treat as unauthorized – and refund – transactions conducted by customers under the influence of fraudsters using social engineering tactics. This represents a significant portion of losses from fraudulent transactions.
The UOKiK responded by stating that, during ongoing investigations, it has found that banks often arbitrarily assessed the potential gross negligence of the customer and equated the concepts of “authentication” and “authorization,” misleading customers.
“In light of the above, the President of UOKiK is currently focused on ensuring that the entities subject to allegations develop procedures that eliminate such arbitrary actions. Details of these solutions are the subject of discussions with individual entities within the framework of ongoing administrative proceedings. The President of UOKiK is aware that in individual cases, it is not always easy to determine whether a transaction was authorized or not. As a general rule, cases in which customers themselves make transactions do not constitute unauthorized transactions, but internal procedures for handling complaints should appropriately exclude the possibility of arbitrarily refusing to refund the amount of a transaction reported by the customer as unauthorized,” the press office indicated.
Banks Push Back Against Expanded Liability
One banker stated that under current law (PSD2, the Payment Services Act), banks are only liable for transactions not authorized by the customer. However, the law excludes liability in cases where the customer’s intentional misconduct or gross negligence contributed to the transaction (Art. 46 para. 3 of the UUP).
— For authorized transactions – those for which the customer has given consent in accordance with the agreement between the customer and the bank – the customer is generally responsible. Fraudulent transactions resulting from manipulation or social engineering are often authorized by the customer themselves — our source emphasized.
The discussion about expanding the responsibility of payment service providers for fraudulent transactions arose during the work on the PSR project (Payment Services Regulation), which is still under development. While there were attempts to broaden responsibility, it was ultimately agreed that banks would only be liable for fraudulent transactions resulting from so-called bank spoofing (impersonating a bank).
The banker argues that the UOKiK’s expectation that banks refund money for fraudulent transactions – effectively authorized but occurring while the customer was under the influence of fraudsters – is excessive.
— Banks must comply with existing laws, and today there is no legal basis for this. Even the PSR project does not go that far and proposes to extend the liability of banks only to so-called bank spoofing. Member states, during work on the PSR, concluded that banks cannot be held responsible for something over which they have no influence, often not even knowing that a fraudster is contacting the bank’s customer and committing a fraud involving the transfer of funds to, for example, a grandson, a priest, or a police officer, using infrastructure outside the bank, belonging to telecommunications companies — he added.
Jacek Barszczewski, Spokesman for the Financial Supervision Authority
Maintaining a reasonable balance when determining the scope of responsibility for both the user and the financial institution is key. The goal is to create a mechanism that, on the one hand, encourages financial institutions to consistently improve the security of transactions, and on the other, does not lead to a situation where customers lose vigilance, assuming automatic compensation for every action. Overly broad exemption of the client from responsibility could encourage the growth of fraud and create space for moral hazard, in which users make less cautious decisions. It requires taking into account both the need for real consumer protection and the risk of abuse, which can increase the costs of the entire sector.
Customer protection should be effective, but should not lead to the complete elimination of responsibility for compliance with basic payment security principles. The system must limit the risk of abuse and support solutions that help customers and strengthen market stability. Insufficient protection of customers, however, would lead to a loss of trust, which is one of the most serious threats to the market. It is therefore necessary to shape regulations and practices so that responsibility is distributed proportionally. Customer protection must be real, but the system must not generate incentives for abuse. Precise definition of the principles of responsibility, exceptions and criteria for protecting vulnerable customers is key to maintaining the security and resilience of the entire sector.
Author: Maciej Rudke, Business Insider Poland