In two rulings delivered on June 12, 2025 (Nos. 24-13.697 and 24-10.168), the Commercial Chamber of the Court of Cassation recalled and clarified its case law on the liability of banks under their duty of vigilance when executing fraudulent transfer orders, particularly in cases of so-called “CEO fraud”.
“CEO fraud” refers to schemes in which an individual impersonates a company executive or authorized representative to induce an employee—often under pressure or under the guise of confidentiality—to execute an urgent transfer to a third-party account.
In such cases, since the transfer order is deemed to have been authorized by the client, the bank’s liability cannot be established under Articles L.133-18 to L.133-24 of the French Monetary and Financial Code, which govern unauthorized payment transactions. However, a bank may still be held liable under the general principles of contractual liability set out in Article 1231-1 of the French Civil Code.
Through these two rulings (Nos. 24-13.697 and 24-10.168), the Court of Cassation reiterated that the bank’s duty of vigilance does not impose a general obligation to detect fraud. Consequently, a bank cannot be held liable (I) when the transfer has been confirmed by an authorized individual, or (II) when the transaction bears no apparent irregularity that could have reasonably raised suspicion.
I. The bank’s liability for breach of its duty of vigilance cannot be established when the transfer has been confirmed by an authorized person
In the first case (No. 24-13.697), a company discovered that an employee of a service provider responsible for managing and administering its bank accounts had executed eleven transfers as part of a “CEO fraud” scheme. The account-holding company alleged that the bank had failed to comply with its duty of vigilance.[1]
In this case, an accountant employed by the debtor company, who was duly authorized to operate the company’s account, had carried out eleven fraudulent transfers to foreign accounts after receiving fake emails purporting to come from the company’s CEO and referring to a confidential acquisition project. These transfers were made by the authorized employee through the bank’s online banking service, using the established authentication procedure.[2]
A few days later, the company’s CEO received a call from the bank requesting confirmation of a phone inquiry aimed at increasing the company’s existing credit facility. The CEO immediately asked that the transfer be blocked and cancelled. The company subsequently filed a criminal complaint and sought to hold the bank liable for damages.[3]
The Court of Appeal had found the bank liable, ruling that the apparent anomalies in the transfer orders should have prompted the bank, under its duty of vigilance, to verify the authorization with the company’s CEO or CFO.[4]
The Court of Cassation overturned this decision, holding that since the bank had obtained confirmation of the transactions from a person duly authorized to operate the account, it had not breached its duty of vigilance.[5]
This ruling therefore clarifies the scope of the duty of vigilance incumbent on banks in cases of “CEO fraud.” It confirms that once the bank has ensured that the operations are authorized by a duly empowered individual, it cannot be held liable, even where the transfer orders present apparent irregularities.
II. The bank’s liability for breach of its duty of vigilance cannot be established in the absence of apparent anomalies in the transfer orders
In the second case decided on June 12, 2025 (No. 24-10.168), an accountant, deceived by fraudulent emails impersonating the company’s CEO, ordered several transfers to an account held in a Member State of the European Union. The company holding the bank accounts then accused the bank of breaching its duty of vigilance.[6]
The Court of Cassation upheld the findings of the lower courts, which had dismissed any fault on the part of the bank. The Court noted that although the transfers were fraudulent, they complied with the agreed limits, were covered by the account balance, and were directed to a licensed EU-based bank “which did not raise any particular security concerns”. Therefore, there were no obvious anomalies that would have required a specific alert from the banking institution.[7]
This decision confirms a restrictive interpretation of the bank’s duty of vigilance, which appears to be limited to objectively detectable anomalies. In the absence of clear indicators of fraud – such as exceeding transaction limits, insufficient funds, or a suspicious recipient – the bank is not required to question the authenticity of the transfer orders it receives.
*
In conclusion, these rulings clarify the scope of banks’ liability in cases of “CEO fraud.” The firm stance adopted by the Court of Cassation should encourage companies to raise awareness among their employees about such fraudulent schemes.