Belgian Court Defines Gross Negligence in Phishing Ruling
Belgium’s highest court has delivered a landmark ruling that clarifies when banks can deny compensation to phishing victims, prompting Minister of Consumer Protection Rob Beenders to declare that financial institutions must respect the law. The Court of Cassation’s decision, handed down last month, provides the first clear legal definition of “gross negligence” in the context of online banking fraud — a term that has long been a source of legal uncertainty for victims and banks alike.
According to VRT NWS, the ruling overturns a 2025 Brussels Court of Appeal decision that had deemed a phishing victim “grossly negligent,” setting a new legal standard that significantly raises the bar for banks seeking to avoid reimbursement.
The Legal Framework
Under Belgian law, which implements EU payment services directives, when a payment is made without a customer’s consent, the bank must reimburse the amount — unless the bank can prove the customer was grossly negligent. In practice, banks have routinely invoked this exception to deny claims, leaving victims to fight lengthy legal battles.
The problem was that Belgian law never defined what constituted “gross negligence.” The Court of Cassation has now filled that gap, defining it as “conduct that a reasonable, normally careful payer would never engage in or would never fail to engage in.” This means a victim is only at fault when no ordinary bank customer would ever have acted in the same way under any circumstances.
Minister Beenders’ Response
Minister Beenders welcomed the ruling and called on banks to change their approach. “Banks must respect the law,” Beenders said. “It cannot be that people first have to go to court to enforce their rights.” He added: “Time and again it appears that some banks do not correctly apply the law and unjustly leave phishing victims out in the cold.”
The minister’s comments reflect growing frustration with how financial institutions handle phishing compensation claims. The ruling is expected to have significant implications for thousands of pending and future cases.
A Widespread Problem
The scale of phishing fraud in Belgium is staggering. In December 2025 alone, phishing victims in the province of Antwerp lost EUR 5.5 million. Over the full year 2024, total losses in Antwerp province reached nearly EUR 40 million. These figures underscore the urgency of clearer legal protections.
Just weeks before the Cassation ruling, on June 3, 2026, an Antwerp summary proceedings judge ruled that banks must immediately reimburse phishing victims before arguing about gross negligence. That case involved an elderly couple who lost nearly EUR 50,000 to someone posing as a bank employee in Portugal. Banking law expert Geert Lenssens described the decision as significant because “the roles are reversed. It is the bank that must pay first and can then go to court itself to challenge that.”
Victims Speak Out
Phishing victims have long felt blamed by their banks. Marc Vermeulen, who lost EUR 122,000, told VRT NWS: “You are often labeled as the stupid fool who falls for it. I know stories of doctors, lawyers and even IT professionals who have been robbed this way.” Another victim, 57-year-old Ella, who lost EUR 44,999, said: “The bank treats you almost as a perpetrator, instead of as a victim. They push people even deeper into the pit.”
Jean Cattaruzza, the Ombudsman for Financial Services, has noted that “banks too often reason that you can only be scammed if you as a customer have been negligent yourself. That is of course not true.” He pointed out that in other countries, banks must reimburse victims even when they have been negligent.
What Comes Next
Minister Beenders is not waiting for the courts alone. His party, Vooruit, proposed legislation in April 2026 requiring banks to reimburse phishing victims within 24 hours. Additionally, new European rules under PSD3/PSR will introduce a four-hour cooling-off period between a request to increase a transfer limit and its implementation, along with mandatory IBAN-name checks. These measures are expected to take effect by the end of 2027, but Beenders is negotiating with Febelfin, the Belgian banking federation, to implement them sooner in Belgium.
The minister has also announced a single telephone hotline for reporting phishing, to be operational from mid-2026.
The Court of Cassation’s ruling marks a turning point in the fight against online banking fraud in Belgium. By providing a clear legal standard for gross negligence and shifting the burden of proof firmly onto banks, the decision empowers victims and signals that financial institutions can no longer rely on legal ambiguity to deny legitimate claims. The question now is whether banks will change their practices voluntarily — or whether further legislative action will be needed to enforce compliance.