Thursday, July 16, 2026

Belgium Mandates Faster Bank Refunds for Phishing Victims

Valyrian News Network 4 min read

Belgium Mandates Faster Bank Refunds for Phishing Victims

Belgian Minister of Consumer Protection Rob Beenders (Vooruit) is pushing forward with legislation that would require banks to reimburse phishing victims within one working day, fundamentally reshaping the balance of power between consumers and financial institutions. The bill, set for debate in the Council of Ministers on Friday, July 18, aims to end the practice of banks routinely denying claims by citing customer “gross negligence.”

The Scale of the Problem

Phishing has reached epidemic proportions in Belgium. In 2025, criminals stole €93 million through phishing attacks, with over 11,000 cases reported — a 30% increase from the previous year, according to Het Laatste Nieuws. Fraudsters now impersonate not just banks but also government services like MyMinfin, health insurer CM, and utility company De Watergroep, making detection increasingly difficult for ordinary consumers.

What the Legislation Changes

The proposed law provides a clear legal definition of “authorized” versus “unauthorized” payments. Under the new rules, clicking a phishing link in good faith — even if the victim entered their PIN, used itsme, or confirmed with a card reader — constitutes an unauthorized payment. The bank must reimburse the full amount by the next working day.

“Criminals today work so professionally that it’s nearly impossible for an ordinary consumer to distinguish real from fake,” Beenders told HLN. “If you click in good faith on a link from scammers to, for example, MyMinfin, CM, or De Watergroep, after which money disappears from your account, that is an unauthorized payment.”

Victims tricked by fake bank employees into installing hacking software or giving codes over the phone are also covered. However, the law does not protect against invoice fraud, where victims themselves initiate a transfer to a fraudulently altered IBAN — the IBAN-name check is expected to provide sufficient warning in those cases.

Burden of Proof Shifts to Banks

A central pillar of the legislation is shifting the burden of proof. Banks must now prove that the customer was genuinely at fault to deny reimbursement. The only exception is if the account holder themselves attempted to defraud the bank.

This follows a landmark ruling by Belgium’s Court of Cassation, which defined gross negligence as “conduct that a reasonable, normally careful payer would never engage in or never fail to engage in” — an extremely high bar. “By consistently waving the term ‘gross negligence,’ banks have created the atmosphere that phishing is almost always the customer’s fault. That’s not correct,” Beenders said.

Transparency Measures

The bill also introduces unprecedented transparency requirements. Banks must publish anonymized legal opinions from the financial ombudsman service Ombudsfin on their websites for each disputed case. If a bank refuses to follow Ombudsfin’s advice, it must publish its reasoning publicly, allowing consumers to compare how different institutions handle claims.

Banking Sector Response

The banking sector, represented by Febelfin, refused to cooperate on the reimbursement aspect of the legislation, though it did collaborate on a 15-point prevention plan announced the previous week. That plan includes lowering standard transfer limits to a maximum of €5,000 per day by early 2027, a mandatory four-hour cooling-off period for limit increases, and a fraud data sharing platform across banks.

Febelfin stated that banks already make “heavy efforts” and argued that online fraud requires a broad approach involving telecom operators, tech companies, police, and the justice system.

EU Context and Timeline

Belgium is accelerating ahead of expected EU-wide rules. The Third Payment Services Directive (PSD3) and new Payment Services Regulation (PSR) are projected to require all EU banks to compensate phishing victims by the end of 2028. “We are accelerating in Belgium now what Europe will impose anyway,” Beenders noted.

Opposition MP and former Justice Minister Vincent Van Quickenborne (Anders) welcomed the clarity but stressed enforcement: “The minister is doing what we already proposed with a bill two years ago: creating clarity. But he must also enforce the law. That means banks must first actually reimburse, and only then can there be discussion.”

The bill is expected to pass the Council of Ministers and become law by the end of 2026.

What This Means for Consumers

If enacted, the legislation represents a significant victory for Belgian consumers. Currently, phishing victims face a daunting process: banks refuse reimbursement, forcing victims to hire lawyers and go to court. The new framework guarantees rapid reimbursement, shifts the burden of proof to banks, and creates public accountability through published Ombudsfin opinions — reducing the power imbalance between individual consumers and large financial institutions.