For years, banks have held the stronger hand in fraud disputes. A Belgian court has just reshuffled the deck.
On 26 May 2026, the presiding judge of the Antwerp Business Court handed down what banking law specialists are already describing as a groundbreaking decision. The facts were straightforward but troubling: a couple aged 90 and 93 lost nearly EUR 50,000 (approximately ZAR 1 million) after a fraudster, impersonating an employee of their bank, persuaded them to transfer the money to an account in Portugal. The fraud was sophisticated. The deception was complete. And, as in so many cases of this nature, the bank initially refused to reimburse its customers.
In circumstances where the cash cannot be recovered from the fraudster, which is more often the case than not, banks routinely refuse to reimburse victims on the basis that they were negligent in falling for the scam. The Antwerp court rejected that reasoning, in a decision that may carry considerable weight well beyond Belgian borders.
The Court held that the bank's obligation under the Belgian Code of Economic Law is to reimburse immediately and provisionally. The question of gross negligence and allocation of final liability is a matter for subsequent proceedings on the merits. The bank cannot rely on that prospect to withhold reimbursement. This finding is underpinned by the principle of
“pay first, argue later”.
The ruling also draws weight from developments in EU law. On 5 March 2026, the Advocate General in a pending Court of Justice of the European Union case gave an opinion that the obligation to reimburse immediately applies even where gross negligence by the customer is suspected. While not binding, the Antwerp Court found this highly persuasive.
The Court further affirmed the principle that
the bank is obliged to reimburse a customer who is a victim of phishing, unless the
bank proves that the customer committed a
gross error.
This is significant for two reasons:
- Historically, customers had to prove they were not negligent. The Antwerp Court shifts this burden onto banks to prove gross negligence.
- The standard is now
gross negligence, not ordinary negligence. The bar is high: not every mistake or lapse in judgment meets this threshold. The distinction between being deceived and being careless is central.
It should be noted that the Antwerp ruling is provisional and the gross negligence question remains to be determined at a later stage.
The South African position
Closer to home, courts have grappled with similar tensions but reached different conclusions. Importantly, leading South African cases concern disputes between payer and payee, not between banks and customers. Whether financial institutions owe a duty of care to those transacting through them remains unresolved.
In
Edward Nathan Sonnenberg Inc v Hawarden [2024] ZASCA 90, the Supreme Court of Appeal reversed a decision suggesting that payees owe a duty to protect payers from hacked accounts, holding that such a duty was untenable where the payer could have taken protective steps.
More recently, in
Intengo Imoto (Pty) Ltd t/a Northcliff Nissan v Zoutpansberg Motor Wholesalers CC t/a Hyundai Louis Trichardt [2025] ZASCA 93, the Court held that a payer who pays into the wrong account due to fraud has not discharged its obligation. The risk remains with the payer, who must ensure payment reaches the correct account.
A law still being written
This is an area of law in flux. Courts worldwide are applying pre-digital legal principles to modern cybercrime, increasingly drawing on each other’s reasoning. South African courts have shown willingness to consider international jurisprudence, and it is likely that rulings of this nature will influence future decisions locally.
As cybercriminals become more sophisticated—leveraging artificial intelligence, deepfakes, and highly convincing phishing tactics—the adequacy of institutional safeguards is under increasing scrutiny. Banks must implement controls proportionate to evolving risks. What was reasonable security five years ago may no longer suffice.
Customers must remain vigilant, but vigilance alone is often inadequate against well-resourced and adaptive adversaries.
What this means for your business
Whether you are a financial institution calibrating your exposure to fraud reimbursement claims, a business assessing the adequacy of your payment verification controls, or navigating a dispute arising from a compromised transaction, the legal ground is shifting beneath your feet. Understanding where the law currently stands, how it is developing, where your exposure lies and how you can mitigate your risk has never been more commercially critical.
In a landscape where the law is still being written, the institutions that understand their exposure, and act on it, will be the ones best placed to navigate what comes next.
