
Unauthorized Transaction – Who Is Liable When Funds Disappear from a Business Account?
Cases of fraud involving unauthorized withdrawals from bank accounts—without the account holder’s knowledge or consent—are increasingly common. Business owners are not immune to such incidents. This raises the question: who bears responsibility for unauthorized transactions from a bank account? This article aims to clarify key issues based on an analysis of national and EU regulations, case law, and banking practices.
Case Example
Consider a scenario in which an entrepreneur running a business falls victim to funds being stolen from a company bank account. A transfer was made to a third-party account without the entrepreneur’s knowledge or consent—likely through phishing, malware, or compromised login credentials. Upon lodging a complaint, the bank declined to reimburse the funds, arguing that consumer protections do not apply to business clients.
This situation raises two essential issues: the extent of a bank’s liability to a non-consumer client, and the practical legal avenues for pursuing claims—through complaints or civil lawsuits.
Legal Framework – Distinction Between Consumers and Entrepreneurs
According to Article 45(1) of the Payment Services Act, a payment service provider is liable to the user for any unauthorized payment transaction, subject to Article 46(2) and (3). In consumer cases, there is a presumption that the user did not authorize the transaction—meaning the burden is on the bank to prove it was authenticated and approved.
For businesses, the situation is more complex. The law permits contractual modifications or exclusions of the bank’s liability in agreements with non-consumer clients. In practice, banks often use their general terms and conditions (GTCs) to disclaim responsibility for transactions they deem authorized—raising legal concerns about fairness and potentially violating principles of good contractual faith.
Furthermore, Article 50 of the Payment Services Act obligates the service provider to implement adequate technical measures to ensure secure use of payment services. A bank cannot escape liability merely because the client is a business, especially if it failed to provide a sufficient level of system security.
Judicial Perspective and Case Law
In handling such cases, I have observed a positive trend: although consumer protections are formally excluded in B2B relationships, courts increasingly hold banks accountable for unauthorized transactions when there is a clear failure on the part of the financial institution.
For example:
- Court of Appeal in Warsaw, judgment of 30 November 2020, case VI ACa 407/19 – held that banks must apply the same standards of diligence in business relationships as in consumer ones. Liability stems from Article 471 of the Civil Code, in conjunction with Article 355 § 2, which defines the standard of care required of professionals.
- District Court in Katowice, judgment of 18 May 2022, case I C 764/21 – found that the bank was liable for not implementing strong customer authentication (SCA) mechanisms or ignoring suspicious transaction patterns (e.g. large amounts, transfers to exotic destinations, logins from different continents).
Additionally, the Court of Justice of the European Union (CJEU) judgment of 25 November 2021 in OTP Bank, case C-287/19, emphasized that technical implementation of security measures alone is insufficient—banks must act “actively and dynamically” to combat fraud, including, for example, automatically blocking suspicious transactions.
Both EU case law and legal doctrine affirm that differentiating between consumers and businesses must not amount to a complete denial of legal protection for the latter.
National courts such as the German Federal Court of Justice (BGH) and French Cour de cassation also stress that all clients—regardless of legal status—have the right to expect professionalism and adequate safeguards from their banks.
In its 26 January 2021 ruling, case XI ZR 22/20, the BGH stated that “professional diligence by a bank includes monitoring customer behavior patterns and automatically responding to anomalies”—failure to do so may justify liability.
Moreover, the European Banking Authority (EBA), in its PSD2 guidelines, highlights that strong customer authentication should be applied even in high-value B2B transactions, particularly if the client does not implement internal security controls.
Summary and Recommendations
Entrepreneurs should carefully review their contracts and the bank's general terms and conditions (GTCs), and consider requesting enhanced security measures—such as SMS confirmations for transactions exceeding a predefined threshold.
In case of an unauthorized transaction, immediate action should be taken:
- File a formal complaint with the bank,
- Request system logs to verify activity,
- Report the incident to law enforcement (under Article 286 of the Penal Code – fraud),
- Consult a digital forensics expert to prove the business was not at fault.
Legal claims may also be pursued for non-performance of contractual obligations (Art. 471 of the Civil Code) or gross breach of duty by a public-trust institution, such as a bank.
Although statutory consumer protections do not extend to entrepreneurs, this does not automatically exempt financial institutions from liability for unauthorized transactions.
Each case must be individually assessed with respect to:
- The bank’s duty of care,
- Whether SCA was applied,
- How the bank responded to client behavior anomalies,
- The adequacy of the bank’s internal security systems.
A business client has a legitimate basis to demand reimbursement—provided the right evidence is presented and the bank’s failures are clearly demonstrated. National and EU case law can and should be used strategically in disputes with financial institutions, especially in light of the legal expectations of professionalism, transparency, and client protection.