Publication date: May 11, 2026
An unauthorized transaction is a financial transaction made without the consent of the account or cardholder, for example, as a result of data theft. In such a situation, the bank is obligated to return the funds unless it can prove the customer’s intentional act or gross negligence.
Currently, there is a noticeable increase in unauthorized transactions. This causes payers and banks to lose nearly a billion złoty annually. The Polish Financial Ombudsman is noticing a growing number of requests for intervention regarding unauthorized payment transactions. In the first half of 2020 alone, it received 416 requests. This is more than in all of 2018, when there were 367. In 2019, there were 612 requests, an increase of almost 60%. It is worth noting that in the first half of 2020, requests regarding unauthorized transactions accounted for 80% of all requests related to violations of the Payment Services Act.
The Payment Services Act[1] (which has been harmonized with EU law[2]) lacks a definition of an unauthorized transaction, but it can be derived from Article 40(1) of the Act. A payment transaction is considered authorized if the payer has consented to executing the payment transaction in the manner provided for in the contract between the payer and their payment service provider. Consent may also apply to subsequent payment transactions. In simple terms, an unauthorized payment transaction is one to which the payer has not consented, i.e., has not authorized it. Authorization should be distinguished from authentication, i.e., a technical act involving the provision of payer data, use of an appropriate financial token, etc. An authenticated transaction may remain unauthorized due to the use of various manipulation and social engineering techniques, such as phishing.
Bank account agreement
Pursuant to Article 725 of the Civil Code, through a bank account agreement, the bank undertakes to the account holder, for a specified or unspecified period, to hold their funds and, if the agreement so provides, to conduct monetary settlements on their behalf. The bank is therefore the owner of the funds and should ensure their security.
It is possible to obtain a refund from a bank in the event of an unauthorized transaction. The Payment Services Act, in this case, assumes a shift in the burden of proof from the customer to the bank (reversed burden of proof). Article 45, paragraph 1 of the Act states that the user’s provider bears the burden of proving that the payment transaction was authorized and correctly recorded in the provider’s payment transaction processing system and that it was not affected by a technical failure or other defect related to the payment service provided by that provider, including the provider providing the payment transaction initiation service.
Under the Act, the bank is obligated to respond to a complaint within 15 days (and exceptionally within 35 days in particularly complex cases). If the response deadline is extended, the bank must inform the client within 15 days of the extension and the basis for it. Communication is in writing, but with the client’s consent, electronic contact is also possible. If the complaint is upheld, the refund must be made immediately, within one business day of notification to the bank. If the bank disagrees with the client, it must notify law enforcement authorities and may then waive the refund. The payer will be required to return the funds once the bank proves that the client:
The user’s obligations are as follows:
Accidental transfer and unauthorized transaction
Unauthorized transactions should be distinguished from erroneous transfers. In the case of an erroneous transfer, the payer intends to complete the transaction (authorizes) and confirms login details (authenticates), but due to an error, the funds are transferred to the wrong recipient’s bank account. The customer should immediately notify the bank of the error. The bank will contact the recipient of the erroneous transfer within three days, informing them of the consequences of failing to refund within 30 business days. The bank will provide the recipient with a technical account to eliminate the risk of data leaks. The payer receives the refund from the technical account. The recipient remains anonymous and cannot be charged any fees. The bank may, however, pass on the costs of the refund to the payer. If the recipient of the transfer does not transfer the funds to the technical account within 30 days, the bank will share the recipient’s data with the payer, who will then be able to pursue civil claims.
| Accidental transfer | Unauthorized transaction |
| --- | --- |
| the payer knowingly makes the transfer | a third party interferes in the process |
| the payer realizes that the transfer was mistakenly made to the wrong account | lack of payer’s consent, further-reaching rights |
| authorized and authenticated | authenticated but unauthorized |
Exceptions to the return obligation
Pursuant to Article 46 of the Payment Services Act: “the payer is liable for unauthorized payment transactions up to (…) the equivalent of EUR 50 (…) if the unauthorized transaction is a result of: using a payment instrument lost by the payer or stolen from the payer, or misappropriation of a payment instrument.” The above provision cannot be applied in the event that:
[1] Act of 19 August 2011 on payment services (consolidated text: Journal of Laws of 2025, item 611, as amended).
[2] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC, 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ EU L 337, 2015, No. 337, p. 35, as amended).
Unauthorized transactions are becoming an increasingly serious challenge for both customers and financial institutions. Banks are generally required to refund stolen funds unless they can prove intentional misconduct or gross negligence by the customer. It is also important to distinguish unauthorized transactions from accidental transfers, where the payer willingly authorizes the payment but sends it to the wrong account. Growing cyber threats and phishing attacks highlight the importance of financial awareness, data protection, and rapid response to suspicious activity.