Identity theft and electronically signed contracts: case law is growing

In four recent cases involving electronically signed consumer credit agreements, the borrower claimed that his identity had been stolen. The courts seized on appeal have all confirmed the usurpation, highlighting certain weaknesses in these signature processes.

Two of these cases (Court of Appeal, Bordeaux, 1st Civil Chamber, 23 February 2026 – No. 23/05165 and Court of Appeal, Amiens, Economic Chamber, 12 March 2026 – No. 24/04035) relate to fraud by spouse.

In the first, the judge noted that authentication by OTP/SMS and email address is not worth much in the context of a suspicion of family fraud:

"Mr [V] had access to all of Mr [P]'s administrative and personal documents as he had been living in a cohabiting relationship and in a PACS for 2 years at the time of signing the disputed contract. Their production cannot therefore automatically be considered as proof of the reality of the signatory in this specific context of suspicion of identity theft by his cohabiting partner".

"the documents sent by e‑mail refer to Mr [P's] e‑mail address, which could be freely used by his cohabiting partner"

"it is established that the mobile phone number used to sign remotely was not that of Mr [P], the number indicated containing an error"... "Thus, BNP Paribas Personal Finance does not demonstrate that it has ensured that the identity of the signatory had been verified by the service provider trusted in the one‑time password."

In the second, the Court considers that the email address and telephone number appearing on the evidence file do not constitute the expected link with the signed contract: ".  The court cannot therefore accept which document was the subject of the electronic signature or even whether the document entitled 'Contract' in the evidence file is related to the credit subject of the present proceedings". It is a poor presentation of the documents that is criticized here (no common reference between the contract and the evidence file) which, combined with the suspicion of usurpation, leads to the rejection of the bank's request for reimbursement.

In a third case (Court of Appeal, Limoges, Civil Chamber, 18 March 2026 – No. 25/00235), thedefendant claimed that his identity had been usurped by a fraudster. The Court directly challenged the use of an email address and a mobile number to confirm the identity of a remote signatory: "the evidence adduced in the proceedings did not make it possible to link [the defendant] to the borrower's email address and mobile phone number, as it appeared on the credit agreement, produced by the company [Address 1],  as well as the email address appearing on the document entitled 'evidence file', issued by Protect & Sign, and which [the defendant] on the contrary provided proof of a different email address and telephone number, in particular by producing invoices from the telephone operator, as well as contractual documents filled in at the time of the facts. It follows that the verification and authentication procedure, which is supposed to guarantee the electronic signature by the person designated by the contract, which is based mainly on the transmission of a code to the customer, which the latter must enter as a signature, loses all reliability since that code was clearly addressed not to the email address or telephone number [of the defendant] but, obviously, to those provided by the perpetrator of the fraud. »

Finally, in a fourth case (Court of Appeal, Lyon, 6th chamber, 5 March 2026 – No. 24/02249), the Court upheld the action of the usurped borrower, noting that the postal address declared by the fraudster did not exist and that the payslips produced were false. It is in this case for insufficient diligence in verifying the documents that the bank's action for reimbursement is dismissed.

The lessons of these few legal setbacks incurred by lenders are clear:

First of all, and we already knew it, relying on an email address and a mobile phone number to validate an electronic signature is a fragile insurance, which can be shattered as soon as identity fraud is alleged.

Verification of the authenticity of supporting documents produced remotely is essential, in a context where it is to be feared that the volume of identity fraud will increase significantly in the coming times, until everyone has a reliable digital identity...