The EU Court of Justice rules on various PSD2 provisions, including potential cardholder liability in relation to contactless payments

As we know, the area of payments is a complex one, not only because of the way in which payments operate (i.e. the technology is sometimes complex), but also because the relevant legislation is not always very clear, is often complex and can therefore be difficult to interpret, apply and enforce.

Over the years, the EU Court of Justice (the Court) has issued a number of judgments on payments-related issues - see for example T-Mobile Austria judgment of 9 April 2014 that clarified the definition of “payment instrument” (available here), the American Express judgment of 7 February 2018 on the application of the EU interchange fee regulation (IFR) to three-party card schemes (see our alert here) and the ING-DiBa judgment of 4 October 2018 where the Court clarified the notion of a “payment account” (see our alert here).

On 11 November 2020, the Court issued a further judgment that relates to various PSD2 provisions (see the full text of the judgment here). The questions before the Court were raised by the Austrian supreme court as part of on-going litigation between the Association for Consumer Information (VKI) and DenizBank Agoda (DenizBank).

We provide below a summary of the main conclusions reached by the Court in its judgment, as well as our preliminary thoughts on those conclusions (including on the interface between its conclusions and the PSD2 provisions on strong customer authentication (SCA)).

All references to “Articles” and “Recitals” below are to articles and recitals of PSD2, except where stated otherwise.

The judgement covers three separate topics:

Topic 1: changes to the framework agreement – tacit consent by the PSU not notifying any objection

Sometimes a payment service provider (PSP) wants to make changes to an existing framework agreement (e.g. its terms and conditions or T&Cs) in place with a payment service user (PSU) and, in order to make those changes, the PSU’s consent is required.

However, as an alternative to an actual PSU consent being obtained, the parties can (and typically do) agree in the T&Cs that the PSU “is to be deemed to have accepted [proposed] changes if it does not notify the [PSP] before the proposed date of their entry into force that they are not accepted” (Article 54(1), second subparagraph).

The Court was asked by the Austrian court whether the above “presumption of tacit consent” (as the Court calls it):

(1) applies in relation to consumer PSUs as well as non-consumer PSUs. The Court concluded that there is nothing in PSD2 which disapplies the presumption where consumer PSUs are concerned (although see below for an important qualification to this conclusion); and

(2) is subject to any limits on the amendments that can be made in this way. The Court concluded that changes to all provisions of the T&Cs can be made in reliance on the presumption provided that they do not affect the framework agreement so fundamentally that, in reality, they amount to the conclusion of a new agreement. If that was the case, the PSU’s explicit consent would be required to the entry into what was effectively a new agreement.

However, the Court then went on to address an issue which had actually not been raised by the Austrian court, being the interplay of PSD2 and other consumer protection legislation, and in particular EU directive 93/13 on unfair terms in consumer contracts (the Unfair Contract Terms Directive or UCTD). The UCTD states that “A contractual term which has not been individually negotiated shall be regarded as unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties' rights and obligations arising under the contract, to the detriment of the consumer”, and the Annex to the UCTD specifically lists a clause “enabling the seller or supplier to alter the terms of the contract unilaterally without a valid reason which is specified in the contract” as a type of clause which may be considered unfair.

The Court ruled that the contract amendment provisions of PSD2 do not override these provisions of the UCTD; on the contrary, they operate subject to such provisions. Accordingly, while the presumption of tacit consent prima facie works for the making of amendments to a framework agreement with a consumer PSU, the clause in the framework agreement which makes reliance on the presumption possible may be invalidated altogether by UCTD if it is deemed an unfair term. A term in a contract can be deemed “unfair” if there could be circumstances where its effect would be unfair, even if those are not the actual circumstances in which it is being challenged (where its effect could be reasonable).

While not surprising, the conclusions of the Court on this Topic 1 emphasise two considerations for PSPs:

(a) the importance of ensuring that right-to-amend clauses in T&Cs for payment services not only comply with the 2-month notice period in Article 54(1), but are also drafted so as to maximise the chances of them not being challenged as UCTD-unfair; and

(b) that the presumption of tacit consent cannot be used to effect changes so fundamental that they constitute a new agreement. Whether this is the case is a question which will depend on the facts of each case.

Topic 2: PSP obligation to prove and to refund – exception for anonymous payments, including contactless payments without SCA

Articles 72, 73 and 74 contain various provisions which make the PSP liable in respect of any unauthorised use of a payment instrument which it has issued, subject to certain limitations – such as the potential for the PSU to be liable for up to the first €50 of any loss [1] and also bearing full liability to the extent of fraud or gross negligence on their part.

Article 63(1) does, however, envisage a derogation from the above PSP-bears-liability principle (the Low Value Derogation) for low-value instruments which are being used anonymously or in circumstances where it not possible to prove due PSU authorisation. Where the derogation applies, the PSU can be required to bear the full loss of unauthorised transactions.

The Court notes here the statement in Recital 81 that “low value payment instruments should be a cheap and easy-to-use alternative in the case of low-priced goods and services and should not be overburdened by excessive requirements” as part of the rationale for the PSU assuming this increased liability/risk. It also notes that the extent of such risk is limited by the thresholds below which transactions must fall if the payment instrument is to qualify for the Low Value Derogation in the first place (i.e. given the low value of the transactions qualifying for the derogation, there is then only so much that the PSU can lose from unauthorised transactions).

These thresholds are set out in Article 63(1). Essentially, the Low Value Derogation is only available “In the case of payment instruments which, according to the framework contract, solely concern individual payment transactions not exceeding EUR 30 or which either have a spending limit of EUR 150, or store funds which do not exceed EUR 150 at any time”. It should however be noted that, for national payments, Members States can change (and most Member States have changed) these figures for national payment transactions in accordance with Article 63(2). In particular, they are allowed by this article to be reduced or doubled, and for prepaid payment instruments they can be increased to up to €500.

The question which the Court was asked to determine for the DenizBank card was whether the Low Value Derogation would apply to the use of a payment card on which it was possible to initiate contactless payments using NFC functionality. To answer this question, it was effectively broken down into the following sub-components:

 (1) could the NFC functionality of the card constitute a “payment instrument” (as defined in Article 4(14)) on the basis that it was “a personalised device or a set of procedures” agreed between the PSP (the bank) and the PSU? The Court’s conclusion was that it was not a “personalised device” because to be “personalised” it would have to allow the PSP to verify that any payment transaction which it was used to initiate was authorised by the PSU. Given the specific lack of any PSU identity verification when used for contactless transactions (at least without SCA), it failed this test. But the Court concluded that the second limb of the definition applied as the NFC functionality constituted a “set of procedures” and that such a set was not qualified by the requirement that it should be “personalised” (which is something that the Court had already ruled up-on the T-Mobile Austria judgment);

(2) could the NFC functionality be separated from the rest of the functionality of the payment card (i.e. the Chip & PIN functionality)? The DenizBank card was not only able to initiate NFC transactions; it could also be used to carry out other transactions (namely Chip & PIN transactions), including transactions which would be too large to fall within the value limits of the Low Value Derogation (see above). However, the Court concluded that, when the card was utilised employing solely its NFC functionality, it effectively constituted a payment instrument which was separate from the payment instrument which it constituted when used to initiate other (larger) transactions (i.e. Chip & PIN transactions).  While not expressly stated, it seems implicit in the Court’s judgment that when it refers to NFC transactions as being a separate payment instrument from the Chip & PIN functionality, the Court was specifically referring to NFC transactions without SCA (as opposed to transactions that started as NFC contactless transactions, but which were then made the subject of an SCA requirement, e.g. because the conditions for an exemption under the Regulatory Technical Standards 2018/389 on SCA (the RTS on SCA) where not met). Therefore the two payment instruments on the cards are essentially a payment instrument for payments without SCA, and a separate payment instrument for payments with SCA.

(3) did the transactions that could be made using the payment instrument constituted by the (separate) NFC functionality fall within the value limits stipulated in Article 63(1)? The maximum amount specified in the DenizBank card T&Cs as available for funding through any single NFC-initiated transaction was €25 and so fell below the €30 limit in Article 63(1). It is worth noting here that the DenizBank card was not a prepaid instrument and could be used to access a payment account with a potential balance higher than the maximum aggregate spend limit test available as an alternative under Article 63(2);

(4) when an NFC-initiated transaction took place, did it fall within the requirements of Article 63(1)(b)? This Article specifies that the Low Value Derogation will only apply to a payment instrument if it is “used anonymously or the payment service provider is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised” (the Anonymity Test). Since the DenizBank card was linked to a named bank account, it might at first be considered counter-intuitive to describe even its NFC-initiated without SCA use as “anonymous”. However, the Court was able to reach the conclusion that this was appropriate on the basis that, although the card was linked to a named user, when it was used via its NFC functionality, and assuming that no linked SCA was required (this being implicit, rather than explicit, in the Court’s judgment), it was not possible to prove that such use was authorised by the PSU (so the second limb of the Anonymity Test applied). Note again here the importance of the card effectively becoming a different (anonymous) payment instrument when used solely through its NFC functionality and with no SCA; and

(5) had it been agreed in the DenizBank T&Cs (i.e. the framework agreement for the card) that the Low Value Derogation would apply to NFC use of the payment card without SCA? Note that such agreement is a mandatory requirement of Article 63(1) and, in the DenizBank case, it was concluded that it had been met.

On the basis that all the above questions could be answered in the affirmative, the Court concluded that transactions initiated using the card’s NFC functionality (we add: without SCA) were subject to the Low Value Derogation.

There are a few points worth noting regarding the Court’s judgment:

(a) any PSP wanting to be able to use the Low Value Derogation in respect of a card which offers both contactless without SCA and also PIN-enabled functionality will need to make sure that it can answer “yes” to all the above questions in respect of that card offering. A failure to meet any of the tests will rapidly deny the availability of the Low Value Derogation on the basis that the Court emphasised its general reluctance to disapply any form of consumer protection, unless strictly required to do so;

(b)  it seems somewhat surprising that the Court does not specifically address whether Article 74(2) poses any difficulty for its conclusions. This Article states that “Where the payer's [PSP] does not require [SCA], the payer shall not bear any financial losses unless the payer has acted fraudulently. …”.

The Low Value Derogation clearly involves a contactless transaction being carried out without SCA and it clearly also potentially involves financial losses falling on the payer (in respect of unauthorised transactions). The Court does not say anything in its judgement about the apparent conflict here. Perhaps the Court concluded that Article 74(2) simply must be taken to be overridden by Article 63(1)(b) (in the case of conflict) on the basis that, if this was not the case, then 74(2) would more-or-less entirely negate the Low Value Derogation. This argument may gain some support from Recital (8) of the RTS on SCA which reads: “Due to their very nature, payments made through the use of an anonymous payment instruments are not subject to the obligation of [SCA]”. A counterargument to this, however, is that Article 63(1)(b) specifically stipulates that it will disapply Articles 74(1) and 74(3), but does not refer at all to Article 74(2). It would have been useful if the Court’s judgment had specifically addressed this counterargument;

(c)  where a payment card is used via NFC functionality but on the basis that the card has been tokenised and placed within a wallet on a mobile phone, typically all NFC mobile transactions will be subject to SCA (e.g. a PIN code, fingerprint/face recognition or other identity verification facility provided through the cardholder’s use of the phone). The Court’s analysis of the availability of the Low Value Derogation is unlikely to apply. This is because the use of the card in these circumstances will not typically be treated as anonymous given that it is possible to prove that a phone-initiated NFC payment transaction was authorised by the cardholder;

(d)  for many issuers of cards with NFC functionality, the €30 individual transaction limit will be a problem in relation to any reliance they might wish to place on the Low Value Derogation, at least unless their Member State has increased this limit as envisaged by Article 63(2) (but the increase only applies to domestic transactions). In particular, due to the COVID crisis, the EBA requested that card issuers should make maximum use of the SCA contactless exemption set out in the RTS on SCA, and in particular the €50 limit in order to minimise the circumstances where the cardholder would be required to touch a POS terminal to enter their PIN (see the EBA “Statement on consumer and payment issues in light of COVID19” here). As a result, many issuers have increased the contactless without SCA limits to €50. It would be sensible if the differing limits applicable in this area were aligned as part of the PSD2 revision process (that is due to begin H2 2021).

Topic 3: exception to notification requirement and PSU liability – obligation for PSP to prove that the low-value payment instrument cannot be blocked

It is a key element of the protection of PSPs and PSUs in relation to unauthorised payment transactions initiated through a payment instrument that, should the PSU find that its payment instrument has been lost or its security compromised, they can cap off any liability (including their potential liability for the first €50 of any financial loss) by notifying the instrument’s PSP issuer and getting the instrument cancelled. This principle is enshrined in Articles 69(1)(b), 70(1)(c) and (d), and 74(3).

As for Topic 2, there is, however, a potential derogation (the No-Cancellation Derogation) available which will disapply these PSU protections for certain low-value payment instruments. This is provided by Article 63(1)(a) and the test of whether a payment instrument is sufficiently low value is the same as it is for application of the Low Value Derogation.

Importantly, the No-Cancellation Derogation is only available according to Article 63(1)(a) if:

(1)  “the payment instrument does not allow its blocking or prevention of its further use”; and

(2)   the PSP and the PSU have agreed in the framework agreement for the use of the payment instrument that the derogation will be available.

In its T&Cs for the DenizBank card, it had been stipulated that the No-Cancellation Derogation would be available, but the Court was asked to decide whether the test in (1) was met. In particular, it was argued by VKI (on behalf of the PSUs it was seeking to protect) that it was entirely possible for DenizBank to cancel the card if notified of its loss or compromise, and this was not disputed by the bank. It was also argued that meeting the test in (2) was not enough and that test (1) was separate and also had to be met.

The Court agreed with VKI and determined that a PSP could only rely on the No-Cancellation Derogation where it could “establish, with the burden of proof being on that provider in the event of a dispute, that that instrument in no way allows, on account of technical reasons, its blocking or prevention of its further use”. The Court goes on to state that “If the court hearing those proceedings considers that it would have been physically possible [for the PSP] to carry out such blocking or to prevent such use, having regard to the objective state of available technical knowledge, but that [the PSP] did not make use of that knowledge, Article 63(1)(a) may not be applied.

It is clear that the test for availability of the No-Cancellation Derogation in the light of the Court’s comments is very strict and essentially requires that the PSP establish that the taking of effective blocking measures is, for all practical purposes, impossible.

Should you have any questions about the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.

If you would like to receive our regular Payments alerts in your inbox, click here.

If you would like to read Bird & Bird’s previous alerts, please check out our Payments In Focus webpage here.


 
[1] Although this itself being subject to further limitation, such as the cessation of any loss bearing by the PSU after it has notified the PSP of the loss of the relevant payment instrument. We also understand that some cards schemes may have requested (e.g. through a “zero cardholder liability rule” in their scheme rules) that PSPs essentially waive the right given to them by Article 74(1) to place any liability on cardholders.

Latest insights

More Insights
Curiosity line green background

Something to Embrace: The scope and power of the court under 90-15 of the IPS (Corporations)

Nov 19 2024

Read More
mountain scape

European Union Artificial Intelligence Act Guide

Nov 06 2024

Read More
Curiosity line teal background

Transforming A Brand into A Global Business – what to consider from a legal perspective

Nov 05 2024

Read More