European Union: European Court of Justice Rules on Liability of Banks for Unauthorized Low-Value Transactions Using Contactless Payment

(Dec. 21, 2020) On November 11, 2020, the Court of Justice of the European Union (CJEU) held that the near-field communication (NFC) functionality of a bank card, also known as contactless payment, in itself is a “payment instrument” as defined in the EU Payment Services Directive 2015/2366 (PSD 2). The CJEU also clarified the meaning of “anonymous use” under PSD 2 with regard to NFC functionality. The court stated that a bank may not exclude its liability for unauthorized low-value transactions in its general terms and conditions by simply claiming that blocking the NFC functionality would be technically impossible, but must prove impossibility in light of the objective state of available technical knowledge when a customer reports a lost or stolen bank card. Furthermore, the court ruled that if the user is a consumer, general terms and conditions that provide for tacit consent to possible future amendments to such terms and conditions must comply with the standard of review set out in Directive 93/13 on consumer rights protection, not with PSD 2.

Facts of the Case

The plaintiff in the case is the Association for Consumer Information Austria (Verein für Konsumenteninformation, VKI), an association established in Austria that has standing to bring claims to protect consumer interests under Austrian law. (Case-287/19, para. 31.) The defendant is DenizBank AG, a banking institution operating in Austria. (Para. 32.)

On August 9, 2016, the VKI filed an action for injunction against DenizBank at the court of first instance, the Vienna Commercial Court, to prevent the use of certain terms and conditions, which it claimed were prejudicial to consumers. On April 28, 2017, the court of first instance held, among other things, that clause 14, which concerned a consumer’s tacit consent, was grossly prejudicial and that the NFC functionality itself may not be regarded as a payment instrument. (Para. 35.) The court of appeals, the Higher Regional Court of Vienna, upheld the judgment in part. (Para. 36.) The Austrian Supreme Court in a further appeal on a point of law suspended the proceedings and asked the CJEU for a preliminary ruling according to article 267 of the Treaty on the Functioning of the European Union. (Para. 42.)

Customers whose bank cards have NFC functionality are able to pay transactions up to 25 euros (€) (about US$30)—referred to as “low-value payments”—without authentication at technically equipped registers, meaning they can pay without using a personal identification number (PIN code) or signature. Payments over €25 require authentication. The NFC functionality is activated when customers make their first transaction with the respective bank card using their PIN code. (Para. 32.)

The following general terms and conditions used by DenizBank were at issue in the case:

Clause 14 dealt with the consumer’s tacit consent to amendments to the respective general terms and conditions. According to that clause, it is presumed that customers who do not communicate their disagreement with prospective changes within a certain time frame agree with the changes.

Furthermore, DenizBank’s general terms and conditions excluded the bank’s legal and financial liability in certain cases, in particular in clause 16 for unauthorized transactions using NFC.

Clauses 15 and 17 stated that DenizBank was not required to prove that low-value payments conducted with NFC functionality were authorized or that they were not affected by a technical breakdown or some other deficiency, and therefore, bank account holders bear the risk of any misuse conducted with their card using the contactless payment method. Clause 18 provided that, in the event a bank card was lost or stolen, it was “technically impossible” to block the bank card for low-value payments and that even after a general blocking of the card, low-value payments would still be possible up to €75, without any refund by the payment service provider.

Ruling

The CJEU focused its remarks on the tacit consent clauses and on liability with regard to payments using NFC functionality. Regarding the clauses providing for tacit consent to amendments of contractual clauses, the CJEU stated that PSD 2 itself neither provides special provisions for consumers nor categorizes the type of contractual terms that may be the subject of tacit consent. (PSD 2, art. 52, no. 6 (a) in conjunction with art. 54, para. 1; CJEU, paras. 49 & 58.) Accordingly, payment services providers may generally insert a clause in their general terms and conditions that provides for tacit consent to future changes if the other parties do not communicate their disagreement. However, the CJEU confirmed the Austrian Supreme Court’s opinion that if the user of the payment services is a consumer, the general terms and conditions must meet the requirements set out in Directive 93/13 on consumer rights. (Para. 65.) As a result, the CJEU ruled that the Austrian Supreme Court must review whether clause no. 14 on tacit consent is unfair in light of Directive 93/13 and not PSD 2. (Paras. 64 & 66.)

The CJEU also had to determine how the NFC functionality of a bank card fits within the context of PSD 2, meaning whether it can be classified as a “payment instrument.” According to article 4, no. 14 of PSD 2, a payment instrument is defined as “a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order.” In accordance with its previous jurisprudence, the CJEU ruled that the NFC functionality of a multifunctional bank card associated with a specific bank account in itself cannot be classified as a “personalized device.” (Paras. 70–73.) It stated that the use of NFC functionality “in itself, does not allow the payment service provider to verify that the payment order was initiated by a user authorised for that purpose.” (Para. 73.) However, the CJEU held that the NFC functionality still falls within the scope of PSD 2 because it may be considered a “payment instrument” according to the second alternative of the definition (a set of procedures). (CJEU, paras. 77 & 79.)

Furthermore, the CJEU qualified the use of NFC functionality for low-value payments as an “anonymous use” within the meaning of article 63 para. 1 (b) of PSD 2. This provision of PSD 2 provides that the parties can agree to derogate from the payment provider’s obligation to prove the authentication of the payment transaction as well as from the liability provisions with respect to unauthorized low-value payment transactions where the payment instrument is used “anonymously.” (PSD 2, art. 63, para. 1 (b) in conjunction with arts. 72, 73, 74, paras. 1 and 3.) The court did not provide an exact definition of “anonymous use,” but rather relied on the circumstances of the NFC functionality’s usage. After the NFC functionality is activated, no “authentication through the use of personal security data,” such as a PIN code or signature, is needed for subsequent low-value transactions. (Para. 87.) In this case, a payment service provider, such as DenizBank, “is objectively unable to identify the person who paid using that functionality and thus unable to verify, or even prove, that the transaction was duly authorised by the account holder.” (Para. 89.)

According to article 63, para. 1 (a) of PSD 2, in respect of low-value payment instruments, a payment service provider can take advantage of exemptions from liability if it is impossible to block the payment instrument or to prevent its further use. The court stated that for the exemption to apply, the payment service provider must prove that the blocking or prevention is not possible considering the objective state of technical knowledge. (Paras. 98 & 106.) Simply claiming in the general terms and conditions that the blocking or prevention is impossible, as done by the defendant DenizBank, is not sufficient to limit a bank’s liability, in the opinion of the court. (Para. 98.) The CJEU noted that PSD 2 requires that customers report the loss of their bank card or its misuse without delay, that they must have the opportunity to do so free of charge, and that after such a report has been made, no financial consequences may be assigned to the customers unless they are guilty of fraudulent behavior. (Para. 100.)

Related Developments

Because of the ongoing pandemic and the attempt to encourage customers to use cashless payment methods to contain the spread of COVID-19, several bank institutions and credit card companies throughout Europe raised the amount available for contactless payments. In Austria, the limit was raised from €25 to €50 because EU law enables EU member states or their competent authorities to change the limit for contactless payments and make use of the low-value exemption from strong customer authentication (SCA). (PSD 2, art. 63, para. 2; Commission Delegated Regulation (EU) 2018/389, art. 11.) However, this increase from €25 to €50 might be a temporary change lasting only as long as the pandemic.

In an ad hoc survey carried out by the European Central Bank (ECB) in July 2020, the potential impact of the ongoing pandemic on consumers’ payment behavior was assessed. This survey was added to the 2019 Study on the Payment Attitudes of Consumers in the Euro Area (SPACE). This study showed, in general, that card payments have become increasingly contactless and that the pandemic has accelerated the use of cashless payment methods. According to the survey, the main reason why consumers have changed their payment behavior during the pandemic is that paying electronically has been made more convenient for them. (SPACE at 23.)

Prepared by Viktoria Fritz, Law Library intern, under the supervision of Jenny Gesley, Foreign Law Specialist
