The Strange Case of Contactless Payments Under PSD2

November 25, 2020

Earlier this year, I covered the Advocate General’s opinion in the Denizbank case relating to contactless payments. Part 1 set out the facts and considered the first of four issues under PSD2 that had been referred to the European Court of Justice (ECJ) by the Austrian appeal court, while Part 2 considered the other three issues. Alarmingly, the ECJ recently agreed with the AG on the first three issues, but fortunately disagreed on the fourth. The implications of the decision are explained below, but in summary the ECJ held that: 

1. the use of the unilateral change mechanism for amending payment services contracts is not restricted to “the essential elements” of the contract.

2. the contactless feature of a credit or debit card is a separate payment instrument in its own right.

3. the issuer can escape liability for unauthorised low-value contactless payments made with a multi-functional card, because the cardholder is using the card “anonymously” (and this is not a question of fact requiring proof that the issuer did not know who was using the card in contactless mode).

4. to escape the obligation to enable the user to report the loss, theft, misappropriation or unauthorised use of the contactless functionality (and to avoid liability after reporting), the issuer of the contactless feature must be able to prove that it is unable to block the instrument or prevent its further use.

Unilateral change clauses are not restricted to “the essential elements” of the contract

The ECJ held that the unilateral change mechanism in PSD2 (Directive 2015/2366) can be used for both consumer/micro-enterprise customers and larger corporate customers (subject to the corporate opt-out) and there is no limit to the type of contractual changes that can be made using that mechanism. However, where the customer is a consumer the changes themselves can be assessed for unfairness under the Unfair Terms in Consumer Contracts Directive 1993 (Directive 93/13):

“Consequently, the answer to the first question is that Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1) thereof, must be interpreted to the effect that it governs the information and conditions to be provided by a payment service provider wishing to agree… changes, in accordance with the detailed rules laid down in those provisions, of the framework contract that they have concluded, but does not lay down restrictions regarding the status of the user or the type of contractual terms that may be the subject of such tacit consent, without prejudice, however, where the user is a consumer, to a possible review of the unfairness of those terms in the light of the provisions of Directive 93/13.”

The contactless feature of a credit or debit card is a separate payment instrument

The ECJ has held that: 

“…the NFC functionality of a personalised multifunctional bank card, by means of which low-value payments are debited from the associated bank account, constitutes a ‘payment instrument’, as defined in that provision.”

The earlier article explains why this is a surprising conclusion.

This calls into question how the execution of NFC payment transactions is classified for regulatory purposes, as it would seem to mean that a payment transaction initiated by contactless functionality is not one that was made “through a payment card or similar device” and was not “card-based”. 

The use of a credit or debit card for low-value contactless payments is anonymous

Here’s where the reasoning gets tricky.

PSD2 provides (in article 63) that for payment instruments which can only be used for payments not exceeding EUR 30 or which have a spending or storage limit of EUR 150 at any time, issuers may agree with customers that:

(a) [certain liability provisions] do not apply if the payment instrument does not allow its blocking or prevention of its further use;

(b) [certain liability provisions], do not apply if the payment instrument is used anonymously or the payment service provider is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised;

The ECJ approached the anonymity point in 63(1)(b) first, and held that:

“…the use of the NFC functionality for the purpose of making low-value payments constitutes ‘anonymous’ use, within the meaning of Article 63(1)(b) of [PSD2], even where the card equipped with that functionality is associated with the bank account of a particular customer. In such a situation, the payment service provider is objectively unable to identify the person who paid using that functionality and thus unable to verify, or even prove, that the transaction was duly authorised by the account holder… 

…a contactless low-value payment using the NFC functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument in question, within the meaning of that derogation provision.”

The first point to make here is that the requirement for anonymous use and the requirement for proof that a transaction was authorised are two separate conditions which the ECJ seems to have conflated.  

The second point is that the court does not seem to have had a full appreciation of how contactless card payments work today, or that technology could evolve to put these matters beyond any doubt. At any rate, Part 2 of my earlier article explains why contactless use should neither be viewed as ‘anonymous’ nor should an issuer be considered as necessarily unable to prove that a contactless payment was authorised (even if it has been weirdly held to be a payment instrument in its own right).

Finally, the ECJ’s conclusion on Article 63(1)(b) is inconsistent with its own finding in relation to the question of whether the instrument allows blocking or prevention of further use in Article 63(1)(a), discussed below, where the ECJ held the issuer does bear the onus of proof in order to rely on the derogation. 

Where this leaves the use of Strong Customer Authentication in relation to NFC payment transactions is unclear, but the ruling allows banks and other payment service providers who issue NFC functionality to agree with customers in their standard terms that:

  • the issuer does not need to prove the authentication and execution of contactless payment transactions;
  • the issuer is not liable for unauthorised contactless payment transactions; and
  • the user loses the cap of EUR 50 on losses resulting from contactless transactions, after notification to the provider of the loss, theft or misappropriation of the contactless payment instrument.

The issuer must be able to prove that it is unable to block or prevent the further use of the contactless feature

To rely on the derogation in Article 63(1)(a), the ECJ held that the issuer:

“… must establish, with the burden of proof being on that provider in the event of a dispute, that that instrument in no way allows, on account of technical reasons, its blocking or prevention of its further use. If the court hearing those proceedings considers that it would have been physically possible to carry out such blocking or to prevent such use, having regard to the objective state of available technical knowledge, but that the provider did not make use of that knowledge, Article 63(1)(a) may not be applied to the benefit of that provider.” 

Again, this is inconsistent with the findings on anonymity under 63(1)(b), where the ECJ declared ‘objectively’ that the issuer of NFC functionality is unable to establish who used the card in that mode. 

If an issuer were confident that it could prove that the NFC functionality does not allow blocking or prevention of its further use, then it could agree with the user in the customer contract that: 

  • the user does not need to inform the issuer of the loss, theft, misappropriation or any unauthorised use of the contactless payment instrument concerned;
  • the issuer does not need to make available to the user the means to make that notification free of charge or to request unblocking of that contactless instrument; and
  • the user remains liable for the financial consequences of any use of the lost, stolen or misappropriated contactless instrument. 

Are these the results that the European Commission would have expected?

Simon Deane-Johns, Consultant Solicitor, Keystone Law and Chair of the SCL Advisory Board