In the second of a two-part article, Simon Deane-Johns looks at some surprising consequences (if followed) of the Advocate General's opinion on contactless payments in Denizbank. In Part 1, he set out the facts and why the outcome could be so important. In this second part he looks at the question of whether contactless payments are anonymous and at the outlook for unilateral change clauses.
The Advocate General considers that contactless payments using the contactless functionality on a debit or credit card are "depersonalised" and "anonymous" because the communication between the contactless functionality and the terminal "is sufficient to validate the transaction, irrespective of who is in possession of the card at the time, and dispenses with the need for the cardholder to enter his PIN or provide a handwritten signature."
There are numerous problems with this view.
The AG draws support from analysis by the European Central Bank and the Euro Retail Payments Board on the development of the ability to have separate contact and contactless devices/procedures, and contactless acceptance. But I do not read anything in either report to support the conclusion that each mode is a separate payment instrument, or that the contactless mode is depersonalised or anonymous.
A payment card might be used by a third party (with or without authorisation) in either contact mode or contactless mode, and payment cards were notorious for high rates of fraud long before the introduction of contactless functionality. Indeed, that explains the industry's decision to introduce the Chip-and-PIN security measure over a decade before the statutory requirement for strong customer authentication in the relevant PSD2 regulatory technical standard. The report from the Euro Retail Payments Board referred to by the AG also explains that adoption rates of Chip-and-PIN cards were still quite low even by 2015, and the ability for them to be used contactlessly was a key driver to improve adoption rates of Chip-and-PIN cards by making it quicker and more convenient to use them for lower value transactions, subject to the industry requirement to enter the PIN from time to time as a guard against unauthorised use. The contactless functionality merely creates the potential for choices to be made about whether and when the user must enter the PIN related to the card. The fraudster takes the risk of being detected if he does not have the PIN.
It is therefore odd to say that contactless functionality added to a card to improve its utility is somehow independent of the card, and that the requirement to be able, if and when challenged, to enter the Personal Identification Number set by the cardholder (who must keep it secret) somehow renders the contactless use of the card "depersonalised" and "anonymous". Furthermore, as explained earlier, the regulatory technical standard that requires SCA makes it a legal requirement that the security credentials for the card (which do not vary between contact and contactless use) be applied, unless the issuer of the payment instrument/account to which the security credentials relate applies one of the seven exemptions.
Card issuers must also carry out "customer due diligence" on their cardholders, including identity verification and transaction monitoring, before providing them with cards and other payment services.
The entry of the PIN and the lack of a report by the cardholder that the card has been stolen should also make it probable that the cardholder made the contactless transactions since the previous entry of the PIN. This means that the requirement to enter the PIN from time to time is also an important factor in determining the validity of contactless transactions, not to mention the customer identity verification and monitoring obligations that sit behind the issuance of the card/account and PIN.
The AG also relied on the fact that the bank in this case delivered the cards with the contactless functionality automatically enabled, so that cardholders might be unaware the functionality existed. Ironically, I would regard this as evidence that the bank saw the contactless functionality as an inherent property of the card itself, not distinct (let alone anonymous!), and it cannot then pretend that it was distinct.
In my view, the AG's acceptance of the facts and reasoning on this point also runs contrary to the notion that the contactless functionality could be a separate payment instrument in its own right, since the blocking procedures for the card encompass the contactless functionality.
Can A Bank Make You Agree That Your Card Cannot Be Blocked When It Actually Can Be Blocked?
In this case, the bank stated in its card terms that "it is technically impossible for the debit card to be blocked when used for low-value transactions" and, if lost etc. "it shall still be open to use for low value payments not requiring a PIN up to a value of EUR 75, even after a block has been placed on the card [for higher value transactions]..." so "payments may not exceed EUR 25 per individual transaction and the debit card cannot be blocked for low-value payments made without entering a PIN..."
As the AG noted, even the bank admitted at trial that it can block a multifunctional payment card; and evidence was accepted that "almost all Austrian banks" provide in their terms that "after a blocking notification, the card's [contactless] functionality is required to be and is... blocked." This would be a reference to the card number being blacklisted (on a MATCH list) or placed in a hotlist or blocklist for a specific merchant, as well as the industry and regulatory protocols requiring entry of security credentials explained above. This in turn implies that blocking the contactless functionality is done within the scope of blocking the card itself and this prevents further use. Accordingly, the bank's terms in this case are simply wrong in stating that "it is technically impossible" to block the contactless payments and the requirements for the exclusion are not satisfied.
Indeed, it would also be true to say that the contactless use of the card can be blocked by virtue of the cardholder being unable to enter the PIN when challenged. The legal requirement for the liability exclusion to apply is that the payment instrument does not allow its blocking or prevention of its further use. Therefore it does not matter that one or more unauthorised payment transactions might go through before the card is reported missing or a thief fails to enter the PIN when challenged.
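The two mechanisms relied on above, a block on the card that covers every mode of use and the periodic PIN challenge that bounds contactless use without a PIN, can be shown as a simplified issuer-side authorisation decision. The code below is an added illustration, not the bank's system or any card scheme's actual logic; the EUR 25 per-transaction and EUR 75 cumulative figures are taken from the bank terms quoted in the article and used here only as constructed parameters, and the card number is a constructed sample.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed parameters, taken from the bank terms quoted in the article:
# EUR 25 per contactless transaction, EUR 75 cumulative without a PIN.
PER_TXN_LIMIT = Decimal("25")
CUMULATIVE_LIMIT = Decimal("75")


@dataclass
class CardState:
    pan: str                                   # card number (constructed sample)
    blocked: bool = False                      # set when loss/theft is reported
    spent_since_pin: Decimal = Decimal("0")    # contactless total since last PIN entry


@dataclass
class Decision:
    outcome: str   # "approve", "decline" or "pin_required"
    reason: str


def block_card(card: CardState, blocklist: set) -> None:
    """Record the block once; it applies to contact and contactless use alike."""
    card.blocked = True
    blocklist.add(card.pan)


def authorise(card: CardState, blocklist: set, amount, contactless: bool,
              pin_entered=None) -> Decision:
    """Issuer-side decision for one transaction.

    pin_entered is None when no PIN was presented, True for a correct PIN,
    False for an incorrect one. Amounts may be int or Decimal.
    """
    # A blocked card is declined in both modes, PIN or no PIN.
    if card.blocked or card.pan in blocklist:
        return Decision("decline", "card blocked; covers contact and contactless use")
    if pin_entered is False:
        return Decision("decline", "incorrect PIN")
    if pin_entered is True:
        card.spent_since_pin = Decimal("0")    # the challenge resets the counter
        return Decision("approve", "PIN verified")
    if not contactless:
        return Decision("pin_required", "contact (Chip-and-PIN) use needs the PIN")
    # Contactless without a PIN: only within the agreed limits.
    if amount > PER_TXN_LIMIT:
        return Decision("pin_required", "over per-transaction contactless limit")
    if card.spent_since_pin + amount > CUMULATIVE_LIMIT:
        return Decision("pin_required", "cumulative no-PIN limit reached")
    card.spent_since_pin += amount
    return Decision("approve", "within contactless limits")


def walk_through() -> list:
    """Constructed scenario: a lost card used contactlessly by a third party."""
    blocklist = set()
    card = CardState(pan="4000000000000002")   # constructed sample PAN
    outcomes = []
    # Three payments of 20 without a PIN: cumulative 60, still under 75.
    for _ in range(3):
        outcomes.append(authorise(card, blocklist, 20, contactless=True).outcome)
    # A fourth would take the total to 80, so the terminal demands the PIN.
    outcomes.append(authorise(card, blocklist, 20, contactless=True).outcome)
    # The third party does not know the PIN and is declined.
    outcomes.append(authorise(card, blocklist, 20, contactless=True, pin_entered=False).outcome)
    # The cardholder reports the loss; the block covers both modes.
    block_card(card, blocklist)
    outcomes.append(authorise(card, blocklist, 5, contactless=True).outcome)
    outcomes.append(authorise(card, blocklist, 5, contactless=False, pin_entered=True).outcome)
    return outcomes


if __name__ == "__main__":
    print(walk_through())
```

The point the walk-through makes is the article's own: exposure on a lost card is bounded by the cumulative limit and the PIN challenge, and once the block is recorded there is no separate "contactless instrument" that escapes it.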
Of course, under English law, these facts would also raise issues under the law of misrepresentation or mistake, for example, which can affect the formation, existence and enforceability of the contract in the first place.
The End Of Unilateral Change In Contracts For Payment Services?
The AG’s view is that PSD2 only allows unilateral change arrangements to be used for "non-essential changes" to framework contracts. To examine this view, it is unfortunately necessary to set out the relevant provisions.
A “framework contract” is:
a payment service contract which governs the future execution of individual and successive payment transactions and which may contain the obligation and conditions for setting up a payment account;
The three provisions set out below then interoperate to govern how framework contracts are agreed and updated. The first point to note is that it is mandatory to enable payment service providers and customers to agree a unilateral change process: "Member States shall ensure... if agreed... in accordance with Article 54... Any changes...specified in Article 52 shall be proposed...". Secondly, there is no distinction made as to the type of changes to the framework contract that can be covered by the unilateral change process, except to say that changes in interest or exchange rates based on agreed reference rates may be applied immediately and without notice if that is also agreed.
Article 51 Prior general information
1. Member States shall require that, in good time before the payment service user is bound by any framework contract or offer, the payment service provider provide the payment service user on paper or on another durable medium with the information and conditions specified in Article 52...
2. If the framework contract has been concluded at the request of the payment service user using a means of distance communication which does not enable the payment service provider to comply with paragraph 1, the payment service provider shall fulfil its obligations under that paragraph immediately after conclusion of the framework contract.
3. The obligations under paragraph 1 may also be discharged by providing a copy of the draft framework contract including the information and conditions specified in Article 52.
Article 52 Information and conditions
Member States shall ensure that the following information and conditions are provided to the payment service user:...6. on changes to, and termination of, the framework contract:
(a) if agreed, information that the payment service user will be deemed to have accepted changes in the conditions in accordance with Article 54, unless the payment service user notifies the payment service provider before the date of their proposed date of entry into force that they are not accepted;...
(c) the right of the payment service user to terminate the framework contract and any agreements relating to termination in accordance with Article 54(1) ...
Article 54 Changes in conditions of the framework contract
1. Any changes in the framework contract or in the information and conditions specified in Article 52 shall be proposed by the payment service provider in the same way as provided for in Article 51(1) and no later than 2 months before their proposed date of application. The payment service user can either accept or reject the changes before the date of their proposed date of entry into force.
Where applicable in accordance with point (6)(a) of Article 52, the payment service provider shall inform the payment service user that it is to be deemed to have accepted those changes if it does not notify the payment service provider before the proposed date of their entry into force that they are not accepted. The payment service provider shall also inform the payment service user that, in the event that the payment service user rejects those changes, the payment service user has the right to terminate the framework contract free of charge and with effect at any time until the date when the changes would have applied.
2. Changes in the interest or exchange rates may be applied immediately and without notice, provided that such a right is agreed upon in the framework contract and that the changes in the interest or exchange rates are based on the reference interest or exchange rates agreed on in accordance with point (3)(b) and (c) of Article 52...
By requiring member states to provide a unilateral change mechanism without in any way limiting the type of changes for which they may be used, PSD2 does not prevent them from protecting consumers against the abuse of such arrangements under their local laws.
The need to balance the cost and practicalities of maintaining consumer contracts with consumer protection is recognised in the recitals to PSD2:
(57) In practice, framework contracts and the payment transactions covered by them are far more common and economically significant than single payment transactions. If there is a payment account or a specific payment instrument, a framework contract is required.
(60) The way in which the required information is to be given by the payment service provider to the payment service user should take into account the needs of the latter as well as practical technical aspects and cost-efficiency depending on the situation with regard to the agreement in the respective payment service contract.
(63) In order to ensure a high level of consumer protection, Member States should, in the interests of the consumer, be able to maintain or introduce restrictions or prohibitions on unilateral changes in the conditions of a framework contract, for instance if there is no justified reason for such a change.
However, I do not see how this last recital can be read as contemplating that unilateral change arrangements should only be used for “non-essential changes”. Rather, it should be construed as a reference to national contract laws which protect consumers from the abuse of unilateral change arrangements more generally.
In this regard it is important to recall that PSD2 is a ‘maximum harmonisation directive’ so member states cannot depart from it except where expressly permitted. The operative provisions do not allow a departure, but the need for the unilateral change arrangement to be "agreed" in Article 56(2)(a) provides the opportunity for member states to apply local law "restrictions or prohibitions" of the kind contemplated by recital 63, namely "in the interests of the consumer... for instance if there is no justified reason for such a change."
In my view, this is to be read as not imposing any conditions on the types of change for which unilateral change arrangements can be made, while allowing for restrictions or prohibitions relating to changes generally. For example, under English law[1], and independently of the unilateral change arrangements in the Payment Services Regulations 2017, the parties to a contract can agree that one party has the right to unilaterally vary it, but some constraints apply to the effect. For instance:
In the case at hand, my view is that neither the unilateral change clause itself nor the type of change for which it was used was unfair or unreasonable etc. The problems for the bank arise in relation to the specific clauses that wrongly claim the bank is unable to prove a payment was authorised or is technically unable to block contactless use and so on. These fall to be dealt with under local contract law (whether under UCTA, or on grounds of misrepresentation or mistake mentioned earlier). It is neither necessary nor appropriate to go to the lengths of construing contactless functionality as a separate or anonymous payment instrument or limiting the types of change for which unilateral change arrangements can be used.
What is a non-essential change?
At any rate, even if the relevant provisions in PSD2 were to support the restriction of unilateral change arrangements to "non-essential changes" (which they do not, as explained above), that would raise the question of what a "non-essential change" might be (and, if it is non-essential, why the service provider would bother with the change at all).
The risk of creating uncertainty on this point is that service providers will err on the side of caution, thereby increasing cost and inconvenience to consumers with the risk that their payment services will suddenly cease working for lack of agreement to contract changes deemed to be verging on “essential”.
Indeed, an essential change (to comply with a change in the law or improved security, for example) might be very much in the consumer's interest, particularly where necessary to efficiently ensure the continued use of the service while minimising the associated cost and inefficiency (as per recital 60). It would seem harsh and disproportionate to create the real risk that consumers' use of payment services will be suddenly interrupted merely for failing to read their correspondence and signify acceptance of changes that could otherwise have been rightly taken for granted, or, if not agreed, to exercise their right of termination.
[1] Under Irish law, PSD2 is implemented by the European Union (Payment Services) Regulations 2018, including the unilateral change arrangement (Regulation 78). In addition, the European Communities (Unfair Terms in Consumer Contracts) Regulations, 1995 allow terms under which a seller or supplier reserves the right to alter unilaterally the conditions of a contract of indeterminate duration, provided that he is required to inform the consumer with reasonable notice and that the consumer is free to dissolve the contract.
Simon Deane-Johns, Consultant Solicitor, Keystone Law and Chair of the SCL Advisory Board