The European Communities (Payment Services) Regulations S.I. 383 of 2009 (the “Regulations”) govern, amongst other things, liability for unauthorised payment transactions and the Financial Services Ombudsman has the task of adjudicating on any disputes that arise.
If a payment services user (Customer) becomes aware of an unauthorised transaction within 13 months of its occurrence and duly notifies their payment services provider (Bank) of it, the Regulations provide that the Bank shall refund the Customer. The Bank will not be required to issue a refund if it can prove that the Customer authorised the transaction, although the Bank will generally not, in that regard, be permitted to rely solely on the fact that the transaction was authenticated (e.g. where a PIN is used without error).
The Customer will, however, be liable for the first €75 in losses if the unauthorised transaction arose due to the payment instrument (e.g. debit card) being either lost or stolen or if the accompanying security features (e.g. PIN number/password) were not kept safe by the Customer.
The Customer is liable for the entire amount of losses if the Customer acted fraudulently or either intentionally or with gross negligence failed to:
- use the payment instrument in accordance with its governing terms and conditions;
- keep the instrument’s security features safe; or
- notify the Bank without undue delay of the instrument’s loss, theft, misappropriation or its unauthorised use.
Again, however, the Bank will generally not, in that regard, be permitted to rely solely on the fact that the transaction was authenticated (e.g. where a PIN is used without error) in seeking to prove that the Customer acted fraudulently, intentionally or with gross negligence.
While deliberate or fraudulent actions are well-established concepts, “gross negligence” is not defined in the Regulations and does not exist as a concept distinct from negligence in Irish civil law. However, effect must be given to the expression “gross negligence” as the phrase appears in the Regulations.
The notion of “gross negligence” is thus an important matter for customers and institutions alike and has, helpfully, been reviewed by the High Court and Supreme Court, in deciding the case of ICDL Saudi Arabia v. European Computer Driving Licence Foundation Limited  IEHC 343;  IESC 55.
While the case had a complex background and history, the issue before the court was whether the Defendant’s breach of contract amounted to gross negligence as a clause in the pertinent agreement limited the Defendant’s liability, except for damage “caused by a wilful act or gross negligence”.
In the High Court, Clarke J. considered the wording of the limitation clause and said that, as a matter of construction, “one would expect persons to mean something different by the use of the term “gross” negligence rather than the simple use of the term “negligence”. Why else would the word “gross” be used? Obviously negligence implies a breach of a duty of care. However, anyone involved with negligence litigation will be more than familiar with cases where the margin by which someone has failed to meet the duty of care imposed on them is large. It seems to me that that is the ordinary meaning of the term “gross negligence”. It is a degree of negligence where whatever duty of care may be involved has not been met by a significant margin”. Clarke J. went on to state that a person accused of a breach said to be the result of gross negligence would have to have acted in a manner that was “significantly careless as to its obligations”. On appeal, a majority of the Supreme Court upheld the High Court’s decision that gross negligence must mean more than mere negligence, involving conduct exhibiting a significant degree of carelessness.