Under Article 74 of the Payment Services Directive (EU) 2015/2366 (“PSD2”), a payer may be required to bear the losses of unauthorised payment transactions up to a maximum of €50 provided the specified conditions are met. This is implemented in the UK by Regulation 77 of the Payment Services Regulations 2017 (“PSRs2017”) which has reduced, in accordance with the discretion given to Member States, the maximum amount of €50 to £35 (the “£35 Rule”).
The rationale for allocating certain liability to a payer is described in Recital 71 PSD2 as follows: “In order to provide an incentive for the payment service user to notify, without undue delay, the payment service provider of any theft or loss of a payment instrument and thus to reduce the risk of unauthorised payment transactions, the user should be liable only for a very limited amount, unless the payment service user has acted fraudulently or with gross negligence. In that context, an amount of EUR 50 seems to be adequate in order to ensure a harmonised and high-level user protection within the Union.”
The principle seems to be straightforward. However, there appear to be considerable uncertainties in interpreting the wording of the provisions (in both Article 74 PSD2 and Regulation 77 PSRs2017). Such uncertainties potentially have significant practical implications for payment service providers (“PSP”), not least with respect to the overarching Principles for Business in the FCA Handbook which apply to PSPs that are credit institutions and are scheduled to apply to non-bank PSPs on 1 August 2019.
This discussion focuses on the wording of Regulation 77 PSRs2017.
References to “Regulations” are to those in PSRs2017 unless otherwise indicated. Where relevant, references are also made to the Approach Document for Payment Services and E-Money published by the Financial Conduct Authority (the “FCA Approach Document”). For ease of reference, each relevant provision of Regulation 77 is reproduced verbatim below.
(1) Subject to paragraphs (2), (3) and (4), a payment service provider which is liable under regulation 76(1) may require that the payer is liable up to a maximum of £35 for any losses incurred in respect of unauthorised payment transactions arising from the use of a lost or stolen payment instrument, or from the misappropriation of a payment instrument.
(2) Paragraph (1) does not apply if—
(a) the loss, theft or misappropriation of the payment instrument was not detectable by the payer prior to the payment, except where the payer acted fraudulently; or
(b) the loss was caused by acts or omissions of an employee, agent or branch of a payment service provider or of an entity which carried out activities on behalf of the payment service provider.
(3) The payer is liable for all losses incurred in respect of an unauthorised payment transaction where the payer—
(a) has acted fraudulently; or
(b) has with intent or gross negligence failed to comply with regulation 72 (obligations of the payment service user in relation to payment instruments and personalised security credentials).
(4) Except where the payer has acted fraudulently, the payer is not liable for any losses incurred in respect of an unauthorised payment transaction—
(a) arising after notification under regulation 72(1)(b);
[The remaining provisions of Regulation 77(4) are not discussed here.]
Regulations 77(1) and (2) effectively set out four conditions to be met before the £35 Rule can be triggered. Regulations 77(3) and (4) do not impose such conditions; rather, they set out circumstances where the £35 Rule will become entirely irrelevant as the payer is either liable for all losses or not liable for any.
Condition A under 77(1)
The first condition is that the payment service provider (“PSP”) must be liable under Regulation 76(1) (“Condition A”).
Regulation 74(1) provides that a payment service user is entitled to the remedy under (amongst others) Regulation 76 only if he notifies the PSP within 13 months of any unauthorised payment transaction (the “74(1) notification”). In other words, if the payer did not make a 74(1) notification with respect to the particular unauthorised transaction, he will not be entitled to the remedy under Regulation 76. Accordingly the PSP will not be liable under Regulation 76(1).
Therefore, Condition A is effectively that the payer must have made the 74(1) notification of the relevant unauthorised payment transaction.
While not expressly set out in PSRs2017 (nor in PSD2), the logical conclusion is that if the payer failed to make a 74(1) notification with respect to an unauthorised transaction (ignoring the other relevant provisions of Regulation 77), the payer would have to bear all the losses of that unauthorised transaction that was not notified to the PSP (at least as a matter of PSRs2017) since the payer will not be entitled to the redress. In other words, the £35 Rule would become irrelevant.
There is nothing in the PSRs2017 that prevents the PSP, in such circumstances, from voluntarily providing some form of redress. Presumably, if the PSP chooses voluntarily to provide any redress, the PSP may require the payer to bear whatever share of the losses it deems appropriate.
However, these points are not entirely clear and there is no specific guidance at the EU level nor from the FCA.
Condition B under 77(1)
The second condition is that the unauthorised transaction must arise from the use of a lost or stolen or misappropriated payment instrument (“Condition B”).
“Payment instrument” is a specifically defined term and means any (a) personalised device or (b) personalised set of procedures agreed between the payment service user and the payment service provider, in both cases where used by the payment service user in order to initiate a payment order.
It is clear that a payment card would fall within the definition of payment instrument. However, it is less clear whether a “payment account” (as defined in PSRs2017) is also a “payment instrument” for these purposes. Given that personalised procedures will invariably have been agreed (for initiating payments) when a payment account is set up, such procedures would likely fall within the second limb of the definition of payment instrument. While a “payment account” in and of itself would not be a “payment instrument” (since a “payment account” is defined by reference to an account being used for execution of payment transactions, i.e. not initiation), it seems that no practical distinction should be made between the defined terms “payment instrument” and “payment account” for the purposes of Regulation 77.
The more difficult question is what “misappropriation” means. During the legislative process, the Council added certain wording to clarify that “misappropriation of a payment instrument” would only happen where the customer failed to keep safe his personal security credentials. However, this wording is not included in the final text of PSD2. This seems to indicate that “misappropriation” is not or should not be limited to misuse of personal security credentials. Other than that, it is not clear what amounts to “misappropriation” for these purposes.
Then the issue becomes: how should a PSP assess whether or not Condition B is met? This may be particularly difficult in the context of payment accounts since it seems that a payment account can only fall within the misappropriation limb (if “loss” and “theft” are to be understood in their ordinary sense).
The wording also suggests that if the unauthorised transaction arises from something other than the loss/theft/misappropriation of a payment instrument, then the £35 Rule does not apply. However, given the broad definition of “payment instrument” and the potentially wide scope of “misappropriation” (as discussed herein), it seems difficult to envisage a situation where an unauthorised transaction would arise from something other than the loss/theft/misappropriation of a payment instrument.
Condition C under 77(2)(a)
The third condition is that the loss/theft/misappropriation of the payment instrument must have been detectable to the payer before the particular unauthorised transaction (“Condition C”).
According to the FCA, this means whether or not it was possible for the payer to detect the loss/theft/misappropriation (see 8.218, FCA Approach Document).
This condition carves out payer fraud.
However, only fraud is carved out. This gives rise to the following question: if the payer failed with intent or gross negligence to detect the loss/theft/misappropriation (provided that such failure did not amount to fraud), then could it still be said that detection was not possible?
In other words, what are the criteria for assessing detectability for this purpose? Is detectability specific to each individual payer, or is the standard that of a hypothetical third party, the “reasonable person”?
Both PSD2 and PSRs2017 are silent on these points and there appears to be no specific guidance either.
Condition D under 77(2)(b)
The fourth condition is that a PSP or its agent/employee etc. must not have caused “the loss” (“Condition D”).
The wording refers to the loss not having been caused by “a” payment service provider. Does that mean that if “any” PSP (or its agents etc) in the processing chain did or omitted to do something that could be regarded as having caused the loss, then the payer’s PSP cannot exercise the discretion under the £35 Rule? If so, that does not seem to be consistent with the expressed rationale for the £35 Rule. It also seems odd to require the payer’s PSP to effectively bear the consequences of actions/omissions of another PSP that the payer’s PSP may not even have any direct relationship with.
Further, the wording suggests that the relevant PSP’s action/omission must have caused the loss. It is not clear what would be the test of causality for this purpose (e.g. whether the action or omission of the PSP/agent must be the sole cause, main cause or merely contributory). As noted in Condition B above, the unauthorised transaction must arise from the loss/theft/misappropriation of a payment instrument. Arguably, the loss of an unauthorised transaction in these circumstances is caused by the loss/theft/misappropriation of the payment instrument.
Payer liability under 77(3) and 77(4)(a)
Regulation 77(3)(a) appears to be straightforward. If the payer acted fraudulently, then they would be made to bear all the losses of an unauthorised transaction.
Regulation 77(3)(b), on the other hand, seems to give rise to a number of issues.
The wording of Regulation 77(3)(b) suggests that the payer must have failed (with intent or gross negligence) to comply with Regulation 72 in its entirety before they can be made to bear all the losses. The FCA also seems to imply that this is the case (see 8.220, the FCA Approach Document).
If this interpretation is correct, then the UK position seems to deviate from the text of PSD2 which provides (in Article 74) that the payer must bear all losses of an unauthorised transaction if the losses were incurred by the payer “failing to fulfil one or more of the obligations set out in Article 69 [i.e. Regulation 72 PSRs2017] with intent or gross negligence” (emphasis added).
If Regulation 77(3)(b) should be read as if the wording “one or more” were inserted, that would make it consistent with Article 74 PSD2. However, that would create a conflict with Regulation 77(4)(a).
There are three obligations for a payment service user under Regulation 72 (which implements Article 69 PSD2):
- 72(1)(a) - Use the payment instrument in accordance with the relevant terms and conditions;
- 72(1)(b) - Notify the PSP without undue delay of the loss, theft, misappropriation or unauthorised use of the payment instrument; and
- 72(3) - Take all reasonable steps to keep safe personalised security credentials relating to a payment instrument.
Accordingly, where the payer did not act fraudulently and the payer failed (with intent or gross negligence) to comply with 72(1)(a) and 72(3) but complied with 72(1)(b), then the payer must bear all the losses of the unauthorised transaction since he failed with intent or gross negligence to comply with two of his obligations under Regulation 72 (if Regulation 77(3)(b) were to be read consistently with PSD2 as noted above).
However, since the payer complied with Regulation 72(1)(b) (i.e. the payer has notified the PSP of the loss/theft/misappropriation of the relevant payment instrument), the payer cannot be made to bear any losses of the unauthorised transaction (which happened after the 72(1)(b) notification) in accordance with Regulation 77(4)(a).
This conflict is also in Article 74 of PSD2 (between the third sub-paragraph of Article 74(1) and Article 74(3)).
It may be that the wording in Regulation 77(3)(b) is meant to avoid the apparent conflict in the wording of PSD2 itself. If that is the case, then Regulation 77(3)(b) should be read in accordance with its express wording. That is, the payer must have failed (intentionally or with gross negligence) to comply with all the obligations under Regulation 72 in order to be made fully liable.
However, such an interpretation would seem to create another deviation from Article 74 PSD2.
Under Article 74 PSD2, Member States are given the discretion to reduce the €50 maximum liability for the payer if the payer has “neither acted fraudulently nor intentionally failed to fulfil its obligations under Article 69”. The UK reduced the €50 to £35 to implement this discretion (as indicated in the HM Treasury consultation and the explanatory memorandum to PSRs2017).
Accordingly, where Conditions A to D are met and the payer did not act fraudulently but the payer failed intentionally to comply with one or more (but not all) of the obligations under Regulation 72 (e.g. the payer did not notify under Regulation 72(1)(b)), the payer cannot be made to bear all the losses since the payer did not fail to comply with all the obligations under Regulation 72 (as required under Regulation 77(3)(b)); the payer can be required to pay £35 (i.e. the £35 Rule applies) since all the conditions are met.
However, under PSD2, the maximum €50 liability cannot be reduced (to £35) for the payer because the payer failed intentionally to fulfil its obligations under Article 69 PSD2 (i.e. Regulation 72 PSRs2017).
If the wording of the payer liability provisions under both PSRs2017 and PSD2 is to be read as analysed here, it seems that the only certainty is that where a payer acted fraudulently then the payer must bear all the losses of the relevant unauthorised transactions. Apart from that, it is not entirely clear in what circumstances a PSP may exercise the discretion under the £35 Rule and require a payer to be liable for the maximum liability of £35 (or €50).
Given such uncertainty, it remains to be seen how much of an incentive the payer liability provisions could produce (as envisaged under the expressed rationale for these requirements). Further, the potential confusion may make it difficult for PSPs to explain e.g. in their terms and conditions when their customers can be liable and to what extent. This in turn may put PSPs at risk of breaching the relevant information and transparency requirements (e.g. Schedule 4 paragraph 5(d) of PSRs2017 requires PSPs to provide information on Regulation 77).
In addition, as noted above, the Principles for Business in the FCA Handbook already apply to PSPs that are also credit institutions and they are scheduled to apply to non-bank PSPs from 1 August 2019. Principle 7 requires them to communicate information to customers in a way that is “clear, fair and not misleading”. The uncertainties may also put PSPs at risk of breaching Principle 7 if PSPs are unable to explain Regulation 77 clearly when providing information to their customers as required under PSRs2017. This is particularly so given that there is currently limited guidance as regards how the Principles for Business should apply to non-bank PSPs in practice (see our discussion on this topic at https://www.bclplaw.com/en-GB/thought-leadership/new-fca-rules-for-payment-firms-from-1-august-2019-what-does.html).