Tuesday, 19 May 2020

Can A Bank Make You Agree That Your Card Cannot Be Blocked When It Actually Can Be Blocked?

This is the fourth post in a series about some awkward issues under PSD2 that were recently referred to the European Court of Justice. The initial post sets out the facts and the four issues referred to the ECJ. The second post addresses the Advocate General's opinion that the contactless feature of a credit or debit card is a separate payment instrument in its own right. The third examines the AG's view that making contactless payments with a debit or credit payment card means the cardholder is using the card "anonymously". In this post, I explore whether a card issuer can agree with the cardholder that it is not technically feasible to block the card or prevent further use of the payment instrument if it is lost, stolen etc., even when it is possible to block it. Again, the two prior judgments in the Austrian courts effectively found that the bank cannot validly get customers to agree to something that is factually wrong. In this instance the AG appears to agree (and that it is possible to block contactless use).
 
[Update, spoiler alert 17.11.20: the ECJ agreed with the AG. See end of this post]

This issue is important because payment service providers could escape certain liability if contactless functionality is treated separately as a "payment instrument which, according to the framework contract, solely concerns individual payment transactions not exceeding EUR 30... if the payment instrument does not allow its blocking or prevention of its further use."

In this case, the bank stated in its card terms (the "framework contract") that "it is technically impossible for the debit card to be blocked when used for low-value transactions" and, if lost etc. "it shall still be open to use for low value payments not requiring a PIN up to a value of EUR 75, even after a block has been placed on the card [for higher value transactions]..."  so "payments may not exceed EUR 25 per individual transaction and the debit card cannot be blocked for low-value payments made without entering a PIN..."

On this point, the AG noted that even the bank admitted at trial that it could block a multifunctional payment card; and evidence was accepted that "almost all Austrian banks" provide in their terms that "after a blocking notification, the card's [contactless] functionality is required to be and is... blocked." This would be a reference to the card number being blacklisted (on a MATCH list), or placed in a hotlist or blocklist for a specific merchant, as well as the industry and regulatory contactless security protocols explained in the second post on this case. This in turn implies that blocking the contactless functionality is done within the scope of blocking the card itself and this prevents further use. Accordingly, the bank's terms in this case are simply wrong in stating that "it is technically impossible" to block the contactless payments, and the requirements for the exclusion are not satisfied.

Of course, under English law, these facts would also raise issues under the law of mistake, which can affect the formation, existence and enforceability of the contract.

In my view, the AG's acceptance of the facts and reasoning on this point also runs contrary to the notion that the contactless functionality could be a separate payment instrument in its own right, since the blocking procedures for the card encompass the contactless functionality. 

In addition, even if the contactless functionality were construed as a payment instrument in its own right, as the AG suggests, the bank would still fail because, according to the bank's framework contract, the payment instrument does not "solely concern individual payment transactions not exceeding EUR 30." The contract is clear that the cards can be used for higher value payments requiring the entry of a PIN, and the clauses relevant to low-value transactions use language such as "when the debit card is used to make low-value payments without entering a PIN" and "any risk of misuse of the payment card for low-value payments not requiring a PIN" and "the debit card cannot be blocked for low value payments made without entering a PIN."

Indeed, it would also be true to say that the contactless use of the card can be blocked by virtue of the cardholder being unable to enter the PIN when challenged.

Note, too, that the legal requirement for the liability exclusion to apply is that the payment instrument does not allow its blocking or prevention of its further use. Therefore it does not matter that one or more unauthorised payment transactions might go through before the card is reported missing or a thief fails to enter the PIN when challenged. 

In the final post, I will address the Advocate General's view that the unilateral change mechanism for amending payment services 'framework' contracts cannot be applied to "the essential elements" of the contract, such as those used to add contactless functionality to a payment card (i.e. another payment instrument). This would introduce huge practical challenges - and costs - for all payment service providers seeking to update their contracts to introduce new products and features, as well as aggravation for their customers.

Post Script 17.11.20

The ECJ has agreed with the AG:

"...a payment service provider wishing to exercise the option provided for in Article 63(1)(a) of Directive 2015/2366 may not, in order to relieve itself from its own obligations, simply state, in the framework contract relating to the payment instrument concerned, that it is unable to block that instrument or to prevent its further use. That service provider must establish, with the burden of proof being on that provider in the event of a dispute, that that instrument in no way allows, on account of technical reasons, its blocking or prevention of its further use. If the court hearing those proceedings considers that it would have been physically possible to carry out such blocking or to prevent such use, having regard to the objective state of available technical knowledge, but that the provider did not make use of that knowledge, Article 63(1)(a) may not be applied to the benefit of that provider."

This is inconsistent with the findings on anonymity, however, where the ECJ was prepared to simply accept as fact that the issuer of NFC functionality is unable to establish who used the card in that mode (when that does not seem to be the case and/or technology may evolve to put that beyond doubt).

If an issuer could prove that the instrument does not allow blocking or prevention of further use, then it could agree with the user in the customer contract to disapply: 

  • the requirement of the user to inform the provider without delay of the loss, theft, misappropriation or any unauthorised use of the payment instrument concerned;
  • the need for the provider to make available to the user means to make that notification free of charge or to request unblocking of that instrument; and
  • the provision which relieves the payer from the financial consequences of any use of the lost, stolen or misappropriated instrument that takes place after that notification (except where he or she has acted fraudulently). 

 
