Tuesday, 12 May 2020

Red Alert: European Court Is Told That The Contactless Feature of a Payment Card is a Separate Payment Instrument!

Fans of the adage "A hard case makes bad law" will wince as the regulatory and contractual treatment for contactless credit cards and debit cards is at risk owing to the misadventures of a single Austrian bank. I would hope that the industry is alive to the problem and is finding a way to improve the bank's arguments and save the day. Let me know if I can help!

Briefly stated, a series of questions has been referred by the Austrian Supreme Court to the European Court of Justice and, alarmingly, the Advocate General has given his opinion to the effect that:
  1. The contactless feature of a credit or debit card is a separate payment instrument in its own right.
  2. Making low-value contactless payments with a multi-functional card means the cardholder is using the card "anonymously" (and this means contactless payments are not subject to the obligation of strong customer authentication in the relevant PSD2 regulatory technical standard).
  3. The issuer of the contactless feature can only use the low-value exclusions from liability for unauthorised transactions in PSD2 if the issuer can show that it is not technically feasible to block the card or prevent further use of the payment instrument if it is lost, stolen, misappropriated or used without authorisation.
  4. The unilateral change mechanism for amending payment services 'framework' contracts cannot be applied to "the essential elements" of the contract, such as those used to add contactless functionality to a payment card (i.e. another payment instrument).
I have briefly set out the facts of the case below, and will post my thoughts on each of these issues in turn over the coming days, but in summary I do not see how the first two points could be right, for reasons I will explain.

The third issue is a question of fact. In this particular case the issuer appears to have created a problem for itself by inserting factually inaccurate provisions in its card terms, so that "according to the framework contract" it was not technically feasible to block contactless use, even though it really is possible to decline the transactions on a stolen card.

The fourth is a really awkward twist in the tale, since it introduces huge practical challenges - and costs - for all payment service providers seeking to update their contracts to introduce new products and features, as well as aggravation for their customers.


The Facts

When it began issuing cards with NFC/contactless functionality, the bank in this case decided to also amend its payment card terms to avoid liability for unauthorised payments when the cards were used in contactless mode (i.e. using 'near-field communication' or NFC functionality).

The bank's new terms said that (a) the bank did not "have to prove" that a contactless payment was authorised; (b) it was unable to do so; and (c) it was "technically impossible" for the card to be blocked when used for low-value transactions, even if blocked for other types of transactions. On this basis the bank concluded that it was not liable for any unauthorised low-value contactless payments.

Like all payment service providers, to introduce these changes to its terms the bank relied on the 'unilateral change' mechanism under PSD2, so that customers would be deemed to have accepted the changes unless they notified the bank within two months that changes were not accepted, and terminated the contract.

Whether the bank could do this depended on whether the use of the contactless feature was itself a "payment instrument" independent of the use of the card in, say, Chip-and-PIN mode, mail-order/telephone order (MOTO) or indeed online. 

Two Austrian courts held that the contactless mode is not a payment instrument in its own right, so the bank can't escape liability in this way. So far, so good, because many card issuers would otherwise need to review their terms to figure out if they had properly addressed the contactless feature as a distinct payment instrument - and maybe many would be tempted to pull the same stunt.

However, both the Austrian consumer body who brought the original proceedings (the VKI) and the bank then appealed to the Austrian Supreme Court, which in turn referred to the European Court of Justice the issues of whether the contactless payment feature could be considered a payment instrument in its own right, and whether the bank could use the 'unilateral change' mechanism to introduce the exclusion of liability for contactless payments. The case actually goes back to before the implementation of PSD2, but the provisions under the PSD and PSD2 are essentially the same, so the ECJ's ruling will determine the position under PSD2 as well.

The preliminary step in ECJ proceedings is the filing of an Opinion of the Advocate General, with whom the court very often agrees.
