Facts

On 11 November 2020 the European Court of Justice (ECJ) issued a decision in Deniz Bank (C-287/19) which clarified that:

  • the near-field communication (NFC) functionality of a personalised multifunctional bank card, by means of which low-value payments are debited from the associated bank account, constitutes a payment instrument;
  • a contactless low-value payment using the NFC functionality of such a personalised multifunctional bank card constitutes anonymous use of the payment instrument; and
  • payment service providers cannot easily avoid their liability under Articles 72, 73 and 74 of the EU Payment Services Directive (PSD II 2015/2366/EU) by simply asserting that it is impossible to block the payment instrument concerned or prevent its continued use where, in light of the objective state of available technical knowledge, that impossibility cannot be established.

Decision

The ECJ decision was based on a request for a preliminary ruling by the Austrian Supreme Court issued in a dispute concerning the standard terms and conditions of Deniz Bank, as initiated by the Association for Consumer Information against various provisions of these terms.

The ECJ also addressed an additional issue relating to the relationship between Article 52(6)(a) of the PSD II on tacit consent and the EU Unfair Consumer Contract Terms Directive (93/13/EEC). The ECJ held that while the information and conditions to be provided by payment service providers must be assessed in accordance with PSD II, this does not prevent a review of whether such terms qualify as unfair terms within the meaning of the EU Unfair Consumer Contract Terms Directive, if the payment service user qualifies as a consumer.

Comment

While NFC technology is a big step towards a user friendly and accessible means of payment for low-value payments, there are some risks involved since, in cases of loss or theft, the instrument can be used anonymously by non-authorised persons. No authentication is needed in the transaction and, as such, the question arises of who bears the risk of an unauthorised NFC transaction.

The ECJ held that payment service providers cannot avoid liability by simply asserting that payment instruments cannot be blocked if such an impossibility cannot be established. The ECJ also considered that the Supreme Court (OGH 25 January 2019, 8 Ob 24/18i) had already confirmed that Section 64(1)(3) of the Payment Services Act 2018 imposes a performance obligation on payment service providers, in a case also regarding the blocking of a card as a result of loss or theft of a bank card.

The latter will – by means of appropriate technical equipment – ensure that any further use of a card is blocked as soon as the provider receives notification from a customer. This performance obligation can be complied with only if the blocking mechanism works automatically and requires no additional action. Assuming that the technical means are available to immediately block the further use of a bank card, the ECJ decision could be read in a way that banks must apply more effort when drafting their terms and conditions in order to avoid taking on the risk of unauthorised NFC transactions.

Austrian banks obviously tend to draft their terms and conditions in a way that may not be fully in line with the EU payment services directives.