In cases where the payer could not possibly detect the loss, theft or misappropriation of his instrument before it was used, is it correct to state that there can be no liability at all, including if the payer has acted with gross negligence?
We are seeing an increase in the number of phishing attacks. In many cases, the PSP refuses to apply the rule in Article 74 (1), second subparagraph (a) because they are of the opinion that the victim has acted with gross negligence, which would be an exception to the second paragraph.
According to Recital (7) of the PSD2, “In recent years, the security risks relating to electronic payments have increased. […] Safe and secure payment services constitute a vital condition for a well-functioning payment services market. Users of payment services should therefore be adequately protected against such risks. Payment services are essential for the functioning of vital economic and social activities”. Thus, the aim is to protect consumers. Article 74 (1) should be read bearing in mind this objective.
In Belgian national law, the case of loss, theft or misappropriation of a payment instrument refers, notably, to hacking, phishing or skimming of a payment instrument. In other words, "misappropriation" also covers cases where personalised security credentials have been stolen while the user is still in possession of the payment instrument. The aim is to protect the victim of the fraud. In this sense, the existence or not of gross negligence on the part of the victim of the fraud should therefore not be relevant in the case where the payer could not have detected the fraud, even if he committed gross negligence. Any other interpretation would make this provision meaningless.
Does this interpretation comply with Article 74 PSD2?
The answer is no. Gross negligence incurs the payer's liability with no cap. In case the payer did not act with fraud or gross negligence, the payer may nevertheless be liable for a lost, stolen or misappropriated payment instrument up to a maximum of 50 euros unless such a situation was not detectable to the payer or the loss was caused by acts of the PSP.
Article 74(1) of Directive (EU) 2366/2015 (PSD2) - third subparagraph - is the general rule on payer’s liability for unauthorised payment transactions. The payer shall bear all the losses relating to any unauthorised payment transactions if they are incurred by the payer i) acting fraudulently or ii) failing to fulfil one of its obligations set out in Article 69 with intent or gross negligence.
Article 74(1) (first subparagraph) stipulates that the payer may (it is therefore only an option for the Member State) (nevertheless) bear losses up to 50 euros for unauthorised transactions following loss, theft etc. of a payment instrument. This subparagraph is to be understood as applying in the case where the payer did not act fraudulently and had not failed to fulfil one of its obligations with intent or gross negligence.
Article 74 (1) (second subparagraph) disapplies the above option to oblige the payer to bear losses up to 50 euros established in the first subparagraph:
a) where the payer could not know that the payment instrument was lost or stolen before it was fraudulently used (except if the payer acted himself fraudulently), and
b) where the loss was caused by an act of the payment services provider, PSP (imprudent sending by post of a card + pin-code for example).
Only the payer’s fraudulent act is indeed mentioned as an exception to a) above, but not negligence as such.
In fine, in the overall case where the payer acted fraudulently or failed to fulfil one of its obligations set out in Article 69 PSD2 with intent or gross negligence, his liability cannot in any way be capped according to the third subparagraph of Article 74(1).