Showing posts with label online payment services. Show all posts

Tuesday, 8 October 2024

New rules on authorised push payment fraud in the UK

Yesterday was a big day for UK consumers when the new rules on compensating victims of authorised push payment fraud (APP fraud) came into force.

APP fraud is when consumers are tricked into sending money to the fraudster. It can happen in various ways, e.g. via impersonation fraud, romance fraud or email takeover fraud. The point is that the consumer makes the transfer of the money (and therefore the transaction is authorised by the consumer), and this fact differentiates this type of fraud from others where the consumer does not consent to the transaction, e.g. when the consumer's bank card is stolen and used for purchases (unauthorised transaction). APP fraud is the most prevalent fraud in the UK, and in Europe. The number of consumers affected increases year by year.

UK reforms started under pressure from the consumer group Which?, which submitted a Super-Complaint to the Payment Systems Regulator, noting the increasing prevalence of APP fraud and calling for rules to tackle the problem. They pointed out that the general rule of shifting the liability for the loss from the consumer onto the bank applied to all unauthorised transactions but did not apply to authorised transactions, and they argued that there were no legitimate reasons for maintaining this exception.

In 2019 the Contingent Reimbursement Model Code was adopted. This voluntary code was signed by most major retail banks. However, although the Code established the desired main rule, it had numerous exceptions, such as effective warnings and gross negligence. After a while, it became apparent that the Code was not as effective as it could be, and the Government decided to take action. The Financial Services and Markets Act 2023, in Section 72, deals with the payment service provider's liability for fraudulent transactions, empowering the Payment Systems Regulator to bring rules in the area. These rules (PSR Specific Direction 20) entered into force yesterday:

  • the new rules apply to all payment service providers, not just banks
  • the rules protect individuals, microenterprises and charities
  • the rules apply only to UK domestic payments made using the Faster Payment System
  • the rules provide for mandatory reimbursement except when consumers were complicit in fraud or grossly negligent; the Regulator, however, clarified that the gross negligence exception is a high bar and does not apply to vulnerable consumers
  • firms can choose to have a £100 excess (except in the case of vulnerable consumers)
  • the maximum amount claimed can be £85,000, or firms can opt for a higher threshold internally
  • reimbursement amount is shared 50-50 between sending and receiving bank
  • there are set claims and reimbursement deadlines.

The new rules are certainly welcome. APP fraud caused a lot of consumer detriment, and the lack of effective rules led to legal uncertainty. It is a positive development that there are far fewer exceptions in the new rules. However, exceptions and limits do exist, e.g. the rules do not apply to international transactions, and there is uncertainty about how the gross negligence exception will be enforced and who will be considered vulnerable consumers for the purposes of the exceptions. These nuances will need to be carved out by practice, and the Financial Ombudsman Service, which handles consumer complaints, is likely to play a key role.

Although these rules apply to UK domestic transactions only, they are helpful to know given the prevalence of APP fraud in other countries, including EU Member States, and can be beneficial in developing PSD3.

Wednesday, 27 June 2018

C-191/17 AG Tanchev on the notion of 'payment account'

Last week Advocate General Tanchev delivered a not very ‘consumer friendly’ opinion in case C-191/17 Bundeskammer für Arbeiter und Angestellte v ING-DiBa Direktbank Austria Niederlassung der ING-DiBa AG. Referred by the Oberster Gerichtshof (Supreme Court of Austria), this case involves the interpretation of Article 4 (14) of Directive 2007/64/EC on payment services in the internal market (PSD1).

Representing consumer interests, the Bundeskammer für Arbeiter und Angestellte brought an action against ING-DiBa Direktbank Austria alleging that the bank’s ‘Direkt-Sparen’ (‘direct savings’) product (referred to as online direct savings account) contains a large number of standard terms and conditions that are not compliant with the Austrian law transposing PSD1. Given the special nature of the financial product, the subject of the dispute became the scope of PSD1, i.e. whether this particular kind of account qualifies as a payment account within the meaning of PSD1.

Article 4 (14) PSD1 provides that a 'payment account' is an account held in the name of one or more payment service users which is used for the execution of payment transactions. The definition itself neither specifically refers to nor specifically excludes the particular product in question.

What is an online direct savings account and how does it work?

The online direct savings account is a particular kind of bank account. It is labelled as a savings account, i.e. one that should be used for depositing money for saving purposes. However, access to this account is granted via online banking, enabling consumers to make deposits and withdrawals from the account. Any transfer, however, must be carried out through another account called a reference account. The reference account must be a current account opened in Austria, but can be held by any Austrian bank; it does not have to be held with the same bank that holds the online direct savings account. A consumer is able to decide, without any restriction or notice, when and in what amount the consumer transfers money between the online direct savings account and the reference account.

Is the online savings account covered by PSD1?

Interpreting the provision in question in the context of other provisions of PSD1 (other definitions within Art. 4, Art. 2, and the Annex) and related EU legislation (Directive 2014/92/EU and Regulation 260/2012), AG Tanchev concluded that the particular product cannot be considered to be a payment account within the meaning of Article 4 (14) of PSD1, because this account does not involve ‘direct participation in payment transactions with third parties’.

Our evaluation

Although AG Tanchev rightly said that the mere labeling of an account as a ‘savings account’ is not in itself an indication that the account does not constitute a ‘payment account’ within the meaning of PSD1, what seems to have been determinative in his reasoning was that the online direct savings account is not intended to be used for transactions between the consumer (account holder) and third parties, essentially accepting the argument of the defendant bank. Whilst this may be true, if the account allows consumers to execute payment services, consumers would surely deserve to have the same level of protection that belongs to users of payment accounts. According to AG Tanchev, this protection will be provided for consumers via the protection they enjoy by the underlying reference account. Whilst this may be correct, by the same token, applying a different regime for the two accounts creates uncertainty and opens a potential protection gap for consumers. In case of a future dispute, the bank holding the online direct savings account would be able to use the same argument as a shield against its liability: that the higher level of protection offered by PSD1 attached to the reference account does not apply to the transaction executed through the online savings account, because the transaction was attached to that separate account and not to the reference account. The situation gets even more complicated, leaving consumers with less access to redress, when the two accounts are held by different banks.

In this instance we must agree with the EU Commission’s submission that argued against the restrictive approach in interpreting the scope of PSD1. The EU Commission stressed that the purpose of PSD1 is to confer protection on the users of payment services, as mentioned in recital 46 and in the articles of Title IV of PSD1. The accounts covered by PSD1 benefit from certain minimum regulatory requirements for the proper execution and processing of payment transactions, and such protection is denied to consumers in the event of a restrictive interpretation of the notion of a ‘payment account’ within the meaning of PSD1 (para 21).

Whilst the opinion involves the interpretation of PSD1, it remains relevant in the light of the current PSD2 that contains exactly the same provision in Article 4 (12) and seems to make no special reference to the features of the product under scrutiny here.



Thursday, 15 September 2016

Provision of information on a durable medium: AG Bobek on Case C‑375/15

Today, an interesting opinion by AG Michal Bobek has been published. It concerns more directly the field of e-banking, but also touches on a question of more general relevance to consumer law, namely when information can be said to have been "provided" to consumers and what constitutes a "durable medium" allowing prolonged accessibility of the information. 

In the case under review, a bank was using its e-banking mailbox as a tool to communicate changes in its terms and conditions to its customers. The question before the Court of Justice boiled down to whether this practice complied with the Payment Services Directive (Directive 2007/64/EC), which requires information on contractual changes to be provided to consumers in a timely manner on a durable medium.

The AG starts by pointing out that, in his opinion, "providing" the information is a separate requirement from the "durable medium".

The "durable medium" requirement has been the object of some discussion; the AG concludes that the most reasonable understanding of this requirement, not only in the context of this directive, is that it does not entail that information should be provided on a physical or "hardware" support, but that only two main characteristics should be guaranteed:
1) accessibility for an appropriate amount of time; 
2) unaltered "reproducibility", which entails both the possibility to store the information for the consumer and the impossibility for the service provider to alter the contents of said information.

According to Bobek, it will be difficult for internal mailboxes to fulfill these requirements on their own merits; in other words, the mailbox can hardly be the "support" or durable medium on which information is provided. However, they can more easily be a transmission mechanism for information on a durable medium, such as, we understand, a PDF file.

On the other hand, even if reasons existed for the national court to consider the information as given on a durable medium, the transmission via internal mailbox cannot in itself be considered as "provision" of information. The information can, under the directive, only be considered to have been "made available" to the consumer.

Provision of information, according to the AG, can be said to have been accomplished if a further alert is sent to the consumer through an instrument that he would more easily have regular access to, such as a personal email address or home mail.

Although this seems to set the bar pretty high, the solution presented could still be seen as more lenient to service providers than the Court's precedent in Content Services, which had considered an email containing a link to a webpage not to represent "giving" of information under the Consumer Credit Directive (2008/48/EC). While the AG seems tempted to suggest that Content Services should be overturned or at least delimited, he mostly directs his efforts at distinguishing the two cases, by pointing out that the two directives (Payment Services and Consumer Credit) employ different language and also pursue different goals. Additionally, the AG observes that in a framework service contract such as the one at hand in the present case, the parties can agree that in general communication will take place via internal emails; thus in this case, once a consumer is alerted, "clicking several times or even typing a user name and passwords" are not actions which it is unreasonable to require from a consumer to "receive" information sent to them (see para 82).
  
The opinion addresses several potentially contentious issues, which is confirmed by the fact that several governments (including the Italian and Polish governments) and the Commission intervened in the procedure.

PS: As an aside, the opinion also touches on the question of whether the right to be provided information (in a certain way) can be waived by means of consent to standard terms. In this case, the question is not addressed by means of the Unfair Terms Directive; however, the court case stemmed from an injunction by a consumer association which sought to prevent the bank's continued use of a term by which the consumers agreed to information concerning contractual changes being provided in the way discussed. The Commission claimed this was a valid term; the AG disagrees.