New challenges posed by the Payment Services Regulations 2017 – how an ASPSP can recover customer compensation for unauthorised payments caused by a TPP



Payment service providers (“PSPs”) are grappling with changes to the UK payment services regulatory regime introduced by the Payment Services Regulations 2017 (“PSRs”). These include changes to the liability regime where customers seek compensation for disputed transactions. This regime has previously been described by the Financial Conduct Authority (“FCA”) as “complex”, and the Financial Ombudsman Service (“FOS”) has acknowledged that such complaints are “rarely clear-cut”.

Customers can now seek a refund from account servicing payment service providers (“ASPSPs”) for loss caused by third party providers (“TPPs”) when making payment transactions regulated by the PSRs. This has caused some controversy in the industry, raising the question of when ASPSPs must compensate customers when a TPP has caused loss, and what legal recourse the ASPSP might have against the TPP to recover sums paid.

We set out below the “threshold” questions for an ASPSP to consider when it receives a customer notification for compensation and how an ASPSP can recover compensation from a TPP.

Customer compensation - threshold questions

There are four “threshold” questions that we would suggest considering as a starting point when an ASPSP receives a customer notification for a refund for an unauthorised transaction, and an ASPSP’s duty under Principle 6 to treat customers fairly will underpin this analysis.

1. First, does the customer’s loss arise from an unauthorised transaction? The burden of proof is on the ASPSP to show that the customer authorised the transaction. This is rarely straightforward. It is not sufficient for an ASPSP to say that the apparent use of a password or card and PIN conclusively proves that the customer authorised a payment. The question will generally be determined by all of the circumstances of the transaction, which could include looking at the customer’s account history and whether the transactions were out of the ordinary based on their spending habits and locations.

2. Second, on becoming aware of the unauthorised transaction, has the customer notified the ASPSP: (a) without undue delay; and (b) in any event, no later than 13 months after the debit date? Even so, customers can still make a FOS complaint and/or issue a claim against the ASPSP within the statutory limitation period. In addition, FOS cases suggest that the 13 month time limit relates only to claims for a refund under the PSRs; it does not entitle ASPSPs to refuse, for example, to investigate and respond to customer complaints in relation to disputed transactions.

3. Third, has the customer’s loss been incurred from the use of a lost or stolen payment instrument, or from the misappropriation of a payment instrument? In such cases the ASPSP might be entitled to require the customer to pay up to a maximum of £35 in respect of the loss. There are exceptions to this—notably where the loss, theft or misappropriation of the payment instrument was not detectable by the customer prior to the payment (unless the customer has acted fraudulently).

4. Fourth, has the customer (a) acted fraudulently or (b) with intent or gross negligence failed to comply with the ASPSP’s obligations in relation to the customer’s payment instrument, failed to notify the ASPSP in relation to the loss of the payment instrument, or failed to take reasonable steps to keep personalised security credentials safe? Proving “gross negligence” can be difficult, not least because there is no legal definition of this term. It is generally taken to mean more than mere carelessness and FCA guidance states that the customer must have shown a “very significant degree of carelessness”. FOS decisions suggest that the analysis is finely balanced: a customer who kept their debit card and PIN together in their wallet was held to have been grossly negligent when they were stolen in public; whereas a customer who kept their debit card and PIN together in their bedroom drawer was not grossly negligent when they were stolen from there.

Recovery from a TPP

The other major change to the liability regime is the new obligation on ASPSPs to compensate customers for unauthorised transactions where the loss is caused by an authorised TPP, and the corresponding rights of recourse and action that ASPSPs have against such TPPs.

Whether the TPP is a payment initiation service provider (“PISP”) or account information service provider (“AISP”), the ASPSP has a right of recourse pursuant to the PSRs to recover compensation from them. Where an unauthorised transaction initiated by a PISP occurs, the PISP holds the burden of proof to show that the transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment initiation service.

Failure by the TPP to compensate the ASPSP gives rise to a right of action pursuant to the PSRs for breach of a regulatory requirement. The ASPSP might also consider bringing a civil claim against the TPP in common law negligence, although there will be some practical issues to take into account. These include whether: the TPP can be identified; the TPP has the means from which the ASPSP can recover its loss; the value of the ASPSP’s loss justifies the time and cost of litigation; the ASPSP has the appetite to pursue litigation which is inherently risky and could become protracted; and there are potential reputational concerns in using a public dispute resolution process.

Industry-developed solutions which enable communication and exchange of information between ASPSPs and TPPs in relation to complaints and disputes involving both parties should also be considered.

What this means for ASPSPs in practice

This is a high volume and complex area for ASPSPs to manage. We expect the FCA to be particularly interested in whether ASPSPs’ policies and procedures result in consistent decision making and good outcomes for customers. ASPSPs should also have in place appropriate governance and oversight to maintain the quality of these processes, identify trends, manage emerging risks, and measure outcomes. All of this should form part of a holistic approach to unauthorised transactions which will likely include communicating with customers to raise awareness of unauthorised transactions and fraudulent activity, ensuring that customers are not deterred from making claims due to onerous claims procedures, and ensuring that account terms and conditions correctly reflect the appropriate regulatory requirements.

For more information on the legal rights and obligations arising under the PSRs, or to receive a copy of our regular Payment Matters briefing on payment services in the United Kingdom and European Union, please contact us directly.