Global menu

Our global pages

Close

Advocate General opinion concerning the application of consumer protection rules and PSD2 to contactless payment cards in the case of DenizBank AG v Verein fur Konsumenteninformation (Case C 287/19)

  • United Kingdom
  • Payment systems and digital commerce
  • Financial institutions

21-05-2020

On 30 April 2020, the Court of Justice of the European Union (CJEU) published an opinion by Advocate General Campos Sánchez-Bordona concerning the interpretation of consumer protection rules when applied to the Payments Services Directive 2015/2366 (PSD2) specifically in respect of cards with near-field communication (NFC) functionality or commonly referred to as contactless payment cards (CPC).

NFC functionality is a key component of CPC, and allows for one-off payments of up to 50 Euros* (£45 in the UK) or multiple payments cumulatively worth 150 Euros* without the use of a personal identification number (PIN) to authenticate a payment. (*these are the increased thresholds to support consumers who choose to pay using CPC during the COVID-19 outbreak).

Personalised multifunctional payment cards are payment cards with a combination of anonymised NFC and personalised PIN functionality to authorise transactions. Clearly, any “non-personalised” or “anonymised” functionality poses a heightened security risk in respect of fraud. However, NFC has been proven to significantly increase the speed at checkout for consumers. As a result, finding the right balance between the two is essential to the viability of CPC. 

PSD2 seeks to strike a balance between payments being processed more quickly through the use of NFC functionality, and the risk of improper use of the card which is beyond the control of the card holder and the issuing bank. In light of these objectives, the referring court sought a preliminary ruling from the CJEU on the following issues:

1. Whether NFC functionality of a personalised multifunctional payment card should  be classified as a payment instrument as defined in Article 4(14) PSD2?

It was proposed that NFC functionality of a personalised multifunctional payment card must be classified as a payment instrument. As such, users of NFC-enabled cards would benefit from the protections afforded by PSD2.

2. What are the obligations on the issuing institution where CPC cards with NFC functionality cannot be blocked or prevented from further use and what is the liability of the issuing institution where the payment card is used anonymously?

A institution issuing a personalised multifunctional payment card to which NFC functionality has been added may be exempt from certain obligations under PSD2 if it can demonstrate that it is not technically feasible to block that card or prevent its further use in the event of loss, theft, misappropriation or unauthorised use. The obligations which it can agree with the customer to disapply relate to the notification of lost or stolen payment instruments and the liability position relating to the subsequent use of the payment instrument after it has been lost or stolen. In these circumstances, the issuing institution can essentially increase the payer’s liability for losses incurred, as it has no power to block the payment instrument and limit such losses. Many NFC enabled cards on the market can of course be blocked, so this exemption is unlikely to be of use to most PSPs.

The Advocate General proposed that the making of low-value contactless payments using the NFC functionality of a personalised multifunctional payment card constitutes an instance of that card being used ‘anonymously’ within the meaning of Article 63(1)(b) of PSD2. Therefore, if the holder of a personalised payment card explicitly consents to the inclusion of NFC functionality on that card, then the issuing PSP will not be liable for unauthorised transactions made when being used as a CPC (subject also to this position being reflected and agreed to by the customer in the issuing PSP’s terms).

3. Can a customer consent to a change of contractual obligations proposed by the PSP simply by not rejecting it?

It was proposed that implied acceptance cannot be extended to all of the framework contract’s conditions and should only be available for non-essential terms despite the right to make unilateral changes and deem acceptance of them under Article 52(6)(a) of PSD2. The addition of NFC functionality to a personalised card concerns the provision of a new service to the payment contract or an “essential change” to the conditions of the framework contract. Therefore the customer, once informed of the advantages and risks associated with the card’s NFC functionality, must unequivocally give their explicit consent to the inclusion of the “essential change” relating to that payment instrument or be asked to agree to a new framework contract.

The Advocate General’s opinion does not tightly define “essential changes”. Therefore, looking at this more broadly, it will be important for issuing institutions to understand how  this obligation to get customer consent for “essential changes” may affect their ability to make significant terms changes and their associated notice of variation processes. The risk of changes being deemed invalid by a court can of course not be ignored.  However, from a UK perspective, we see it very unlikely that there will be a change to existing legislation or further FCA guidance that will further limit the ability to make unilateral changes to framework contracts in the short term.

The Advocate General’s opinion still has to be accepted by the Court of Justice of the EU and we do not expect any decision to require a change in approach from UK payment service providers in the near future. We will continue to provide further updates on this matter in due course. If you have any concerns with the Advocate General’s opinion, please do get in touch.