Article 67 - the payer’s refund rights in case of direct debits
Article 67 (1) of the European Commission’s (the Commission’s) proposal for a revised Payment Services Directive ( ) (see ‘related links’ below) contains a new paragraph regarding the payer’s refund rights in case of direct debits. On a positive note, it appears that there is common ground between the parliamentary amendments (please refer to amendment 144 in the report of the European Parliament Economic and Financial Affairs Committee (ECON) included in the ‘related links’ below) and the European Central Bank’s (ECB’s) opinion (see ‘related links’ below) on the Commission’s proposal (please refer to amendment 29 in the ECB’s opinion) that refund rights should not be dependent on the underlying commercial transaction. (It should always be remembered that this debate does not affect in any way the refund rights for unauthorised transactions.) Both the ECB and the European Parliament have understood that the approach as proposed in (please refer to Article 67 (1) last subparagraph ) would conflict with the currently unlimited refund rights under the Direct Debit ( ) Core Scheme.
Furthermore, it is clear that it does not make sense that payment service providers ( ) would have the role of assessing whether underlying contractual obligations between the creditor and the debtor have been fulfilled or not. However, it must also be noted that the suggestions from both the European Parliament (please refer to amendment 144) and from the ECB (please refer to amendment 29) do not provide for a satisfactory outcome concerning the refund rights for direct debits.
The European Parliament’s amendment 144 is not practicable as it foresees to include an unconditional right to refund for direct debits and to couple it with the conditional refund right under Article 67 (1) first subparagraph. (The proposed wording says “… in addition to …”) This proposal seems to overlook that an unconditional right to refund is not compatible with a conditional refund right and both rights cannot exist next to each other. Consequently, the European Parliament’s amendment 144 is not satisfactory. Furthermore, the European Parliament’s amendments 146, 147 and 148 in the context of refund rights provide for the possibility of fragmentation at European Union ( ) Member State level on important aspects which are very relevant from the operational perspective for the Core Scheme. If adopted and implemented at Member State level such Member State discretion would risk jeopardising the operation of the common Core Scheme - the migration to which is about to be completed for the euro-countries by August 2014 in accordance with Regulation (No) 260/ 20121.
On the other hand, the ECB’s suggestion in amendment 29 of its opinion introduces the notion of a ‘no-refund direct debit’ but there seems to be an important weakness that comes with the approach as put forward by the ECB. The ECB’s amendment 29 does not seem to provide for a solution to the issue that the processing of such direct debit collections without a refund right must be clearly limited to the operation of a specific payment scheme which has been specifically engineered for the processing of such no-refund direct debit collections (i.e. without a refund right and outside the operation of the Core Scheme). It must be excluded by designating a separate payment scheme for such purposes that ‘no-refund direct debits’ can be processed via the Core Scheme. Otherwise, the operation of the Core Scheme could be ‘contaminated’ with the processing of any incompatible ‘no-refund direct debits’. Such contamination could seriously undermine the trust in the operation of the Core Scheme. It should be noted that it is not sufficient that the payer and the payee would be required to agree separately on a ‘no-refund direct debit’ in respect of any listed goods and services and to clearly mention the absence of the unconditional refund right in the mandate. It would also need to be ensured that the processing of such a ‘no-refund direct debit’ is only allowed within the limitations of a separate (no-refund) payment scheme. This aspect of clear limitation for any ‘no-refund direct debits’ to a separate (no-refund) payment scheme is missing from the ECB’s amendment 29.
It must therefore be concluded that none of the proposals or amendments from the European Parliament or from the ECB for a new Article 67 (1) are satisfactory. The European institutions will need to recognise that including an unconditional refund right in the revised PSD (in addition to the unconditional refund right already being provided with the Core Scheme) would come with the risk that there would be zero flexibility in the future that any other direct debit scheme for consumers can be developed going forward. If they wish to leave flexibility for another direct debit scheme (e.g. by allowing for the processing of ‘no-refund direct debits’ in limited cases) then there needs to be a link to a (separate) payment scheme in the revised PSD in order to make sure that the operation of the Core Scheme is not jeopardised.
Inclusion of third party payment service providers ( ) in
It seems generally recognised that the inclusion of third party payment service providers ( ) within the scope of although inevitable implies a significant level of additional complexity in the area of transparency, security, allocation of liabilities, let alone the aspects of data protection.2 The current proposals are not yet suitable to meet this challenge.
Wider use of personalised security credentials is problematic
The European Parliament’s amendments (please refer to amendments 119 – 130) are based on the concept – similarly to the Commission’s proposal – that who are authorised by the payer (i.e. the payment service user) to provide payment services as described under Article 58 (1) are authorised to have access to the personal security credentials of the payer (payment service user).
This approach as proposed by the Commission and the European Parliament is in direct contradiction with the fundamental IT security principle that personalised credentials used to authenticate the payment service user must remain personal and must not be made accessible to any third party. This security principle was also endorsed by the ECB / Eurosystem’s SecuRePay Forum3 in its draft recommendations for the security of payment account access from January 2013 and the ECB / Eurosystem’s Public Note on Security of Payment Account Access Services, published in March 2014.
The opinion of the ECB on the proposed equally recommends (please refer to amendment 24 therein) to change the approach and instead to require to ensure so-called ‘strong customer authentication’ for the initiation of payments or access to account information, either by redirecting the payment service user in a secure manner to its account servicing payment service provider (AS ) for such authentication or by issuing their own personalised security features for such authentication. The ECB’s amendment 24 would bring the future PSD back to a reasonable approach to IT security in the interest of payment service users for situations where the use of is authorised. This is even more important in light of the fact that for the time being there seems to be consensus between the European Parliament and the Commission that only the operation of larger should be subject to prior authorisation and full supervision by the regulatory authorities (please refer to Article 27 (1) (a) and the European Parliament’s amendment 82).
The term ‘personalised security features’ needs to be defined
While the term ‘personalised security features’ is used in one of the most important sections in the proposal (please refer to Article 58), and in the opinion of the ECB on the proposal (please refer to the ECB amendment 24), it cannot be ignored that there is no definition of this important term proposed in any of the relevant documents (including the Commission’s proposal, the opinion of the ECB on the proposal, the final recommendations from the SecuRePay Forum for the security of internet payments, the draft recommendations from the SecuRePay Forum for the security of payment account access).
The report from the European Parliament recommends replacing the term ‘personalised security features’ with the term ‘personalised security credentials’ throughout the document. It should be recognised that this report seeks to fill the conceptual vacuum by proposing a definition of ‘personalised security credentials’ in its amendment 55. However, it remains doubtful whether it is appropriate to replace the term ‘personalised security features’ as used in Article 58 (2) of with the term ‘personalised security credentials’. It appears from the use of the terms in Article 58 (2) that the Commission had deliberately used the two different terms when drafting Article 58 (2). From the wording of Article 58 (2) it could be concluded that the term ‘personalised security features’ is meant to be broader than the term ‘personalised security credentials’ which only seems to refer to the information or data that can be used for the validation of the identity of a natural or legal person. In light of the confusion around the use of those two terms, which stems from the lack of definition in , it would appear that the onus is on those institutions who propose the use of these terms and these concepts to also offer a suitable definition in order to render their recommendations complete. The proposal from the European Parliament (in amendment 119) to consistently replace the term ‘personalised security features’ with the term ‘personalised security credentials’ might in some cases be inappropriate because it risks being too narrow (depending on the meaning as envisaged by the authors of Article 58 ) as a term.
Notification of the ’ authorisation to the AS prior to any payment initiation is a must
One of the weaknesses of the proposal in the context of the obligations under Article 58 was the lack of clarity about how the account servicing of the payer should be informed about the authorisation of the for a particular payment initiation from the payer (the account holder). Account servicing (AS ) must be notified (in a manner that allows keeping records of such notifications) about the explicit consent from the payer concerning his decision to involve a . It needs to be remembered that a key role of the account servicing is to be the custodian of the funds of the payment service user. It is, for this reason, indispensable that AS are notified of the explicit consent from the payment service user. The proposal lacks clarity in this regard.
The report from the European Parliament in its amendment 116 provides for an important clarification that the AS “shall not deny access” under Article 58 to the “when it (i.e. the AS ) has been authorised to carry out a specific payment on behalf of the payer provided that the payer gives its consent in accordance with Article 57 in an express (explicit?) manner.” (Parenthesis added.) This amendment 116 from ECON is fully in line with recommendations from several stakeholders that there must be clarity and certainty that the AS will be notified (and it is important that this notification takes place ‘ex ante’) about the consent (i.e. the authorisation) from the payment service user in the case of each payment initiation or account information service. Otherwise, account servicing cannot comply with their responsibility of custodian of the funds of the payment service user.
The liability for errors or failures resulting from involvement cannot belong to the AS
Under no circumstances should the AS be held liable for the ’s mistakes, failures or for specific risks (including man-in-the-middle-attacks) that result from the ’ sphere or activities. The only exception to this principle could be envisaged in the event of an agreement between the and AS concerning the terms of payment order initiations and account information services by such .
The ECB opinion in its amendment 27 is aligned with the Commission’s proposal and equally foresees the obligation of the AS to refund the payment service user in cases of unauthorised transactions resulting from involvement (Article 65 (2) ). It keeps the liability versus the payment service user and consequently also the burden of recovery (from the ) on the AS in the event of any mistake or failure by a . It is not clear from the ECB explanations why it is felt that the AS should carry the risk of recovery (having to claim a compensation from the ) and the insolvency risk for a provider that was chosen by the .
Amendment 27 in its explanation mentions that “from a customer perspective, it is natural that the payer would turn to the AS for a refund, since their relationship with the may only take place on a one-off basis, e.g. for payment initiation.” It could be questioned if this perspective and reasoning is appropriate. It would appear that it makes sense that instead a payment service user is held liable for his/ her decisions or choices - and that the responsibility and the risk together with the burden of recovery (from a ) of any losses are kept with the person or entity where the relevant decision was made.
The ECB’s amendment 27 however proposes to align the rules about the right of recourse (Article 82 ) for unauthorised transactions with the rules in case of defective, late or non-executed transactions. Such alignment about the right of recourse for both scenarios, (unauthorised transactions and, on the other hand, non-execution, defective or late execution of a transaction), appears sensible.
The European Parliament in its amendment 137 equally proposes to place an obligation on the AS to refund the in cases of unauthorised transactions. However, it places the burden of proof (“if the cannot demonstrate that it is not liable …”) on the that it is not liable for unauthorised payment transactions. This amendment from the European Parliament is an improvement versus the Commission proposal for Article 65 (2) .
Why should AS carry the burden to recover losses incurred from defective or unauthorised transactions from ?
Placing the burden of recovery on the AS would constitute a very important and additional type of exposure for every AS . Such new exposure would – from a legislative perspective - be unusual and inappropriate given that the AS has no role in appointing or mandating a nor in limiting the use of any . It is a basic principle of proper liability allocation that the risk exposure is with those actors who are able to control a risk or are able to make a particular choice. In this case it is the payment service user who takes the relevant decision and who is in a position to control the risks. If the risk allocation and the risks would remain in the revised PSD with the AS who have no role in appointing or mandating a , then this allocation would introduce an important element of risk distortion into the revised PSD. Such risk distortion, if upheld in the future legislation, would consequently have to be reflected in the prudential risk profiles for AS .
Legal basis for recovery by AS of additional cost is unclear
While Article 82 (1) would seem to provide for a legal basis for AS being able to claim and recover from a any losses or sums paid under Article 80 (and according to ECB amendment 30 also for losses or sums paid under Article 65 ), it is noteworthy that any ‘further financial compensation’, (which would be legitimate but strictly beyond the claim itself under Article 80 and – according to the ECB’s amendment 30 – also for claims under Article 65), should be claimed in accordance with ‘agreements between …’ and ‘the law applicable to the agreement between them’ in accordance with Article 82 (2) .
It should be noted that neither the Commission’s proposal nor the European Parliament’s report provide for any clarity on how AS should be (legally) able to recover their ‘additional cost’ incurred after having refunded a payment service user in the case of an unauthorised transaction or late or defective execution of a transaction in accordance with Articles 65 (2) or 80 (1), third subparagraph of . AS would inevitably incur cost (internal and external cost including potential legal fees) for stepping in (in the form of refunding the payment service user) for and for subsequently pursuing their claims against any in the event that a would be liable to the payment service user and to the AS for an unauthorised or defective, late or non-executed transaction (Article 65 (2), second sentence, Article 80 (1) and (2) ). An AS must be able – where justified - to recover such cost from those parties who could be responsible for generating defective or unauthorised transactions.
If further ‘financial compensation’ can (only) be claimed on the basis of ‘agreements between ’ and if it is unclear whether an agreement between a (also being part of the wide category of ) and an AS can - as a matter of principle - be made a requirement it would seem unclear on what legal grounds AS would be able to claim or recover their cost incurred for pursuing their legitimate interests versus in the event of unauthorised or defective transactions. It is noteworthy that the European Parliament’s amendment 125 is in direct contradiction with the logic in Article 82 (2) that further financial compensation between (including between AS and ) may be determined in accordance with agreements between them. Amendment 125 of the European Parliament specifies that “TPPs shall not be required to enter into contractual relationships with account servicing in the context of payment initiation or account information services.”
However, the future PSD must provide for a clear legal basis for such legitimate claims by AS and enable them to recover their cost should the concept be upheld that AS must step in and refund payment service users in the event of an unauthorised or defective payment transaction resulting from involvement. Currently, the amendment 125 proposed by the European Parliament is not compatible with the concept proposed in Article 82 (2) , (whereby further financial compensation may be determined in accordance with agreements), creating a vacuum in this context. Neither the report from the European Parliament nor the proposed ECB amendments have appropriately dealt with this issue.
Furthermore, it appears questionable if it makes sense that the legal basis for claims by an AS for pursuing further financial compensation against a should be left to contractual relationships. From a legislative (systematic) perspective it would most likely be appropriate that a legal basis for the recovery of such cost be inserted into Article 82 and the reference to possible contractual claims be replaced with such legislative solution as it is already foreseen for claims under Article 82 (1) for losses incurred as a result of a refund to the payment service user.
In summary, it must be concluded upon review of the European Parliament’s recent report on that there are several important aspects such as the details of the refund rights for direct debits and the obligations of and AS in the case of payment initiation or account information services via which require further review. None of the submitted proposals for a new Article 67 on refund rights in case of direct debits or regarding the obligations for and AS in the case of payment initiation via are satisfactory at the moment. The arguments laid out in this article illustrate that more detailed work will need to be undertaken before a viable new legislative framework for payment services in the is ready for adoption and implementation.
Hartmut Seibel is Legal Counsel to the .
EPC Blog: PSD2 – The New Article 67, (‘Refunds for Payment Transactions Initiated By or Through a Payee’), Proposed by the European Commission Risks Undermining Consumer’s Unconditional Refund Right for Direct Debits Included with the SEPA Direct Debit Core Scheme
EPC Blog: PSD2 – EPC Identifies Considerable Scope for Amendments of the Proposed New Set of Rules Related to the Activity of Third Party Payment Service Providers Offering Payment Initiation or Payment Account Information Services
European Central Bank (5 February 2014): Opinion on a Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and Repealing Directive 2007/64/EC
European Parliament Economic and Monetary Affairs Committee (ECON) (11 March 2014): Report on the Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC
Regulation (EU) No 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009 (the SEPA Regulation) (see Article 5(3) (d) (ii))
Related article in this issue:
Related articles in previous issues:
1 Regulation ( ) 260 / 2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No. 924 / 2009, as amended by Regulation ( ) 248 / 2014.
2 The Opinion of the European Data Protection Supervisor on , dated 5 December 2013, illustrates the challenges that remain to be resolved from the data protection perspective.
3 The European Forum on the Security of Retail Payments (SecuRe Pay Forum) was established in 2011 as a voluntary cooperative initiative between relevant authorities from the European Economic Area – supervisors of payment service providers and overseers in particular – formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.