The Court of Justice of the EU (CJEU) has published an Advocate General's (AG) Opinion in the case of DenizBank AG v Verein für Konsumenteninformation (Case C-287/19) [EU:C:2020:322] on the application of the revised Payment Services Directive (Directive (EU) 2015/2366) (PSD2) to contactless payments and the ability to unilaterally vary a framework contract for the provision of payment services. The opinion discusses the derogation allowed under Article 63(1) of PSD2 in the context of contactless payments and has come to the view that NFC contactless functionality on cards constitutes a payment instrument in its own right, distinct from the use of the card with chip and PIN functionality. Most significantly, the opinion also suggests that a customer's explicit consent is needed to vary the terms and conditions of a payment services contract for all but non-essential changes.
DenizBank's terms and conditions sought to take advantage of a derogation under Article 63(1) of PSD2 which enabled it, amongst other things, to exclude itself from liability for unauthorised transactions where a card was used to initiate low-value payments using contactless functionality. The bank's framework contract also allowed for implied acceptance of terms by customers, as permitted under Article 52(6)(a) of PSD2, which extended to any type of contractual changes including the addition of NFC contactless functionality to its bank cards.
The referring court raised concerns regarding potential detriment to consumers arising from the use of contactless cards (in this case, resulting in the consumer's responsibility for loss associated with the unauthorised use of the card by a third party). It therefore sought a preliminary ruling from the CJEU on the following issues:
- Whether the fact that payment cards are NFC-enabled allows that functionality to be classified as a payment instrument as defined by Article 4(14) of PSD2?
- If NFC-enabled contactless functionality is a separate payment instrument:
  - Is the use of such functionality considered as anonymous use of the payment instrument so that the derogation in Article 63(1)(b) of PSD2 is applicable?
  - Is Article 63(1)(a) to be interpreted as meaning that a Payment Service Provider (PSP) can rely on that derogation only if it can be established, according to the objective state of technical knowledge, that the payment instrument does not allow its blocking or prevention of its further use?
- Can a customer be taken to have accepted the changes to a framework contract by simply not rejecting them?
Key outcomes from the Opinion
The AG concluded that:
- On the facts of the DenizBank terms and conditions, the NFC functionality of a personalised multifunctional payment card was to be classified as a separate payment instrument. Multifunctional cards therefore feature two different and separate payment instruments:
  - the personalised device that requires strong authentication (e.g. chip and PIN); and
  - a "set of procedures" using NFC (or contactless functionality) for making low-value payments.
- The AG noted that using NFC functionality must be regarded as anonymous use of a payment instrument as the issuing institution cannot demonstrate that the payment was indeed authorised by the card holder.
- The derogation under Article 63(1)(a) can be used by a PSP issuing a personalised multifunctional payment card to which NFC functionality has been added only in circumstances where it can demonstrate that it is not technically feasible to block that card or prevent its further use in the event of loss, theft, misappropriation or unauthorised use.
- Implied or tacit acceptance of terms of a framework contract by a customer as permitted under Article 52(6)(a) of PSD2 must be strictly interpreted and may not apply to "essential" elements of the contract, which in this case included terms relating to contactless functionality of a payment card.
Possible impact on firms
The conclusion reached that a payment card can incorporate separate payment instruments (as opposed to being one payment instrument that can be used in a number of ways and with authentication being carried out in different ways depending upon how that payment instrument is being used) is probably a surprising one. It has consequences for how these cards and the credentials are issued and what might amount to an unsolicited payment instrument.
If this decision is followed by the CJEU, this could mean that new contactless cards, to replace cards without such functionality, could only be issued at the cardholder's request. It might also call into question the ability to roll out other authentication mechanisms, such as OTP authentication for e-commerce transactions.
The finding of the AG in this opinion that a customer's explicit consent is needed to vary T&Cs of a payment services contract for all but non-essential changes does have the potential to have a wider impact.
Currently, Article 52(6)(a) of PSD2 permits a PSP to unilaterally vary a customer's framework contract for payment services by giving two months' advance personal notice of the changes, and the PSP is able to treat the changes as accepted if the customer does not notify the PSP to the contrary before they come into effect. The AG opinion states that this provision should be restricted to "non-essential" changes only. This would mean that deemed acceptance of terms changes, including potentially acceptance by conduct, would only be sufficient to enable non-essential changes.
The AG does not define what is meant by an "essential change". The AG does point out that in his view, the introduction of a new payment instrument coupled with the use of the derogation allowed under Article 63 (which enables the PSP to shift liability for unauthorised transactions made using the new payment instrument) constitutes the provision of either a new service or amounts to an essential change to the conditions of a framework contract. In either case a customer must provide their unequivocal explicit consent.
In our view, a key driver for the AG reaching the view he did was the fact that a customer's liability exposure was increased without the customer indicating it wanted the new functionality on its card. The AG clearly felt uncomfortable that a bank could fundamentally increase the liability exposure of the customer in that way. This looks like a change that is so significant that it changes the initial bargain and, therefore, a customer's consent must be obtained. So it appears that "essential" probably means something akin to the "essential characteristics" of the product or service. However, beyond that there remains uncertainty. Is the price (such as the interest rate) an essential characteristic? Or are we simply looking at non-core terms that are key?
In reaching that view, the AG has certainly strained the interpretation of the PSD2 provisions to such an extent that it reads in requirements that are simply not in the legislation as drafted.
We wonder whether the AG should have looked beyond the PSD2 for its approach and considered whether, for example, a variation power that enabled a bank to impose liabilities on a customer they did not have previously by providing a service that was never asked for, was an unfair term? The AG could also have drawn upon principles established in the EBA Guidelines on product oversight and governance arrangements for retail products (EBA/GL/2015/18) in relation to a detrimental operation of the change to the product. Instead, there appears to have been a significant change to what is a clear provision of the PSD2 to achieve a policy objective on the facts of a particular case.
In the UK, card issuers have not, as far as we have seen, sought to impose liability on customers for contactless payments in the way that DenizBank did. While the case could ultimately be distinguishable on the facts, the wider ramifications could be significant if this approach is confirmed by the CJEU.