The Court of Justice of the EU yesterday handed down its judgment in the case of DenizBank AG v Verein für Konsumenteninformation (Case C 287/19).

This case considers the interpretation of the Payment Services Directive (PSD) and follows a worrying Advocate General's Opinion (AG Opinion) earlier this year. 

WHAT WAS ALL THE FUSS ABOUT?

Readers will recall that the AG Opinion found the following:

• NFC / Contactless functionality on payment cards constituted a separate payment instrument, distinct from the Chip and PIN functionality on the card.
• The NFC functionality, therefore, could fall within the low value payment instrument exemptions under the PSD, which meant that a payment service provider could include wide exclusions of liability for unauthorised transactions resulting from the use of the contactless card;
• However, the provisions of the PSD that enable changes to terms to be made by "tacit acceptance" by giving 2 months' notice was limited to "non-essential" changes only, so that express consent was required for other changes.
• The introduction of terms, including exclusions of liabilities, relating to contactless card functionality, coupled with an automatic switch on of the contactless capability of the card when it was used was not permitted under the PSRs and required the customer to expressly agree to these changes.

The industry was particularly concerned about the ramifications for contactless cards, but was also concerned about the wider potential impacts on future and historic practices around changes to terms and conditions, particularly in relation to open ended agreements, such as bank accounts.

THE GOOD NEWS

Tacit agreement provisions are subject to unfair terms legislation

The CJEU's judgment on tacit acceptance is not as damaging as a decision based on the reasoning in the AG Opinion would have been. The court found that the PSD provisions dealing with changes to framework contracts in Art 52(6)(a) and 54(1) were all found within Title III to the PSD, which itself deal with "Transparency of Conditions and Information Requirements". On this basis, the CJEU found that these provisions do not actually set the obligations between the parties (i.e. they do not permit or prevent tacit acceptance). They simply provide for how a firm must communicate with a customer where tacit acceptance is provided for in the agreement.

On this basis, the CJEU found that, how a contract could be varied or provisions added was a matter for consideration taking account of unfair contract terms obligations. The court did not elaborate further on whether terms that had enabled the introduction of the contactless functionality provisions in the Denizbank agreements were fair or not and referred to the previous CJEU decisions, including the EU case of RWE Vertrieb.

Given UK firms will have variation provisions in their terms and conditions that will have taken account of unfair terms obligations, there will be no immediate impact of the decision on these terms. 

Contactless functionality can benefit from the low value payment instrument derogations

The CJEU did not depart significantly from the AG Opinion on the interpretation of a payment instrument. It found that the definition of a "payment instrument" in Article 4(14) was to be read as comprising a "personalised device" and/or "a set of procedures" that did not have to be personalised (i.e. that the UK's transposition of the Payment Services Regulations (PSRs) is incorrect in requiring both limbs of the definition to be "personalised"). As the use of the card only required it to be held against the NFC reader, the CJEU appeared to accept that it was not a personalised device, but that the set of procedures were not personalised and so the contactless card was a payment instrument.

There are questions around the logicality of the reasoning in some respects. For example, it is not clear what could be a payment instrument that was only a non-personalised device – since any device has to be used to make a payment. It seems to us that the error in the reasoning is that there are no procedures needed to complete a contactless payment – just the use of the device (card) itself when it comes into contact with an NFC reader. The use of the card itself in this way means there are no procedures used to authenticate. However, the decision of the CJEU on this is not materially different to the AG Opinion.

The CJEU went on to more clearly consider the extent to which the contactless payment instrument was anonymous. It found that the fact that the card was associated with a named cardholder did not make the procedures anonymous. The key consideration was whether the payment service provider could objectively identify the person who paid using the functionality. Since this was not possible, the procedures were anonymous. Again, there are potentially areas of weakness in these arguments and a confusion in the reasoning between an ability to identify a customer as opposed to knowing the person making the payment is doing something you would hope only your customer would be able to do. You never identify the person making the payment from the procedures being used to authenticate. The decision also makes little sense when read against the RTS on secure customer authentication and why contactless payments feature in an exemption when the RTS appears not to be applicable at all to anonymous payment instruments according to Recital 8. However, at least the position is perhaps legally a clearer articulated one than in the AG Opinion.

As a result, the CJEU finds that the contactless functionality was to be legally regarded as falling within the low value payment instrument exemptions. However, it found that, since these cards were operationally capable of being blocked from use, it was not open to Denizbank to simply include a term in the agreement providing that they were not, and then exclude liability for contactless use after the time that a customer had reported them lost or stolen. Denizbank therefore lost on this element of the judgment, but won on their wider ability to exclude liability.

The UK's contactless limits exceed the low-value payment limits in any event. However, were this not the case, the judgment actually provides a firm with a greater possibility to exclude liability for certain unauthorised transactions. It may also be open to argument that a firm now does not have to comply with the contactless transaction limits in the RTS at all – at least not without UK legislation implementing them for higher value contactless payments under the PSRs.

THE POSSIBLE STING IN THE TAIL

Legitimacy of wide rights of variation to make "extensive" changes to terms

The CJEU has attempted to limit the scope of tacit acceptance to changes to existing terms of a framework contract. It states that these are "changes that do not affect the conditions of the framework contract to such an extent that the proposal from the service provider would in reality consist of the conclusion of a new contract". The court does not say what should happen where the variation is so extensive as to be a new contract.

On the logic of the CJEU approach, since the PSRs provisions on variation do not prescribe the obligations of the parties and only provide for information, this would lead to the conclusion that any such changes are not actually covered or restricted at all by the PSRs. However, we suspect that this was not the result intended to be indicated by the court.

It is interesting that the Austrian Court who referred the case is said to have repeatedly held that extensive changes to conditions of the framework contract by the payment services provider may not be agreed by way of tacit consent by the customer. The CJEU does not appear to have endorsed this domestic approach, but by finding that "extensive changes" which may be such to give rise to a new payment service seems to enable the court to continue to find in this way without falling into difficulties under the maximum harmonisation provisions of the PSRs. The CJEU does not give any findings as to fairness of the changes under unfair terms legislation – and that decision is remitted to the domestic court. This may open the way for a court going forward to be more robust around the fairness of terms that seem to enable more extensive changes to terms being made. For example, terms that permit product migrations might be at risk. We assume that the CJEU had a degree of comfort that the domestic court in Austria looks set to find against Denizbank on the question of the way in which the contactless functionality provisions have been implemented. We can see that this indicated a potential future trajectory. 

Impacts on interpretation of "payment instruments"

The judgment has left it open to argue that each set of procedures associated with a payment card needs to be treated as a separate payment instrument. There may be room to argue that the CJEU findings on this were more around the need to identify separately the legal treatment of each set of procedures within the context of the PSD, rather than finding that each set of procedures were a standalone payment instrument. The impact of having factually separate payment instruments is that this could impact on processes around the sending of unsolicited payment instruments, and credit tokens. Firms may want to look at their processes around this and make some changes to try and assist with these issues going forward. 

…AND WHAT ABOUT BREXIT?

Nothing in the decision will be impacted by changes being made by Brexit and the EU Exit amended and on-shored versions of the legislation of EU requirements. As a case decided before 31 December 2020, it will need to be taken into account in UK courts post Brexit.

Of course, if the CJEU do continue down the more restrictive unfair terms / extensive amendments potential arguments, such cases may not need to be taken into account by the UK Courts. However, on consumer protection grounds, it is not inconceivable that the Courts or FCA would not want to adopt a similar approach.