Legal Insight
December 2022
Christina Koliatou, LL.M, PgCert
Summary: Given the huge increase in the volume and speed of remote payment transactions via the Internet and mobile phones, as well as the new forms of illegal activity in the online space, such as electronic fraud through data interception, commonly known as "phising", payment service providers are called upon to establish payment systems and security mechanisms that, on the one hand, serve the needs of their customers with speed and consistency, and on the other hand, ensure their absolute security in the context of both self-service and online payment. This article seeks to (a) set out the obligations of such providers, who must always act with a view to eliminating any element or event that could harm the interests of their customers, both in terms of preventive measures and in terms of the secure execution of orders, (b) describe the issue of liability for compensation in the event of the execution of an unauthorised payment order, and (c) indicate the appropriate action to be taken by the defrauded party.
[1] The practice of "phising"
The problem that is being faced, more and more often nowadays, is the electronic phishing of personal data (interception of personal data) through e-mails or sms, which have misleading content and are supposed to come from a legitimate organisation/bank/company. Through these e-mails/sms, the perpetrators aim to extract confidential data, such as online banking username, passwords, debit/credit card details, etc..
They then use this data to carry out unauthorised financial transactions that ultimately cause financial loss to the alleged originator of the transaction. The majority of the perpetrators claim, through these messages, either a problem with the account of the deceived person, or a service upgrade action, or confirmation of personal data, or invitations to visit websites or forms that open via links and look very similar to the authentic ones.
In the press release published on 23-05-2022 by the Ministry of Citizen through the Hellenic Police Headquarters, regarding the most common methods used by the perpetrators, it is mentioned indicatively that "Usually the perpetrators, in order to deceive their victims, take advantage of the current socio-economic conditions [... ] send a message to the victim's mobile phone, asking him/her to "click" on the link, resulting in a website similar to the bank's, where - as in the previous case - the victims enter their personal bank codes "supposedly" to confirm the transaction, so that the perpetrators gain access to them and transfer sums of money [...]".
[2] The obligations of payment service providers
The payment service provider, immediately upon receipt of the payment order, must, inter alia, apply the strict authentication procedure, the exceptions provided for in relation to the application of the security requirements of strict identification, and protect the confidentiality and integrity of the payment service users' personalised security credentials. In particular, it must provide or make available to the payer, among other information, the reference data enabling the payer to identify the payment transaction and, where applicable, the information relating to the payee, and coordinate a system of documentation procedures for verifying the authenticity of the order through the payee's dynamic log-in, which is governed by strict security requirements and based on solutions such as the creation and validation of one-time passwords (OTPs), digital passwords, digital passwords, and the creation and validation of the payment transaction.
At the same time, it may apply the exceptions to the principle of strict identification of the customer, taking into account at least the following factors, depending on the risk, provided for in Article 18 of Regulation (EU) 389/2018: a) the previous charges of the individual payment service user; b) the history of payment transactions of each of the payment service users of the payment service provider; c) the location of the payer and the payee at the time of the payment transaction, in cases where the device or the account of the payment service provider is used for payment transactions; d) the location of the payer and the payee at the time of the payment transaction; e) the location of the payment service provider; f) the location of the payment service user at the time of the payment transaction; g) the location of the payment service provider at the time of the payment transaction; h) the location of the payment service user at the time of the payment transaction (d) the identification of non-routine payments made by the payment service user in relation to his payment transaction history.
It must prevent the execution of any payment order, in the event that it detects (in the context of the operation of the tracing mechanism) (a) an unusual charge or unusual behaviour of the payer; (b) unusual information about the payer's access through the device/software; (c) a malware attack at any stage of the verification process; (d) a known fraud scenario in the payment services industry; (v) an unusual location of the payer; (e) a high-risk location of the payee.
Thus, the payment service provider is responsible for the security measures, which must be proportionate to the risks associated with these services, and must, in particular, establish a framework to reduce risks and maintain effective incident management procedures, and is also responsible for any shortcomings in the mechanisms that it must put in place. It is not acceptable for the provider to abdicate responsibility, to shift the relevant risks and the associated harmful consequences, as this would not be in line with the purpose of protecting payment service users, and in particular consumers, nor with the rule that payment service providers assume responsibility for taking appropriate security measures.
In fact, the relevant liability of the provider is also emphasised by the case law of the CJEU, which states that "if the payment service provider could relieve itself of its liability simply by claiming that it is unable to block the payment instrument or prevent its further use, it could easily, by proposing a technically inferior offer, burden the user of its services with the risks of unauthorised payments".
[3] Establishing the liability of payment service providers, both in case of non-implementation of the strict customer identification procedure and in case of non-implementation of a security mechanism (prevention of execution of a risky order) despite the existence of strong indications of fraud risk
The Law 4537 /2018 which transposed the revised Directive 2015/2366/EU on payment services (PSD II), as well as the Delegated Regulation (EU) 2018/389, supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council as regards regulatory technical standards for strong customer authentication and common and secure open communication standards, governs electronic payment services and introduces, in accordance with Article 103 of the aforementioned Law, a mandatory law in favour of users, from which payment service providers are prohibited to derogate to the detriment of payment service users, unless the possibility of derogation is expressly provided for and they may decide to offer only more favourable conditions to payment service users.
The provisions of Articles 71, 88, 92 and 95 of Law No. 4537/2018, provide for universal liability of the provider and exemption from it only for unusual and unforeseen circumstances (article 92), which are beyond the control of the invoking party and whose consequences could not be avoided despite all efforts to the contrary, but also a special notification procedure for outage events, which therefore cannot be characterized as unforeseen, since they are regulated in detail in articles 94 et seq. of the above law. It should be noted that, under the system of this law, the risks to the operation and security of the system, which are often invoked by providers, do not constitute non-routine and unforeseeable events, as has already been ruled in the judgment of the Thessaloniki Court of First Instance No 10/2021, with the result that the damage to users caused by their selection is borne by the providers.
According to article 64 of Law 4537/2018, a payment transaction is considered approved only if the payer has given his consent to its execution. A payment transaction may be approved by the payer either before, or if there is an agreement between the payer and the payment service provider concerned after its execution. If no consent has been given, the payment transaction shall be considered as unauthorised. According to Article 71 of Law 4537/2018, the payment service provider shall restore an unauthorised or incorrectly executed payment transaction to the payment service user only if the latter notifies without undue delay the payment service provider as soon as he/she becomes aware of any such payment transaction that gives rise to a claim for compensation and at the latest within a period of thirteen (13) months from the date of billing. The above time limit shall not apply where the payment service provider has not provided or made available the information required by law in relation to the payment transaction in question.
Furthermore, according to Article 73 of Law no. 4537/2018, in the case of an unauthorized payment transaction, the payer's payment service provider, upon discovery or notification, shall immediately and in any case, no later than the end of the next business day, return the amount of the unauthorized payment transaction to the payer, unless the payer's payment service provider has reasonable grounds to suspect that fraud has been committed and notifies in writing the reasons to the General Secretariat of Commerce and Consumer Protection (GGEPK).
It is noted that, according to paragraph 1 of article 72 of Law 4537/2018, the payment initiation service provider bears the burden of proof that, within its scope of competence, the authenticity of the payment transaction has been identified and that it has been accurately recorded and has not been affected by technical failure or other malfunction related to the payment service with which it has been entrusted. In particular, it is provided that 'If the payment service user denies that he has authorised an executed payment transaction or claims that the payment transaction was not correctly executed, the payment service provider concerned must prove that the payment transaction has been identified as authentic and that the payment transaction has been accurately recorded, entered in the payment accounts and not affected by a technical breakdown or other malfunction of the service provided by the payment service provider [...] The payment service provider shall, in accordance with the provisions of this Regulation, ensure that the payment transaction has been correctly executed and that the payment transaction has been correctly recorded, entered in the payment accounts and not affected by a technical breakdown or other malfunction of the service provided by the payment service provider [...].The payment service provider, including, where applicable, the payment initiation service provider, shall provide evidence to prove fraud or gross negligence on the part of the payment service user."
Therefore, the payment service provider may be held liable, who is obliged to return the amount charged without authorisation, as well as to pay any further compensation, in case he did not comply with his obligations, as provided for in Law 4537/2018 and, among others, his obligation to strictly identify the user and verify the authenticity of the order, as well as to prevent the execution of an order, in case a dangerous transaction is detected, but also the non-implementation of security mechanisms for tracing them.
It should be noted that for the establishment of the liability of the payment service provider, the general provisions of the CC on the fulfilment of the obligation are also applicable, which do not cease to function as a supplement to Law 4537/2018, thus constituting converging legal bases at an intra-contractual level for the claim for compensation in the event of damage to the defrauder.
In addition, the liability of payment service providers is also provided for in article 8 of Law 2251/1994 ("Liability of the service provider"), as amended by Law 4512/2018 and in force, which is in line with the provisions of Law 4537/2018. Therefore, if, in the context of the provision of services, the payment service provider manifests conduct not corresponding to the reasonably expected security, i.e. the transactional obligations of precaution and security, then this conduct is both illegal and culpable, if both the conditions of illegality and culpability are met. In order to establish liability in the person of the provider at fault under that Article, one of the parties must be providing services, i.e. providing a service in an independent manner in the exercise of a professional activity. Furthermore, that party must cause material or non-material damage, unlawfully and culpably, by an act or omission in the course of providing those services to the consumer. In this context, the injured party must prove the damage and the causal link between the provision of the service and the damage. The service provider bears the burden of proving that it is not unlawful and is not at fault.
Finally, it is noted that liability can also be established under the provisions on tort, in the context of which it is necessary to establish the concept of wrongfulness in the damage to property. In principle, under the CC, property damage is recoverable only in the event of a breach of a protective law or of damage caused by fraudulent and unlawful conduct. However, there is now a clear tendency to broaden the concept of unlawful damage and, by extension, the protection of property under the tort provisions. The general clauses of morality and good faith (CC 281, 288) impose a duty of security and precaution on all persons subject to the law with regard to the legitimate interests, rights and goods of third parties with whom they come into contact. That duty of security and precaution is all the more acute in the context of the relationship of trust between payment service providers and users and of the providers' obligation to inform, warn and protect the customer, in the context of which the providers are required to manage the legitimate interests and goods of their customers. That legal relationship constitutes a legal interest protected by the provisions on morality and good faith and, consequently, on the basis of those provisions, the user may establish the concept of wrongfulness required for the application of the provisions on tort (914 et seq. CC) and, by extension, bring an action on the basis of those provisions against the provider responsible for causing the damage to the provider, proving the provider's fault.
[4] Instead of an epilogue - A practical approach
From the above, it can be concluded that given the increase in cases of electronic fraud (also through phishing), for the avoidance of which recommendations are made by, among others, the Ministry of Citizen Protection and the Consumer Advocate, the Electronic Crime Authority, the Bank of Greece, the Hellenic Police and the Hellenic Banking Association, while at the same time, on the initiative of Europol, an information campaign is being carried out under the auspices of the eComm 2022 action, in which our country is also taking part, users of payment services should be particularly careful during their transactions, but also when receiving messages (sms) and e-mails with reference to hyperlinks and requests supposedly for updating or entering their codes and other data.
At the same time, however, if payment service providers do not maintain a strict security system and assess the imminent risks of suspicious transactions, do not inform payment service users of the suspicious payment orders in question and, at the same time, do not comply with all their obligations to strictly identify and verify the authenticity of the transaction, with the result that the user is ultimately harmed, the latter may (and should) immediately report the incident to the payment service provider concerned.
In the event that the provider does not comply by returning the unauthorised amount of the charge, the user may bring a claim against the provider (credit institution, etc. ) to claim its return, but also any further compensation, due to the further financial loss he may suffer, but also the moral damage, in the context of both intercontractual or tort liability, as well as the Law 4537/2018, and the Consumer Protection Law (Law 2251/1994).