- Query in any language with multilingual search
- Access EUR-Lex and EU Commission case law
- See relevant paragraphs highlighted instantly
Similar Documents
Explore similar documents to your case.We Found Similar Cases for You
Opinion of Advocate General Medina delivered on 9 January 2025.
ECLI:EU:C:2025:8
62023CC0665
With us you find everything. Try it now!
I imagine what I want to write in my case, I write it in the search engine and I get exactly what I wanted. Thank you!
Valentina R., lawyer
Provisional text
delivered on 9 January 2025 (1)
Case C-665/23
IL
Veracash SAS
(Request for a preliminary ruling from the Cour de cassation (Court of Cassation, France))
( Reference for a preliminary ruling – Payment services in the internal market – Directive 2007/64/EC – Unauthorised payment transactions – Notification of unauthorised payment transactions – Notification deadline – Delay in notification which is not intentional or the result of gross negligence – Obligation of the payment service provider to issue a refund – Payer’s liability for unauthorised payment transactions )
1.The present case concerns certain aspects of liability for unauthorised transactions set out in Directive 2007/64/EC. (2) It raises the question of the interrelationship between the provisions of that directive which govern, more particularly, the obligation of the payer to notify without undue delay of any unauthorised transaction and the consequences of failing to do so, where the unauthorised transaction is the result of the unauthorised use of a payment instrument. Following its judgment in CRACAM, (3) this case affords the Court a further opportunity to explore the balance to be struck between the interests of the payer and the payment service provider.
II. Legal context
‘The payment service user entitled to use a payment instrument shall have the following obligations:
(a) to use the payment instrument in accordance with the terms governing the issue and use of the payment instrument; and
(b) to notify the payment service provider, or the entity specified by the latter, without undue delay on becoming aware of loss, theft or misappropriation of the payment instrument or of its unauthorised use.’
3. Under Article 58 of Directive 2007/64, entitled ‘Notification of unauthorised or incorrectly executed payment transactions’:
‘The payment service user shall obtain rectification from the payment service provider only if he notifies his payment service provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim, including that under Article 75, and no later than 13 months after the debit date, unless, where applicable, the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III.’
4. Article 60 of Directive 2007/64, entitled ‘Payment service provider’s liability for unauthorised payment transactions’, provided, in paragraph 1:
‘Member States shall ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.’
‘1. By way of derogation from Article 60 the payer shall bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR 150, resulting from the use of a lost or stolen payment instrument or, if the payer has failed to keep the personalised security features safe, from the misappropriation of a payment instrument.
3. In cases where the payer has neither acted fraudulently nor with intent failed to fulfil his obligations under Article 56, Member States may reduce the liability referred to in paragraphs 1 and 2 of this Article, taking into account, in particular, the nature of the personalised security features of the payment instrument and the circumstances under which it was lost, stolen or misappropriated.
4. The payer shall not bear any financial consequences resulting from use of the lost, stolen or misappropriated payment instrument after notification in accordance with Article 56(1)(b), except where he has acted fraudulently.’
B. National law
6. Directive 2007/64 was transposed into national law by ordonnance n° 2009-866 du 15 juillet 2009 relative aux conditions régissant la fourniture de services de paiement et portant création des établissements de paiement (Order No 2009-866 of 15 July 2009 on the conditions governing the supply of payment services and creating payment institutions), which introduced, in particular, Articles L. 133-17, L. 133-18, L. 133-19 and L. 133-24 of the code monétaire et financier (Monetary and Financial Code), applicable in the main proceedings.
7. According to Article L. 133-17(I) of the Monetary and Financial Code, ‘upon becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument or of the data associated with it, the payment service user shall, without undue delay and for the purposes of blocking the instrument, inform his or her payment service provider, or the entity specified by his or her provider.’
8. According to Article L. 133-18 of that code:
‘In the case of an unauthorised payment transaction reported by the user under the conditions prescribed in Article L. 133-24, the payment service provider shall refund to the payment service user forthwith the amount of the unauthorised payment transaction and, where applicable, shall restore the payment account that had been debited with that amount to the situation that would have existed if the unauthorised payment transaction had not taken place.
The payer and his or her payment service provider may decide on additional compensation on a contractual basis.’
‘I. In the case of an unauthorised payment transaction following the loss or theft of a payment instrument, the payer shall, prior to the notification stipulated in Article L. 133-17, bear the losses associated with the use of the lost or stolen instrument subject to a ceiling of EUR 150.
The payer shall not be held liable, however, in the case of an unauthorised payment transaction carried out without the use of the personalised security features.
II. The payer shall not be held liable where the unauthorised payment transaction was carried out by misappropriation, without the payer’s knowledge, of the payment instrument or of the data associated with it.
Likewise, he or she shall not incur liability in the event of misuse of the payment instrument if he or she was in physical possession of the instrument when the unauthorised payment transaction took place.
III. Except where he or she has acted fraudulently, the payer shall not bear any financial consequences if the payment service provider does not provide appropriate means of notification so that the payment instrument may be blocked, as stipulated in Article L. 133-17.
10. Finally, under Article L. 133-24 of that code:
‘The payment service user shall notify the payment service provider without undue delay of any unauthorised or incorrectly executed payment transactions and no later than 13 months after the debit date, failing which he or she will be time-barred, unless the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Book III, Title I, Chapter IV.
Except where the user is a natural person acting otherwise than for business or professional purposes, the parties may decide to derogate from this article.’
III. The dispute in the main proceedings and the questions referred for a preliminary ruling
11. IL opened a gold deposit account with Veracash SAS. On 24 March 2017, Veracash sent to IL’s address a new cash withdrawal and payment card. IL claimed that he had neither requested nor received that card and that daily withdrawals from his account had been made from 30 March to 17 May 2017 which he had not authorised. IL brought proceedings against Veracash before the tribunal de grande instance d’Évry (4) (Regional Court, Évry, France) for reimbursement and payment of damages.
12. Since his action was partially dismissed at first instance, IL brought an appeal before the cour d’appel de Paris (Court of Appeal, Paris, France). His appeal was dismissed by judgment of 3 January 2022 on the ground, in particular, that he could not rely on the provisions of Article L. 133-18 of the Monetary and Financial Code because he had not reported the transactions at issue ‘immediately’ (5) and ‘without undue delay’ to Veracash. That finding was based on the fact that IL had sent a disputed transaction form to Veracash on 23 May 2017, almost two months after the first disputed withdrawal.
13. IL brought an appeal on a point of law before the Cour de cassation (Court of Cassation, France), which is the referring court. He invokes two grounds of appeal. By the first part of the second ground of appeal, (6) IL complains that, by ruling as it did, the cour d’appel de Paris (Court of Appeal, Paris) had failed to take account of the fact that the payer has 13 months after the debit date to notify of the transaction and thus infringed Article L. 133-24 of the Monetary and Financial Code, as applicable in the case in the main proceedings.
14. The referring court states that the outcome of the dispute depends on whether the payment service provider can refuse to reimburse the amount of an unauthorised transaction where the payer, despite having notified that transaction within 13 months of the debit date, delayed in doing so, without that delay having been intentional or the result of gross negligence on his or her part.
15. The position of the parties in the main proceedings differs on that matter. IL, the appellant in the main proceedings, claims, primarily, that the payment service user has 13 months from the debit date to notify of the unauthorised transaction. Veracash, the respondent in the main proceedings, contends that by providing, in Article L. 133-24 of the Monetary and Financial Code, the obligation of the user to notify of an unauthorised transaction without undue delay subject to a 13-month time limit, the legislature intended to establish a double time limit and that the 13-month time limit is a final deadline. It adds that the scheme of that provision requires that, as soon as the payment service user becomes aware of an irregularity, he or she should react immediately by notifying the service provider thereof.
16. According to the referring court, a literal reading of Article 58 of Directive 2007/64 may, as the cour d’appel de Paris (Court of Appeal, Paris) held, lead to the conclusion that the payment service provider is entitled to refuse to reimburse the amount of an unauthorised payment transaction on the sole ground of the payment service user’s late notification, even though the notification was made within the 13-month time limit.
17. However, the referring court considers that such an interpretation seems difficult to reconcile with Article 61(2) of Directive 2007/64. It follows from that provision that the payer is deprived of his or her right to reimbursement only if, inter alia, he or she has failed to fulfil one or more of his or her obligations under Article 56 of that directive with intent or gross negligence, including the obligation to inform the payment service provider without undue delay of the loss, theft or misappropriation of the payment instrument or of its unauthorised use.
18. The referring court notes that, when the Court was called on to interpret Article 58 of Directive 2007/64 in its judgment in CRCAM, it did not have to rule on the consequences of the payer’s non-compliance with the obligation to inform the payment service provider without undue delay of an unauthorised transaction.
19. Even though the referring court recognises the interest in encouraging the payer to be diligent in informing the payment service provider, it considers that, in the light of Article 61(2) of Directive 2007/64, the EU legislature did not intend to penalise all delays, whatever the circumstances, by totally depriving the payer of the right to reimbursement.
21. In the light of the foregoing, the Cour de cassation (Court of Cassation) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Must Articles 56, 58, 60 and 61 of [Directive 2007/64] be interpreted as meaning that the payer is deprived of the right to reimbursement of the amount of an unauthorised transaction if he [or she] delayed in notifying his [or her] payment service provider of the unauthorised payment transaction, even though he [or she] did so within 13 months from the debit date?
(2)In the event that the answer to Question 1 is in the affirmative, is the deprivation of the payer’s right to reimbursement conditional on the fact that the lateness of the notification is intentional or the result of gross negligence on the part of the payer?
(3)In the event that the answer to Question 1 is in the affirmative, is the payer deprived of the right to reimbursement of all the unauthorised transactions or only those which could have been prevented if the notification had not been late?
22.Veracash, the Czech and French Governments and the European Commission submitted written observations.
23.By its first question, the referring court asks, in essence, whether Article 58 of Directive 2007/64, read in the light of Articles 56, 60 and 61 thereof, must be interpreted as meaning that the payer is deprived of the right to reimbursement of the amount of an unauthorised transaction if he or she was late in notifying the payment service provider of that transaction, despite doing so within 13 months from the debit date.
24.In order to answer that question, I will first give a general overview of the provisions governing the contractual obligations of the parties in relation to payment instruments and unauthorised payment transactions and the rules on liability for losses arising from unauthorised transactions. (7) I will then provide some clarification on the interrelationship between the notification obligations of the payer.
1. The contractual obligations of the parties and the liability for losses arising from unauthorised transactions
25.Broadly speaking, it is possible to identify two sets of provisions of relevance to the case in the main proceedings. Articles 56 and 57 of Directive 2007/64 establish the contractual obligations of the payment service user (8) and the payment service provider (9) in relation to payment instruments. Articles 58 to 61 of that directive concern unauthorised payment transactions, covering the duty of notification of the payment service user, the burden of proof and the liability of each of the parties.
26.Article 56 governs the contractual obligations of the payment service user in relation to payment instruments. Thus, the payment service user is required to use the payment instrument in accordance with the stipulated terms, keep the personalised security features of the payment instrument safe and notify the payment service provider without undue delay on becoming aware of the loss, theft or misappropriation of the payment instrument or of its unauthorised use.
27.For its part, the payment service provider, pursuant to Article 57(1)(a) and (b), is required, inter alia, to make sure that the personalised security features of the payment instrument are accessible only to the payment service user and to refrain from sending an unsolicited payment instrument, except where a previous payment instrument is to be replaced. Moreover, pursuant to Article 57(1)(c), the payment service provider must ensure that appropriate means are available at all times to enable the payment service user to make a notification under Article 56(1)(b) in the event of loss, theft or misappropriation of the payment instrument or of its unauthorised use. Finally, according to Article 57(1)(d), the payment service provider must prevent all use of the payment instrument after that notification has been made.
28.Article 58 concerns, inter alia, (10) unauthorised payment transactions. (11) It imposes on the payment service user a general obligation to notify as a prerequisite in order to obtain rectification from the payment service provider. (12) The payment service user must notify the payment service provider ‘without undue delay on becoming aware of any unauthorised … payment transactions giving rise to a claim … and no later than 13 months after the debit date’. The only exception to that obligation is where the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III of Directive 2007/64.
29.Article 59 of that directive includes, as part of the rules on liability in the case of unauthorised transactions, provisions governing the burden of proof which are favourable to the payment service user. In essence, the burden of proof lies with the payment service provider, who must prove that the transaction has been authenticated, accurately recorded and entered in the accounts. (13)
30.In practice, the result of the system of proof established by Article 59 of Directive 2007/64 is that, once the notification laid down in Article 58 of that directive has been carried out within the period prescribed therein, the payment service provider becomes subject to an immediate repayment obligation, in accordance with Article 60(1) thereof. (14)
31.Article 61 governs the payer’s liability in the specific situation where the losses arising from an unauthorised transaction result from the use of a payment instrument that was lost, stolen or misappropriated. It follows from paragraph 1 of that article that the payer’s liability for unauthorised transactions is limited, up to a maximum of EUR 150. (15) However, the payer’s liability is unlimited where he or she has acted fraudulently or has failed to fulfil one or more of the obligations under Article 56 (including the obligation to notify the loss, theft or misappropriation of the payment instrument or of its unauthorised use) with intent or gross negligence. It follows from Article 61(4) that, following notification of the loss, theft or misappropriation of the payment instrument, the payer no longer bears any financial consequences, except where he or she has acted fraudulently.
32.It follows from the presentation of the legal framework set out above that the user has a general obligation of diligence with regard to the payment instrument. A specific manifestation of the duty of diligence is the obligation to notify. (16) That obligation occupies a central place in the context of the rules on liability for unauthorised transactions, serving as a ‘yardstick’ for the allocation of responsibility between the payer and the service provider for any unauthorised transactions. (17)
33.It is possible to identify at least three situations that trigger the obligation of the user to notify.
34.The first situation is where the user becomes aware of the loss, theft or misappropriation of the payment instrument or of its unauthorised use. In that situation, Article 56(1)(b) of Directive 2007/64 requires the payment service user to notify the service provider without undue delay. The objective of that notification, as is apparent from Article 57(1)(d) of that directive, read in the light of recital 32 thereof, is to allow the payment service provider to block the payment instrument and prevent further unauthorised use.
35.The second situation is where the user becomes aware of an unauthorised transaction. In such a case, pursuant to Article 58 of that directive, the user must notify the payment service provider without undue delay in order to obtain rectification of the unauthorised transaction. The objective of the notification obligation under that article is to allow the payer to contest and obtain reimbursement of unauthorised transactions.
36.Whereas Article 56(1)(b) has a preventive function, in that it enables the payment instrument to be blocked and guards against the risk of unauthorised transactions, Article 58 has mainly a compensatory function, in that it allows reimbursement of the unauthorised transaction. (18)
37.The third situation is where the previous two situations occur (almost) simultaneously. As the Commission rightly observed in its pleadings, and as appears to be the case in the main proceedings, an unauthorised transaction may be subsequent to the loss, theft, misappropriation or unauthorised use of the payment instrument. In such a situation, the notification obligations resulting from Article 56(1)(b) and Article 58 must be applied in a coherent manner. To ensure coherence, the notification (and contestation) of an unauthorised transaction under Article 58 must be regarded as encompassing the notification under Article 56(1)(b). In this type of situation the notification of the unauthorised transaction serves both a preventive function and a compensatory function and supersedes the notification under Article 56. (19)
3. The time frame for notification under Article 58 of Directive 2007/64
38.Article 58 of Directive 2007/64 requires the payer to discharge his or her duty to notify the payment service provider within a specific time frame. In order to obtain rectification from the provider, the notification must be made ‘without undue delay on becoming aware of any unauthorised … payment transactions … and no later than 13 months after the debit date’.
39.The issue raised by the first question is whether late notification deprives the payment service user of the right to obtain rectification even where the notification takes place within 13 months after the debit date. The reply to that question depends on whether the obligation to notify ‘without undue delay’ on becoming aware of the unauthorised transaction is a distinct and separate condition which applies cumulatively together with the obligation to notify within 13 months from the debit date.
40.In accordance with settled case-law, in interpreting a provision of EU law, it is necessary to consider not only its wording, but also the context in which it occurs and the objectives pursued by the rules of which it is part. The origins of a provision of EU law may also provide information relevant to its interpretation. (20)
41.As regards, in the first place, the wording of Article 58, it must be observed at the outset that the temporal conditions for the notification are linked with the expression ‘and no later than’. That expression appears to indicate that Article 58 sets out two distinct conditions, both of which must be complied with in order to give rise to the right to rectification.
42.Moreover, the two temporal conditions are different in nature and scope.
43.As regards notification ‘without undue delay’, it should be noted that Directive 2007/64 does not define that expression. (21) As the French Government essentially submitted, depending on the language version, that expression may be interpreted as underscoring the immediate nature of the notification (22) or the excessively long nature of the delay. (23)
44.Despite the different nuances depending on the language version, it must be pointed out that Article 58 does not refer to an immediate action. This indicates a certain leeway in assessing the promptness of the payer’s reaction on a case-by-case basis. Thus, the payer must act as soon as possible, in view of the circumstances. In any event, it may not be considered that the payer is late if he or she was actually unaware of the event giving rise to the unauthorised transaction. (24)
45.Recital 31 of Directive 2007/64 confirms that interpretation, stating that the payment service user should inform the payment service provider ‘as soon as possible’ about any contestations concerning allegedly unauthorised transactions.
46.In the light of recital 31, the expression ‘without undue delay’ must be understood as requiring the payment service user to act swiftly, which is to be assessed, as the Commission essentially observed, having regard to the circumstances.
47.The need to take into account the circumstances of each case indicates, as the Czech Government essentially submitted, that the requirement to notify ‘without undue delay’ is a subjective one. Its subjective nature results also from its starting point, which is the knowledge of the unauthorised transaction.
48.As opposed to that subjective temporal condition, the condition that notification must be made no later than 13 months after the debit date is an objective one. Indeed, the lapse of 13 months can be objectively determined and does not depend on the circumstances of the case. Moreover, the date on which the 13 months starts to run does not depend on the payer being aware of the unauthorised transaction (which, besides, might be hard to determine), but on the debit date.
49.The Court made clear in its judgment in CRCAM that the period of 13 months is a ‘maximum period’ within which notification must be made. (26) A user who has not reported to his or her payment service provider an unauthorised transaction within that time limit cannot trigger the liability of that service provider, including on the basis of the general law, and therefore cannot obtain repayment of that unauthorised transaction. (27) As Veracash submitted, the period of 13 months is a final deadline (‘délai butoir’) within which notification must take place.
50.It follows from the above that the obligation to notify ‘without undue delay’ is separate from the obligation to notify within the deadline of 13 months. The failure of the payment service user to notify ‘without undue delay’ on becoming aware of the unauthorised transaction may not simply be ‘offset’ by a notification which takes place within 13 months after the debit date.
51.In the second place, a contextual interpretation of Article 58 of Directive 2007/64 confirms the literal interpretation of that provision.
52.The Court held in its judgment in CRCAM
that Article 58, to which reference is made in Article 60(1) of that directive, imposes on the payment service user a general obligation to notify. As I have pointed out above, the notification occupies a central place in the context of the rules on liability governing unauthorised payment transactions. Accepting that the payer can wait 13 months before contesting a transaction he or she has become aware of weakens the effectiveness of the obligation to notify ‘without undue delay’. In the specific situation where the unauthorised transaction is the result of the loss, theft or misappropriation of the payment instrument, the late notification of that transaction delays the adoption of measures by the payment service provider in accordance with Article 57(1)(d) of Directive 2007/64. Moreover, late notification of unauthorised transactions of which the payer has become aware delays triggering the payment service provider’s liability under Article 60 of that directive. Thus, as the Commission essentially submitted, late notification of unauthorised transactions of which the payer has become aware also undermines the objectives of Article 57(1)(d) and Article 60 thereof.
53.In the third place, a teleological interpretation of Article 58 of Directive 2007/64 supports the literal and contextual interpretation of that provision. In the specific situation where the losses relating to an unauthorised transaction result from the loss, theft or misappropriation of a payment instrument, the late notification prevents the payment service provider from immediately adopting measures and aggravates the risk of unauthorised transactions. Thus, undue delay in notifying the payment service provider undermines the preventive purpose of notification.
54.Moreover, as the Commission essentially pointed out, an interpretation according to which the payer is entitled to obtain rectification even if he or she failed to notify without undue delay undermines legal certainty and the balancing of interests between the payment service provider and the payment service user.
55.In the fourth place, the background to Directive 2007/64 supports the interpretation which follows from a literal, contextual and teleological interpretation of Article 58 of that directive.
56.It is apparent from the travaux préparatoires that the Commission’s original proposal for a directive did not impose any time limit comparable to that laid down by Article 58 of Directive 2007/64, which was introduced during the legislative process. The introduction of the uniform period of 13 months was not, however, intended to substitute the obligation to notify without undue delay. As the Court pointed out in its judgment in CRCAM , it soon became apparent that the introduction of that period was indispensable in order to guarantee legal certainty for the user of those services and their provider. The provision of a maximum period of 13 months ensures that the payment transaction becomes definitive upon expiry of that period. The objective to ensure that a transaction becomes definitive does not affect, however, the distinct obligation of the user to notify without undue delay.
57.It follows that the payment service user must observe both conditions set out in Article 58 of Directive 2007/64. This is without prejudice to the application of Article 61(2) of that directive, which governs the liability of the payer when the losses relating to an unauthorised transaction result, inter alia, from failure to notify the loss, theft or misappropriation of the payment instrument with intent or gross negligence, which is the subject of the second question referred.
58.In view of all of the above, Article 58 of Directive 2007/64, read in the light of Articles 56, 60 and 61 thereof, must be interpreted as meaning that the payer is, in principle, deprived of the right to reimbursement of the amount of an unauthorised transaction if he or she was late in notifying the payment service provider of that transaction, despite doing so within 13 months of the debit date. This is without prejudice to the application of Article 61(2) of Directive 2007/64.
The second question
59.Although in its second question the referring court does not mention a specific provision of Directive 2007/64, it is nevertheless apparent from the order for reference that it seeks an interpretation of Article 61(2) of that directive, read in the light of Article 56(1)(b) thereof. Moreover, the second question is asked if the answer to the first question is in the affirmative.
60.Thus, by its second question, the referring court asks, in essence, whether Article 61(2) of Directive 2007/64, read in the light of Article 56(1)(b) of that directive, must be interpreted as meaning that, in the event of losses relating to an unauthorised transaction resulting from the loss, theft or misappropriation of the payment instrument or of its unauthorised use, a payer is deprived of the right to reimbursement only if he or she failed to notify the payment service provider with intent or gross negligence.
61.Article 61 of Directive 2007/64 establishes specific provisions applicable to the rules on liability for losses relating to unauthorised transactions resulting from the use of lost, stolen or misappropriated payment instruments. More particularly, it follows from Article 61(2) of that directive, read in the light of Article 56(1)(b) thereof, that the payer is liable for all the losses relating to any unauthorised transactions if he or she incurred them, inter alia, by failing to notify the payment service provider of the loss, theft or misappropriation of the payment instrument or of its unauthorised use, with intent or gross negligence.
62.Article 61(2) does not explicitly refer to the notification obligation under Article 58. However, as pointed out above, depending on the situation and the course of events, when the unauthorised transaction is the result of the loss, theft or misappropriation of a payment instrument, the notification of an unauthorised transaction under Article 58 encompasses the notification under Article 56(1)(b). In such situations, in order to ensure a coherent interpretation of Article 61(2), Article 56(1)(b) and Article 58, the notification under Article 58 must be subject to the conditions set out in Article 61(2).
63.Thus, the payer is deprived of the right to reimbursement if he or she failed to notify the unauthorised transaction subsequent to the loss, theft or misappropriation of the payment instrument ‘with intent or gross negligence’.
64.It follows from recital 33 of Directive 2007/64 that in order to assess possible negligence, account should be taken of all the circumstances. According to that recital, the evidence and degree of alleged negligence should be evaluated according to national law.
65.While the concept of negligence implies an unintentional act or omission by which the person responsible breaches his or her duty of care, the concept of ‘gross negligence’ can only refer to a patent breach of such a duty of care. Directive 2015/2366, although not applicable in the case in the main proceedings, confirms that interpretation of the concept of ‘gross negligence’. Recital 72 thereof states that ‘gross negligence should mean more than mere negligence, involving conduct exhibiting a significant degree of carelessness’.
66.In any event, it follows from Article 59(2) of Directive 2007/64 that the mere use of the payment instrument is not sufficient to prove in itself that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of his or her obligations under Article 56 thereof.
67.Accordingly, for the purposes of Article 61(2) of Directive 2007/64, a mere breach of the duty of care, or ‘simple negligence’ as the Commission put it, will not be sufficient to preclude reimbursement of the payer. Thus, as the referring court rightly observed, Article 61(2) does not ‘penalise’ all delays in notification irrespective of the circumstances and the payer’s behaviour. Only a delay in notification, which is due to the payer acting with intent or gross negligence, results in the loss of the right to reimbursement.
68.In view of the foregoing, Article 61(2) of Directive 2007/64, read in the light of Article 56(1)(b) of that directive, must be interpreted as meaning that, in the event of losses relating to unauthorised transactions which the payer notified late with intent or gross negligence, a payer is deprived of the right to reimbursement in relation to all unauthorised transactions or only such transactions which could have been prevented if the notification had not been late.
The third question
69.Although in its third question the referring court does not mention a specific provision of Directive 2007/64, it is nevertheless apparent from the order for reference that it seeks an interpretation of Article 61(2) of that directive and more particularly of the scope of unauthorised transactions of which the payer bears the risk. Moreover, the third question is asked if the answer to the first question is in the affirmative.
70.Thus, by its third question, the referring court asks, in essence, whether Article 61(2) of Directive 2007/64 must be interpreted as meaning that, in the event of losses relating to unauthorised transactions which the payer notified late with intent or gross negligence, that payer is deprived of the right to reimbursement in relation to all unauthorised transactions or only such transactions which could have been prevented if the notification had not been late.
71.In that regard, in accordance with the settled case-law cited above, in interpreting a provision of EU law, it is necessary to consider not only its wording, but also the context in which it occurs and the objectives pursued by the rules of which it is part.
72.First, with regard to the wording of Article 61(2) of Directive 2007/64, that provision states that the payer is to bear ‘all the losses relating to any unauthorised payment transactions’ if he or she incurred them, inter alia, by failing to fulfil his or her notification obligation with intent or gross negligence. On the one hand, the expressions ‘all the losses’ and ‘any unauthorised payment transactions’ appear to indicate that the scope of the transactions in respect of which a payer fails to fulfil his or her obligations must be construed broadly. There is no distinction between transactions that could have been avoided and transactions that could not have been avoided if there had been timely notification.
73.On the other hand, the expression ‘losses … incurred’ establishes a causal link between the losses and the behaviour of the payer who ‘incurred’ them by failing, inter alia, to notify. The requirement of that causal link could be interpreted, as the Commission essentially argued, as indicating that only losses resulting from transactions that could have been prevented by timely notification are covered.
74.However, I consider that the context and the objective of Article 61(2) of Directive 2007/64 instead indicate that the payer bears all the losses of all unauthorised transactions if he or she failed to notify them with intent or gross negligence.
75.In the second place, with regard to the context of that provision, it must be recalled, first of all, that the payer’s unlimited liability hinges on fraudulent action or on intent or gross negligence in failing to comply with one or more of his or her obligations under Article 56 of Directive 2007/64. It follows from that provision that such behaviour must have consequences for the payer, namely the loss of the right to reimbursement.
76.Next, as I have already pointed out, notification occupies a central place in the system of liability for unauthorised transactions. Particularly where the contested transaction is the result of the unauthorised use of a payment instrument, notification has a preventive function, enabling the payment service provider to block the payment instrument and to reduce the risk of unauthorised payment transactions. The rules on liability for such unauthorised transactions rest on the presumption that they could have been avoided with timely notification. It would be contrary to the logic of the system of liability to distinguish, for the purposes of the right to reimbursement, between two categories of transactions, that is, those that could have been avoided and those that could not have been avoided.
77.In the third place, the purpose of Article 61(2) of Directive 2007/64 and the provisions of which it forms part bears out that conclusion. The rules on liability for unauthorised transactions that are the result of the loss, theft or misappropriation of the payment instrument seek to balance the interests of the payer and the payment service provider. It would be contrary to the balancing of interests of the contractual parties if the scope of the liability were to be narrowed so that it covered only part of the unauthorised transactions. It would also undermine the objective of encouraging the payer to notify the payment service provider without undue delay.
78.In view of the above, I consider that Article 61(2) of Directive 2007/64 must be interpreted as meaning that, in the event of losses relating to unauthorised transactions which the payer notified late with intent or gross negligence, the payer is deprived of the right to reimbursement in relation to all unauthorised transactions, as opposed to only those transactions which could have been prevented if the notification had not been late.
Conclusion
79.In view of all of the above, I propose that the Court answer the questions referred by the Cour de cassation (Court of Cassation, France) as follows:
(1)Article 58 of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC, read in the light of Articles 56, 60 and 61 thereof, must be interpreted as meaning that the payer is, in principle, deprived of the right to reimbursement of the amount of an unauthorised transaction if he or she was late in notifying the payment service provider of that transaction, despite doing so within 13 months of the debit date. This is without prejudice to the application of Article 61(2) of Directive 2007/64.
(2)Article 61(2) of Directive 2007/64, read in the light of Article 56(1)(b) of that directive,
must be interpreted as meaning that, in the event of losses relating to an unauthorised transaction resulting from the loss, theft or misappropriation of the payment instrument or of its unauthorised use, a payer is deprived of the right to reimbursement only if he or she failed to notify the payment service provider with intent or gross negligence.
(3) Article 61(2) of Directive 2007/64
must be interpreted as meaning that, in the event of losses relating to unauthorised transactions which the payer notified late with intent or gross negligence, the payer is deprived of the right to reimbursement in relation to all unauthorised transactions, as opposed to only those transactions which could have been prevented if the notification had not been late.
*
1Original language: English.
2Directive of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ 2007 L 319, p. 1). It was repealed and replaced by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ 2015 L 337, p. 35). In view of the facts of the dispute in the main proceedings and as the referring court also indicates, the present case is governed by Directive 2007/64.
3Judgment of 2 September 2021 (C‑337/20, EU:C:2021:671; ‘the judgment in CRACAM’).
4Renamed ‘tribunal judiciaire d’Évry’ (Court of Évry, France) on 1 January 2020.
5The reference in that judgment to the obligation to notify the transaction ‘immediately’ is in all likelihood due to the inclusion of that word in the general terms and conditions governing the use of the ‘Veracard’ card, reproduced in that judgment.
6The reference for a preliminary ruling concerns only the first part of the second ground of appeal.
7See Μavromati, D., The Law of Payment Services in the EU: The EC Directive on Payment Services in the Internal Market, Kluwer Law International, Alphen aan den Rijn, 2008, p. 220 et seq.
8According to Article 4, point 10, of Directive 2007/64, ‘payment service user’ means a natural or legal person making use of a payment service in the capacity of either payer or payee, or both. The concepts of ‘payer’ and ‘payee’ are defined in points 7 and 8 of that article.
9As defined in Article 4, point 9, of Directive 2007/64.
10That provision also covers ‘incorrectly executed payment transactions’. As the case in the main proceedings concerns transactions that were not authorised by the payer, as opposed to transactions that do not comply with the payer’s instructions, I shall concentrate on the situation of unauthorised payment transactions.
11The circumstances under which a payment transaction is to be considered to be unauthorised are set out in Article 54 of Directive 2007/64.
12See, to that effect, the judgment in CRCAM (paragraph 33).
13The judgment in CRCAM (paragraph 40).
14Ibid.
15See, Geva, B., ‘The EU payment services directive: An outsider’s view’, Yearbook of European Law, Vol. 28, No 1, 2009, pp. 177 to 215, at p. 200, pointing out that this limited liability exists even where the payer is faultless and unaware of the circumstances requiring notice to be given under Article 56 of Directive 2007/64.
16See, Bourguignon, C., ‘L’utilisateur dans la nouvelle loi sur les services de paiement : entre protection et responsabilisation’, in Jacquemin, H., Michaux, B. and Bourguignon, C., Actualités en droit du numérique, Anthemis, Limal, 2019, pp. 153 to 215, at p. 206.
17Ibid., at p. 207, which describes the obligation to notify as a ‘curseur de la répartition des responsabilités’. In the same vein, see Guimarães, M.R. and Steennot, R., ‘Allocation of liability in case of payment fraud: who bears the risk of innovation? A comparison of Belgian and Portuguese law in the context of PSD2’, European Review of Private Law, Kluwer Law International, 2022, Vol. 30, No 1, pp. 29 to 72, at p. 46, according to whom ‘the eventual causation between the [user’s] behaviour and unauthorised payment transactions ends with the notification’.
18See, Torck, S., ‘Délai de contestation des opérations de paiement non autorisées : renvoi préjudiciel de la Cour de Cassation’, Revue de droit bancaire et financier, n° 2, 2024, commentaire 28.
19Ibid.; Torck, S. observes that the contestation based on Article 58 replaces the notification under Article 56, which has become ineffective as a result of the circumstances (‘la contestation fondée sur l’article 58 prend le relais du signalement fondé sur l’article 56, rendu inefficace par les circonstances’).
20The judgment in CRCAM (paragraph 31 and the case-law cited).
21In its submissions, the French Government provided an analysis of the expression ‘without undue delay’, taking into consideration the obligations imposed on the Commission or the Member States in other acts of EU law. However, I consider that the differences between an EU institution or a Member state authority and a private person, namely the payer, preclude any analogy.
22That appears to be the case in the French (‘sans tarder’), Dutch (‘onverwijld’), German (‘unverzüglich’), Greek (‘αμελλητί’) and Italian (‘senza indugio’) language versions.
23That appears to be the case in the English (‘without undue delay’), Spanish (‘sin tardanza injustificada’) and Latvian (‘bez liekas kavēšanās’) language versions.
24See Storck, M. et al., Code Monétaire et Financier. Annoté et commenté, 14th edition, Dalloz, Paris, 2024, p. 170, and Hennard, G., ‘Loi sur les services de paiement : l’exécution des opérations de paiement – Responsabilités en cas d’inexécution ou d’exécution incorrecte des opérations de paiement’, in Betalingsdiensten / Services de paiement, 1st edition, Intersentia, Bruxelles, 2011, pp. 137 to 194, at p. 172.
25See, Guimarães, M.R. and Steennot, R., op. cit., footnote 17, at p. 48.
26See, to that effect, the judgment in CRCAM (paragraphs 38 and 50).
27The judgment in CRCAM (paragraph 36).
28Ibid., paragraph 33.
29See point 32 of the present Opinion.
30See points 34 and 36 of the present Opinion.
31Implementing the Community Lisbon programme: Proposal for a directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 97/7/EC, 2000/12/EC and 2002/65/EC (COM(2005) 603 final).
32See Opinion of Advocate General Saugmandsgaard Øe in CRCAM (C‑337/20, EU:C:2021:564, points 44 to 46).
33The judgment in CRCAM (paragraph 48).
34Ibid., paragraph 49.
35See point 31 of the present Opinion.
36Point 37 of the present Opinion.
37See, to that effect, judgment of 3 June 2008, Intertanko and Others (C‑308/06, EU:C:2008:312, paragraphs 75 and 76).
38See, Guimarães, M.R. and Steennot, R., op. cit., footnote 17, at p. 50, with examples from national case-law.
39Point 40 of the present Opinion.