The Hidden Reality Behind PSD2: When Banks Shift the Blame!

As legislative negotiations over the draft Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR) intensify, the debate over how — and to what extent — authorized payment fraud should be addressed through liability rules for payment service providers (PSPs) has gained urgency. (See, for example, the contribution by Emanuel von Praag).

With experience representing over 1,600 victims of cross-border authorized push payment (APP) fraud, we at EFRI consider this a critical issue. However, it is equally important to recognize that even in the area of unauthorized payment fraud, enforcing existing protections under PSD2 remains problematic across EU Member States. 

Duty of care obligations for PSPs and for customers

A recent study by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband, vzbv) critically examines how German payment service providers have interpreted and applied the duty of care obligations of both payment service providers (PSPs) and payment service users (PSUs) over the past few years. The analysis is based on consumer complaints and independent research and highlights significant gaps in how PSPs handle fraud prevention and consumer complaints in cases of unauthorized fraud.

Current EU Framework for unauthorized payment transactions!

Under current EU legislation, in cases of unauthorized payment fraud, where a payment transaction is carried out without the consent of the payment service user (PSU), Article 73 of PSD2 (transposed in Germany as § 675u BGB) requires the payment service provider (PSP) to refund the amount immediately, and no later than the end of the following business day, once the PSU has promptly reported the unauthorized transaction. The refund may be withheld only if the PSP can prove that the PSU acted fraudulently or with gross negligence. Legally, the burden of proving that a transaction was authorized lies with the PSP. If the transaction results from the use of a lost or stolen payment instrument, or from other misuse of a payment instrument where the consumer was in a position to be aware of the loss, the account holder is liable for at most 50 euros. Consumers are obliged to bear the full loss only if it is due to an intentional or grossly negligent breach of their obligations under § 675l (1) BGB or of the conditions governing the issuing and use of the payment instrument.

Reality looks different

According to Article 73 of the Payment Services Directive, service providers are obliged to refund unauthorised payments promptly and "in any event". Consequently, it is the banks that must prove that users acted with gross negligence in order to hold them liable, if necessary as plaintiff in court. In practice, however, this is not what happens. Very often PSUs have to defend themselves against the accusation of gross negligence, while the service providers offset their own obligations, for example to restore the account balance within one bank working day in the case of fraud, against claims for compensation from the consumer. Service providers also repeatedly manage to evade their obligation to provide evidence of authorisation by de facto reversing the legal dispute. They achieve this by putting themselves in a position where prima facie evidence is sufficient, so that they do not have to submit tangible evidence to the court.

Another aspect is that it often takes German PSPs several weeks to examine a case without refunding the amount in the meantime. If the assessment ultimately concludes that the consumer has not acted with gross negligence, then the failure to refund the consumer immediately constitutes a clear violation of § 675u BGB.

Inconsistent Interpretations of "Gross Negligence"

Current debates on gross negligence predominantly focus on payment service users, with limited attention given to the duty of care standards expected of payment service providers. This imbalance, compounded by inconsistent definitions of negligence across jurisdictions, creates significant liability risks for all parties involved.

As a result, PSUs are often required to check websites and relevant security warnings, or risk being accused of neglecting their due diligence obligations if they fall victim to a scam. If consumers miss the warnings, banks and savings institutions may refuse to reimburse them for any money lost.

On the other hand, there are almost no clearly defined obligations for PSPs to monitor for and prevent fraudulent activity. For example, banks are not legally required to flag or block suspicious transactions, even when transaction patterns clearly deviate from a customer's normal behavior.

In summary, the German study identified six serious issues:


  1. Inconsistent Behaviour:
    PSPs do not act consistently to help consumers recognize scams. Their warnings and processes often contradict each other, making it hard for users to distinguish legitimate communications from fraud attempts.

  2. Incomprehensible Texts and Processes:
    Warning messages and procedures are often confusing, preventing consumers from understanding risks and thus failing to prevent fraud effectively.

  3. Difficulty Making Contact:
    Many consumers report that reaching their bank in emergencies is slow or impossible, delaying critical actions like blocking accounts during fraud incidents.

  4. Inadequate Transaction Analysis:
    PSPs frequently fail to detect or act on unusual account activities—such as sudden increases in transfer limits or atypical international transactions—that could signal fraud.

  5. Inappropriate Technological Design:
    Banking systems are not sufficiently robust against social engineering and technical manipulation, making it too easy for scammers to exploit both consumers and system weaknesses.

  6. Behaviour Harmful to Consumers:
    After fraud occurs, consumers often receive inadequate support, face bureaucratic hurdles, or are denied compensation, even when they acted promptly.
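To make issue 4 concrete, the following is an added illustration written for this page; it is not code from the vzbv study, from EFRI, or from any bank's fraud engine. It shows how little is needed to catch the two signals the study names, a sudden increase in the transfer limit followed by a transfer that uses it, and an atypical international transfer, by comparing new events against a per-customer baseline built from past activity. The event format, the thresholds (five times the customer's median amount, a 24-hour window after a limit increase) and the sample transactions are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Event:
    """One account event (constructed format for this example)."""
    ts: datetime
    kind: str          # "transfer" or "limit_change"
    amount: float      # transfer amount, or the new daily limit for a limit_change
    country: str = ""  # beneficiary account country (transfers only)


def baseline(history, default_limit):
    """Summarise what 'normal' looks like for this customer from past events."""
    history = sorted(history, key=lambda e: e.ts)
    transfers = [e for e in history if e.kind == "transfer"]
    limits = [e.amount for e in history if e.kind == "limit_change"]
    return {
        "median_amount": median(e.amount for e in transfers) if transfers else 0.0,
        "countries": {e.country for e in transfers},
        "limit": limits[-1] if limits else default_limit,
    }


def detect(history, new_events, default_limit=1000.0, amount_factor=5.0,
           limit_window=timedelta(hours=24)):
    """Return [(event, reasons)] for new transfers that deviate from the baseline.

    Rules (hypothetical thresholds chosen for the example):
      new_country           beneficiary country never seen in the customer's history
      amount_outlier        amount above amount_factor x the customer's median transfer
      limit_raised_then_used transfer within limit_window after a limit increase,
                             for more than the limit allowed before the increase
    """
    base = baseline(history, default_limit)
    current_limit = base["limit"]
    last_raise = None  # (timestamp, limit before the increase) of the latest raise
    alerts = []
    for e in sorted(new_events, key=lambda x: x.ts):
        if e.kind == "limit_change":
            if e.amount > current_limit:
                last_raise = (e.ts, current_limit)
            current_limit = e.amount
            continue
        reasons = set()
        if e.country not in base["countries"]:
            reasons.add("new_country")
        if base["median_amount"] and e.amount > amount_factor * base["median_amount"]:
            reasons.add("amount_outlier")
        if (last_raise is not None
                and e.ts - last_raise[0] <= limit_window
                and e.amount > last_raise[1]):
            reasons.add("limit_raised_then_used")
        if reasons:
            alerts.append((e, reasons))
    return alerts


# Constructed history: six small domestic transfers, daily limit left at the default.
HISTORY = [
    Event(datetime(2024, 1, 5) + timedelta(days=10 * i), "transfer", amt, "DE")
    for i, amt in enumerate([45, 80, 120, 60, 95, 30])
]

# Constructed new activity: limit raised tenfold, then a large foreign transfer
# 90 minutes later, then an ordinary domestic payment the next morning.
NEW_EVENTS = [
    Event(datetime(2024, 4, 2, 10, 0), "limit_change", 10000.0),
    Event(datetime(2024, 4, 2, 11, 30), "transfer", 4800.0, "PL"),
    Event(datetime(2024, 4, 3, 9, 0), "transfer", 60.0, "DE"),
]


def run_example():
    """Run the detector over the constructed data; used by the demo below."""
    return detect(HISTORY, NEW_EVENTS)


if __name__ == "__main__":
    for event, reasons in run_example():
        print(f"{event.ts:%Y-%m-%d %H:%M} {event.amount:>8.2f} {event.country} "
              f"-> {', '.join(sorted(reasons))}")
```

Run as a script, the only alert is the 4,800 transfer to PL, flagged for all three reasons; the 60 euro domestic payment the next day falls inside the 24-hour window but does not exceed the previous limit, so it stays quiet. The point is not the thresholds, which a real PSP would tune per customer segment, but that the signals the study says go unnoticed are cheap to compute from data the PSP already holds.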

Conclusion and Recommendations

The study concludes that the current system disproportionately burdens consumers and does not provide adequate incentives for PSPs to prevent fraud. The authors call for:

  • Clearer, more enforceable due diligence obligations for PSPs.

  • Improved technological safeguards and consumer-friendly processes.

  • More accessible and responsive customer service during fraud emergencies.

  • A legal framework that holds PSPs accountable for failing to prevent or respond to fraud, rather than shifting liability onto consumers.