Article 22 of Law 5019/2023 (Government Gazette A' 27/14.02.2023) (hereinafter, the "Law") introduces provisions regarding the limitation of payers' liability for unauthorized payment transactions, by amending par. 1 of Article 74 of Law 4537/2018 on payment services accordingly.
In particular, payment service providers (such as credit institutions) will be required to implement additional safeguards, beyond those currently in place, for online consumer transactions. If they do not, they will bear the part of the loss above 1,000 euros suffered by customers who fell victim to electronic fraud ("phishing").
The provisions shall enter into force on September 1, 2023.
Necessity of the provision
According to the Law's explanatory statement, the new provision aims to protect consumers from "phishing", i.e. fraudulent practices (fake websites, e-mails or notifications) by which perpetrators obtain or steal consumers' secret codes ("PIN", "TAN") in the context of online transactions and money transfers.
Pursuant to Directive (EU) 2015/2366 on payment services ("PSD II"), Member States may reduce the liability of the payer in cases of gross negligence. This option was not exercised by Law 4537/2018, which transposed PSD II into Greek law.
Considering the experience of other countries that have provided for a quantitative limitation of the consumer's liability in cases of gross negligence (Sweden, Denmark and Norway), as well as the need to protect consumers in view of the extent of "phishing", it was deemed necessary to introduce relevant provisions.
The new provision in particular
• According to the new provision, the payer shall bear all of the losses relating to any unauthorised payment transactions if they were incurred by the payer acting fraudulently or failing, with intent or gross negligence, to fulfil his obligations under the Law (notably, the obligation to notify the payment service provider without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument, and the obligation to take reasonable steps to keep his personalised security credentials, e.g. a secret password, safe).
• However, if the payer is a consumer and his losses are due to gross negligence (rather than fraud or intent), his liability is limited to the amount of 1,000 euros, taking into account the facts of the specific case and, in particular, the nature of the personalised security credentials and the specific circumstances under which the payment instrument was lost, stolen or misappropriated. As a result, the loss is shared between the consumer and the payment service provider, with the part above 1,000 euros borne by the provider, rather than the whole loss falling on the consumer.
• The above quantitative limitation of the consumer's liability shall not apply, in which case the consumer bears all of the losses, if the payment service provider proves that it has in place and implements, for transactions that may cause losses of more than 1,000 euros, additional, effective and more advanced transaction control mechanisms than those it generally applies for strong customer authentication. Indicatively, such additional mechanisms include control mechanisms that make use of artificial intelligence technologies, an additional code, biometric identification or telephone confirmation.
Conclusions
The deadline for payment service providers to design and implement the enhanced security measures required by the new framework is September 1, 2023.
Currently, when making payment transactions online, "Strong Customer Authentication" under PSD II is mainly based on two (2) factors drawn from the categories of knowledge, possession and inherence, such as a one-time password (OTP) sent via SMS combined with a code that the customer knows (e.g. the web banking password). Adapting to the new requirements will necessitate an extra layer of security for the authentication of transactions above 1,000 euros.
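To make the structure described above concrete, the following is an added illustration written for this note; it is not part of the article, not the text of the Law, and not any payment service provider's code. It models a transaction authorisation policy with a baseline two-factor check (a password the customer knows plus a one-time code derived from a key held on the customer's device) for every transaction, and a separate, additional confirmation code that is only required above the 1,000 euro threshold. Both codes are dynamically linked to the amount and payee, as the PSD II regulatory technical standards (Commission Delegated Regulation (EU) 2018/389, Article 5) require, so that a code phished for one transfer cannot authorise a different one. The customer record, keys, IBANs and the `authorise` function are constructed for the example; a real deployment would obtain the second code over a separate channel (app push, telephone confirmation) rather than compute it locally.

```python
"""Step-up authorisation policy for online payments (illustrative, constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

STEP_UP_THRESHOLD = Decimal("1000.00")  # threshold set by the Law, in euros


@dataclass
class Customer:
    user_id: str
    password_hash: bytes       # knowledge factor, stored salted and hashed
    salt: bytes
    device_key: bytes          # possession factor: key held by the customer's app/device
    confirmation_key: bytes    # step-up factor: distinct key for a second channel


@dataclass
class Transaction:
    payee_iban: str
    amount: Decimal
    nonce: str                 # per-transaction value chosen by the provider (replay protection)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def linked_code(key: bytes, tx: Transaction, channel: str) -> str:
    """Six-digit authentication code dynamically linked to amount, payee and nonce.

    Binding the amount and payee into the MAC means a code obtained by phishing
    for one transfer is useless for a transfer to a different payee or amount.
    """
    msg = f"{channel}|{tx.payee_iban}|{tx.amount:.2f}|{tx.nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def authorise(customer: Customer, tx: Transaction, password: str,
              device_code: str, confirmation_code: Optional[str]) -> Tuple[bool, str]:
    """Return (authorised, reason). All comparisons are constant-time."""
    if not hmac.compare_digest(hash_password(password, customer.salt), customer.password_hash):
        return False, "knowledge factor failed"
    if not hmac.compare_digest(linked_code(customer.device_key, tx, "device"), device_code):
        return False, "possession factor failed"
    if tx.amount <= STEP_UP_THRESHOLD:
        return True, "authorised with baseline SCA"
    # Above the threshold: the additional, separately keyed confirmation is mandatory.
    if confirmation_code is None:
        return False, "step-up required above threshold"
    if not hmac.compare_digest(linked_code(customer.confirmation_key, tx, "confirm"), confirmation_code):
        return False, "step-up confirmation failed"
    return True, "authorised with step-up"


def demo_customer() -> Customer:
    """Constructed sample record with fixed keys so the example is reproducible."""
    salt = b"constructed-salt"
    return Customer(
        user_id="cust-001",
        password_hash=hash_password("correct horse battery", salt),
        salt=salt,
        device_key=b"constructed-device-key-32-bytes!",
        confirmation_key=b"constructed-confirm-key-32-bytes",
    )


if __name__ == "__main__":
    c = demo_customer()
    big = Transaction("GR1601101250000000012300695", Decimal("1500.00"), "n2")
    # Baseline factors alone are refused above the threshold.
    print(authorise(c, big, "correct horse battery", linked_code(c.device_key, big, "device"), None))
    # A code phished for this transfer does not authorise a transfer to another payee.
    other = Transaction("GR9608100010000001234567890", Decimal("1500.00"), "n2")
    print(authorise(c, other, "correct horse battery",
                    linked_code(c.device_key, big, "device"),
                    linked_code(c.confirmation_key, big, "confirm")))
```

The point the example makes is that the "additional code" the Law mentions is only a meaningful control if it is keyed and delivered independently of the baseline factors and is bound to the specific payee and amount; a second OTP sent over the same SMS channel and usable for any transaction adds little against a phishing site that relays codes in real time.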
The challenge for payment service providers will be to choose measures and tools that satisfy the new requirement without unduly complicating electronic transactions of more than 1,000 euros.