
TITLE IV RIGHTS AND OBLIGATIONS IN RELATION TO THE PROVISION AND USE OF PAYMENT SERVICES

CHAPTER 2 Authorisation of payment transactions

Article 64 Consent and withdrawal of consent

1. Member States shall ensure that a payment transaction is considered to be authorised only if the payer has given consent to execute the payment transaction. A payment transaction may be authorised by the payer prior to or, if agreed between the payer and the payment service provider, after the execution of the payment transaction.

2. Consent to execute a payment transaction or a series of payment transactions shall be given in the form agreed between the payer and the payment service provider. Consent to execute a payment transaction may also be given via the payee or the payment initiation service provider.

In the absence of consent, a payment transaction shall be considered to be unauthorised.

3. Consent may be withdrawn by the payer at any time, but no later than at the moment of irrevocability in accordance with Article 80. Consent to execute a series of payment transactions may also be withdrawn, in which case any future payment transaction shall be considered to be unauthorised.

4. The procedure for giving consent shall be agreed between the payer and the relevant payment service provider(s).

Article 65 Confirmation on the availability of funds

1. Member States shall ensure that an account servicing payment service provider shall, upon the request of a payment service provider issuing card-based payment instruments, immediately confirm whether an amount necessary for the execution of a card-based payment transaction is available on the payment account of the payer, provided that all of the following conditions are met:

(a) the payment account of the payer is accessible online at the time of the request;

(b) the payer has given explicit consent to the account servicing payment service provider to respond to requests from a specific payment service provider to confirm that the amount corresponding to a certain card-based payment transaction is available on the payer’s payment account;

(c) the consent referred to in point (b) has been given before the first request for confirmation is made.

2. The payment service provider may request the confirmation referred to in paragraph 1 where all of the following conditions are met:

(a) the payer has given explicit consent to the payment service provider to request the confirmation referred to in paragraph 1;

(b) the payer has initiated the card-based payment transaction for the amount in question using a card based payment instrument issued by the payment service provider;

(c) the payment service provider authenticates itself towards the account servicing payment service provider before each confirmation request, and securely communicates with the account servicing payment service provider in accordance with point (d) of Article 98(1).

3. In accordance with Directive 95/46/EC, the confirmation referred to in paragraph 1 shall consist only in a simple ‘yes’ or ‘no’ answer and not in a statement of the account balance. That answer shall not be stored or used for purposes other than for the execution of the card-based payment transaction.

4. The confirmation referred to in paragraph 1 shall not allow for the account servicing payment service provider to block funds on the payer’s payment account.

5. The payer may request the account servicing payment service provider to communicate to the payer the identification of the payment service provider and the answer provided.

6. This Article does not apply to payment transactions initiated through card-based payment instruments on which electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC is stored.

Article 66 Rules on access to payment account in the case of payment initiation services

1. Member States shall ensure that a payer has the right to make use of a payment initiation service provider to obtain payment services as referred to in point (7) of Annex I. The right to make use of a payment initiation service provider shall not apply where the payment account is not accessible online.

2. When the payer gives its explicit consent for a payment to be executed in accordance with Article 64, the account servicing payment service provider shall perform the actions specified in paragraph 4 of this Article in order to ensure the payer’s right to use the payment initiation service.

3. The payment initiation service provider shall:

(a) not hold at any time the payer’s funds in connection with the provision of the payment initiation service;

(b) ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that they are transmitted by the payment initiation service provider through safe and efficient channels;

(c) ensure that any other information about the payment service user, obtained when providing payment initiation services, is only provided to the payee and only with the payment service user’s explicit consent;

(d) every time a payment is initiated, identify itself towards the account servicing payment service provider of the payer and communicate with the account servicing payment service provider, the payer and the payee in a secure way, in accordance with point (d) of Article 98(1);

(e) not store sensitive payment data of the payment service user;

(f) not request from the payment service user any data other than those necessary to provide the payment initiation service;

(g) not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer;

(h) not modify the amount, the payee or any other feature of the transaction.

4. The account servicing payment service provider shall:

(a) communicate securely with payment initiation service providers in accordance with point (d) of Article 98(1);

(b) immediately after receipt of the payment order from a payment initiation service provider, provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider;

(c) treat payment orders transmitted through the services of a payment initiation service provider without any discrimination other than for objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer.

5. The provision of payment initiation services shall not be dependent on the existence of a contractual relationship between the payment initiation service providers and the account servicing payment service providers for that purpose.

Article 67 Rules on access to and use of payment account information in the case of account information services

1. Member States shall ensure that a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I. That right shall not apply where the payment account is not accessible online.

2. The account information service provider shall:

(a) provide services only where based on the payment service user’s explicit consent;

(b) ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that when they are transmitted by the account information service provider, this is done through safe and efficient channels;

(c) for each communication session, identify itself towards the account servicing payment service provider(s) of the payment service user and securely communicate with the account servicing payment service provider(s) and the payment service user, in accordance with point (d) of Article 98(1);

(d) access only the information from designated payment accounts and associated payment transactions;

(e) not request sensitive payment data linked to the payment accounts;

(f) not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules.

3. In relation to payment accounts, the account servicing payment service provider shall:

(a) communicate securely with the account information service providers in accordance with point (d) of Article 98(1); and

(b) treat data requests transmitted through the services of an account information service provider without any discrimination for other than objective reasons.

4. The provision of account information services shall not be dependent on the existence of a contractual relationship between the account information service providers and the account servicing payment service providers for that purpose.

Article 68 Limits of the use of the payment instrument and of the access to payment accounts by payment service providers

1. Where a specific payment instrument is used for the purposes of giving consent, the payer and the payer’s payment service provider may agree on spending limits for payment transactions executed through that payment instrument.

2. If agreed in the framework contract, the payment service provider may reserve the right to block the payment instrument for objectively justified reasons relating to the security of the payment instrument, the suspicion of unauthorised or fraudulent use of the payment instrument or, in the case of a payment instrument with a credit line, a significantly increased risk that the payer may be unable to fulfil its liability to pay.

3. In such cases the payment service provider shall inform the payer of the blocking of the payment instrument and the reasons for it in an agreed manner, where possible, before the payment instrument is blocked and at the latest immediately thereafter, unless providing such information would compromise objectively justified security reasons or is prohibited by other relevant Union or national law.

4. The payment service provider shall unblock the payment instrument or replace it with a new payment instrument once the reasons for blocking no longer exist.

5. An account servicing payment service provider may deny an account information service provider or a payment initiation service provider access to a payment account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or that payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction. In such cases the account servicing payment service provider shall inform the payer that access to the payment account is denied and the reasons therefor in the form agreed. That information shall, where possible, be given to the payer before access is denied and at the latest immediately thereafter, unless providing such information would compromise objectively justified security reasons or is prohibited by other relevant Union or national law.

The account servicing payment service provider shall allow access to the payment account once the reasons for denying access no longer exist.

6. In the cases referred to in paragraph 5, the account servicing payment service provider shall immediately report the incident relating to the account information service provider or the payment initiation service provider to the competent authority. The information shall include the relevant details of the case and the reasons for taking action. The competent authority shall assess the case and shall, if necessary, take appropriate measures.

Article 69 Obligations of the payment service user in relation to payment instruments and personalised security credentials

1. The payment service user entitled to use a payment instrument shall:

(a) use the payment instrument in accordance with the terms governing the issue and use of the payment instrument, which must be objective, non-discriminatory and proportionate;

(b) notify the payment service provider, or the entity specified by the latter, without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument.

2. For the purposes of point (a) of paragraph 1, the payment service user shall, in particular, as soon as in receipt of a payment instrument, take all reasonable steps to keep its personalised security credentials safe.

Article 70 Obligations of the payment service provider in relation to payment instruments

1. The payment service provider issuing a payment instrument shall:

(a) make sure that the personalised security credentials are not accessible to parties other than the payment service user that is entitled to use the payment instrument, without prejudice to the obligations on the payment service user set out in Article 69;

(b) refrain from sending an unsolicited payment instrument, except where a payment instrument already given to the payment service user is to be replaced;

(c) ensure that appropriate means are available at all times to enable the payment service user to make a notification pursuant to point (b) of Article 69(1) or to request unblocking of the payment instrument pursuant to Article 68(4); on request, the payment service provider shall provide the payment service user with the means to prove, for 18 months after notification, that the payment service user made such a notification;

(d) provide the payment service user with an option to make a notification pursuant to point (b) of Article 69(1) free of charge and to charge, if at all, only replacement costs directly attributed to the payment instrument;

(e) prevent all use of the payment instrument once notification pursuant to point (b) of Article 69(1) has been made.

2. The payment service provider shall bear the risk of sending a payment instrument or any personalised security credentials relating to it to the payment service user.

Article 71 Notification and rectification of unauthorised or incorrectly executed payment transactions

1. The payment service user shall obtain rectification of an unauthorised or incorrectly executed payment transaction from the payment service provider only if the payment service user notifies the payment service provider without undue delay on becoming aware of any such transaction giving rise to a claim, including that under Article 89, and no later than 13 months after the debit date.

The time limits for notification laid down in the first subparagraph do not apply where the payment service provider has failed to provide or make available the information on the payment transaction in accordance with Title III.

2. Where a payment initiation service provider is involved, the payment service user shall obtain rectification from the account servicing payment service provider pursuant to paragraph 1 of this Article, without prejudice to Article 73(2) and Article 89(1).

Article 72 Evidence on authentication and execution of payment transactions

1. Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for the payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency of the service provided by the payment service provider.

If the payment transaction is initiated through a payment initiation service provider, the burden shall be on the payment initiation service provider to prove that within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.

2. Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider, including the payment initiation service provider as appropriate, shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of the obligations under Article 69. The payment service provider, including, where appropriate, the payment initiation service provider, shall provide supporting evidence to prove fraud or gross negligence on part of the payment service user.

Article 73 Payment service provider’s liability for unauthorised payment transactions

1. Member States shall ensure that, without prejudice to Article 71, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day, after noting or being notified of the transaction, except where the payer’s payment service provider has reasonable grounds for suspecting fraud and communicates those grounds to the relevant national authority in writing. Where applicable, the payer’s payment service provider shall restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place. This shall also ensure that the credit value date for the payer’s payment account shall be no later than the date the amount had been debited.

2. Where the payment transaction is initiated through a payment initiation service provider, the account servicing payment service provider shall refund immediately, and in any event no later than by the end of the following business day the amount of the unauthorised payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.

If the payment initiation service provider is liable for the unauthorised payment transaction, it shall immediately compensate the account servicing payment service provider at its request for the losses incurred or sums paid as a result of the refund to the payer, including the amount of the unauthorised payment transaction. In accordance with Article 72(1), the burden shall be on the payment initiation service provider to prove that, within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.

3. Further financial compensation may be determined in accordance with the law applicable to the contract concluded between the payer and the payment service provider or the contract concluded between the payer and the payment initiation service provider if applicable.

Article 74 Payer’s liability for unauthorised payment transactions

1. By way of derogation from Article 73, the payer may be obliged to bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR 50, resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument.

The first subparagraph shall not apply if:

(a) the loss, theft or misappropriation of a payment instrument was not detectable to the payer prior to a payment, except where the payer has acted fraudulently; or

(b) the loss was caused by acts or lack of action of an employee, agent or branch of a payment service provider or of an entity to which its activities were outsourced.

The payer shall bear all of the losses relating to any unauthorised payment transactions if they were incurred by the payer acting fraudulently or failing to fulfil one or more of the obligations set out in Article 69 with intent or gross negligence. In such cases, the maximum amount referred to in the first subparagraph shall not apply.

Where the payer has neither acted fraudulently nor intentionally failed to fulfil its obligations under Article 69, Member States may reduce the liability referred to in this paragraph, taking into account, in particular, the nature of the personalised security credentials and the specific circumstances under which the payment instrument was lost, stolen or misappropriated.

2. Where the payer’s payment service provider does not require strong customer authentication, the payer shall not bear any financial losses unless the payer has acted fraudulently. Where the payee or the payment service provider of the payee fails to accept strong customer authentication, it shall refund the financial damage caused to the payer’s payment service provider.

3. The payer shall not bear any financial consequences resulting from use of the lost, stolen or misappropriated payment instrument after notification in accordance with point (b) of Article 69(1), except where the payer has acted fraudulently.

If the payment service provider does not provide appropriate means for the notification at all times of a lost, stolen or misappropriated payment instrument, as required under point (c) of Article 70(1), the payer shall not be liable for the financial consequences resulting from use of that payment instrument, except where the payer has acted fraudulently.

Article 75 Payment transactions where the transaction amount is not known in advance

1. Where a payment transaction is initiated by or through the payee in the context of a card-based payment transaction and the exact amount is not known at the moment when the payer gives consent to execute the payment transaction, the payer’s payment service provider may block funds on the payer’s payment account only if the payer has given consent to the exact amount of the funds to be blocked.

2. The payer’s payment service provider shall release the funds blocked on the payer’s payment account under paragraph 1 without undue delay after receipt of the information about the exact amount of the payment transaction and at the latest immediately after receipt of the payment order.

Article 76 Refunds for payment transactions initiated by or through a payee

1. Member States shall ensure that a payer is entitled to a refund from the payment service provider of an authorised payment transaction which was initiated by or through a payee and which has already been executed, if both of the following conditions are met:

(a) the authorisation did not specify the exact amount of the payment transaction when the authorisation was made;

(b) the amount of the payment transaction exceeded the amount the payer could reasonably have expected taking into account the previous spending pattern, the conditions in the framework contract and relevant circumstances of the case.

At the payment service provider’s request, the payer shall bear the burden of proving such conditions are met.

The refund shall consist of the full amount of the executed payment transaction. The credit value date for the payer’s payment account shall be no later than the date the amount was debited.

Without prejudice to paragraph 3, Member States shall ensure that, in addition to the right referred to in this paragraph, for direct debits as referred to in Article 1 of Regulation (EU) No 260/2012, the payer has an unconditional right to a refund within the time limits laid down in Article 77 of this Directive.

2. However, for the purposes of point (b) of the first subparagraph of paragraph 1, the payer shall not rely on currency exchange reasons if the reference exchange rate agreed with its payment service provider in accordance with point (d) of Article 45(1) and point (3)(b) of Article 52 was applied.

3. It may be agreed in a framework contract between the payer and the payment service provider that the payer has no right to a refund where:

(a) the payer has given consent to execute the payment transaction directly to the payment service provider; and

(b) where applicable, information on the future payment transaction was provided or made available in an agreed manner to the payer for at least 4 weeks before the due date by the payment service provider or by the payee.

4. For direct debits in currencies other than euro, Member States may require their payment service providers to offer more favourable refund rights in accordance with their direct debit schemes provided that they are more advantageous to the payer.

Article 77 Requests for refunds for payment transactions initiated by or through a payee

1. Member States shall ensure that the payer can request the refund referred to in Article 76 of an authorised payment transaction initiated by or through a payee for a period of 8 weeks from the date on which the funds were debited.

2. Within 10 business days of receiving a request for a refund, the payment service provider shall either refund the full amount of the payment transaction or provide a justification for refusing the refund and indicate the bodies to which the payer may refer the matter in accordance with Articles 99 to 102 if the payer does not accept the reasons provided.

The payment service provider’s right under the first subparagraph of this paragraph to refuse the refund shall not apply in the case set out in the fourth subparagraph of Article 76(1).