How UOKiK understands liability for unauthorized transactions
On 16th November 2022 the Polish Antitrust and Consumer Protection Authority (Prezes UOKiK) issued a position on the interpretation of the provisions of the Payment Services Act with regard to unauthorized payment transactions. The position explains the difference between authorization and authentication of a payment transaction and sets out a very strict funds return policy for payment services providers (including banks, national payment institutions, small payment institutions, and electronic money institutions).
How to understand the authentication of a payment transaction?
According to the Payment Services Act, authentication means a procedure that allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalized security credentials. In practice, according to UOKiK, authentication means the performance of specific technical activities in the manner provided for in the contract between the payment services provider and the payer.
How to understand the authorization of a payment transaction?
According to UOKiK, authorization consists of two elements, which should exist jointly:
- authentication (currently: strong customer authentication – SCA),
- consent of the payer.
Crucially, according to UOKiK, a payer who reports an unauthorized payment transaction to its payment service provider thereby declares that she or he has not consented to the execution of the transaction. In other words, if the payer states that a given payment transaction is unauthorized, the payment services provider is obliged by law to treat the transaction as unauthorized.
Obligations of payment services provider in connection with an unauthorized payment transaction
In the event of an unauthorized payment transaction, the payer’s payment services provider shall immediately, not later than by the end of a business day following the day on which the payer’s complaint or notification was received, reimburse the payer with the amount of the unauthorized payment transaction. If the payer makes use of a payment account, the payer’s payment services provider must restore the debited payment account to the status in which it would have been if the unauthorized payment transaction had not occurred.
In other words, if the payer states that a given payment transaction is unauthorized, the payment services provider has 24 hours to refund the payer’s payment account with the full value of the payment transaction that the payer has contested as unauthorized.
There are two exceptions in which the payer’s payment services provider does not have to provide a refund:
- the payer’s payment services provider has a reasonable and properly documented basis to suspect fraud and has accordingly informed, in writing, the authorities appointed to prosecute criminal offences,
- more than 13 months have passed since the contested payment transaction took place.
Can payment services providers refuse the refund?
According to UOKiK, the fact that a given payment provider contests or questions the payer’s notification does not constitute a basis for refusing the refund. The same goes for the payer’s potential liability for unauthorized payment transactions: such liability does not constitute a basis for refusing the refund.
In accordance with Art. 46.3 of the Payment Services Act, the payer is responsible for the full amount of unauthorized transactions if she or he has caused them to take place intentionally or as a result of a breach that has been intentional or resulted from gross negligence.
In other words, if it is the payer who should be held liable for an unauthorized transaction, the payment services provider should first refund the transaction amount and then submit a claim against the payer.
What are the grounds for a claim against the payer?
If, after refunding the payment transaction, the payer’s payment services provider decides to submit a claim against the payer, it can rely on one of the two grounds below:
- proving that a given transaction was properly authorized (the burden of proof lies on the provider),
- proving that a given transaction was unauthorized but took place through the payer’s fault (intentionally or as a result of gross negligence).
Such claims are examined by the Polish common (civil) courts.