Unauthorised transactions: Exclusive application of the PSP liability regime

In a ruling dated 27 March 2024 (no. 22-21.200), the French Supreme Court (‘Cour de Cassation’) - citing European case law - held that a payment service provider can only be held liable for an unauthorised or incorrectly executed payment transaction on the basis of the liability regime defined in articles L.133-18 et seq. of the French Monetary and Financial Code (CMF), to the exclusion of any other liability regime under national law.

In the event of unauthorised payment transactions, the payment service user may not request the court to pay damages on any other basis, in addition to or instead of reimbursement. Only the reimbursement of unauthorised transactions may be claimed by the payment service user, in accordance with the procedures set out in articles L. 133-18 et seq. of the CMF.

The circumstances that led the French Supreme Court to rule on the exclusive nature of the liability regime for payment service providers

The dispute that gave rise to the judgment under review concerned a company that had discovered fraudulent bank transactions in its accounts. The company had noted the closure of its term account and four fraudulent transfers, sent by e-mail, to accounts located abroad. She brought proceedings against the bank providing the payment services, seeking an order to repay the sums debited and to pay damages on the grounds that the bank had failed in its duty of care. The Metz Court of Appeal upheld the company's claims (CA Metz, 7 July 2022, no. 20/0166).

The bank then appealed to the French Supreme Court, criticising the decision handed down by the Metz Court of Appeal for ordering it to pay damages for the loss caused by the fraudulent transfers and by the closure of the account, and invoking the case law of the CJEU on the exclusivity of the liability regime for payment service providers. The French Supreme Court was thus called upon to rule on the exclusive or non-exclusive nature of the liability regime for payment service providers under the PSD1 Directive.

A welcome ruling given the hesitations of the lower courts on the question of the exclusive nature of the liability regime for payment service providers

In its judgment of 2 September 2021 (C-337/20), the CJEU ruled that the PSD1 Directive precluded Member States from maintaining a parallel liability regime. This position was reiterated in the "Beobank" ruling of 16 March 2023 (C-351-21), which was referred to by the French Supreme Court in its ruling of 27 March 2024.

However, domestic courts have not uniformly applied the European position, creating a degree of judicial uncertainty. While some courts have refused claims for compensation on a different basis (see in particular CA Riom, 28 June 2023, no. 21/01744 ; CA Metz, 9 February 2023, no. 21/01729), others have accepted them (see in particular CA Douai, 21 December 2023, no. 22/02871 ; CA Paris, 8 November 2023, no. 21/20107). Although the French Supreme Court had already been able to refer to the aforementioned CJEU judgment of 2 September 2021 in a judgment of 9 February 2022 (no. 17-19.441), the legal issue before it did not allow it to take a position on the exclusive nature of the liability regime for payment service providers.

A ruling in line with the position of the CJEU and consistent with the regime resulting from the PSD1 Directive

In its ruling of 27 March 2024, the French Supreme Court followed the case law of the CJEU, holding that payment services users can only seek to hold their banks liable on the basis of the liability regime for payment service providers set out in articles L.133-18 to L.133-24 of the CMF, to the exclusion of any alternative liability regime. This solution will undoubtedly reassure banking institutions in the face of increasing fraud and prevent cumulative claims for reimbursement and damages.

This ruling is also consistent with the regime resulting from the PSD1 Directive, which is based on harmony between the obligations of the payment service provider and the payment service user. The payment service provider is required to make a certain amount of information available to its customer, in particular information relating to the execution of payment transactions. This information enables the payment service user to identify a fraudulent transaction and, in accordance with article L. 133-24 of the CMF, to report it to his bank within thirteen months, failing which it will be time-barred. If the report is made within the time limit, article L.133-18 of the CMF obliges the bank to reimburse the payment service user, unless the latter can demonstrate that the disputed transaction was not affected by a technical fault and that the user committed gross negligence, which can be particularly complicated. However, payment service users could circumvent this obligation to notify within thirteen months if they were authorised to hold their bank liable on the basis of a liability regime other than that resulting from articles L.133-18 to L.133-24 of the CMF, which would then be subject to the ordinary five-year limitation period.

The exclusive nature of the liability regime for payment service providers therefore ensures that the harmony established by the European legislator is not disrupted, at a time when fraudulent transactions are constantly increasing and diversifying.

Towards tougher rules for payment service users?

The exclusive nature of the liability regime means that fraudulent transactions must be notified within thirteen months. Unexpectedly, some courts have interpreted the scope of European case law to hold that the user's failure to bring legal action within thirteen months of the debit of the fraudulent transaction - and not to notify his bank of the transaction - deprived him of his right to bring an action on any grounds against the payment service provider (see in particular, CA Douai, 21 March 2024, no. 23/02376 ; CA Aix-en-Provence, 6 June 2024, no. 23/13540).

This interpretation goes beyond the requirements of the PSD1 Directive (see Recital 31) and raises questions about the sustainability of this solution.

In its decision of 27 March 2024, the French Supreme Court puts an end to the hesitations in case law concerning payment transactions. Payment transactions can now only be challenged on the basis of the liability regime for payment service providers resulting from the transposition of the PSD1 Directive.