Time is of essence also for payment users when fighting payment fraud
On August 1st, 2025, the Court of Justice of the European Union (the “Court”) issued a judgement in Case C‑665/23 (IL v Veracash SAS) concerning the rights of payment service users to refunds in the case of unauthorized transactions, which clarifies the conditions under which payment users are protected in such instances. The key takeaway from this judgement concerns the liability of the payment service provider in cases of unauthorized payments, specifically the interpretation of the conditions under which such liability may be retained.
The request for a preliminary ruling was submitted by the Cour de cassation (France) in proceedings between IL, a payment service user, and Veracash SAS, a payment service provider, concerning the reimbursement of amounts relating to an unauthorized payment transaction notified by the consumer almost two months after the first disputed withdrawal.
Under Directive 2007/64/EC on payment services in the internal market[1] (the “PSD”) a payment user must notify their payment service provider of any unauthorized transaction both ‘without undue delay’ and no later than 13 months after the debit date[2]. Although the judgment of the Court was rendered in the context of a repealed directive – PSD having been repealed by Directive (EU) 2015/2366 (the “PSD2”), the relevant provisions in the current legislation remain almost identical. Consequently, the Court’s interpretation remains fully relevant for the application of present–day EU payment services law.
In response to the referring court’s questions on whether the service provider’s liability in unauthorized payments were met, ECJ held that:
(i) the payment service user is, in principle, deprived of the right to obtain rectification of a transaction if he or she did not notify his or her payment service provider without undue delay on becoming aware of an unauthorized payment transaction, even though he or she notified it to that payment service provider within 13 months after the debit date. In this context, the court emphasized that the payment service user’s obligation to notify ‘without undue delay’ is autonomous and pursues a different objective from the one referring to the maximum 13-month time limit running from the debit date.
While this is consistent with the existing ECJ case law[3] which held that the payment service user’s obligation to notify any unauthorized transaction is a prerequisite for that regime to apply for the benefit of that user, the present judgement clarifies that such notification obligation must be assessed on a case-by-case basis and should be complied with autonomously in order for the payment service provider to be held liable.
(ii) in the event of an unauthorized payment transaction resulting from the use of a lost, stolen or misappropriated payment instrument, or from any unauthorized use of such an instrument notified within 13 months after the debit date, that payer is– in principle and except where the payer has acted fraudulently – to be deprived of his or her right to obtain actual rectification of that transaction only if he or she delayed notifying it to his or her payment service provider with intent or gross negligence consisting in a serious breach of a duty of care.
The existence of intent or gross negligence on the part of the payment service user should be assessed by taking into consideration all the circumstances of the case and the available evidence, with the degree of alleged negligence evaluated in accordance with national law.
(iii) in the event of successive unauthorized payment transactions, resulting from the use of a lost, stolen or misappropriated payment instrument or any unauthorized use of such an instrument, notified within the 13-month time limit after the debit dates of those transactions, if the payment service user partially failed to notify them to his or her payment service provider with intent or gross negligence, that payer shall be, in principle, deprived of the right to obtain a refund only for the losses resulting from the transactions which he or she delayed in notifying to his or her payment service provider with intent or gross negligence.
While confirming that the 13-month time limit does not provide a safe harbor for such notifications, the Court reiterated once again that the payment service user must notify any such unauthorized transactions without undue delay. The right to reimbursement by the payment service provider is therefore no longer applicable in cases where such notifications are delayed with intent or gross negligence, as assessed under applicable national law.
Thus, in a regulatory environment putting increasing pressure on payment service providers to fight payment fraud as also reflected by the latest discussions[4] on the payments legislation package proposed by the European Commission in June 2023, prompt action by payment users in case of unauthorized payments remains essential for ensuring legal certainty, limiting losses and last but not least preserving the liability of the payment service provider in such cases.
[1] Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC
[2] Article 58 in question states that “The payment service user shall obtain rectification from the payment service provider only if he notifies his payment service provider without undue delay on becoming aware of any unauthorized or incorrectly executed payment transactions giving rise to a claim, including that under Article 75, and no later than 13 months after the debit date, unless, where applicable, the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III.”
[3] Judgment of 2 September 2021, CRCAM, C‑337/20
[4] Council agrees its position on a more modern payment service framework in the EU – Consilium
Authored by: Simona Petrișor – Partner, Cristina Palade – Junior Associate