–

the French Government, by N. Vincent and E. de Moustier, acting as Agents,

–

the Czech Government, by M. Smolek, J. Vláčil and J. Očková, acting as Agents,

–

the Italian Government, by G. Palmieri, acting as Agent, assisted by F. Meloncelli, avvocato dello Stato,

–

the European Commission, by H. Tserepa-Lacombe and T. Scharf, acting as Agents,

1

This request for a preliminary ruling concerns the interpretation of Article 58 of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market, amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ 2007 L 319, p. 1).

2

The request has been made in proceedings between, on the one hand, DM, as manageress of the company Groupe centrale automobiles (‘GCA’), and LR, as joint and several guarantor of GCA, and, on the other hand, the caisse régionale de Crédit agricole mutuel d’Alpes-Provence (‘CRCAM’) concerning the application of the latter’s contractual liability under the general law for breach of its duty of care.

3

Recital 1 of Directive 2007/64 stated as follows:

‘It is essential for the establishment of the internal market that all internal frontiers in the [European Union] be dismantled so as to enable the free movement of goods, persons, services and capital. The proper operation of the single market in payment services is therefore vital. At present, however, the lack of harmonisation in this area hinders the operation of that market.’

4

Recital 4 of that directive states:

‘It is vital, therefore, to establish at [EU] level a modern and coherent legal framework for payment services, whether or not the services are compatible with the system resulting from the financial sector initiative for a single euro payments area, which is neutral so as to ensure a level playing field for all payment systems, in order to maintain consumer choice, which should mean a considerable step forward in terms of consumer cost, safety and efficiency, as compared with the present national systems.’

5

Recital 31 of Directive 2007/64 was worded as follows:

‘In order to reduce the risks and consequences of unauthorised or incorrectly executed payment transactions the payment service user should inform the payment service provider as soon as possible about any contestations concerning allegedly unauthorised or incorrectly executed payment transactions provided that the payment service provider has fulfilled his information obligations under this Directive. If the notification deadline is met by the payment service user, he should be able to pursue those claims within the prescription periods pursuant to national law. This Directive should not affect other claims between payment service users and payment service providers.’

6

Recital 47 of that directive stated as follows:

‘The payer’s payment service provider should assume liability for correct payment execution, including, in particular, the full amount of the payment transaction and execution time, and full responsibility for any failure by other parties in the payment chain up to the account of the payee. As a result of that liability the payment service provider of the payer should, where the full amount is not credited to the payee’s payment service provider, correct the payment transaction or without undue delay refund to the payer the relevant amount of that transaction, without prejudice to any other claims which may be made in accordance with national law. This Directive should concern only contractual obligations and responsibilities between the payment service user and his payment service provider. …’

7

Article 1(2) of Directive 2007/64 provided:

‘2. This Directive also lays down rules concerning transparency of conditions and information requirements for payment services, and the respective rights and obligations of payment service users and payment service providers in relation to the provision of payment services as a regular occupation or business activity.’

8

Article 2 of that directive was worded as follows:

‘1.   This Directive shall apply to payment services provided within the [European Union]. However, with the exception of Article 73, Titles III and IV shall apply only where both the payer’s payment service provider and the payee’s payment service provider are, or the sole payment service provider in the payment transaction is, located in the [European Union].

2.   Titles III and IV shall apply to payment services made in euro or the currency of a Member State outside the euro area.

3.   Member States may waive the application of all or part of the provisions of this Directive to the institutions referred to in Article 2 of Directive 2006/48/EC [of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions (OJ 2006 L 177, p. 1)] with the exception of those referred to in the first and second indents of that article.’

9

Article 4 of Directive 2007/64 provided:

‘For the purposes of this Directive, the following definitions shall apply:

…

…

…’

10

Article 51(1) of that directive provided:

‘Where the payment service user is not a consumer, the parties may agree that Article 52(1), Article 54(3), and Articles 59, 61, 62, 63, 66 and 75 shall not apply in whole or in part. The parties may also agree on a time period different from that laid down in Article 58.’

11

Article 58 of Directive 2007/64 was worded as follows:

‘The payment service user shall obtain rectification from the payment service provider only if he notifies his payment service provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim, including that under Article 75, and no later than 13 months after the debit date, unless, where applicable, the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III.’

12

Article 59(1) of that directive provided:

‘Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for his payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency.

…’

13

Article 60 of that directive was worded as follows:

‘1.   Member States shall ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.

2.   Further financial compensation may be determined in accordance with the law applicable to the contract concluded between the payer and his payment service provider.’

14

The first and second subparagraphs of Article 75(1) of that directive provided:

‘1. Where a payment order is initiated by the payer, his payment service provider shall, without prejudice to Article 58, Article 74(2) and (3), and Article 78, be liable to the payer for correct execution of the payment transaction, unless he can prove to the payer and, where relevant, to the payee’s payment service provider that the payee’s payment service provider received the amount of the payment transaction in accordance with Article 69(1), in which case the payee’s payment service provider shall be liable to the payee for the correct execution of the payment transaction.

Where the payer’s payment service provider is liable under the first subparagraph, he shall without undue delay refund to the payer the amount of the non-executed or defective payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.’

15

Article 86(1) of Directive 2007/64 provided:

‘Without prejudice to Article 30(2), Article 33, Article 34(2), Article 45(6), Article 47(3), Article 48(3), Article 51(2), Article 52(3), Article 53(2), Article 61(3), and Articles 72 and 88 in so far as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive.’

16

Directive 2007/64 was replaced by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ 2015 L 337, p. 35, and corrigendum OJ 2018 L 102, p. 97).

17

Article 71(1), Article 73(1), Article 89(1) and Article 107(1) of Directive 2015/2366 correspond, respectively and in essence, to Article 58, Article 60(1), the first and second subparagraphs of Article 75(1) and Article 86(1) of Directive 2007/64.

18

Article L. 133‑18 of the Code monétaire et financier (Monetary and Financial Code), in the version resulting from Order No 2009‑866 of 15 July 2009 on the conditions governing the supply of payment services and creating payment institutions (JORF of 16 July 2009, text No 13) (‘the Monetary and Financial Code’), provides:

‘In the case of an unauthorised payment transaction reported by the user under the conditions prescribed in Article L. 133‑24, the payment service provider shall refund to the payment service user forthwith the amount of the unauthorised payment transaction and, where applicable, shall restore the payment account that had been debited with that amount to the situation that would have existed if the unauthorised payment transaction had not taken place.

The payer and his payment service provider may decide on additional compensation on a contractual basis.’

19

Article L. 133‑24 of the Monetary and Financial Code is worded as follows:

‘The payment service user shall notify his payment service provider without undue delay of any unauthorised or incorrectly executed payment transactions and no later than 13 months after the debit date, failing which he or she will be time-barred, unless the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Book III, Title I, Chapter IV.

Except where the user is a natural person acting otherwise than for business or professional purposes, the parties may decide to derogate from this article.’

20

Article 1147 of the Civil Code, in the version applicable to the dispute in the main proceedings (‘the Civil Code’) states:

‘The party on whom an obligation is imposed shall be ordered, when appropriate, to pay damages, either by reason of the non-performance of the obligation, or because of delayed performance, whenever he or she cannot demonstrate that the cause of non-performance is external and cannot be attributed to him or her, and that there was no bad faith on his or her part.’

21

Article 2313 of the Civil Code provides:

‘A guarantor may raise, as against the creditor, all defences which are available to the principal debtor and are inherent in the debt;

However, a guarantor may not raise defences which are purely personal to the debtor.’

22

On 22 December 2008, the CRCAM granted GCA a current account credit facility guaranteed by a joint and several guarantee provided by LR.

23

After terminating this credit facility, the CRCAM brought proceedings against LR, as guarantor, for payment. LR maintained that, by making transfers to third parties without the authorisation of GCA, the CRCAM had breached its duties and that the amount of those transfers should be deducted from the sums claimed from him.

24

On the basis of Article L. 133‑24 of the Monetary and Financial Code, the Cour d’appel d’Aix-en-Provence (Court of Appeal, Aix-en-Provence, France) considered that LR’s objections were inadmissible, since he had not respected the 13-month period laid down for that purpose under that provision, and that they were time-barred in respect of those challenges.

25

In the appeal brought before the Cour de cassation (Court of Cassation, France), LR notes that, pursuant to Article L. 133‑24 of the Monetary and Financial Code, he is barred from challenging those transfers, since he did not respect the 13-month period laid down in that regard.

26

Nevertheless, he maintains that the immediate repayment of unauthorised payment transactions reported by the user of a payment service to a bank, laid down in Article L. 133‑18 of the Monetary and Financial Code, does not preclude that bank from being held liable under the general law where it has breached its duty of care.

27

According to LR, the transfers at issue in the main proceedings made by the CRCAM without GCA’s authorisation constitute a breach of contract, which must be remedied on the basis of Article 1147 of the Civil Code, since the objection which he thus raises is not personal to that company, but also concerns him directly.

28

LR takes the view that the Cour d’appel d’Aix-en-Provence (Court of Appeal, Aix-en-Provence) infringed, inter alia, Article 1147 of the Civil Code by holding that his challenges to the sums, which were the subject of the transfers at issue in the main proceedings, were inadmissible as being time-barred, on the ground that the operation of the account at issue in the main proceedings was governed by the provisions of the Monetary and Financial Code.

29

In those circumstances, the Cour de cassation (Court of Cassation) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

30

By its first question, the referring court asks, in essence, whether Article 58 and Article 60(1) of Directive 2007/64 must be interpreted as precluding a payment service user from being able to trigger the liability of the provider of those services on the basis of a liability regime other than that provided for by those provisions, in the case where that user has failed to fulfil his or her obligation to notify laid down in that Article 58.

31

In accordance with settled case-law, in interpreting a provision of EU law, it is necessary to consider not only its wording, but also the context in which it occurs and the objectives pursued by the rules of which it is part. The origins of a provision of EU law may also provide information relevant to its interpretation (judgment of 24 March 2021, MCP, C‑603/20 PPU, EU:C:2021:231, paragraph 37 and the case-law cited).

32

In the first place, as regards, first, the wording of paragraph 1 of Article 60 of Directive 2007/64, under the heading ‘Payment service provider’s liability for unauthorised payment transactions’, it must be stated that it provides that Member States must ensure that, without prejudice to Article 58 of that directive, in the case of an unauthorised payment transaction, the payment provider refunds to the payer immediately the amount of that transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.

33

Second, Article 58 of that directive, to which reference is made in Article 60(1) thereof, imposes on the payment service user a general obligation to notify any unauthorised or incorrectly executed transaction. Thus, the rectification of such a transaction is possible only if the user reports that transaction to his or her payment service provider no later than 13 months after the relevant debit date.

34

Accordingly, it follows from the reference made by Article 60(1) of Directive 2007/64 to Article 58 thereof, and from recital 31 of that directive, that the regime governing liability of the payment service provider in the case of unauthorised payment is subject to notification, by the user of those services, of any unauthorised transaction to that service provider.

35

In that regard, the expression ‘without prejudice to Article 58’ appearing in Article 60(1) of Directive 2007/64 means, as the Advocate General observed in point 40 of his Opinion, that Article 58 of that directive should not be undermined, which means that the liability of the payment service provider for unauthorised transactions cannot arise beyond the time limit laid down in that Article 58.

36

It follows that a user who has not reported to his or her payment service provider an unauthorised transaction, within 13 months after the debit of that transaction, cannot trigger the liability of that service provider, including on the basis of the general law and, therefore, cannot obtain repayment of that unauthorised transaction.

37

In the second place, the contextual interpretation of Article 60(1) of Directive 2007/64 confirms the literal interpretation of that provision.

38

First of all, Article 58 and Article 60 of that directive form part of Chapter 2, under the heading ‘Authorisation of payment transactions’, of Title IV, itself entitled ‘Rights and obligations in relation to the provision and use of payment services’, which comprises five chapters, and the procedure for notification within a maximum period of thirteen months applies both in the case of unauthorised transactions, referred to in Article 60 of that directive, and in the case of non-executed or defectively executed transactions, referred to in Article 75 of that directive.

39

In the broad logic of that liability regime, the obligation of the payment service user to notify any unauthorised transaction is the condition for that regime to be able to apply for the benefit of the user, otherwise referred to as the payer in certain provisions of Directive 2007/64.

40

Next, Article 59 of that directive includes, in the regime liability in the case of unauthorised transactions, a mechanism for the burden of proof which is favourable to the payment service user. In essence, the burden of proof lies with the payment service provider, who must prove that the transaction has been authenticated, accurately recorded and entered in the accounts. In practice, the system of proof set by that Article 59 leads, once the notification laid down in Article 58 of that directive has been carried out within the period prescribed therein, to make the payment service provider subject to an immediate repayment obligation, in accordance with Article 60(1) of that directive.

41

It should be noted that Article 86 of Directive 2007/64, under the heading ‘Full harmonisation’, provides that ‘without prejudice to [several provisions of that directive which it sets out] in so far as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive’. None of Articles 58, 59 and 60 of that directive is among the provisions in respect of which Article 86 grants Member States freedom of action in their implementation.

42

It follows that the liability regime for payment service providers laid down in Article 60(1) of Directive 2007/64 and in Articles 58 and 59 of that directive has been the subject of full harmonisation, with the result that the Member States cannot maintain a parallel liability regime in respect of the same operative event.

43

In the third place, the teleological interpretation of Article 58 and of Article 60(1) of Directive 2007/64 supports the literal and contextual interpretations of those provisions.

44

As the Advocate General observed in point 58 of his Opinion, it is apparent in particular from recitals 1 and 4 of that directive that the EU legislature sought to create a single market for payment services by replacing the 27 existing national systems, the coexistence of which gave rise to confusion and suffered from a lack of legal certainty, with a harmonised legal framework defining the rights and obligations of payment service users and payment service providers.

45

The harmonised liability regime for unauthorised or incorrectly executed operations established by Directive 2007/64 could be placed in competition with an alternative liability regime laid down under national law, based on the same facts and the same basis, only on condition that the regime thus harmonised is not adversely affected and the objectives and effectiveness of that directive are not undermined.

46

It follows that a competing liability regime which would allow the payment service user to trigger the liability of the provider of such services for that transaction beyond the period of 13 months and without having notified the unauthorised transaction concerned would be incompatible with Directive 2007/64.

47

In the fourth place, the background to Directive 2007/64 reinforces the interpretation which follows from a literal, contextual and teleological interpretation of Article 60(1) of that directive.

48

As the Advocate General observed in points 44 to 46 of his Opinion, it soon became apparent, during the legislative process which led to the adoption of Directive 2007/64, that the introduction of a uniform period for notification by the payment service user, in the event of unauthorised transactions or non-executed or incorrectly executed transactions, was indispensable in order to guarantee legal certainty for the user of those services and their provider.

49

In this respect, both the Presidency of the Council of the European Union, by its proposals made on 15 June 2006 (8623/06 ADD), and the European Parliament, in particular in its report of 20 September 2006 on the proposal for a directive of the European Parliament and of the Council on payment services in the internal market, amending Directives 97/7/EC, 2000/12/EC and 2002/65/EC (COM(2005) 603 – C6-0411/2005 -2005/0245(COD)), and the European Economic and Social Committee, in its Opinion of 23 December 2006 on the matter of ‘Implementing the Community Lisbon programme: Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 97/7/EC, 2000/12/EC and 2002/65/EC’ (COM(2005) 603 final), demonstrated the need to ensure such legal certainty and, to that end, to provide that the payment transaction must be definitive upon expiry of the period for notification by the payment service user.

50

The EU legislature therefore chose to introduce the obligation to notify unauthorised or incorrectly executed transactions into a separate provision, in this case Article 58 of Directive 2007/64, which imposes a maximum period of 13 months, and to provide, in the provision relating to the liability of the payment service provider, namely Article 60 of that directive, an express reference to that obligation.

51

In that way, the EU legislature made, in as clear a manner as possible, the link between the liability of the payment service provider and the observance by the user of those services of the maximum period of 13 months to notify any unauthorised transaction in order to be able, therefore, to trigger the liability of that service provider. In so doing, it also made the unequivocal decision not to allow that user, upon expiry of that period, to bring an action for liability against that provider in the case of an unauthorised transaction.

52

It follows from all of the foregoing that the answer to the first question is that Article 58 and Article 60(1) of Directive 2007/64 must be interpreted as precluding a payment service user from being able to trigger the liability of the provider of those services on the basis of a liability regime other than that provided for by those provisions, in the case where that user has failed to fulfil his or her obligation to notify laid down in that Article 58.

53

By its second question, the referring court asks, in essence, whether, if the answer to the first question is in the affirmative, Article 58 and Article 60(1) of Directive 2007/64 must be interpreted as precluding the guarantor of a payment service user from relying, by reason of the failure of the payment service provider to fulfil his or her obligations relating to an unauthorised transaction, on the civil liability of such a provider, the beneficiary of the guarantee, in order to challenge the amount of the guaranteed debt, in accordance with a national contractual liability regime under the general law.

54

It should be noted, first, that Article 1(2) of Directive 2007/64 states that that directive lays down the respective rights and obligations of payment service users and payment service providers in relation to the provision of such services as a regular occupation or business activity, in accordance with recital 47 thereof, according to which that directive concerns only ‘contractual obligations and responsibilities between the payment service user and his payment service provider’.

55

Second, according to Article 2 of that directive, the latter is applicable to payment services provided within the European Union, it being specified that Title IV of that directive, which contains Articles 58 to 60 thereof, is to apply only where both the payer’s payment service provider and that of the beneficiary are, or the sole payment service provider intervening in the payment transaction is, located in the European Union.

56

It is thus apparent from those provisions that Directive 2007/64 concerns the relationship between the payment service user and the provider of those services, without any provision of that directive referring to the guarantor of a payment service user.

57

In that regard, Article 4.10 of that directive defines the payment service user as a natural or legal person making use of a payment service in the capacity of either payer or payee, or both. For their part, points 7 and 8 of that article define ‘payer’ and ‘payee’ as, respectively, a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order, and a natural or legal person who is the intended recipient of funds which have been the subject of a payment transaction.

58

A contract of guarantee is a separate contract from that which binds the creditor and the debtor, by which the guarantor, who is a third party to that contractual relationship, has, as his or her role, to guarantee to the creditor, in this case, the payment service provider, payment of what the debtor, in this case, the payment service user, may have to pay to the latter, under the guaranteed obligation, which consists of the debt owed by the debtor to the creditor.

59

In this respect, the guarantor is not covered by the concept of ‘payment service user’, his or her role not being even close to that of a ‘payer’ or to that of a ‘payee’ within the meaning of Article 4.7 and 4.8 of Directive 2007/64.

60

Thus, that directive imposes rights and obligations only with regard to the payment service providers and the users of such services and does not cover the situation of the guarantor of such users.

61

As regards the regime for the liability of the payment service provider laid down in Article 60(1) of Directive 2007/64, that provision refers to the payer only, as the beneficiary of the repayment of an unauthorised transaction.

62

For its part, Article 58 of that directive imposes the obligation of notification provided by it on the payment service user alone, provided that, in accordance with Title III of that directive, the payment service provider has provided or made available to that user the information on the unauthorised or incorrectly executed payment transaction.

63

Thus, as the Advocate General observed, in essence, in point 86 of his Opinion, the liability regime provided for in Article 60(1) of Directive 2007/64 is based on a balance between the obligation to provide information, which is borne by the payment service provider, and the obligation to notify any unauthorised transaction within a period of 13 months, which is imposed on the payment service user, which makes it possible to trigger the strict liability of that service provider, with no requirement for that user to prove fault or negligence.

64

Consequently, in order to trigger the liability of a payment service provider by reason of unauthorised transactions by the user of such services, the guarantor of a user cannot benefit from the liability regime provided for in Article 60(1) of Directive 2007/64, but must have recourse to the possibilities afforded to him or her under national law. Accordingly, the guarantor cannot be required to comply with the obligation to notify such operations laid down in Article 58 of that directive.

65

The view of the French and Czech Governments that there would be a risk that the provisions of Directive 2007/64 might be circumvented if the obligation to notify unauthorised transactions was not imposed on the guarantor of a payment service user cannot be accepted.

66

As is apparent from paragraphs 58 to 60 of this judgment, a contract of guarantee between a payment service provider and a guarantor is not governed by the provisions of Directive 2007/64 or, indeed, by those of any other instrument of EU law. Such a contract continues therefore to be subject to the rights and obligations established under the applicable national law.

67

As the Advocate General observed in point 94 of his Opinion, if the applicable national law so provides, the payment service provider may be held liable for his or her negligence in the execution of a payment transaction, in particular if he or she has failed to verify that that transaction has in fact been authorised by the payment service user, in so far as such negligence has caused loss to a third party, such as the guarantor.

68

In that regard, the possibility for the guarantor to rely on the provisions of national law to reduce his or her obligations toward the creditor benefiting from the guarantee, in the event of negligence on the part of that creditor in the execution of a payment transaction, does not affect in any way the contractual relationship established between the creditor and the debtor, respectively, the payment service provider and the user of such services, which, for its part, is governed by the provisions of Directive 2007/64.

69

It follows from the foregoing that the answer to the second question is that Article 58 and Article 60(1) of Directive 2007/64 must be interpreted as not precluding the guarantor of a payment service user from relying, by reason of a failure on the part of the payment service provider to fulfil its obligations relating to an unauthorised transaction, on the civil liability of such a provider, which is entitled to the guarantee, in order to challenge the amount of the guaranteed debt, in accordance with a contractual liability regime under the general law.

70

Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fourth Chamber) hereby rules: