Provisional text

JUDGMENT OF THE COURT (Fifth Chamber)

11 July 2024 (*)

(Reference for a preliminary ruling – Free movement of capital – Payment services in the internal market – Directive 2007/64/EC – Concept of ‘payment instrument’ – Power of attorney of an agent acting on behalf of the account holder – Copy of the power of attorney with an ‘apostille’ certificate – Articles 54 and 59 – Consent to the execution of a payment transaction – Concept of ‘authentication’ – Unauthorised payment transactions – Liability of the payment service provider for those transactions – Burden of proof)

In Case C‑409/22,

REQUEST for a preliminary ruling under Article 267 TFEU from the Apelativen sad – Sofia (Court of Appeal, Sofia, Bulgaria), made by decision of 9 June 2022, received at the Court on 21 June 2022, in the proceedings

UA

v

‘Eurobank Bulgaria’ AD

THE COURT (Fifth Chamber),

composed of E. Regan, President of the Chamber, Z. Csehi (Rapporteur), M. Ilešič, I. Jarukaitis and D. Gratsias, Judges,

Advocate General: M. Campos Sánchez-Bordona,

Registrar: R. Stefanova-Kamisheva, Administrator,

having regard to the written procedure and further to the hearing on 28 September 2023,

after considering the observations submitted on behalf of:

–        UA, by V.B. Hambardzhiev and I.S. Velinova, advokati,

–        ‘Eurobank Bulgaria’ AD, by K.S. Chuturkova, advokat,

–        the Bulgarian Government, by T. Mitova, R. Stoyanov and L. Zaharieva, acting as Agents,

–        the Czech Government, by M. Smolek, J. Očková and J. Vláčil, acting as Agents,

–        the Italian Government, by G. Palmieri, acting as Agent, and by P. Pucciariello, avvocato dello Stato,

–        the European Commission, by G. Koleva and H. Tserepa-Lacombe, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 30 November 2023,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 4(19) and (23) of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ 2007 L 319, p. 1), read in conjunction with Article 59(1) thereof.

2        The request has been made in proceedings between UA, an Italian national, and ‘Eurobank Bulgaria’ AD, a bank established in Bulgaria (‘Eurobank’), concerning (i) the payment of sums of money corresponding to unauthorised banking transactions on the assets in the bank account of the applicant in the main proceedings, (ii) compensation for the material damage caused by those banking transactions and (iii) the applicable statutory default interest.

 Legal context

 European Union law

3        As set out in the third sentence of recital 33 of Directive 2007/64:

‘Contractual terms and conditions relating to the provision and use of a payment instrument, the effect of which would be to increase the burden of proof on the consumer or to reduce the burden of proof on the issuer should be considered null and void.’

4        Article 2 of that directive, entitled ‘Scope’, provided, in paragraph 1:

‘This Directive shall apply to payment services provided within the [European] Community. …’

5        Article 4 of that directive, entitled ‘Definitions’, was worded as follows:

‘For the purposes of this Directive, the following definitions shall apply:

…

(3)      “payment service” means any business activity listed in the Annex;

…

(5)      “payment transaction” means an act, initiated by the payer or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee;

…

(16)      “payment order” means any instruction by a payer or payee to his payment service provider requesting the execution of a payment transaction;

…

(19)      “authentication” means a procedure which allows the payment service provider to verify the use of a specific payment instrument, including its personalised security features;

…

(23)      “payment instrument” means any personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a payment order;

…’

6        Article 54 of that directive, entitled ‘Consent and withdrawal of consent’, provided:

‘(1)      Member States shall ensure that a payment transaction is considered to be authorised only if the payer has given consent to execute the payment transaction. A payment transaction may be authorised by the payer prior to or, if agreed between the payer and his payment service provider, after the execution of the payment transaction.

(2)      Consent to execute a payment transaction or a series of payment transactions shall be given in the form agreed between the payer and his payment service provider.

In the absence of such consent, a payment transaction shall be considered to be unauthorised.

(3)      Consent may be withdrawn by the payer at any time, but no later than the point in time of irrevocability under Article 66. Consent to execute a series of payment transactions may also be withdrawn with the effect that any future payment transaction is to be considered as unauthorised.

(4)      The procedure for giving consent shall be agreed between the payer and the payment service provider.’

7        Article 55 of Directive 2007/64, entitled ‘Limits of the use of the payment instrument’, provided, in paragraph 1:

‘In cases where a specific payment instrument is used for the purposes of giving consent, the payer and his payment service provider may agree on spending limits for payment transactions executed through that payment instrument.’

8        Under Article 58 of that directive, entitled ‘Notification of unauthorised or incorrectly executed payment transactions’:

‘The payment service user shall obtain rectification from the payment service provider only if he notifies his payment service provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim, including that under Article 75, and no later than 13 months after the debit date, unless, where applicable, the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III.’

9        Article 59 of that directive, entitled ‘Evidence on authentication and execution of payment transactions’, was worded as follows:

‘(1)      Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for his payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency.

(2)      Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of his obligations under Article 56.’

10      Article 60 of that directive, entitled ‘Payment service provider’s liability for unauthorised payment transactions’, stated:

‘(1)      Member States shall ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.

(2)      Further financial compensation may be determined in accordance with the law applicable to the contract concluded between the payer and his payment service provider.’

11      Article 86 of Directive 2007/64, entitled ‘Full harmonisation’, provided:

‘(1)      Without prejudice to Article 30(2), Article 33, Article 34(2), Article 45(6), Article 47(3), Article 48(3), Article 51(2), Article 52(3), Article 53(2), Article 61(3), and Articles 72 and 88 in so far as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive.

…

(3)      Member States shall ensure that payment service providers do not derogate, to the detriment of payment service users, from the provisions of national law implementing or corresponding to provisions of this Directive except where explicitly provided for therein.

However, payment service providers may decide to grant more favourable terms to payment service users.’

 Bulgarian law

12      Under Article 51 of the Zakon za platezhnite uslugi i platezhnite sistemi ot 2009 g. (Law on payment services and payment systems of 2009) (DV No 23 of 27 March 2009), in the version applicable to the dispute in the main proceedings (‘the ZPUPS’):

‘(1)      A payment transaction is authorised if the payer has ordered it or has consented to its execution. In the absence of consent, a payment transaction shall be considered to be unauthorised.

(2)      The payer shall authorise the payment transaction prior to its execution or, if agreed between the payer and the payer’s payment service provider, after the transaction has been executed.’

13      Article 56 of the ZPUPS was worded as follows:

‘(1)      Where a payment service user denies authorising the execution of a payment transaction or claims that a payment transaction was not correctly executed, the payment service provider shall bear the burden of proving that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or other defect.

(2)      Authentication is a procedure which allows the payment service provider to verify the legality of the use of a specific payment instrument, including its personalised security features. …’

14      Article 57(1) of the ZPUPS provided:

‘In the event of an unauthorised payment transaction, the payer’s payment service provider shall immediately refund to the payer the value of the unauthorised payment transaction and, where applicable, restore the debited payment account to the state in which it would have been prior to the execution of the unauthorised payment transaction.’

15      Article 58(2) of the ZPUPS provided:

‘The payer shall bear all the losses associated with any unauthorised payment transactions if the payer caused them by acting fraudulently or by failing, with intent or gross negligence, to fulfil one or more of the payer’s obligations under Article 53. In those situations, the payer shall bear the loss irrespective of the amount.’

16      Article 75 of the Zakon za zadalzheniyata i dogovorite (Law on Obligations and Contracts) (DV No 275 of 22 November 1950), in the version applicable to the dispute in the main proceedings (‘the ZZD’), provides:

‘(1)      The obligation must be performed in favour of the creditor or of a person authorised by the creditor, by a court or by operation of the law. The performance shall otherwise only be valid if the creditor has ratified it or derived benefit from it.

(2)      The debtor shall be discharged of liability where that debtor has, in good faith, performed an obligation vis-à-vis a person who, on the basis of clear circumstances, appears to be entitled to receive the performance. The true creditor shall have a right of action against the person who received the performance. Performance vis-à-vis a creditor who is subject to a lack of capacity shall discharge the debtor of liability if that performance has benefited the creditor.’

17      Article 422 of the Targovski zakon (Commercial Code) (DV No 48 of 18 June 1991), in the version applicable to the dispute in the main proceedings, provides as follows in paragraph 3:

‘In the event that the deposit document issued has been lost, destroyed or stolen, the depositor must inform the bank immediately in writing. The bank shall not be liable if, acting in good faith before receiving the notification, it paid a sum to a person who, on the basis of clear circumstances, appears to be entitled to receive that sum.’

 ‘The dispute in the main proceedings and the questions referred for a preliminary ruling

18      On 22 November 2017, the applicant in the main proceedings and Eurobank concluded an agreement to set up a current account, by which Eurobank undertook to set up and administer an open-ended account in the name of the account holder and to provide him with payment services. The applicant in the main proceedings submits that, in the context of his investment projects, he made a total of 12 transfers to his bank account, into which a total of EUR 999 860 was paid.

19      The applicant in the main proceedings claims that when he visited a branch of Eurobank on 6 February 2018 to make a banking transaction with his assets, an employee of the bank concerned informed him that the balance on his account was only EUR 16 000 and provided him with a statement for his account to that effect for the period from the opening of the account, that is to say, 22 November 2017, to 6 February 2018. According to the applicant in the main proceedings, he became aware at that moment that a certain ‘MK’, who was, the applicant asserts, unknown to him, had carried out banking transactions on his account, by means of six separate transfer orders totalling EUR 982 000, on presentation of a copy of a power of attorney dated 1 December 2017 and allegedly issued by an Italian notary registered with the College of Notaries of Milan (Italy) (‘the power of attorney at issue in the main proceedings’).

20      It is clear from the order for reference that that copy of the power of attorney at issue in the main proceedings was not signed by the applicant in the main proceedings.

21      In those circumstances, the applicant in the main proceedings, first, on 6 March 2018, sent Eurobank a report concerning the unlawful transfer of his assets to MK and requested that he be refunded the amount claimed, to his bank account. Second, he sent a copy of that report to the Balgarska Narodna Banka (Bulgarian National Bank, ‘the BNB’), on 8 March 2018. Lastly, he sent a written request for information about the power of attorney at issue in the main proceedings to the Italian notary concerned. That notary replied that he had neither drawn up nor certified any power of attorney whatsoever in the name of MK, appointing MK as an agent to carry out transactions on the bank accounts belonging to the applicant in the main proceedings, and added that the power of attorney at issue in the main proceedings was ‘certainly “a forgery”’. That notary also informed the applicant in the main proceedings that, on 20 February 2018, he had received an email from a Eurobank employee requesting confirmation of the validity of the power of attorney at issue in the main proceedings. In his reply to that email, he had made clear that the power of attorney in question should be regarded as a ‘forgery’, and had the next day reported the use of a ‘false power of attorney’ to the College of Notaries of Milan.

22      The applicant in the main proceedings asserts that Eurobank’s employees acted with gross negligence when they allowed MK to dispose of the funds available on his account on presentation of a power of attorney that was irregular since it did not bear the signature of the applicant in the main proceedings.

23      Eurobank states that, on 22 November 2017, when the applicant in the main proceedings opened his current account at one of its branches, the branch employee understood that the applicant intended to use an agent to manage that account. Because of the international transactions expected on that account and in order to provide remote access and enable the monitoring of fund movements on that account, the applicant in the main proceedings was offered online banking services, a system of notifications by text message (SMS) and a debit card, but declined to avail himself of those services.

24      Eurobank does not dispute the facts set out by the applicant in the main proceedings. Nevertheless, it states that MK presented to the relevant employee of the bank, first of all on 15 December 2017 and subsequently at the time of each payment order, a power of attorney dated 1 December 2017, certified by an Italian notary on 5 December 2017 as being a true copy of the original. That copy bore an ‘apostille’ certificate issued by the competent authority, that is to say, the Sostituto Procuratore della Repubblica Italiana (Deputy Prosecutor of the Italian Republic), and both the copy and the ‘apostille’ certificate had been translated from Italian into Bulgarian by a sworn translator.

25      Eurobank acknowledges that, on 20 February 2018, it enquired of that notary whether the power of attorney at issue in the main proceedings had been properly drawn up and entered in his notarial register; whether the notarised copy of that power of attorney had the same legal force as the power of attorney itself; and whether it was standard practice to issue such copies, sending him a scanned copy of the power of attorney in question. Although he did not provide a precise, clear answer to the questions put to him as described, the notary in question replied that the document presented to Eurobank was a ‘forgery’.

26      On 27 February 2018, Eurobank sent an email request to the Deputy Prosecutor of the Italian Republic who had, by his signature, authenticated the notarised copy of the power of attorney at issue in the main proceedings by means of an ‘apostille’ certificate. In response to that request, Eurobank received official confirmation from the Procura di Monza (Public Prosecutor’s Office, Monza, Italy) that the ‘apostille’ certificate issued on 12 December 2017 on the copy of that power of attorney was valid.

27      The Sofiyski gradski sad (Sofia City Court, Bulgaria), applying the ZPUPS, upheld the claims of the applicant in the main proceedings. That court held that a bank is, prima facie, liable for unauthorised transactions, unless they were executed as a result of the account holder failing, with intent or gross negligence, to fulfil the obligations on account holders, in which case the value of the transaction in question is not refunded to the account holder, irrespective of the amount of that transaction. According to that court, since the defendant in the main proceedings had neither claimed nor demonstrated the existence of such conduct by the applicant in the main proceedings, it was not necessary to examine the claims made by the defendant in the main proceedings concerning any good faith on its part.

28      Eurobank lodged an appeal against the judgment delivered at first instance, before the Apelativen sad – Sofia (Court of Appeal, Sofia), which is the referring court.

29      In the light of Article 86 of Directive 2007/64, which determines the extent to which that directive provides for full harmonisation, the referring court is uncertain whether, where a payment service provider has acted in good faith and the payment instrument presented to it was formally regular, Article 75(2) of the ZZD can apply in the circumstances of the case in the main proceedings. As provided in that Article 75(2), a debtor is discharged of liability where the debtor has, in good faith, performed an obligation vis-à-vis a person who, on the basis of clear circumstances, is entitled to receive the performance.

30      The referring court also notes that the power of attorney at issue in the main proceedings is a copy, on which an ‘apostille’ certificate has been placed, of the original of the power of attorney concerned that bears the principal’s signature certified by a notary. Under Article 2 of the Convention abolishing the requirement of legalisation for foreign public documents, concluded in The Hague on 5 October 1961 (‘the Hague Convention’), the legalisation of a document by means of an ‘apostille’ certificate means the formality for certifying the authenticity of the signature and the capacity in which the person signing the document, that is to say, in this case, the notary, has acted.

31      In addition, the referring court considers that, since such a power of attorney authorises the agent to make disposals of the assets on the bank account concerned, it could be classified as a ‘payment instrument’ within the meaning of Article 4(23) of Directive 2007/64, inasmuch as that power of attorney forms part of a procedure used by the payment service user in order to initiate a payment order.

32      That court further states that, in order to be authorised, a payment transaction must have been executed on the basis of the payer’s consent in accordance with Article 54(1) of that directive. According to the referring court, that consent requirement involves proving the authorship of the declaration of intent evidenced by the payment order, and such proof is linked to the authentication of the payment transaction, that is to say, to a procedure enabling the payment service provider to verify the use of a specific payment instrument, including its personalised security features.

33      In addition, that court notes that, under Article 59 of Directive 2007/64, the burden of proving that a payment transaction was authenticated is to be borne by the payment service provider concerned. In this case, if Eurobank proves that it authenticated the payment instrument in question, by establishing that the power of attorney at issue in the main proceedings was regular, the payer’s consent would be established and the payment transactions made with that instrument would be considered to have been ‘authorised’ within the meaning of Article 54 of that directive.

34      In those circumstances the Apelativen sad – Sofia (Court of Appeal, Sofia) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Does a power of attorney by which the agent makes a disposal of assets on behalf of the payer by means of a payment order constitute a payment instrument within the meaning of Article 4(23) of [Directive 2007/64]?

(2)      Does the “apostille” certificate placed on a document by the competent foreign authority in accordance with the [Hague Convention] form part of the authentication procedure for both the payment instrument and the payment transaction within the meaning of Article 4(19) of that directive, in conjunction with Article 59(1) thereof?

(3)      If the payment instrument (including one authorising a third person to make disposals on behalf of the payer) is formally (prima facie) regular, can the national court assume that the payment transaction is authorised, that is to say, that the payer has consented to its execution?’

 Consideration of the questions referred

 The first question

35      By its first question, the referring court asks, in essence, whether Article 4(23) of Directive 2007/64 must be interpreted as meaning that a power of attorney, by which the holder of a bank account authorises an agent to make a disposal of assets, on that account, by means of a payment order, constitutes a ‘payment instrument’ within the meaning of that provision.

36      In order to answer that question, it must be recalled first of all that, in accordance with settled case-law, in order to determine the scope of a provision of EU law, it is necessary to consider not only its wording, but also the context in which it occurs and the objectives pursued by the rules of which it is part (judgment of 13 July 2023, G GmbH, C‑134/22, EU:C:2023:567, paragraph 25 and the case-law cited).

37      Article 4(23) of Directive 2007/64 defines the concept of ‘payment instrument’ within the meaning of that directive as ‘any personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a payment order’.

38      It can be seen from its wording that Article 4(23) distinguishes between two categories of payment instrument. There are, on the one hand, personalised devices. In accordance with the case-law, in order for it to be considered to be personalised, a payment instrument must allow the payment service provider to verify that the payment order was initiated by a user authorised to do so (judgments of 9 April 2014, T-Mobile Austria, C‑616/11, EU:C:2014:242, paragraph 33, and of 11 November 2020, DenizBank, C‑287/19, EU:C:2020:897, paragraph 70).

39      On the other hand, the concept of ‘payment instrument’ also includes any set of procedures agreed between the payment service user and the payment service provider.

40      Furthermore, it should be noted that the use of that personalised device and/or that set of procedures must, in itself, make it possible to initiate a payment order. In that regard, it is clear from the wording of Articles 55 to 57 of Directive 2007/64 that a ‘payment instrument’ is issued and made available to the payment service user by that user’s payment service provider. Moreover, pursuant to Article 2(1) of that directive, read in conjunction with Article 4(3) and with point 5 of the Annex thereto, that directive applies to payment services, which include any business activity listed in that Annex, and in particular to the issuing and/or acquiring of payment instruments.

41      In the circumstances of this case, a specific, express power of attorney granted by the holder of a bank account to an agent, authorising the latter to carry out transactions on that account and which, therefore, creates only a legal link between the holder of that account and the holder’s agent, such as the power of attorney at issue in the main proceedings, cannot, in itself, be regarded as capable, in isolation, of initiating a payment order within the meaning of Article 4(23) of Directive 2007/64.

42      Consequently, a power of attorney, such as the power of attorney at issue in the main proceedings, by means of which the holder of a bank account unilaterally authorises an agent to make a disposal of assets on the account holder’s behalf, does not, taken in isolation, constitute a ‘payment instrument’ within the meaning of Article 4(23) of Directive 2007/64.

43      However, it is apparent from the clarifications provided by the referring court that, in the circumstances of the dispute in the main proceedings, the general terms and conditions of the agreement to set up a current account, concluded on 22 November 2017 between Eurobank and the applicant in the main proceedings, expressly provided that the account in question could be operated through an agent authorised by means of a notarially certified power of attorney containing an explicit declaration of the intention to make disposals with the funds in that account.

44      Subject to the checks which it is for the referring court to carry out, it therefore appears that, in circumstances such as those of the dispute in the main proceedings, the use of such a power of attorney in conjunction with a payment order issued by the agent appointed in that power of attorney is capable of forming part of a ‘set of procedures’ agreed between the payment service user and the payment service provider, which may be used by that payment service user in order to initiate a payment order, within the meaning of Article 4(23) of Directive 2007/64.

45      Consequently, it must be held that, as the Advocate General noted in essence in points 49 to 51 of his Opinion, a power of attorney issued by the holder of a bank account, associated with a payment order issued by the agent appointed in that power of attorney, can constitute a component of the set of procedures agreed between the payment service provider and the user of those services in order to initiate a payment order, within the meaning of that provision.

46      It must also be noted in that regard that a contractual term allowing the use of a power of attorney in the context of a set of procedures constituting a payment instrument cannot reduce the high degree of scrutiny of whether the payment transaction has been authorised, which is incumbent upon the payment service provider. In the context of that scrutiny, that provider may be required, inter alia, to verify, in the light of the applicable national rules, the probative value of the power of attorney and the identity of the person who presents him or herself as the agent and relies on that power of attorney in order to initiate a payment order.

47      In the light of the foregoing, the answer to the first question referred is that Article 4(23) of Directive 2007/64 must be interpreted as meaning that a power of attorney, by which the holder of a bank account authorises an agent to make a disposal of assets, on that account, by means of a payment order, does not, in itself, constitute a ‘payment instrument’ within the meaning of that provision. However, a set of procedures, agreed between the holder of that account and the payment service provider, which allows the agent appointed in such a power of attorney to initiate a payment order from that account, may be classified as a ‘payment instrument’.

 The second and third questions

48      As a preliminary point, it should be recalled that, in the procedure for cooperation between national courts and the Court of Justice, it is for the latter to provide the referring court with an answer which will be of use to it and enable it to decide the case before it. With that in mind, the Court may have to reformulate the questions referred to it (judgment of 25 January 2024, Parchetul de pe lângă Curtea de Apel Craiova, C‑58/22, EU:C:2024:70, paragraph 44 and the case-law cited). Moreover, the Court may find it necessary to interpret provisions of EU law to which the national court has not referred in its questions, extracting, in particular from the grounds of the order for reference, the points of EU law which require interpretation, having regard to the subject matter of the dispute (see, to that effect, judgment of 5 December 2023, Nordic Info, C‑128/22, EU:C:2023:951, paragraph 99 and the case-law cited).

49      In this case, the wording of the second question includes a reference to, inter alia, the Hague Convention, to which the European Union is not a party and which contains no term conferring jurisdiction on the Court of Justice.

50      In accordance with settled case-law, the power under Article 267 TFEU to provide interpretations by way of preliminary rulings extends only to rules which are part of EU law. In particular, in the case of international agreements, it is settled that such agreements concluded by the European Union form an integral part of its legal order and can therefore be the subject of a request for a preliminary ruling. On the other hand, the Court does not, in principle, have jurisdiction to interpret, in preliminary ruling proceedings, international agreements concluded between Member States and non-member countries (judgment of 17 July 2014, Qurbani, C‑481/13, EU:C:2014:2101, paragraphs 21 and 22 and the case-law cited).

51      It is only where and in so far as the European Union has assumed the powers previously exercised by the Member States in the field to which an international convention not concluded by the European Union applies and, therefore, the provisions of the convention have the effect of binding the European Union that the Court has jurisdiction to interpret such a convention (judgment of 17 July 2014, Qurbani, C‑481/13, EU:C:2014:2101, paragraph 23 and the case-law cited).

52      In this case, as the Advocate General noted in point 72 of his Opinion, EU law contains no specific provision applicable to the legalisation of a power of attorney for the purpose of operating a payment account. Accordingly, the Court cannot have jurisdiction to interpret directly the rules relating to an ‘apostille’ certificate placed on such a power of attorney by a competent foreign authority under the Hague Convention. Nevertheless, there is nothing to prevent the Court, when it is interpreting the provisions of Directive 2007/64, from clarifying whether or not a payment transaction executed by the payment service provider on the basis of a notarised power of attorney bearing the ‘apostille’ certificate established by the Hague Convention must be regarded as being authorised.

53      In that regard, as is apparent from paragraph 44 of the present judgment, a power of attorney, such as that at issue in the main proceedings, is only one component of the set of procedures agreed between the payment service user and the provider of those services and by means of which that user initiates a payment order. However, it is clear from the explanations provided by the referring court that, by its second and third questions, it is enquiring as to the circumstances in which the use of such a power of attorney in conjunction with a payment order issued by the agent could be evidence of the ‘consent’ of the holder of the bank account concerned.

54      Consequently, the scope of those questions must be extended to include the interpretation of Article 54(1) and (2) of Directive 2007/64, which governs the matter of consent to a payment transaction. Furthermore, since, under the third question, the referring court asks whether the fact that the payment instrument is formally regular is sufficient to establish the payer’s consent to the payment transaction, it is also necessary to interpret Article 59(2) of that directive, which sets out a rule relating to the standard of proof required to establish such consent. Lastly, since, as set out in paragraphs 57 to 59 of the present judgment, the provisions of that directive to which those questions relate are, by virtue of Article 86(1) thereof, fully harmonised provisions, the questions referred must be found to refer also to that provision.

55      Therefore, it must be considered that, by its second and third questions, which must be examined together, the referring court is enquiring, in essence, whether Article 54(1) and (2), Article 59(1) and (2) and Article 86(1) of Directive 2007/64 must be interpreted as meaning that, where a payment transaction was executed on the basis of a power of attorney granted by the holder of the bank account, which was formalised as a notarial document and bears an ‘apostille’ certificate, and the account holder disputes the validity of that power of attorney and, therefore, that consent was given to that payment transaction, the fact that the power of attorney in question appears to be formally regular is sufficient for it to be assumed that that payment transaction was authorised.

56      In the first place, the referring court appears to consider that, on the basis of the Court’s answers to the questions referred, it will be able to draw conclusions, for the purposes of assessing the liability of the payment service provider, as to the application of Article 75(2) of the ZZD, which lays down the general liability regime relating to the performance of obligations, based on the principle of the debtor’s good faith, according to which a debtor is discharged of liability if the debtor has in good faith performed an obligation vis-à-vis a person who, on the basis of clear circumstances, appears to be entitled to receive the performance concerned.

57      It must be borne in mind that the regime governing the liability of payment service providers for unauthorised or incorrectly executed transactions, laid down in Article 60(1) and in Articles 58 and 59 of Directive 2007/64, has been the subject of full harmonisation pursuant to Article 86(1) of that directive. That has the result that both a parallel liability regime in respect of the same operative event and a competing liability regime allowing the payment service user to trigger that liability on the basis of other operative events are incompatible with that directive. The regime governing the liability of payment service providers for unauthorised or incorrectly executed transactions established in Directive 2007/64 can therefore be placed in competition with an alternative liability regime laid down under national law, based on the same facts and the same basis, only on condition that the alternative liability regime in question does not adversely affect the regime thus harmonised or undermine the objectives and effectiveness of that directive (see, to that effect, judgment of 16 March 2023, Beobank, C‑351/21, EU:C:2023:215, paragraphs 37 and 38).

58      Accordingly, as the Advocate General stated in point 99 of his Opinion, a Member State cannot temper the harmonised regime governing the liability of payment service providers for unauthorised or incorrectly executed payment transactions established in Directive 2007/64 by having recourse to national rules that establish attenuated liability for those providers.

59      The same finding must be made in relation to the provisions on the payer’s consent to the payment transaction and on the withdrawal of that consent, laid down in Article 54 of Directive 2007/64. In common with Articles 58 to 60 of that directive, Article 54 of the directive is not among the provisions in respect of which Article 86(1) of that directive grants Member States freedom of action in their implementation (see, by analogy, judgment of 2 September 2021, CRCAM, C‑337/20, EU:C:2021:671, paragraph 41).

60      In the second place, it is apparent from paragraph 1 of Article 59 of Directive 2007/64, entitled ‘Evidence on authentication and execution of payment transactions’, that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction in question was not correctly executed, it is for that user’s payment service provider to prove that the payment transaction in question was authenticated, accurately recorded and entered in the accounts.

61      It can also be seen, from Article 59(2) of Directive 2007/64, that where a payment service user denies having authorised a payment transaction which has been executed, the use of a payment instrument, as recorded by the payment service provider, is in itself not necessarily sufficient to prove that that payment transaction was authorised by the payer.

62      Lastly, it can be seen, from Article 54(1) and (2) of Directive 2007/64, that in the absence of the payer’s consent to the execution of the payment transaction, which must be given in the form agreed between the payer and the payer’s payment service provider, the payment transaction is considered to be unauthorised.

63      It can be inferred from those provisions that it is for the payment service provider to prove that the payment service user authorised the payment transaction by giving consent to that transaction in the form agreed between the parties.

64      That allocation of the burden of proof onto the payment service provider is borne out by the obligation on that provider to authenticate the payment transaction. The concept of ‘authentication’ is defined in Article 4(19) of Directive 2007/64 as referring to a procedure which allows the payment service provider to verify the ‘use of a specific payment instrument, including its personalised security features’.

65      As regards the concept of ‘use of a specific payment instrument’, it can be seen from Article 55(1) of Directive 2007/64 that a payment instrument may be used for the purposes of a payment service user giving consent to the execution of a payment transaction.

66      In those circumstances, as the European Commission notes, it is apparent from a combined reading of all those provisions that the obligation on a payment service provider to authenticate a payment transaction is intended to verify the use of the payment instrument in order to establish that the user of those services has given consent to the execution of that payment transaction, which can, therefore, be considered to be authorised.

67      In this case, the referring court enquires whether the presentation of a copy of the power of attorney at issue in the main proceedings, bearing an ‘apostille’ certificate placed on it by the competent authority of another State that is a party to the Hague Convention and which it therefore considers to be formally regular, is in itself sufficient for it to find that the payment service provider has demonstrated, in order not to incur liability, that the payment transaction in question had been authorised, that is to say, that the user of those payment services had given consent to that transaction being executed.

68      In that regard, it must be observed, as the Advocate General noted, in essence, in point 87 of his Opinion, that the harmonised regime governing the liability of payment service providers for unauthorised or incorrectly executed transactions, laid down in Article 60(1) and Articles 58 and 59 of Directive 2007/64, rests on three essential and interconnected elements, namely, an obligation to notify on the part of the payment service user, the imposition of the burden of proof on the provider of those services and, lastly, in the absence of proof, liability on the part of that provider, depending on whether the transaction in question was unauthorised or incorrectly executed.

69      Within that harmonised regime governing liability in the case of unauthorised or incorrectly executed transactions, Article 59 of Directive 2007/64 establishes a burden of proof mechanism favourable to the payment service user. In essence, the burden of proof lies with the payment service provider, which must prove that the payment transaction has been authenticated, accurately recorded and entered in the accounts. In practice, provided that the notification laid down in Article 58 of that directive has been given within the period prescribed in that article, the evidential regime set in that Article 59 has the effect of rendering that provider subject to an immediate repayment obligation, in accordance with Article 60(1) of that directive (judgment of 2 September 2021, CRCAM, C‑337/20, EU:C:2021:671, paragraph 40).

70      As noted in paragraph 63 of the present judgment, it can be inferred from Article 54(1) and (2) and Article 59(1) of Directive 2007/64 that that provider is required to prove that it in fact carried out the authentication of the payment transaction in question and that the payment service user consented to that payment transaction in the form agreed between the parties. The resulting burden of proof on that provider is therefore, as the Advocate General stated in point 98 of his Opinion, a very heavy one.

71      Moreover, it must be held that, as the Advocate General observed in point 63 of his Opinion, a power of attorney is one of the legal acts by which a payment service user can express consent to the execution of payment transactions made from that user’s account by the user’s agent within the limits of the power of attorney granted. Accordingly, the verification of whether such a power of attorney is formally regular may, where applicable, form part of the procedure for authenticating a payment instrument of which that power of attorney is a component, and may, therefore, be one of the items of evidence enabling a service provider to prove that the user in fact consented to a payment transaction that has been disputed by that user.

72      Indeed, as the Bulgarian Government and the Commission correctly observed, the methods of proof by which it can be established that the payment transaction in question was ‘authorised’ by the payment service user within the meaning of Articles 54 and 59 of Directive 2007/64, and, in particular, the procedure for verifying the authenticity of a power of attorney, are not harmonised by that directive and are, accordingly, governed by national law.

73      First, as recalled in paragraph 61 of the present judgment, under Article 59(2) of Directive 2007/64, where a payment service user denies having authorised an executed payment transaction, as occurred in the case in the main proceedings, the use of a payment instrument, as recorded by the payment service provider, is in itself not necessarily sufficient to prove that that payment transaction was authorised by the payer.

74      Second, since, as recalled in paragraphs 58 to 60 of the present judgment, Directive 2007/64 seeks to achieve full harmonisation in the matters it regulates, it must be held that the condition, laid down in Article 54(2) of that directive, that consent to the execution of a payment transaction must be given in the form agreed between the payment service user and the payment service provider necessarily constitutes a requirement that the Member States must implement and from which they may not derogate. Nor is there anything in the scheme of Article 54 to suggest that, when it laid down in precise terms the requirement that, if there is no such consent, the payment transaction in question is to be considered to be unauthorised, the EU legislature intended only that determination of whether a payment was authorised should be limited to verifying the formal regularity of the legal acts used to give that consent.

75      Third, under Article 86(3) of Directive 2007/64, Member States are to ensure that payment service providers do not derogate, to the detriment of payment service users, from the provisions of national law implementing or corresponding to the provisions of that directive.

76      It should also be noted that, in accordance with the third sentence of recital 33 of Directive 2007/64, all contractual terms and conditions relating to the provision and use of a payment instrument, the effect of which would be to reduce the burden of proof on the issuer should be considered to be null and void.

77      In the light of the foregoing, the fact that the payment transactions in question were initiated by an agent holding a power of attorney, on which an ‘apostille’ certificate had been placed by the competent authority of a foreign State, cannot successfully be relied on by the provider of those services in order to lessen its obligation to prove that the payment transaction was authorised.

78      It follows that, where, as in the case in the main proceedings, the user of the payment service disputes the authenticity of the power of attorney being relied against that user and denies having authorised the payment transactions which have been executed, it is not sufficient merely to verify that the power of attorney is formally regular in order to demonstrate that those transactions were authorised and, therefore, to relieve that payment service provider of its heightened responsibility, without that payment service provider demonstrating that, by means of that power of attorney, the payment service user concerned duly consented to those transactions, in accordance with the procedure for giving consent agreed with that provider.

79      That finding is borne out by the objectives pursued by Directive 2007/64. Accordingly, it is apparent in particular from recitals 1 and 4 of that directive that the EU legislature sought to create a single market for payment services by replacing existing national systems, the coexistence of which gave rise to confusion and suffered from a lack of legal certainty, with a harmonised legal framework defining the rights and obligations of payment service users and payment service providers (judgment of 2 September 2021, CRCAM, C‑337/20, EU:C:2021:671, paragraph 44). That interpretation corresponds furthermore to the aims set out in recitals 21 and 22 of that directive, that is to say, the protection of payment service users and, in particular, consumer protection (see, by analogy, judgment of 25 January 2017, BAWAG, C‑375/15, EU:C:2017:38, paragraph 45).

80      The requirement that payment instruments must be authenticated, which takes into account the procedure agreed between the payment service user and that user’s payment service provider in order for that user to give consent and, consequently, cannot be limited to examining the purely formal regularity of the legal acts used to give that consent, is indispensable for the proper functioning of the single market for payment services since that requirement ensures an appropriate level of legal certainty and of protection for the users of payment services.

81      In those circumstances, the referring court will be required to examine whether the payment service provider concerned has demonstrated, having regard to the burden of proof on that provider pursuant to Article 59(1) of Directive 2007/64, that the payment service user had consented, in the form agreed with that provider, to the execution of the payment transactions at issue in the main proceedings.

82      In that regard, subject to the checks to be carried out by the referring court, Clauses V.22 and V.25 of the framework contract concluded between the payment service user concerned and the payment service provider appear to require that, where a disposal is made through an agent, the agent present the original of the power of attorney issued to him or her and that the power of attorney be signed, since the payment service provider has a duty to verify, from a formal perspective, the powers of attorney presented to it and the signatures on them.

83      However, in this case, the power of attorney at issue in the main proceedings seems not to meet those contractual requirements, since it appears clear from the order for reference that it was only a copy and that it did not bear the signature of the principal, that is to say, the user of the payment services in question. Those are, however, matters to be determined by the referring court.

84      Moreover and in any event, as is clear from paragraph 78 of the present judgment, the production of a specific power of attorney granted by the holder of a payment account to an agent and authorising the latter to carry out transactions on a bank account, the use of which was agreed in a framework contract, does not relieve the payment service provider of its obligation to verify the use of a payment instrument and the authentication of a payment transaction in accordance with the procedure for giving consent agreed between the payer concerned and that payment service provider. Accordingly, as stated in paragraph 46 of the present judgment, a contractual term allowing a power of attorney to be used in the context of a set of procedures constituting a personalised payment instrument cannot reduce the high degree of scrutiny incumbent on that payment service provider as regards whether the payment transaction was authorised.

85      Lastly it should be noted that, under Article 61(2) of Directive 2007/64, the payer is to bear all the losses relating to any unauthorised payment transactions if they were incurred as a result of the payer acting fraudulently or failing to fulfil one or more of the payer’s obligations under Article 56 of that directive with intent or gross negligence.

86      It follows from that provision that a payment service provider may be relieved of its liability in the case of an unauthorised payment transaction if it proves that the payer acted fraudulently or failed, with intent or gross negligence, to fulfil one or more of the payer’s obligations under Article 56 of that directive.

87      In the light of all the foregoing, the answer to the second and third questions is that Article 54(1) and (2), Article 59(1) and (2) and Article 86(1) of Directive 2007/64 must be interpreted as meaning that, where a payment transaction was executed on the basis of a power of attorney granted by the holder of the bank account, which was formalised as a notarial document and bears an ‘apostille’ certificate, and the account holder disputes the validity of that power of attorney and, therefore, that consent was given to that payment transaction, the fact that the power of attorney in question is formally regular is not sufficient for it to be assumed that that transaction was authorised, and the payment service provider must demonstrate that, by means of that power of attorney, the payment service user duly expressed agreement, in accordance with the procedure for giving consent agreed with that provider, to the payment transaction in question.

 Costs

88      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fifth Chamber) hereby rules:

1.      Article 4(23) of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC

must be interpreted as meaning that a power of attorney, by which the holder of a bank account authorises an agent to make a disposal of assets, on that account, by means of a payment order, does not, in itself, constitute a ‘payment instrument’ within the meaning of that provision. However, a set of procedures, agreed between the holder of that account and the payment service provider, which allows the agent appointed in such a power of attorney to initiate a payment order from that account, may be classified as a ‘payment instrument’.

2.      Article 54(1) and (2), Article 59(1) and (2) and Article 86(1) of Directive 2007/64

must be interpreted as meaning that where a payment transaction was executed on the basis of a power of attorney granted by the holder of a bank account, which was formalised as a notarial document and bears an ‘apostille’ certificate, and the account holder disputes the validity of that power of attorney and, therefore, that consent was given to that payment transaction, the fact that the power of attorney in question is formally regular is not sufficient for it to be assumed that that transaction was authorised, and the payment service provider must demonstrate that, by means of that power of attorney, the payment service user duly expressed agreement, in accordance with the procedure for giving consent agreed with that provider, to the payment transaction in question.

[Signatures]

*      Language of the case: Bulgarian.