Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 62022CC0409

    Opinion of Advocate General Campos Sánchez-Bordona delivered on 30 November 2023.
    UA v EUROBANK BULGARIA.
    Request for a preliminary ruling from the Apelativen sad - Sofia.
    Reference for a preliminary ruling – Free movement of capital – Payment services in the internal market – Directive 2007/64/EC – Concept of ‘payment instrument’ – Power of attorney of an agent acting on behalf of the account holder – Copy of the power of attorney with an ‘apostille’ certificate – Articles 54 and 59 – Consent to the execution of a payment transaction – Concept of ‘authentication’ – Unauthorised payment transactions – Liability of the payment service provider for those transactions – Burden of proof.
    Case C-409/22.

    ECLI identifier: ECLI:EU:C:2023:936

     OPINION OF ADVOCATE GENERAL

    CAMPOS SÁNCHEZ-BORDONA

    delivered on 30 November 2023 ( 1 )

    Case C‑409/22

    UA

    v

    EUROBANK BULGARIA

    (Request for a preliminary ruling from the Apelativen sad – Sofia (Court of Appeal, Sofia, Bulgaria))

    (Reference for a preliminary ruling – Free movement of capital – Payment services in the internal market – Directive 2007/64/EC – Concept of ‘payment instrument’ – Power of attorney of an agent acting on behalf of the account holder – Copy of the power of attorney with an ‘apostille’ – Evidence of authenticity – Concept of ‘payment transaction’ – Rights and obligations associated with the provision and use of payment services – Unauthorised payment transactions – Liability of the payment service provider)

    1.

    Directive 2007/64/EC ( 2 ) and Directive (EU) 2015/2366, ( 3 ) which has replaced the former since 13 January 2018, govern the provision of payment services in the internal market. Payment services are evolving rapidly as a result of advances in technology. ( 4 )

    2.

    The proceedings in which this reference for a preliminary ruling has been made are between a Bulgarian bank and a customer, who denies having made certain disposals from his current account. The customer has claimed that the bank should reimburse the funds transferred.

    3.

    In that context, the Court is required to clarify the concepts of ‘payment instrument’ ( 5 ) and ‘authentication’ used by Directive 2007/64, which applies ratione temporis to the case in the main proceedings.

    4.

    The Court will also have to develop its as-yet inchoate case-law on the liability of payment service providers (‘PSPs’) where payment transactions are not authorised by users.

    I. Legislative framework

    A.   European Union law Directive 2007/64

    5.

    Article 4(19) and (23) gives the following definitions:

    ‘For the purposes of this Directive, the following definitions shall apply:

    19.

    “authentication” means a procedure which allows the payment service provider to verify the use of a specific payment instrument, including its personalised security features;

    23.

    “payment instrument” means any personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a payment order’.

    6.

    Under Article 54 (‘Consent and withdrawal of consent’):

    ‘1.   Member States shall ensure that a payment transaction is considered to be authorised only if the payer has given consent to execute the payment transaction. A payment transaction may be authorised by the payer prior to or, if agreed between the payer and his payment service provider, after the execution of the payment transaction.

    2.   Consent to execute a payment transaction or a series of payment transactions shall be given in the form agreed between the payer and his payment service provider.

    In the absence of such consent, a payment transaction shall be considered to be unauthorised.

    3.   Consent may be withdrawn by the payer at any time, but no later than the point in time of irrevocability under Article 66. Consent to execute a series of payment transactions may also be withdrawn with the effect that any future payment transaction is to be considered as unauthorised.

    4.   The procedure for giving consent shall be agreed between the payer and the payment service provider.’

    7.

    Article 59 (‘Evidence on authentication and execution of payment transactions’) states:

    ‘1.   Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for his payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency.

    2.   Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of his obligations under Article 56.’

    8.

    Article 60 (‘Payment service provider’s liability for unauthorised payment transactions’) provides that:

    ‘1.   Member States shall ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.

    …’

    9.

    Article 86 (‘Full harmonisation’) states:

    ‘1.   Without prejudice to Article 30(2), Article 33, Article 34(2), Article 45(6), Article 47(3), Article 48(3), Article 51(2), Article 52(3), Article 53(2), Article 61(3), and Articles 72 and 88 in so far as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive.

    3.   Member States shall ensure that payment service providers do not derogate, to the detriment of payment service users, from the provisions of national law implementing or corresponding to provisions of this Directive except where explicitly provided for therein.

    However, payment service providers may decide to grant more favourable terms to payment service users.’ ( 6 )

    B.   Bulgarian law

    10.

    Article 75(2) of the Zakon za zadalzheniata i dogovorite (Law on obligations and contracts) provides:

    ‘…

    The debtor shall be discharged of his or her debt where he or she has fulfilled, in good faith, an obligation vis-à-vis a person who, on the basis of clear circumstances, appears to be entitled to receive performance. …’.

    11.

    Article 57(1) of the Zakon za platezhnite uslugi i platezhnite sistemi (Law on payment services and payment systems) of 2009 ( 7 ) reads:

    ‘In the event of an unauthorised payment transaction, the payment service provider shall immediately refund to the payer the amount of the unauthorised payment transaction and, if necessary, restore the payer’s payment account to the state in which it was prior to the execution of the unauthorised payment transaction.’

    II. The facts, the dispute and the questions referred

    12.

    In the order for reference, instead of setting out the facts it considers to have been proven, the referring court describes the facts invoked by each party in the proceedings. They are as follows.

    A.   Facts according to the applicant (UA)

    13.

    UA and Eurobank EFG Bulgaria AD (‘Eurobank’) concluded a current account agreement in Sofia (Bulgaria) on 22 November 2017. Under the agreement, the bank undertook to open and maintain an open-ended current account in euros in UA’s name in order to provide him with payment services. UA paid a total of EUR 999860 into the account in various transfers.

    14.

    On 6 February 2018, UA visited the bank branch to make a transaction on his account, but a Eurobank employee informed him that the balance was only EUR 16000.

    15.

    UA asserts that this surprised him and that, after he had requested an explanation, the employee provided him with a bank statement showing the movements on the account from the opening of the account to 6 February 2018.

    16.

    In the light of that statement, UA established that a person not known to him, named MK, had made disposals of funds in the account by means of six individual transfer orders with a total value of EUR 982000, without valid authorisation from UA, as the account holder, since he had not issued MK with any form of power of attorney.

    17.

    The Eurobank employee explained to UA that those unilateral dispositive transactions had been carried out by MK, who had presented himself as the depositor’s agent and provided a power of attorney dated 1 December 2017, certified by an Italian notary.

    18.

    UA showed the employee that the document in question did not contain his signature as principal, and took the following steps to protect his interests: (a) on 6 March 2018, he notified Eurobank that his funds had been improperly disposed of and requested that they be reimbursed; (b) on 8 March 2018 he sent a copy of that notification to the Central Bank of the Republic of Bulgaria and sent a written enquiry to the notary. The notary replied, stating that he had neither drawn up nor certified a power of attorney in favour of MK, that the power of attorney was ‘a forgery’ and that he had reported the foregoing to both Eurobank, in response to its enquiry of 20 February 2018, and the College of Notaries of Milan (Italy).

    B.   Facts according to the defendant (Eurobank)

    19.

    Eurobank acknowledges that UA visited the bank branch with two Italian nationals on 22 November 2017. During the conversation, the Eurobank employee understood that UA intended to use an agent to operate the current account he was going to open. UA declined the online banking services, SMS notifications and bank card that the bank offered him.

    20.

    On 15 December 2017, an individual (MK) who presented himself as UA’s agent, visited the branch and produced to the Eurobank employee a copy, notarised by the Italian notary on 5 December 2017, of the power of attorney dated 1 December 2017.

    21.

    The authenticity of that copy had been certified by means of an ‘apostille’ and all the documents had been translated from Italian into Bulgarian by a sworn translator. The power of attorney was specific (express) and authorised the agent to make disposals with the funds in UA’s account.

    22.

    For each of the six transfer orders, MK produced the original copy of the power of attorney.

    23.

    On the date on which UA became aware of the six disposals of the funds in his current account (6 February 2018), he did not report the purported irregularities to the bank employees. He did not do so until 20 February 2018. On 6 March 2018 he submitted to the bank a written report alleging those unauthorised disposals and claiming reimbursement of his funds.

    24.

    Eurobank accepts that, on 20 February 2018, it sent the notary a scanned copy of the power of attorney and asked him whether the power of attorney of 1 December 2017 had been duly filed and entered in his register, whether the the power of attorney had the same legal effects as the power of attorney itself and whether the making of such copies was in line with standard practice. The notary replied only with the following: ‘The attached document is a forgery. Do not use it’.

    25.

    On 27 February 2018, Eurobank sent a written enquiry to the Deputy Prosecutor of the Italian Republic, who, with his signature, had certified the copy of the power of attorney at issue by means of an ‘apostille’ under the Hague Apostille Convention. ( 8 ) The Public Prosecutor’s Office in Monza (Italy) confirmed that the ‘apostille’ had been issued on 12 December 2017, that is to say, it officially confirmed that the ‘“apostille” placed on the copy of the power of attorney is valid’.

    C.   Summary of each party’s case

    26.

    According to UA, the Eurobank employees acted imprudently and with gross negligence by allowing a person with no power of representation to dispose of the funds in his current account. The power of attorney produced contained a prima facie irregularity and was not such that it could be accepted because the principal’s signature was absent. Eurobank should therefore have refused to execute the six transactions at issue.

    27.

    Eurobank claims that:

    The document produced was a copy of the power of attorney and not the power of attorney itself, and therefore did not contain the principal’s signature;

    by means of the ‘apostille’, the competent Italian authority certified the authenticity of the signatures and the identity of the stamps on the documents, confirming that the copy of the power of attorney had been notarised, that is to say, confirming the authenticity of the document, which means that the copy in question could be used in Bulgaria;

    the six payment transactions were executed in favour of a ‘putative creditor’, and, according to a clause of the General Terms and Conditions of the agreement, in conjunction with Article 75(2) of the Bulgarian Law on obligations and contracts, ‘the bank shall not be liable for the sums paid and disposals made under a power of attorney where it has not been notified in writing of the revocation of the power of attorney and where, before receiving such notification, it has in good faith paid a sum to a person who, on the basis of clear circumstances, appeared to be entitled to receive it’.

    D.   The dispute and the questions referred

    28.

    On 4 February 2019, UA brought proceedings against Eurobank before the Sofiyski gradski sad (Sofia City Court, Bulgaria). By its judgment of 13 May 2021 that court upheld the application and ordered Eurobank to reimburse EUR 982000 to UA for the unauthorised payment transactions. ( 9 )

    29.

    Eurobank has brought an appeal against the first instance judgment to the Apelativen sad Sofia (Court of Appeal, Sofia, Bulgaria), which has referred the following questions to the Court of Justice:

    ‘(1)

    Does a power of attorney by which the agent makes a disposal of assets on behalf of the payer by means of a payment order constitute a payment instrument within the meaning of Article 4(23) of [Directive 2007/64]?

    (2)

    Does the “apostille” certificate placed on a document by the competent foreign authority in accordance with the 1961 Hague Convention Abolishing the Requirement of Legalisation for Foreign Public Documents form part of the authentication procedure for both the payment instrument and the payment transaction within the meaning of Article 4(19) of that directive, in conjunction with Article 59(1) thereof?

    (3)

    If the payment instrument (including one authorising a third person to make disposals on behalf of the payer) is formally (prima facie) regular, can the national court assume that the payment transaction is authorised, that is to say, that the payer has consented to its execution?’

    III. Procedure before the Court

    30.

    The request for a preliminary ruling was received at the Court on 21 June 2022.

    31.

    UA, Eurobank, the Bulgarian, Czech and Italian Governments and the European Commission lodged written observations.

    32.

    Following the submission of observations, by an addendum received at the Court on 13 January 2023, the referring court supplemented its order with certain additional information.

    33.

    The Court invited the parties to make submissions at the hearing on whether the information contained in that addendum is relevant for the purposes of responding to the request for a preliminary ruling.

    34.

    Only the Bulgarian Government and the Commission appeared at the hearing, which was held on 28 September 2023.

    IV. Assessment

    A.   Question 1

    35.

    The referring court enquires whether ‘a power of attorney by which the agent makes a disposal of assets on behalf of the payer by means of a payment order’ can be described as a payment instrument within the meaning of Article 4(23) of Directive 2007/64.

    36.

    Article 4 of Directive 2007/64 contains two definitions, for the purposes of that directive:

    ‘Payment instrument’ means ‘any personalised device and/or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a payment order’ (point 23).

    ‘Payment order’ means ‘any instruction by a payer or payee to his payment service provider requesting the execution of a payment transaction’ (point 16).

    37.

    This means that both a physical device (card or mobile telephone) and a set of procedures (PINs, TANs, DigiPass, Bizum, usernames, passwords and so forth) agreed between the payment service user ( 10 ) and the PSP in order to initiate a payment order will be payment instruments within the meaning of Directive 2007/64.

    38.

    Specifically, a user can arrange with a PSP that, using a set of procedures agreed between both parties, he or she will use those procedures to order the PSP to execute a payment transaction (to place, transfer or withdraw funds).

    39.

    Article 4(23) of Directive 2007/64 uses a very broad definition of ‘payment instrument’, with the effect that the type of technology, means of transmitting the payment order and possession of the security elements are not decisive, even where the security elements are in the possession of the user. ( 11 )

    40.

    According to the Court’s case-law, ( 12 ) payment instruments may be:

    Personalised, that is to say, they enable the PSP to verify that the payment order has been initiated by a user authorised to do so;

    Non-personalised, where the PSPs ‘are not required to prove that the transaction in question was authenticated in the situation referred to in Article 59 of that directive [2007/64]’.

    41.

    In the judgment in T-Mobile Austria the Court clarified the interpretation to be given to Article 4(23) of Directive 2007/64, in view of the discrepancy between the different language versions as regards use of the term ‘personalised’ in conjunction with the expressions ‘any … device’ and ‘set of procedures’. It held that in order for a payment instrument to be considered to be personalised it must allow the PSP to verify that the payment order was initiated by a user authorised to do so. ( 13 )

    42.

    The definition in Article 4(23) of Directive 2007/64 may therefore include a set of procedures agreed between the PSP and the user and used by the latter in order to initiate a payment order. ( 14 )

    43.

    In the present case, the document provided to Eurobank was a copy of the specific (express) power of attorney purportedly issued by an Italian notary, by means of which UA authorised the agent to dispose of funds in his current account. The copy was certified by an ‘apostille’ and translated into Bulgarian by a sworn translator.

    44.

    In principle, a specific, express power of attorney granted by the holder of the payment account ( 15 ) to an agent, authorising the latter to carry out transactions debited from a bank account, is not, subject to what I am about to add, a payment instrument. As such, that power of attorney does not enable the PSP to verify that the payment order was initiated by a user authorised to do so and is not an instrument provided to the holder of a payment account by the PSP.

    45.

    However, as I have already indicated, according to Article 4(23) of Directive 2007/64, a payment instrument may consist of a set of procedures‘agreed’ between the PSP and the user. Nothing stands in the way of the power of attorney forming part of that set of procedures, although for it to do so, there would need to be a prior agreement between the holder of the payment account and the PSP.

    46.

    In consonance with that requirement, Article 54(1) and (2) of Directive 2007/64 provides that a payment transaction is considered to be authorised only if the payer has given consent to execute the payment transaction, and that consent is to be given in the form agreed between the payer and the PSP. In the absence of such consent, a payment transaction is to be considered to be unauthorised.

    47.

    The nub of the question referred is whether such agreement between the user and the PSP actually existed. In order to dispel the uncertainty on that point, the Apelativen sad Sofia (Court of Appeal, Sofia) added an addendum to its order for reference, from which it can be deduced that the framework contract ( 16 ) between Eurobank and UA is governed by the General Terms and Conditions signed on 22 November 2017 and contains the following clauses:

    Under Clause V.22, the account holder may dispose of the funds personally or through an agent authorised by means of a notarially certified power of attorney, containing an explicit declaration of intent to carry out dispositive transactions with the funds in the payment account. In order for disposals of funds to be made through an agent, the agent must produce the original of the power of attorney and a valid identity document.

    Under Clause V.25, the bank must carry out a formal verification of the powers of attorney produced to it and the signatures on them.

    48.

    It appears, therefore, that there was an agreement between UA (as holder of the payment account) and Eurobank (as PSP) which provided for the possibility of using a notarised power of attorney to make disposals with the funds in the account. To that end, the contract concluded between those two parties included a set of steps (a procedure) which had to be followed in order for the PSP to execute a payment order attributed to the user.

    49.

    From that perspective, it can be found that, by means of a notarised power of attorney, the holder of the payment account indirectly conveys to the PSP its intention to perform payment transactions debited from the funds in the payment account. A power of attorney of this kind is, then, the initial element in the set of procedures ‘agreed’ between the PSP and the user in order to execute a payment order.

    50.

    To the same extent, the power of attorney can be described as a non-personalised (or indirect ( 17 )) payment instrument, because the agent can operate the payment account by presenting his or her notarised power of attorney or duly certified copy and is not required to submit a transfer order signed manually by the account holder. If such a manuscript order from the account holder were required, notarised powers of attorney for managing payment accounts would be meaningless, because account holders would always need to perform the transactions and endorse them with their signature.

    51.

    It is true that the power of attorney is not issued by the PSP but by the account holder to a third party, to enable the latter to order payment transactions on behalf of the account holder. However, that circumstance does not mean that it cannot be considered to be an element in the set of procedures agreed between both parties and which constitutes the payment instrument. By analogy, a transfer ordered in person at the bank branch, by means of a manuscript order issued by the account holder, is also a payment instrument, even though it is not issued by the PSP.

    52.

    The approval of the PSP, given in the framework contract which allows the use of a notarised power of attorney, in itself shows that the PSP has indirect control over this type of payment instrument, since it can allow or refuse its use by the account holder.

    53.

    I would note at this stage that the debate has focused on whether Clauses V.22 and V.25 of the framework contract between the credit institution and its customer strictly required production of the original of the power of attorney, in the absence of which Eurobank could not allow the disposals of funds. It will be for the referring court to interpret the terms of that framework contract, in relation to such facts as it finds to be proven.

    54.

    Subject to the referring court’s assessment of the agreement, my view is that, in reply to the first question referred, Article 4(23) of Directive 2007/64 should be interpreted as meaning that a specific, express power of attorney granted by the holder of the payment account to an agent so that the agent can dispose of funds is not, prima facie, a payment instrument, unless the account holder and the PSP have so agreed in the clauses of the framework contract between them.

    55.

    If they do so agree, the notarised power of attorney would form part of a set of procedures agreed between the PSP and the user of the payment service in order to initiate a payment order. Since it is not inconceivable that this has occurred in the present case, the way is open for an examination of the following questions referred.

    B.   Question 2

    56.

    The referring court seeks to ascertain whether the ‘apostille’ placed on a document by the competent foreign authority in accordance with the Apostille Convention ‘form[s] part of the authentication procedure for both the payment instrument and the payment transaction within the meaning of Article 4(19) of [Directive 2007/64], in conjunction with Article 59(1) thereof’.

    57.

    I shall examine separately the points that this question raises in respect of authentication and in respect of the Apostille Convention.

    1. Authentication

    58.

    Directive 2007/64 refers to authentication in a dual context:

    In Article 4(19) it defines authentication as a ‘procedure which allows the payment service provider to verify the use of a specific payment instrument, including its personalised security features’. ( 18 )

    It adds, in Article 59(1), that where a user denies having authorised a payment transaction ( 19 ) the PSP will have to prove that it was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency.

    59.

    The PSP must use authentication to verify that the account holder has consented to one or more payment transactions being carried out. Authentication (of the payment instrument and of the transaction itself) confers reliability on any transactions the agent may order and is crucial if the PSP is to execute payment orders correctly and to be exempt from liability.

    60.

    If the user denies authorising the payment transaction, the burden of proof therefore lies on the PSP. The reversal of the burden of proof is particularly favourable to users: the PSP must demonstrate the circumstances which, under Directive 2007/64, would relieve it of its reimbursement obligation in relation to payment transactions that the account holder denies having authorised.

    61.

    Imposing the burden of proof on the PSP in such a situation is consistent with Article 54(1) of Directive 2007/64: payment transactions may be considered to be authorised only if the payer has given consent to execute the payment transaction prior to or, if agreed between the payer and the PSP, after the execution of the payment transaction. In the absence of such consent, a payment transaction is to be considered to be unauthorised.

    62.

    Under Article 54(2) of Directive 2007/64, consent to execute a payment transaction or a series of payment transactions is to be given in the form agreed between the payer and the PSP. As I have repeatedly stated and has occurred here, the user and the PSP may agree that an express power of attorney can be used to express consent and to enable the agent to make disposals of the funds in the payment account.

    63.

    The power of attorney is therefore one of the instruments by means of which payment service users express their consent to payment transactions, by the agent, being made from their account.

    64.

    Against that background, since the PSP bears the burden of proving consent by the holder of the payment account, in order not to incur liability it must exercise the utmost care in performing the procedure for authenticating the power of attorney.

    65.

    Where a notary is involved, that factor, prima facie, ensures that the power of attorney is genuine and reliable. Such notarial involvement is however not regulated in Directive 2007/64 and must comply with the provisions of national law. ( 20 )

    66.

    Put simply, where the user and the PSP have agreed that a power of attorney forms part of the set of procedures agreed in order to initiate a payment order, authentication of the power of attorney is indispensable to the PSP verifying that the account holder has authorised the agent to carry out payment transactions.

    67.

    It remains for me to examine how the existence of the ‘apostille’ under the Hague Convention affects the procedure for authenticating the power of attorney.

    2. The Apostille Convention

    68.

    According to the information provided by the referring court and the parties, a problem arose concerning the authenticity of the document that MK produced to Eurobank.

    69.

    It would appear that MK provided a copy, certified by the notary in Milan and with the ‘apostille’ of the Italian authority competent to perform that formality, of the original power of attorney.

    70.

    In response to Eurobank’s enquiries, the notary informed it that the power of attorney was a forgery. However, according to the letters rogatory ordered by the referring court, the Italian authority confirmed that the ‘apostille’ accompanying the copy of the power of attorney was genuine. ( 21 )

    71.

    The referring court will have to resolve that discrepancy in order to ascertain whether fraudulent conduct has occurred. It will also be for that court to interpret the framework contract between UA and Eurobank, in the light of national law, in order to determine whether, according to the terms of that contract, it was not sufficient to provide a copy of the notarised power of attorney ( 22 ) and that its original, duly signed by the principal, had to be provided.

    72.

    EU law contains no specific provision applicable to the legalisation of a notarised power of attorney for the purpose of operating a payment account. Regulation (EU) 2016/1191 ( 23 ) established a simplified procedure for legalising public documents, but those documents do not include a notarised power of attorney granted in order to operate a payment account. ( 24 )

    73.

    The referring court asserts that the Apostille Convention ( 25 ) applies to the legalisation in Bulgaria of a notarised power of attorney in order to make disposals with the funds in a bank account. According to the convention (point (c), second paragraph of Article 1), notarial acts are public documents.

    74.

    Under that convention, which concerns public documents which have been executed in the territory of one Contracting State and which have to be produced in the territory of another Contracting State:

    Each Contracting State is to exempt from legalisation documents to which the convention applies and which have to be produced in its territory.

    The only formality that may be required in order to certify the authenticity of the signature, the capacity in which the person signing the document has acted and, where appropriate, the identity of the seal or stamp which it bears, is the addition of the certificate described in Article 4, issued by the competent authority of the State from which the document emanates.

    75.

    In short, the convention replaces the cumbersome traditional legalisation process with a single formality, that is to say, the issuing of an authentication certificate known as an ‘apostille’, by the home State. The ‘apostille’ certifies the authenticity of the origin of a public document, meaning that it can be produced in a foreign country, provided that the country in question is a Contracting Party to the convention. Apostillisation therefore has the same effect as legalisation. ( 26 )

    76.

    Although the Court does not have jurisdiction to interpret the Apostille Convention (because it does not form part of EU law), it is at liberty, in the course of interpreting the provisions of Directive 2007/64, to confirm to the referring court that the ‘apostille’ affixed by a foreign authority by virtue of the convention is one of the means that the PSP may use when authenticating a payment instrument, where it is contained in a foreign public document.

    C.   Question 3

    77.

    The referring court seeks to ascertain whether, where a payment instrument is formally (prima facie) regular, it can assume that the account holder has authorised the payment transaction, that is to say, has consented to its execution.

    78.

    In order to answer that question, the Court must first address the harmonised regime governing the liability of PSPs ( 27 ) and users when dealing with payment transactions not authorised by the user.

    79.

    I shall examine the features of that liability regime before setting out a number of considerations that may be of use to the referring court when applying it to this case.

    1. Liability of PSPs when dealing with payment transactions not authorised by the user

    80.

    According to Article 60 of Directive 2007/64, in conjunction with Articles 58 and 59 thereof, liability for losses suffered as a result of unauthorised payment transactions lies, in principle, with the PSP rather than the user. Nevertheless, in certain circumstances users may be required to bear those losses.

    81.

    The referring court’s question seeks to determine whether merely formal (prima facie) authentication of the payment instrument relieves the PSP of liability.

    82.

    The considerations set out by the referring court in the order for reference appear to support the conclusion that, in the view of that court:

    A literal interpretation of the grounds for exemption from liability contained in Directive 2007/64 would mean that a PSP, ‘although acting in good faith (with due commercial care), would be fully liable for the unauthorised payment transaction made … in order to be exempt from liability, the [PSP] must prove a qualified form of fault on the part of the payer, who must have acted with intent (including fraudulent intent) or gross negligence’.

    It adds that such an interpretation would expose the PSP to the risk of incurring significant pecuniary losses, even if it acted in good faith, that is to say, despite taking all necessary measures to comply with the legal requirements and good commercial practice. It would to that extent undermine the smooth implementation of the provision of payment services and thereby run counter to the purpose of Directive 2007/64 of promoting the free movement of services and capital.

    Another outcome could however be achieved by adopting a teleological, logical and systematic interpretation of the grounds provided for in Directive 2007/64 for exempting PSPs from liability.

    83.

    In interpreting the provisions of EU law, it is necessary to consider not only their wording but also the context in which they occur and the objectives pursued by the rules of which they are part. ( 28 )

    84.

    The Court has in fact already confirmed, with respect to the applicable provisions of Directive 2007/64, that:

    On a literal interpretation of Articles 58 and 60 of Directive 2007/64, the liability of the PSP in the case of unauthorised payment is subject to the user notifying the unauthorised transaction. If the user does not notify the PSP of an unauthorised transaction, within no more than 13 months after the debit of that transaction, the user cannot trigger the liability of the PSP, including on the basis of the general law and, therefore, cannot obtain repayment. ( 29 )

    A literal and contextual interpretation of Article 60(1) of Directive 2007/64 confirms that reasoning, which applies to both unauthorised transactions and incorrectly executed transactions. ( 30 ) That article is couched in terms of prompt action: the PSP must immediately refund the amount of the transaction to the payer and, where applicable, restore the payment account that has been debited with that amount to the situation that would have existed if the unauthorised payment transaction had not taken place.

    The teleological interpretation of Article 58 and Article 60(1) of Directive 2007/64 supports the literal and contextual interpretations of those provisions. ( 31 )

    The background to Directive 2007/64 ( 32 ) supports the foregoing considerations and the assertion that national law cannot establish a different liability regime. ( 33 )

    85.

    Once the indispensable notification of any unauthorised transaction has been given within the prescribed time limit, the PSP is subject to an immediate repayment obligation.

    86.

    That liability regime includes the mechanism referred to above for allocating the burden of proof, which is particularly favourable to users: it is the PSP and not the user that must demonstrate the circumstances that exempt it from the repayment obligation, that is to say, it must prove that the payment transaction was authenticated, accurately recorded and entered in the accounts. ( 34 )

    87.

    As Advocate General Saugmandsgaard Øe summarised in his Opinion in CRCAM, ‘the EU legislature has thus established a liability regime which rests on three essential and interconnected elements: an obligation to notify on part of the payment service user … the imposition of the burden of proof on the payment service provider … and, lastly, in the absence of proof, liability on the part of the service provider, pursuant to Articles 60 and 75 of that directive, depending on whether the transaction was unauthorised, not executed or incorrectly executed’. ( 35 )

    88.

    Article 86 of Directive 2007/64, entitled ‘Full harmonisation’, provides that ‘without prejudice to [several provisions of that directive which it sets out] in so far as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive’.

    89.

    Since Articles 58, 59 and 60 of Directive 2007/64 are not among the provisions in respect of which Article 86 allows the Member States freedom of action, the Court has concluded that the liability regime for PSPs in those articles has been the subject of full harmonisation, with the result that the Member States cannot maintain a parallel liability regime in respect of the same operative event. ( 36 )

    90.

    Recitals 1 and 4 of Directive 2007/64 are in the same vein: the harmonised liability regime under the directive may not be placed in competition with an alternative liability regime laid down under national law, based on the same facts and the same basis, that adversely affects the objectives and the effectiveness of that directive. ( 37 )

    2. Effects of the liability regime for PSPs on these proceedings

    91.

    It is common ground that, within the period laid down in Article 58 of Directive 2007/64, UA, as the holder of the payment account, informed Eurobank of the existence of the unauthorised payment transactions carried out by its purported agent MK.

    92.

    As an authentication element that in its view proves the user’s consent, Eurobank relies on the copy, bearing an ‘apostille’, of the power of attorney granted by UA to MK in the presence of an Italian notary. The notary, however, states that the power of attorney and the copy were forgeries. The copy that MK produced to the bank for the purpose of ordering the transfers apparently bore no signature by the principal, the holder of the account, meaning that the bank was not able to conduct a comparison of signatures. Nor is there any record that Eurobank used alternative means (such as a recorded telephone call) to satisfy itself that UA had consented to the transfer orders submitted by MK.

    93.

    According to Article 59(2) of Directive 2007/64, if a user denies having authorised an executed payment transaction (as has occurred here), the use of a payment instrument recorded by the PSP ‘shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of his obligations under Article 56’.

    94.

    That rule supports the inference that use of the payment instrument produced to Eurobank in the form of a (forged) power of attorney, even though it was certified and bore an ‘apostille’, may be insufficient to demonstrate authorisation by the payer.

    95.

    If the circumstances of the case aroused reasonable doubts concerning the payment instrument, the PSP had a greater duty of care when verifying that it was genuine, in order to dispel those doubts and be completely certain that the holder of the payment account had authorised the transactions at issue. Only that approach upholds the guiding principle of Directive 2007/64, that is to say, the aim of protecting payment service users, in particular when they are consumers. ( 38 )

    96.

    I believe that, given the peculiar circumstances of this case, the PSP was not entitled to confine itself to carrying out a purely formal (prima facie) authentication of a notarised copy of a power of attorney, bearing an ‘apostille’ affixed by the competent authority of a foreign State.

    97.

    In order to enhance the protection of payment service users, Directive 2007/64 and its successor, Directive 2015/2366, have introduced the ‘pay first and argue later’ principle in relation to the liability of PSPs. ( 39 )

    98.

    As already stated, it is for the PSP to provide evidence proving that the user consented to a payment transaction or has been fraudulent or grossly negligent. The burden of proof imposed on the PSP is, I repeat, a very heavy one.

    99.

    The harmonised regime governing the liability of PSPs for unauthorised payment transactions cannot be tempered by recourse to national provisions ( 40 ) under which the liability of PSPs is attenuated compared with the more stringent liability resulting from Directive 2007/64. The national court must give precedence to Directive 2007/64 and apply Article 86 thereof in conjunction with Articles 58, 59 and 60.

    100.

    The argument outlined by the referring court – that a rigorous liability regime protecting users would have an adverse impact on the PSPs’ activity – is insufficient to rebut the foregoing. The European legislature has weighed up the pros and cons of both alternatives and has elected the one it considers best in the common interest.

    101.

    Within the alternative included in Directive 2007/64, the formal and substantive authentication of payment instruments is essential in order to provide legal certainty for the parties to payment transactions. It is equally indispensable for the proper functioning of the EU payment system, which promotes the free movement of capital.

    102.

    In short, my view is that Articles 58, 59 and 60 of Directive 2007/64, in conjunction with Article 86 thereof, must be interpreted as meaning that, where there are circumstances giving rise to legitimate doubts as to the validity of the payment instrument:

    merely formal (prima facie) authentication of that payment instrument does not relieve PSPs of liability for executing payment transactions that are not authorised by the payer; and

    a liability regime established by the domestic law of a Member State does not comply with those articles in so far as it provides that PSPs are exempt from liability or have attenuated liability for unauthorised payment transactions where they carry out a merely formal (prima facie) authentication of the payment instrument.

    V. Conclusion

    103.

    In the light of the foregoing considerations, I propose that the Court should answer the Apelativen sad Sofia (Court of Appeal, Sofia, Bulgaria) as follows:

    Article 4(19) and (23) and Articles 58, 59 and 60, in conjunction with Article 86, of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC

    must be interpreted as meaning that:

    (1)

    A specific, express power of attorney granted by the holder of the payment account authorising an agent to dispose of funds in that account is not, prima facie, a payment instrument, unless the holder of the payment account and the payment service provider have agreed that it is and have expressly so provided in the clauses of the framework contract between them. If they do so agree, the notarised power of attorney would form part of a set of procedures agreed between the payment service provider and the user of that service in order to issue a payment order.

    (2)

    The ‘apostille’ certificate placed on a document by the competent foreign authority in accordance with the Convention of 5 October 1961 Abolishing the Requirement of Legalisation for Foreign Public Documents (the Apostille Convention) is one of the means that the payment service provider may use to authenticate a payment instrument, where that instrument is contained in a foreign public document.

    (3)

    In the event of payment transactions being executed where those transactions are not authorised by the payer, the national court must disregard a regime governing the liability of payment service providers established by the domestic law of a Member State if it does not adhere strictly to the provisions of Articles 58, 59 and 60 of Directive 2007/64, in conjunction with Article 86 thereof.

    (4)

    Where there are circumstances giving rise to legitimate doubts as to the validity of the payment instrument and the user denies having authorised a payment transaction that has already been executed, a payment service provider who performs a merely formal (prima facie) authentication of that payment instrument is not exempt from liability for execution of that transaction.


    ( 1 ) Original language: Spanish.

    ( 2 ) Directive of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ 2007 L 319, p. 1; corrigendum, OJ 2009 L 187, p. 5).

    ( 3 ) Directive of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ 2015 L 337, p. 35).

    ( 4 ) The European Commission has begun the process to update Directive 2015/2366. See A study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2), FISMA/2021/OP/0002.

    ( 5 ) On the uncertainty to which this concept has given rise, see Opinion of the European Banking Authority on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2), EBA/Op/2022/06, of 23 June 2022, pp. 111 and 112.

    ( 6 ) The content of the articles quoted was reproduced, with few modifications, by Directive 2015/2366 when it repealed Directive 2007/64.

    ( 7 ) Repealed with effect from 6 March 2018 but applicable in this case.

    ( 8 ) Convention of 5 October 1961 Abolishing the Requirement of Legalisation for Foreign Public Documents (‘the Apostille Convention’). The convention, and the related documents, can be found on the website of the Hague Conference on Private International Law (www.hcch.net), under the heading ‘Conventions and other Instruments’, specialised section ‘Apostille’.

    ( 9 ) It also ordered it to pay UA EUR 1 182.40 by way of compensation for material damage and EUR 74521 by way of interest.

    ( 10 ) On the concepts of ‘payment services’ and ‘payment service user’, see judgment of 11 April 2019, Mediterranean Shipping Company (Portugal) – Agentes de Navegação (C‑295/18, EU:C:2019:320, paragraphs 37 to 48 and 54).

    ( 11 ) That assertion is in line with the Court’s case-law according to which ‘Article 4(23) of Directive 2007/64 must be interpreted as meaning that both the procedure for ordering transfers by means of a transfer order form signed by the payer in person and the procedure for ordering transfers through online banking constitute payment instruments within the meaning of that provision’ (judgment of 9 April 2014, T-Mobile Austria, C‑616/11, EU:C:2014:242, ‘the judgment in T-Mobile Austria’, paragraphs 29 to 44).

    ( 12 ) Judgment in T-Mobile Austria, paragraphs 33 and 34, and judgment of 11 November 2020, DenizBank (C‑287/19, EU:C:2020:897, paragraphs 69 to 72).

    ( 13 ) Judgment in T-Mobile Austria, paragraphs 31 and 33.

    ( 14 ) For example, the Court considered the near-field communication functionality – the ‘contactless payment’ functionality in common parlance – of personalised multifunctional bank cards to be a non-personalised payment instrument, while the other functionalities of those cards are personalised payment instruments. See judgment of 11 November 2020, DenizBank (C‑287/19, EU:C:2020:897, paragraph 79), and my Opinion delivered on 30 April 2020, DenizBank (C‑287/19, EU:C:2020:322, points 29 to 51).

    ( 15 ) On the concept of a payment account under Article 4(14) of Directive 2007/64, see judgment of 4 October 2018, ING-DiBaDirektbank Austria (C‑191/17, EU:C:2018:809).

    ( 16 ) According to Article 4(12) of Directive 2007/64, ‘framework contract’ means ‘a payment service contract which governs the future execution of individual and successive payment transactions and which may contain the obligation and conditions for setting up a payment account’.

    ( 17 ) Judgment in T-Mobile Austria, paragraph 39, mentions one of the most common instances of personalised payment instruments: ‘the ordering of transfers generally requires the payer to submit a sample of his handwritten signature to the credit institution when opening the payment account, to use particular transfer order forms, and to endorse them with his handwritten signature. That credit institution may authenticate the payment order within the meaning of Article 4.19 of [Directive 2007/64], by comparing the handwritten signature endorsed on the transfer order form with the sample handwritten signature lodged by the payer beforehand.’

    ( 18 ) Directive 2015/2366 has supplemented that definition by stating in Article 4(29) that in addition to verifying the payment instrument, authentication allows the PSP ‘to verify the identity of a payment service user’. Article 4(30) of Directive 2015/2366 introduces the innovation of ‘strong customer authentication’, namely ‘an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data’.

    ( 19 ) Article 4(5) of Directive 2007/64 defines ‘payment transaction’ as ‘an act, initiated by the payer or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee’.

    ( 20 ) According to the Bulgarian Government, those provisions require a notary to certify the signature on powers of attorney for the disposal of funds in payment accounts.

    ( 21 ) The ‘apostille’ certifies only the authenticity of the signature, the capacity in which the person signing the document has acted and, where appropriate, the identity of the seal or stamp which the document bears (see Article 5 of the Apostille Convention).

    ( 22 ) Eurobank argues that under Bulgarian and Italian law a notarially certified copy of a public document (in this case, a power of attorney) has the same evidential value as its original.

    ( 23 ) Regulation of the European Parliament and of the Council of 6 July 2016 on promoting the free movement of citizens by simplifying the requirements for presenting certain public documents in the European Union and amending Regulation (EU) No 1024/2012 (OJ 2016 L 200, p. 1). The abolition of legalisation and similar formalities, for documents issued in a Member State in the context of the regulation in question, is a principle common to the EU regulations on judicial cooperation in civil matters: see, for example, Article 61 of Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ 2012 L 351, p. 1).

    ( 24 ) Under Article 2 of the regulation, its application is limited to public documents issued by the authorities of a Member State in accordance with its national law which have to be presented to the authorities of another Member State and the primary purpose of which is to establish one or more of the facts about a person’s civil status that are relevant to freedom of movement in the territory of the European Union (birth, death, name, nationality and so forth).

    ( 25 ) Italy and Bulgaria, in common with all the other EU Member States, are parties to the Apostille Convention. However, the European Union is not a party and that convention does not form part of EU law.

    ( 26 ) For an exhaustive explanation of implementation of the convention, see Practical Handbook on the Operation of the Apostille Convention, Hague Conference on Private International Law, The Hague, 2023.

    ( 27 ) On the liability of PSPs, see Guimarães, M.R., ‘Los medios de pago en el derecho europeo y en los instrumentos europeos de armonización del derecho privado’, Banca, Borsa, Titoli di Credito, 2017, No 4, pp. 571 to 574; Janczuk-Gorywoda, A., ‘Enforcing smart: exploiting complementarity of public and private enforcement in the Payment Services Directive 2’, in Cherednychenko, O. and Andenas, M., Financial Regulation and Civil Liability in European Law, Edward Elgar, 2020, pp. 115 to 137; and Paglietti, C.M., ‘Restitution and Liability in the Multilevel Regulatory Framework of Unauthorized Digital Payment Transactions’, European Review of Private Law, 2022, No 1, p. 165.

    ( 28 ) Judgments of 24 March 2021, MCP (C‑603/20 PPU, EU:C:2021:231, paragraph 37), and of 2 September 2021, CRCAM (C‑337/20, EU:C:2021:671, ‘the judgment in CRCAM’, paragraph 31).

    ( 29 ) Judgment in CRCAM, paragraphs 34 and 36.

    ( 30 ) Judgment in CRCAM, paragraphs 37 to 42.

    ( 31 ) Judgment in CRCAM, paragraphs 43 to 46.

    ( 32 ) Judgment in CRCAM, paragraphs 47 to 51.

    ( 33 ) In paragraphs 41 and 42 of the judgment in CRCAM, the Court confirmed that the liability regime for PSPs in Directive 2007/64 ‘has been the subject of full harmonisation, with the result that the Member States cannot maintain a parallel liability regime in respect of the same operative event’.

    ( 34 ) In practice, the system of proof set by Article 59 of Directive 2007/64 has the effect, once the notification provided for in Article 58 of that directive has been carried out within the period prescribed therein, that the PSP is subject to an immediate repayment obligation (judgment in CRCAM, paragraph 40).

    ( 35 ) Opinion in Case C‑337/20, EU:C:2021:564, point 53.

    ( 36 ) Judgment in CRCAM, paragraphs 41 and 42.

    ( 37 ) Judgment in CRCAM, paragraphs 44 and 45. See also the Opinion of Advocate General Szpunar delivered on 7 July 2022, Beobank (C‑351/21, EU:C:2022:541, points 42, 43 and 50).

    ( 38 ) Judgments of 25 January 2017, BAWAG (C‑375/15, EU:C:2017:38, paragraph 45), and of 2 April 2020, PrivatBank (C‑480/18, EU:C:2020:274, paragraph 66).

    ( 39 ) See Guimarães, M.R. and Steennot, R., ‘Allocation of Liability in Case of Payment Fraud: Who Bears the Risk of Innovation? A Comparison of Belgian and Portuguese Law in the Context of PSD2’, European Review of Private Law, 2022, No 1, pp. 47 and 48.

    ( 40 ) The national provisions adduced in this case include Article 75(2) of the Bulgarian Law on obligations and contracts. According to that article, a debtor is to be discharged of his or her debt where he or she has fulfilled, in good faith, an obligation vis-à-vis a person who, on the basis of clear circumstances, appears to be entitled to receive performance. That general liability regime is therefore not consistent with the specific regime for PSPs derived from Articles 58, 59, 60 and 86 of Directive 2007/64.

    Top