Liability of online platforms under the new payment services regulation? What the Digital Services Act has to do with the new Payment Package


Platform regulation at EU level never stands still. The Digital Services Act (“DSA”) has only been applicable as a flagship regulation for all affected players since February 2024, and EU legislators already have new plans to make intermediary services even more liable.

After the European Commission published drafts of a third Payment Services Directive (“PSD3”) and a Payment Services Regulation (“PSR”) as part of a “Payment Package” in mid-2023, the European Parliament published a legislative resolution on 23 April 2024 with various proposed amendments to the PSR (“Draft PSR”) and PSD3 (see here for a summary of the main new rules in PSD3 and the PSR). The Draft PSR proposes a series of provisions to prevent spoofing and now also intends to make online platforms considerably more liable than under the Commission’s draft.

“Spoofing”

“Spoofing” means disguising one’s own identity in order to trick a payer into carrying out a payment transaction that they do not actually want. Its core aim is to make the victim believe that the fake identity or message is genuine. In the payment sector – as the Draft PSR also states – this covers cases where fraudsters pretend to be employees of the customer’s payment service provider or of another body that the customer would associate with a trusted source, such as a central bank or a government agency. To gain the customer’s trust, fraudsters misuse the name, postal address, email address or telephone number of the payment service provider or authority and then persuade the customer to carry out certain actions.

“Spoofing” in the Draft PSR – providers of electronic communications services

The Draft PSR now also seeks to oblige “providers of electronic communications services” to cooperate with payment service providers in combating fraud and, under certain conditions, makes them liable for damages in the event of fraud. According to the definition now included in the Draft PSR, the term “electronic communications service provider” is to cover not only providers under the European Electronic Communications Code (Directive (EU) 2018/1972, “EECCD”) but also providers within the meaning of the DSA. The DSA does not define a “provider” as such, but covers all providers of intermediary services, i.e. not just providers of online platforms: alongside providers of mere conduit and caching services, this includes hosting services, of which online platforms are only a sub-category.

However, the Draft PSR seems to have online platforms within the meaning of the DSA particularly in mind, as the Parliament believes that online platforms can also contribute to the increase in the number of fraud cases and that they should therefore be held liable, in addition to the DSA, “if fraud is directly attributable to fraudsters using their platform to defraud consumers if they have been informed of fraudulent content on their platform and have not removed it”.

According to the EECCD, electronic communications services include, inter alia, internet access services and interpersonal communications services. “Providers” under the EECCD could also include providers of electronic communications networks.

What exactly does the draft regulate?

The Draft PSR stipulates in Art. 59 para. 1 that the payer’s payment service provider is liable “if the payer is manipulated by a third party who, using the name or e-mail address or telephone number of the consumer’s payment service provider or another similar public or private entity, posed as an employee of that entity and [...] this manipulation subsequently resulted in authorised fraudulent payment transactions”, provided that the payer has reported the fraud to the police, has not acted intentionally or with gross negligence and cooperates in the investigation of the case.

What is new is that the Draft PSR now imposes liability on the provider of electronic communications services in certain circumstances. If the providers of electronic communications services do not remove the fraudulent or unlawful content after being informed of it (e.g. by the payment service provider), they should reimburse the payment service provider for the full amount of the authorised fraudulent payment transaction.

It is noticeable that the spoofing cases described in the Draft PSR do not match the fraud patterns currently widespread on online platforms. While spoofing typically involves a supposed employee of the payment service provider deceiving the consumer, fraud in connection with online platforms often follows a different pattern: the fraudster registers as a merchant on the platform and, via a link or other means, directs the customer to an area outside the platform where they are asked to enter payment details on a fake payment page or by other means. Even though the spoofing variant described in Art. 59 of the Draft PSR therefore does not at first glance appear to address fraud on online platforms, a broad reading of the provision can nevertheless capture such cases.

This is because even in cases of fraud using online platforms, the fraudster usually acts under a false identity, for example by using third-party user accounts or payment data or fake payment pages. It should also be noted that the Draft PSR explicitly includes providers within the meaning of the DSA in the definition of electronic communications service providers. Moreover, Art. 2 para. 9a of the Draft PSR declares that Art. 59 of the Draft PSR applies accordingly to online platforms (which is superfluous from a legal point of view). Even if the regulatory technique of the Draft PSR contains a number of ambiguities and raises questions, it nevertheless appears to be the legislator’s aim to also establish liability for online platforms.

The intention is probably that the platforms will be held liable at the latest when a payment service provider or a third party notifies the online platform of a case of fraud by a seller registered on it and the online platform does not remove the “illegal content”. In principle, this is nothing new: an online platform must take action anyway once it becomes aware of illegal content, as otherwise the liability exemptions under the DSA (which already existed under the E-Commerce Directive) no longer apply. However, the DSA itself does not contain a basis for liability and does not regulate how liability is shared among several parties.

In contrast, the Draft PSR now stipulates that providers of electronic communications services, i.e. also providers of online platforms, are liable to the payment service provider if they have been informed of the fraudulent or illegal content, have not removed it, and the consumer has both reported the fraud to the police without delay and informed their payment service provider (Art. 59 para. 5 sentence 2 Draft PSR). This also settles the question of the internal allocation of liability between the two obligated parties, the payment service provider and the provider of electronic communications services.

It is unclear whether this liability should apply only to subsequent transactions or already to the first reported transaction. Read together with Art. 6 para. 1 DSA, under which a hosting service (including an online platform) is exempt from liability as long as it has no actual knowledge of the illegal content, liability should only come into consideration for subsequent transactions, since the provider had no knowledge at the time of the first reported transaction. It remains to be seen whether this is also the intention under the Draft PSR.

In the case of online platforms, this illegal content is likely to be, in particular, the offers posted on the platform by the trader concerned or by other consumers.

What else do providers of electronic communications services need to consider?

Art. 59 of the Draft PSR now requires providers of electronic communications services to fulfil various one-off and ongoing compliance measures.

After being informed by a payment service provider, they must act immediately to ensure that appropriate organisational and technical measures are taken to protect the security and confidentiality of communications in accordance with the Directive on Privacy and Electronic Communications (Directive 2002/58/EC), in particular with regard to caller ID and email addresses. This obligation is likely to apply primarily to providers within the meaning of the EECCD.

Providers of electronic communications services must also take all necessary educational measures, including alerting their customers by all appropriate means and media when new forms of online fraud emerge, taking into account the needs of their most vulnerable customer groups. They must provide their customers with clear guidance on how to recognise fraud attempts and make them aware of the measures and precautions they need to take to avoid falling victim to fraudulent activities. This goes beyond the more reactive obligations of the DSA. They must also inform their customers about the procedure for reporting fraudulent behaviour and how they can obtain information about fraud quickly.

Finally, “all providers that are part of the fraud chain” must act quickly to ensure that appropriate organisational and technical measures are taken to protect payment service users during the execution of transactions. Electronic communications service providers must implement fraud prevention and fraud mitigation techniques, including against unauthorised and authorised push payment fraud. The Draft PSR now also extends this obligation to “digital platform providers” without defining the term.

Art. 91 para. 3 of the Draft PSR also grants the competent authorities an audit right for identifying breaches of the Draft PSR. In addition, according to Art. 96 of the Draft PSR, Member States should – as usual – introduce effective, appropriate and proportionate administrative sanctions and measures applicable to infringements of the Regulation and ensure that they are enforced. It is therefore up to the Member States to decide how they sanction specific infringements and whether, for example, fines will be imposed.

Consequences for practice

The Draft PSR addresses the liability of online platforms in a surprising place, as payment services regulation is typically aimed primarily at payment service providers. The Draft PSR appears critical for online platforms, as the conditions under which liability arises are not regulated with absolute clarity and the consequences are difficult to assess. The obligation to put fraud-prevention compliance measures in place is also likely to entail additional organisational effort for online platforms, and the corresponding fraud-prevention information for customers means additional implementation and maintenance effort.