JUDGMENT OF THE COURT (Tenth Chamber)
11 April 2019 (*)
(Reference for a preliminary ruling — Payment services in the internal market — Directive 2007/64/EC — Articles 2 and 58 — Scope — Payment service user — Meaning — Execution of a direct-debit payment order issued by a third party in respect of an account of which that party is not the holder — No authorisation from the holder of the debited account — Unauthorised payment transactions)
In Case C‑295/18,
REQUEST for a preliminary ruling under Article 267 TFEU from the Tribunal da Relação do Porto (Court of Appeal, Oporto, Portugal), made by decision of 21 February 2018, received at the Court on 30 April 2018, in the proceedings
Mediterranean Shipping Company (Portugal) — Agentes de Navegação SA
v
Banco Comercial Português SA,
Caixa Geral de Depósitos SA,
THE COURT (Tenth Chamber),
composed of C. Lycourgos, President of the Chamber, E. Juhász and I. Jarukaitis (Rapporteur), Judges,
Advocate General: H. Saugmandsgaard Øe,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of
– Mediterranean Shipping Company (Portugal) — Agentes de Navegação SA, by P. Neves de Sousa, advogado,
– Banco Comercial Português SA, by M. Mendes Pereira and N. Carrolo dos Santos, advogados,
– the Portuguese Government, by L. Inez Fernandes, T. Larsen, A. Pimenta and G. Fonseca, acting as Agents,
– the European Commission, by P. Costa de Oliveira and H. Tserepa-Lacombe, acting as Agents,
having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Articles 2 and 58 of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC, and repealing Directive 97/5/EC (OJ 2007 L 319, p. 1).
2 The request was made in proceedings between Mediterranean Shipping Company (Portugal) — Agentes de Navegação SA (‘MSC’) and Banco Comercial Português SA (‘BCP Bank’) concerning the reimbursement of certain sums debited from MSC’s account without its consent.
Legal context
EU law
3 Directive 2007/64 was repealed and replaced, with effect from 13 January 2018, by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64 (OJ 2015 L 337, p. 35). However, given the date at which the material facts arose, the dispute in the main proceedings is still governed by Directive 2007/64.
4 Recitals 3, 4, 24, 31 and 35 of Directive 2007/64 stated:
‘(3) Several [EU] acts have already been adopted in [the] area [of payment services markets of the Member States] … These measures continue to be insufficient. The co-existence of national provisions and an incomplete [EU] framework gives rise to confusion and a lack of legal certainty.
(4) It is vital, therefore, to establish at [EU] level a modern and coherent legal framework for payment services … which is neutral so as to ensure a level playing field for all payment systems, in order to maintain consumer choice, which should mean a considerable step forward in terms of consumer cost, safety and efficiency, as compared with the present national systems.
…
(24) In practice, framework contracts and the payment transactions covered by them are far more common and economically important than single payment transactions. If there is a payment account or a specific payment instrument, a framework contract is required. …
…
(31) In order to reduce the risks and consequences of unauthorised or incorrectly executed payment transactions the payment service user should inform the payment service provider as soon as possible about any contestations concerning allegedly unauthorised or incorrectly executed payment transactions provided that the payment service provider has fulfilled his information obligations under this Directive. …
…
(35) Provisions should be made for the allocation of losses in the case of unauthorised payment transactions. ...’
5 Article 1(1)(a) of that directive provided:
‘This Directive lays down the rules in accordance with which Member States shall distinguish the following six categories of payment service provider:
(a) credit institutions ...’.
6 Article 2 of that directive provided:
‘1. This Directive shall apply to payment services provided within the [European Union]. However, with the exception of Article 73, Titles III and IV shall apply only where both the payer’s payment service provider and the payee’s payment service provider are, or the sole payment service provider in the payment transaction is, located in the European Union.
2. Titles III and IV shall apply to payment services made in euro or the currency of a Member State outside the euro area.
3. Member States may waive the application of all or part of the provisions of … Directive [2006/48/EC of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions (OJ 2006, L 177, p. 1)] to the institutions referred to in Article 2 of Directive 2006/48/EC, with the exception of those referred to in the first and second indent of that article.’
7 Article 3 of that directive listed transactions and services which were excluded from its scope.
8 For the purposes of Directive 2007/64, Article 4 set out the following definitions:
‘…
(3) “payment service” means any business activity listed in the Annex;
…
(5) “payment transaction” means an act, initiated by the payer or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligation between the payer and the payee;
…
(7) “payer” means a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order;
(8) “payee” means a natural or legal person who is the intended recipient of funds which have been the subject of a payment transaction;
(9) “payment service provider” means bodies referred to in Article 1(1) …;
(10) “payment service user” means a person making use of a payment service in the capacity of either payer or payee, or both;
…
(14) “payment account” means an account held in the name of one or more payment service users which is used for the execution of payment transactions;
…
(28) “direct debit” means a payment service for debiting a payer’s payment account, where a payment transaction is initiated by the payee on the basis of the payer’s consent given to the payee, to the payee’s payment service provider or to the payer’s own payment service provider;
…’
9 Title III of that directive, which contained Articles 30 to 50, was entitled ‘Transparency of conditions and information requirements for payment services’. Article 42 of that directive, which was part of Chapter 3 of that title, dedicated to framework contracts, laid down the information and conditions which must be provided to the payment service user. According to Article 42(5)(d), those included how and within what period of time that user was to notify the payment service provider of any unauthorised or incorrectly executed payment transaction in accordance with Article 58 of that directive, as well as the payment service provider’s liability for unauthorised payment transactions in accordance with Article 60. Article 37(2) of that directive, which was part of Chapter 2 of the same title, relating to single payment transactions, made provision for a similar obligation where single payment transactions were at issue.
10 Title IV of Directive 2007/64, comprising Articles 51 to 83, was entitled ‘Rights and obligations in relation to the provision and use of payment services’. Article 54, which was part of Chapter 2 of that title, concerning the authorisation of payment transactions, was entitled ‘Consent and withdrawal of consent’, and provided the following in paragraphs 1 and 2:
‘1. Member States shall ensure that a payment transaction is considered to be authorised only if the payer has given consent to execute the payment transaction. …
2. Consent to execute a payment transaction or a series of payment transactions shall be given in the form agreed between the payer and his payment service provider.
In the absence of such consent, a payment transaction shall be considered to be unauthorised.’
11 Article 58 of that directive, entitled ‘Notification of unauthorised or incorrectly executed payment transactions’, provided:
‘The payment service user shall obtain rectification from the payment service provider only if he notifies his payment service provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim … and no later than 13 months after the debit date, unless, where applicable, the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III.’
12 Article 59 of that directive, concerning evidence on authentication and execution of payment transactions, stated in paragraph 1:
‘Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for his payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency.’
13 Article 60 of that directive, which dealt with the payment service provider’s liability for unauthorised payment transactions, provided in paragraph 1:
‘Member States shall ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.’
14 The annex to Directive 2007/64 listed the payment services referred to in Article 4(3). Point 3 of that annex stated:
‘Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider:
– execution of direct debits, including one-off direct debits,
…’
Portuguese law
15 Directive 2007/64 was transposed into Portuguese law by Decreto-Lei No 317/2009 (Decree-Law No 317/2009) of 30 October 2009 (Diário da República, 1st series, No 211, of 30 October 2009), approving, in Annex I, the legal arrangements governing access to the activity of payment institutions and to the provision of payment services.
16 In the version applicable to the main proceedings, Article 2 of those arrangements (‘the RJSP’) laid down definitions which reproduced, in essence, those set out in Article 4 of Directive 2007/64. In particular, Article 2(i), (j) and (m) reproduced the definitions set out in Article 4(7), (8) and (10) of that directive, and Article 69 of the RJSP corresponded, in essence, to Article 58 of that directive.
The dispute in the main proceedings and the questions referred for a preliminary ruling
17 MSC holds an overnight deposit account with BCP Bank. Following an audit conducted in 2014, MSC discovered that that account was being regularly debited by way of direct debits in favour of a third party (‘the principal’) with whom it had no relationship and without it having given any authorisation to BCP Bank to that effect.
18 By letter of 17 November 2014, MSC asked BCP Bank to cancel those direct debits, to reimburse it for the amounts withdrawn and to send it a copy of the documents authorising those direct debits. Following some exchanges between the two entities, BCP Bank cancelled the direct debits and repaid the sum of EUR 683.48, corresponding to the direct debit payments made in October and November 2014.
19 In the course of those exchanges, a copy of the payment authorisation for the direct debits at issue was obtained from Caixa Geral de Depósitos SA where the account which received those direct debits was held (‘the principal’s bank’). BCP Bank was then able to see that that authorisation had not been given by the holder of the debited account, MSC, but by the principal, a third company, for the purpose of making payments to that principal by direct debit from an account, with the result that that authorisation highlighted the existence of a discrepancy between the account number shown and the bank identification number which was MSC’s bank identification number with BCP Bank.
20 On 10 December 2014, MSC contacted BCP Bank again reiterating that its account had been wrongly debited. By letter of 16 December 2014, BCP Bank confirmed that MSC had not given any such authorisation, or that it was at least improper, and that MSC was accordingly entitled to be reimbursed for direct debits executed up to the legal limit of 13 months laid down in Article 69 of the RJSP, that is to say, a sum equivalent to the direct debits made from October 2013 to December 2014. Therefore, the bank ordered that that sum be reimbursed.
21 Subsequently, MSC found that, between May 2010 and September 2013, direct debits had been paid from its account on the basis of that authorisation for a total sum of EUR 8 226.03 (‘the direct debits at issue’). By letter of 3 August 2016, it made a request to BCP Bank that it also be reimbursed for that sum, which request the bank refused.
22 MSC then brought an action before the Tribunal Judicial da Comarca do Porto (District Court, Oporto, Portugal) for an order that BCP Bank repay to MSC the sum corresponding to those direct debits. Since that action — in which BCP Bank summonsed the principal’s bank so as to ensure the possibility of bringing an action for redress — was dismissed as unfounded, MSC brought an appeal before the Tribunal da Relação do Porto (Court of Appeal, Oporto), the referring court.
23 Before that court, MSC argues, inter alia, that the Tribunal Judicial da Comarca do Porto (District Court, Oporto) misinterpreted and misapplied Article 2(i), (j) and (m), and Article 69 of the RJSP, since MSC cannot be classified as a ‘payment service user’, for the purposes of those provisions, nor can it be regarded as such. As a result, the time limit laid down in Article 69 does not apply. In that regard, it submits that it never concluded any contract with BCP Bank, or gave it any order whatsoever authorising the automatic debiting of its account for sums corresponding to the invoices issued by the principal. BCP Bank contends that the appeal should be dismissed.
24 The referring court states that it has been established that BCP Bank periodically sent MSC statements for its account. In addition, that court observes that, since MSC holds a bank account with BCP Bank, a contractual relationship between the two parties, to be understood as the bank framework contract, was created when that account was opened. It adds that MSC did not, however, conclude any contract with that bank authorising the automatic debiting of its account for the amounts contained in the invoices issued by the principal.
25 Referring to the various definitions set out in the RJSP, the national court states that the use of a payment service by means of a payment account presupposes the conclusion beforehand of a framework contract or, in the case of a single payment transaction, the conclusion of a single payment service contract. It considers that, in the present case, in view of the successive transactions that were carried out, their completion necessarily required the conclusion of a framework contract between MSC and BCP Bank and that, in order for BCP Bank to be able to rely on the RJSP, it must adduce evidence of the conclusion of such a contract, which it has not done. That court observes, however, that the RJSP also governs the execution of unauthorised payment transactions, by offering payment service users protection in accordance with Article 69 thereof.
26 Noting that the dispute before it concerns the implementation of direct debits by a credit institution, within the meaning of Article 1(a) of Directive 2007/64, the referring court considers it necessary to determine whether the scope of that directive encompasses circumstances such as those at issue before it and, in the event that it does, whether MSC may be regarded as a ‘payment service user’ for the purposes of Article 58 of that directive.
27 In those circumstances, the Tribunal da Relação do Porto (Court of Appeal, Oporto) decided to stay the proceedings and to refer the following questions to the Court for a preliminary ruling:
‘(1) Must Article 2 of Directive [2007/64] be interpreted to the effect that the scope of that directive, as defined in that article, includes the execution of a direct-debit payment order issued by a third-party on an account which it does not hold, where the holder of that account has not entered into a payment service contract for a single transaction, or a framework contract for the provision of payment services with that credit institution?
(2) If the answer to question 1 is in the affirmative, in those circumstances, can that account holder be considered to be a payment service user for the purposes of Article 58 of that directive?’
Consideration of the questions referred
28 As a preliminary point, it should be noted that, in the wording of its first question, which is also relevant for the examination of the second question, the national court refers to a situation in which a direct-debit payment order issued by a third-party was executed on an account ‘where the holder of that account has not entered into a payment service contract for a single transaction, or a framework contract for the provision of payment services with that credit institution’.
29 However, it is apparent from the file before the Court, first, that MSC, the account holder in question in the main proceedings, holds an overnight deposit account, and therefore a payment account within the meaning of Article 4(14) of Directive 2007/64, with BCP Bank. As the referring court states and as is apparent from recital 24 of that directive, the existence of such an account implies that a framework contract, such as the ones referred to in Title III, Chapter 3 of that directive, was concluded between those two parties. Secondly, the account holder disputes that it is possible for the national provision transposing Article 58 of that directive to be pleaded against it, not because there is no contractual relationship between it and that bank, but because there is no authorisation for the direct debits at issue, whether under such a framework contract or as single payment transactions such as those referred to in Title III, Chapter 2 of that directive.
30 When it states that there is no contractual relationship between MSC and BCP Bank, the referring court is merely indicating that the direct debits at issue were not authorised by MSC with that bank.
31 In addition, it is clear from the order for reference that MSC did not authorise those direct debits by one of the other routes provided for in Article 4(28) of Directive 2007/64 and that the principal was also the payee of those direct debits, within the meaning of Article 4(8) of that directive.
32 Therefore, the issue in the main proceedings concerns direct debits initiated by the payee, which were executed on a payment account of which that payee is not the holder, in a situation where the holder of that account did not consent in any way to those direct debits.
33 The questions referred must be examined in the light of those considerations.
The first question
34 Although in its first question the referring court seeks an interpretation of Article 2 of Directive 2007/64 concerning the scope of that directive, it is nevertheless apparent from the order for reference that only one of the conditions determining that scope is at issue in the main proceedings, that is to say, the one in the first sentence of paragraph 1 of that article, according to which the directive applies to ‘payment services’ provided within the European Union.
35 In those circumstances, and in the light of the preliminary considerations set out in paragraphs 28 to 32 above, by its first question, the referring court asks, in essence, whether Article 2(1) of Directive 2007/64 must be interpreted to the effect that the notion of ‘payment services’, for the purposes of that provision, includes the execution of direct debits, initiated by the payee, on a payment account of which it is not the holder, where the holder of the account thus debited does not consent to those direct debits.
36 In accordance with the settled case-law of the Court, in order to interpret a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it is part (judgments of 17 November 1983, Merck, 292/82, EU:C:1983:335, paragraph 12, and of 4 October 2018, ING-DiBa Direktbank Austria, C‑191/17, EU:C:2018:809, paragraph 19 and the case-law cited).
37 For the purposes of Directive 2007/64, the notion of ‘payment services’ is defined in Article 4(3) as relating to ‘any business activity listed in the Annex’. Point 3 of that annex states that that notion covers the execution of ‘payment transactions’, which in accordance with Article 4(5) of that directive are acts, initiated by the payer or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee. In accordance with the first indent of point 3 of that annex, those transactions include the execution of direct debits, including one-off direct debits. A ‘direct debit’ is defined in Article 4(28) of that directive, in essence, as ‘a payment service for debiting a payer’s payment account, where a payment transaction is initiated by the payee on the basis of the payer’s consent’ and the notion of ‘payer’ is defined in Article 4(7), inter alia, as ‘a natural or legal person who holds a payment account and allows a payment order from that payment account’.
38 It follows from those provisions that the execution of direct debits initiated by the payee on an account of which it is not the holder comes within the notion of ‘payment services’ in Article 2(1) of Directive 2007/64, even in the absence of any underlying obligations between the payer and the payee, where the payer, as holder of the payment account thus debited, consented to those direct debits. However, those provisions do not in themselves, in the absence of any reference to that effect, make it possible to establish clearly whether the execution of direct debits by the payee on an account of which it is not the holder also comes within that notion where the holder of the debited account did not consent to those direct debits.
39 In those circumstances, it is appropriate to consider the context surrounding the notion of ‘payment services’ and the objectives pursued by that directive.
40 With regard to the context, it must be stated that the execution of direct debits on a payment account in the absence of the consent of the holder of that account is not among the payment transactions which Article 3 of Directive 2007/64 excludes from the scope of that directive.
41 In addition, it should be pointed out that a number of provisions in Directive 2007/64 are intended to govern ‘unauthorised payment transactions’, a concept which, in accordance with Article 54(1) and (2) of that directive, covers transactions executed in the absence of the payer’s consent. The same is true as regards Article 42(5)(d) of that directive which states that the information and conditions which must be provided to the payment service user when a framework contract is concluded include how and within what period of time that user is to notify the payment service provider of any unauthorised or incorrectly executed payment transaction as well as information on the payment service provider’s liability for unauthorised payment transactions, and a similar obligation to provide information is, moreover, laid down by Article 37(2) of that directive for single payment transactions.
42 Similarly, first of all, Article 58 of Directive 2007/64 relates to the notification of unauthorised or incorrectly executed payment transactions. Next, Article 59 of that directive concerns, in essence, the allocation of the burden of proof where a payment service user denies having authorised a payment transaction which has been executed. Finally, Articles 60 and 61 of that directive deal respectively with the liability of the payer’s payment service provider and the payer’s own liability in the event of unauthorised payment transactions.
43 If the fact that the holder of the debited payment account did not consent to the execution of a direct debit on that account meant that such a transaction could be excluded from the notion of ‘payment services’ in Article 2(1) of Directive 2007/64 and, consequently, from the scope of that directive, those provisions, in so far as they concern unauthorised payment transactions, would be devoid of any meaning or practical effect.
44 It is apparent from the context surrounding that notion that it must be interpreted to the effect that it includes the execution of direct debits initiated by the payee on an account of which it is not the holder, even where the holder of the debited account did not consent to those direct debits.
45 That interpretation is supported by the objectives pursued by Directive 2007/64. Thus recitals 3 and 4 of that directive state, in essence, that the coexistence of national provisions and an incomplete EU framework in the area of the payment services markets of the Member States give rise to confusion and a lack of legal certainty, for which reasons it is vital to establish at EU level a modern and coherent legal framework for payment services, which is neutral so as to ensure a level playing field for all payment systems, in order to maintain consumer choice, which should mean a considerable step forward, in particular in terms of safety and efficiency, as compared with the present national systems.
46 In that sense, recital 31 of that directive states, in essence, that, in order to reduce the risks and consequences of unauthorised or incorrectly executed payment transactions, the payment service user should inform the payment service provider as soon as possible about any contestations concerning such transactions. Recital 35 of that directive also states that provisions should be made for the allocation of losses in the case of unauthorised payment transactions.
47 If unauthorised payment transactions, such as the direct debits at issue in the main proceedings, were excluded from the scope of Directive 2007/64, not only would part of those recitals be meaningless, but the achievement of the objectives pursued by that directive, in those recitals, would also be undermined. Such an exclusion would deprive market players of the protection which that directive, by introducing provisions laying down uniform rules at EU level for certain consequences of unauthorised payment transactions, is specifically intended to offer them where such payment transactions are at issue.
48 In the light of all the foregoing considerations, the answer to the first question is that Article 2(1) of Directive 2007/64 must be interpreted to the effect that the notion of ‘payment services’, for the purposes of that provision, includes the execution of direct debits, initiated by the payee, on a payment account of which it is not the holder, where the holder of the account thus debited does not consent to those direct debits.
The second question
49 By its second question, the referring court asks, in essence, whether Article 58 of Directive 2007/64 must be interpreted to the effect that the notion of ‘payment service user’, for the purposes of that article, includes the holder of a payment account on which direct debits were executed without its consent.
50 Article 58 provides, in essence, that the payment service user must obtain rectification from the payment service provider only if it notifies its payment service provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim, and no later than 13 months after the debit date, subject to the condition — which is not at issue in the main proceedings — that the payment service provider has complied with certain obligations to provide information.
51 For the purposes of Directive 2007/64, Article 4(10) defines the term ‘payment service user’ as covering ‘a natural or legal person making use of a payment service in the capacity of either payer, payee or both’.
52 Thus, it is true that, in view of the wording of that provision alone, read in conjunction with Article 4(7) and (8) of that directive concerning the terms ‘payer’ and ‘payee’, the holder of a payment account which was debited without its consent does not appear to come within that notion of ‘payment service user’. However, first, as was noted in essence in paragraph 48 above, the execution of direct debits on a payment account, to which the holder of the debited account did not consent, comes within the notion of ‘payment services’ in Article 2(1) of that directive. Secondly, it is clear from the actual wording of Article 58 and its title that it is specifically intended to apply in particular to unauthorised payment transactions.
53 In those circumstances, the notion of ‘payment service user’ must be interpreted to the effect that it includes the holder of a payment account on which direct debits have been executed without its consent. Moreover, for the same reasons as those set out in paragraph 47 above, such an interpretation is consistent with the aims pursued by Directive 2007/64, as set out in paragraphs 45 and 46 above.
54 In the light of the foregoing considerations, the answer to the second question is that Article 58 of Directive 2007/64 must be interpreted to the effect that the notion of ‘payment service user’, for the purposes of that article, includes the holder of a payment account on which direct debits were executed without its consent.
Costs
55 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Tenth Chamber) hereby rules:
1. Article 2(1) of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market, amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC, must be interpreted to the effect that the notion of ‘payment services’, for the purposes of that provision, includes the execution of direct debits, initiated by the payee, on a payment account of which it is not the holder, where the holder of the account thus debited does not consent to those direct debits.
2. Article 58 of Directive 2007/64 must be interpreted to the effect that the notion of ‘payment service user’, for the purposes of that article, includes the holder of a payment account on which direct debits were executed without its consent.
[Signatures]