OPINION OF ADVOCATE GENERAL
SAUGMANDSGAARD ØE
delivered on 8 July 2021 (1)
Case C‑337/20
DM,
LR
v
Caisse régionale de Crédit agricole mutuel (CRCAM) – Alpes-Provence
(Request for a preliminary ruling from the Cour de cassation (Court of Cassation, France))
(Reference for a preliminary ruling – Approximation of laws – Directive 2007/64/EC – Payment services in the internal market – Articles 58 to 60 – Rights and obligations of the payment service user and of the payment service provider – Concepts of ‘full harmonisation’ and ‘exhaustive harmonisation’ – Notification of unauthorised payment transactions out of time – Liability of the payment service provider to the payment service user governed solely by Directive 2007/64/EC – Liability of the payment service provider to a third party, such as a guarantor – Scope of Directive 2007/64/EC – Application of rules on liability under national law)
I. Introduction
1. This case concerns the interpretation of Directive 2007/64/EC on payment services, (2) and more specifically its scope.
2. That directive regulates payment transactions between a provider of payment services, such as a banking institution, and an individual or undertaking, the user of those services.
3. In the main proceedings, the payment service provider is also a creditor of the user, who, consequently, is in the position of debtor. The questions referred by the Cour de cassation (Court of Cassation, France) seek to establish whether the provisions of Directive 2007/64 are fully harmonised, such that the Member States have no latitude as regards the liability of the parties to a payment transaction, and whether they affect the relationship between a guarantor of the debt owed by the debtor to the creditor and that creditor.
4. The request for a preliminary ruling has been made in the course of proceedings between DM, the manageress of Groupe centrale automobile SARL, a company (‘GCA’), and LR, the guarantor of that company, on the one hand, and a credit institution, the caisse régionale de Crédit agricole mutuel (CRCAM) Alpes-Provence (‘the bank’), on the other. The appellants in the cassation proceedings submit that while, having regard to the provisions of Directive 2007/64, a company which is in the position of debtor may not hold a credit institution liable for executing payment transactions which the company had not authorised, that directive does not prevent the guarantor from doing so, on the basis of the same facts, if national law so permits.
5. At the conclusion of my analysis, I will propose that the Court should hold that Directive 2007/64 regulates comprehensively the respective contractual obligations and liabilities of the user of payment services and the payment service provider, but that it does not govern the relationship between the guarantor and the payment service provider. In particular, that directive does not prevent the guarantor from holding the service provider liable, if national law so permits, where he or she has acted negligently as against the payment service user, by executing a transaction which the user had not authorised, even though, having regard to that directive, the payment service user cannot himself or herself do so.
II. Legal background
A. European Union law
6. Recitals 4, 31 and 47 of Directive 2007/64 state:
‘(4) It is vital … to establish at Community level a modern and coherent legal framework for payment services, whether or not the services are compatible with the system resulting from the financial sector initiative for a single euro payments area, which is neutral so as to ensure a level playing field for all payment systems, in order to maintain consumer choice, which should mean a considerable step forward in terms of consumer cost, safety and efficiency, as compared with the present national systems.
…
(31) In order to reduce the risks and consequences of unauthorised or incorrectly executed payment transactions the payment service user should inform the payment service provider as soon as possible about any contestations concerning allegedly unauthorised or incorrectly executed payment transactions provided that the payment service provider has fulfilled his information obligations under this Directive. If the notification deadline is met by the payment service user, he should be able to pursue those claims within the prescription periods pursuant to national law. This Directive should not affect other claims between payment service users and payment service providers.
…
(47) The payer’s payment service provider should assume liability for correct payment execution, including, in particular, the full amount of the payment transaction and execution time, and full responsibility for any failure by other parties in the payment chain up to the account of the payee. As a result of that liability the payment service provider of the payer should, where the full amount is not credited to the payee’s payment service provider, correct the payment transaction or without undue delay refund to the payer the relevant amount of that transaction, without prejudice to any other claims which may be made in accordance with national law. This Directive should concern only contractual obligations and responsibilities between the payment service user and his payment service provider. …’
7. Article 4 of that directive provides:
‘For the purposes of this Directive, the following definitions shall apply:
…
7. “payer” means a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order;
…
10. “payment service user” means a person making use of a payment service in the capacity of either payer or payee, or both;
…’
8. Article 51(1) of that directive provides:
‘Where the payment service user is not a consumer, the parties may agree that Article 52(1), Article 54(3), and Articles 59, 61, 62, 63, 66 and 75 shall not apply in whole or in part. The parties may also agree on a time period different from that laid down in Article 58.’
9. Under Article 58 of that directive:
‘The payment service user shall obtain rectification from the payment service provider only if he notifies his payment service provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim, including that under Article 75, and no later than 13 months after the debit date, unless, where applicable, the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III.’
10. Article 59(1) of Directive 2007/64 reads as follows:
‘Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for his payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency.’
11. Article 60 of that directive provides:
‘1. Member States shall ensure that, without prejudice to Article 58, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.
2. Further financial compensation may be determined in accordance with the law applicable to the contract concluded between the payer and his payment service provider.’
12. The first and second subparagraphs of Article 75(1) of that directive provide:
‘Where a payment order is initiated by the payer, his payment service provider shall, without prejudice to Article 58, Article 74(2) and (3), and Article 78, be liable to the payer for correct execution of the payment transaction, unless he can prove to the payer and, where relevant, to the payee’s payment service provider that the payee’s payment service provider received the amount of the payment transaction in accordance with Article 69(1), in which case, the payee’s payment service provider shall be liable to the payee for the correct execution of the payment transaction.
Where the payer’s payment service provider is liable under the first subparagraph, he shall, without undue delay, refund to the payer the amount of the non-executed or defective payment transaction, and, where applicable, restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.’
13. Article 86(1) of Directive 2007/64 provides:
‘Without prejudice to Article 30(2), Article 33, Article 34(2), Article 45(6), Article 47(3), Article 48(3), Article 51(2), Article 52(3), Article 53(2), Article 61(3), and Articles 72 and 88 in so far as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive.’
14. Directive 2007/64 has been replaced by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64. (3)
15. Article 71(1), the first subparagraph of Article 72(1), Article 73(1), Article 89(1) and Article 107(1) of Directive 2015/2366 essentially correspond to Article 58, Article 59(1), Article 60, the first and second subparagraphs of Article 75(1), and Article 86(1) of Directive 2007/64, respectively. (4)
B. French law
16. The provisions of Directive 2007/64, as transposed into French law, appear in the code monétaire et financier (Monetary and Financial Code), in the version resulting from Order No 2009-866 of 15 July 2009 on the conditions governing the supply of payment services and creating payment institutions (JORF, 16 July 2009, text No 13) (‘the Monetary and Financial Code’).
17. Article L.133-18 of the Monetary and Financial Code, which transposed Article 60 of Directive 2007/64, provides:
‘In the case of an unauthorised payment transaction reported by the user under the conditions prescribed in Article L.133 24, the payment service provider shall refund to the payment service user forthwith the amount of the unauthorised payment transaction and, where applicable, shall restore the payment account that had been debited with that amount to the situation that would have existed if the unauthorised payment transaction had not taken place.
The payer and his payment service provider may decide on additional compensation on a contractual basis.’
18. Article L.133-23 of the Monetary and Financial Code transposed Article 59 of Directive 2007/64.
19. Article L.133-24 of the Monetary and Financial Code, which transposed Article 58 of Directive 2007/64, is worded as follows:
‘The payment service user shall notify his payment service provider without undue delay of any unauthorised or incorrectly executed payment transactions and no later than 13 months after the debit date, failing which he will be time-barred, unless the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Book III, Title I, Chapter IV.
Except where the user is a natural person acting otherwise than for business or professional purposes, the parties may decide to derogate from this article.’
20. Article 1147 of the Civil Code provides:
‘The party on whom an obligation is imposed shall be ordered, when appropriate, to pay damages, either by reason of the non-performance of the obligation, or because of delayed performance, whenever he or she cannot demonstrate that the cause of non-performance is external and cannot be attributed to him or her, and that there was no bad faith on his or her part.’
21. Article 2313 of the Civil Code provides:
‘A guarantor may raise, as against the creditor, all defences which are available to the principal debtor and are inherent in the debt;
However, a guarantor may not raise defences which are purely personal to the debtor.’
III. The main proceedings, the questions referred for a preliminary ruling and the procedure before the Court
22. On 22 December 2008, the bank granted GCA a current account credit facility, which was guaranteed by LR on a joint and several basis.
23. After terminating that credit facility, the bank demanded payment from LR under the guarantee. LR contended that the bank had breached its duties by making unauthorised transfers to third parties, and that the amount of those transfers should be deducted from the sums which it sought from LR.
24. The cour d’appel d’Aix-en-Provence (Court of Appeal, Aix-en-Provence, France) held, on the basis of Article L.133-24 of the Monetary and Financial Code, which transposes Article 58 of Directive 2007/64, that LR’s objections were inadmissible, as the period of 13 months for challenging the payments at issue, laid down by that provision, had expired before the objections had been raised, and they were therefore time-barred.
25. In the appeal brought before the Cour de cassation (Court of Cassation), LR and the manager of GCA, DM, accept that that period of 13 months had expired. They submit, however, that that provision of the Monetary and Financial Code does not prevent liability from arising on the part of the bank under the general law, as provided for by Article 1147 of the Civil Code, in a case where it has breached its duty of care.
26. LR and DM maintain that the fact that the bank made the transfers at issue without GCA’s authorisation constitutes a breach of contract, in respect of which damages are payable pursuant to Article 1147 of the Civil Code.
27. The referring court states that, under national law, a guarantor may raise, as against the creditor, all defences which are available to the principal debtor and are inherent in the debt, and in particular any set-off to which the principal debtor would be entitled as against the creditor. It adds that this rule may apply where the creditor is in breach of his or her obligations towards the principal debtor, giving rise to civil liability and a consequent obligation to pay damages to the principal debtor as compensation for his or her loss.
28. The referring court also states that, by virtue of Article 1147 of the Civil Code, any breach of a contractual obligation that causes damage to the person to whom the obligation is owed gives rise to a liability, on the part of the person subject to the obligation, in respect of that damage.
29. The referring court is, however, unsure as to whether it is open to the guarantor to rely on the ordinary rules of contractual liability, having regard to the rules on liability laid down by Directive 2007/64 and transposed by the Monetary and Financial Code.
30. In those circumstances, the Cour de cassation (Court of Cassation) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is Article 58 of Directive [2007/64] to be interpreted as establishing a liability regime for unauthorised or incorrectly executed payment transactions made by payment service providers, precluding any action under the ordinary rules of civil liability in respect of the same acts for breach by that provider of the obligations imposed on him or her by national law, in particular where the payment service user fails to inform the payment service provider of the unauthorised or incorrectly executed payment transaction within 13 months of the date of debit?
(2) If the answer to the first question is in the affirmative, does that same article preclude the payment service user’s guarantor from invoking the ordinary rules of civil liability in respect of the same facts against the payment service provider, beneficiary of the guarantee, in order to challenge the amount of the secured debt?’
31. The request for a preliminary ruling, dated 16 July 2020, was lodged at the Court Registry on 23 July 2020.
32. The French, Czech and Italian Governments, as well as the European Commission, lodged written observations and also responded in writing to the questions posed by the Court on 8 March 2021.
IV. Analysis
33. By its request for a preliminary ruling, the referring court asks the Court to clarify the interaction between the rules governing the liability of a payment service provider laid down by Articles 58 to 60 of Directive 2007/64 and the ordinary rules of civil liability laid down by national law. More specifically, the referring court wishes to know, essentially, first, whether Article 60 of Directive 2007/64, read in conjunction with Articles 58 and 59 of that directive, precludes any action invoking liability on the part of the payment service provider under the ordinary rules of contractual liability, in particular where the period for notifying an unauthorised transaction (5) has expired (first question referred) and, secondly, whether the same applies in the case where such an action is brought by a third party, namely the service user’s guarantor (second question referred).
34. With a view to answering the referring court, I think it would be helpful to explain the liability regime established by Directive 2007/64, in particular in Articles 58 to 60 of that directive, and to determine whether a concurrent liability regime can apply, before considering whether it is open to a third party, such as the service user’s guarantor, to invoke liability on the part of the payment service provider on the basis of that concurrent regime.
A. The liability regime for service providers as laid down by Directive 2007/64 (first question referred)
35. By its first question, the referring court seeks to establish, essentially, whether the liability regime for payment service providers laid down by Directive 2007/64 in respect of unauthorised payment transactions excludes any action based on civil liability arising under the general law, by virtue of the same facts, from a breach by that service provider of the obligations imposed on him or her by national law.
36. While the French and Czech Governments, as well as the Commission, in submissions advanced in the alternative, contend that the liability regime established by Directive 2007/64 leaves no room for a regime of contractual liability to apply, under the general law, to the same transactions, the Italian Government considers that the two liability regimes can coexist.
37. At the conclusion of an analysis based on the wording and context of Articles 58 and 60 of Directive 2007/64, and informed by the objectives of that directive, (6) I take the view that the regime governing the liability of payment service providers to payment service users in the case where an unauthorised transaction has taken place, as laid down by that directive, has been fully harmonised and thus excludes any concurrent liability regime.
38. As regards, first, the wording of Articles 58 and 60 of Directive 2007/64, I note that Article 58 introduces a general obligation to notify any unauthorised or incorrectly executed transaction, such that the service user obtains rectification of an unauthorised or incorrectly executed transaction only if he or she notifies it to his or her service provider, which he or she must do no later than 13 months after the relevant debit date.
39. Article 60 of that directive relates specifically to the service provider’s liability for unauthorised transactions. (7) Article 60(1) provides that Member States must ensure that, without prejudice to Article 58, the payment service provider refunds to the payer immediately the amount of an unauthorised payment transaction.
40. The expression ‘without prejudice to Article 58’, used in Article 60 of Directive 2007/44, means that Article 58 of that directive is not to be undermined. It follows, to my mind, that the service provider is liable for an unauthorised transaction only where the service user has duly followed the notification procedure laid down by Article 58 of the directive, which is subject to a maximum period of 13 months from the debit date.
41. It is apparent from recital 31 of Directive 2007/64 – which states that, if the notification deadline is met by the payment service user, he or she should be able to pursue a claim based on the payment not having been authorised – that this is a condition of liability.
42. Those provisions, read together, thus lead to the conclusion that a service user who has not notified his or her service provider, within 13 months of the debit, of an unauthorised transaction, cannot invoke liability on the part of the service provider, (8) including under the general law, and therefore cannot obtain a refund in respect of the unauthorised transaction. (9)
43. That interpretation is supported by an examination of the context of those provisions, including their ‘external’ context, or in other words the travaux préparatoires, and their ‘internal’ or systemic context, or in other words their interrelationship with the other provisions of Directive 2007/64, taken as a whole. (10)
44. First, it is apparent from the travaux préparatoires that the Commission’s original proposal for a directive (11) did not impose any time limit, comparable to that laid down by Article 58 of Directive 2007/64, for the service user to notify an unauthorised transaction. It was simply provided that the payer was to inform his or her payment service provider without undue delay, on becoming aware of any unauthorised transaction, errors or other irregularity. No reference was made to that notification obligation in the article relating to the payment service provider’s liability, corresponding to Article 60 of the directive.
45. Nevertheless, the introduction of a uniform time limit soon came to be seen as indispensable as a means of guaranteeing legal certainty for the payment service user and payment service provider in the event of an unauthorised or incorrectly executed payment transaction. This is apparent from the various proposals of the Council, (12) the Opinion of the European Economic and Social Committee, (13) the Report of the European Parliament (14) and the Opinions of the various Parliamentary committees. (15) All of those participants in the preparation of Directive 2007/64 referred to the need to ensure such legal certainty and, to that end, to provide for the payment transaction to be definitive upon expiry of that period. (16)
46. One of the proposals made in the course of the legislative process (17) was to insert, in the specific article concerning the payment service provider’s liability, a condition relating to the payment service user’s obligation to notify the service provider, within a prescribed period, that one or more payment transactions had not been authorised. Ultimately, the legislature chose to insert the notification obligation in a separate provision – in the event, Article 58 of Directive 2007/64, which lays down a maximum period of 13 months – and to make express reference to that obligation in the provision concerning the payment service provider’s liability, namely Article 60 of that directive.
47. Thus, a link between the liability of the payment service provider and compliance by the service user with the maximum period was clearly established by the legislature, such that upon expiry of that period, the user would no longer be able to bring an action against the service provider seeking to establish the latter’s liability in respect of an unauthorised transaction.
48. Secondly, the ‘internal’ or systemic context of Articles 58 and 60 of Directive 2007/64 points in the same direction. It is clear from this too that the harmonisation for which the EU legislature has provided, in the field covered by those articles, is full harmonisation and does not permit the adoption of provisions other than those adopted by that legislature.
49. I would observe, first, that Directive 2007/64 provides for a liability regime as between the payment service user and the payment service provider covering both unauthorised payment transactions (in particular Articles 58 to 60) and non-execution or defective execution of transactions (in particular Article 75).
50. In all those cases, the notification obligation imposed on the payment service user by Article 58 of Directive 2007/64, requiring notification within 13 months, plays a crucial role. I have demonstrated this in relation to unauthorised transactions. In relation to the non-execution or defective execution of transactions, I would point out that Article 75 of Directive 2007/64, which is the counterpart to Article 60 of that directive, contains an identically worded reference to Article 58, providing that the payment service provider’s liability is ‘without prejudice to Article 58’. Recital 31 of the directive confirms that the notification obligation applies both to unauthorised and to incorrectly executed transactions, and that the payment service provider’s liability for defective execution of transactions is subject to compliance with the period for notification.
51. Furthermore, in cases of unauthorised and of incorrectly executed transactions, Article 59 of Directive 2007/64, which concerns the burden of proof, provides that it is for the payment service provider to prove that the transaction was authenticated, accurately recorded and entered in the accounts.
52. I would point out that Article 59 reverses the burden of proof by imposing it not on the party asserting that an unauthorised transaction has taken place – in other words, the payment service user – but on the payment service provider. It follows that, for a period of 13 months, the payment service provider is subject to a virtually automatic and immediate reimbursement obligation in respect of transactions which were not authorised by the user. (18)
53. The EU legislature has thus established a liability regime which rests on three essential and interconnected elements: an obligation to notify on part of the payment service user, laid down in Article 58 of Directive 2007/64; the imposition of the burden of proof on the payment service provider, pursuant to Article 59 of that directive; and, lastly, in the absence of proof, liability on the part of the service provider, pursuant to Articles 60 and 75 of that directive, depending on whether the transaction was unauthorised, not executed or incorrectly executed.
54. It is apparent from those provisions that the regime governing the liability of the payment service provider to the payment service user constitutes a harmonised regime. In that regard, Article 86 of Directive 2007/64 provides that ‘in so far as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive’. In accordance with the heading of that article, this harmonisation must be regarded as full. I would point out that, in order to distinguish those provisions which are harmonised from those which are not, that Article 86 lists the provisions of Directive 2007/64 which leave a degree of latitude to the Member States. I note that this list does not include Articles 58 to 60, nor, moreover, Articles 74 to 78.
55. It follows, in my view, that national provisions which differ from those in Articles 58 to 60, under which the payment service provider may be liable to the payment service user even where the user has not notified the provider, within 13 months, of the unauthorised debit, would run counter to the liability regime laid down in Articles 58 to 60, and would be contrary to the full harmonisation established by that regime.
56. I cannot therefore subscribe to the Italian Government’s view that a national general-law regime of contractual liability can supplement the regime established by Directive 2007/64 by providing for the payment service provider to be liable to the payment service user regardless of whether the user has complied with the period for notifying unauthorised transactions laid down in Article 58 of that directive.
57. The objectives of Directive 2007/64 support that interpretation.
58. As can be seen from recitals 1 to 5 of that directive, the EU legislature was seeking to create a single market for payment services by replacing the existing 27 national systems, the coexistence of which gave rise to confusion and suffered from a lack of legal certainty, with a harmonised legal framework defining the rights and obligations of payment service users and providers.
59. It follows from the foregoing analysis that the operation, alongside the harmonised liability regime for unauthorised or incorrectly executed transactions established by Directive 2007/64, of a separate, concurrent, liability regime, applicable as a matter of national law, based on the same facts and resting on the same foundations, could be accepted only if it did not undermine the regime established by that directive and did not adversely affect the objectives and utility of that directive. (19) Accordingly, a concurrent liability regime under which a service provider could be held liable to a service user in the event of an unauthorised transaction, despite the user not having complied with the period of 13 months for notification of the transaction, would be incompatible with Directive 2007/64.
60. I therefore propose that the Court’s answer to the first question should be that Articles 58 and 60 of Directive 2007/64 must be interpreted as laying down, in relation to unauthorised payment transactions, a regime governing the liability of the payment service provider to the service user which excludes any other liability regime based on a breach of duty by the service provider in connection with those transactions, such that, where a payment service user has failed to comply with the obligation to notify an unauthorised transaction within 13 months of the debit date, the payment service provider is no longer liable to that user.
B. The rules applicable to the guarantee (second question referred)
61. By its second question, the referring court seeks to establish whether, in a case where, due to non-compliance with the period for notification of an unauthorised transaction, it is no longer open to the payment service user to bring a civil-liability action against the service provider for a breach by that provider of his or her obligations in respect of that transaction, Articles 58 to 60 of Directive 2007/64 also prevent that user’s guarantor from relying, on the basis of the same facts, on the civil liability of the service provider, holder of the guarantee, for the purposes of disputing the amount of the guaranteed debt, in accordance with general rules of national law.
62. While the French and Czech Governments take the view that the notification period which is applicable to the service user, under Article 58 of Directive 2007/64, can also be relied on as against the service user’s guarantor, the Commission submits, to the contrary, that a guarantor does not come within the scope of Article 58, and accordingly is not subject to the liability regime established by that directive in respect of unauthorised transactions, and may therefore bring a liability action against the service provider on the basis of the general rules of national law.
63. In the analysis that follows, I will demonstrate that, while the regime governing the liability of the service provider to the service user, laid down by Directive 2007/64, has been fully harmonised, it does not extend to guarantors.
64. I will begin with some remarks about guarantees and contracts of guarantee.
65. A guarantee secures the payment to the creditor of what is owed to him or her by the debtor in respect of the guaranteed obligation, namely the debt owed by the debtor to the creditor. In no circumstances can the guarantor owe more than the amount of the debtor’s debt. (20) A contract of guarantee is the contract by which the guarantor undertakes to the creditor to pay the debt in the event of default on the part of the debtor. (21) It is of the essence of this contract that it is ancillary to the guaranteed obligation. (22) It is also distinct from the contract between the debtor and creditor. The guarantor is therefore a third party in relation to the contract between the debtor and the creditor.
66. Contracts of guarantee vary a great deal. As the field has not been harmonised, such contracts are subject to the domestic law of the Member States, which may diverge in significant respects. (23) Moreover, guarantee obligations may differ very considerably from one contract of guarantee to another, and may be distinct from the obligations of the principal debtor, which does not affect the debtor’s obligations to the creditor. Thus, the guarantor may agree to guarantee the whole of the debt owed by the principal debtor or merely a part of it, and the duration of his or her obligation may be limited in comparison with the duration of the contract between debtor and creditor. Furthermore, while the date on which the guarantee liability is payable may not be earlier than that on which the principal debt is payable, it may be different, and the contract of guarantee need not be governed by the same law as the principal debt.
67. In the main proceedings, the bank, as creditor, entered into a contract with the debtor, the company GCA, by which it granted GCA a credit facility on its current account, enabling the account to be overdrawn. The bank also entered into a guarantee contract with LR in order to secure, on a joint and several basis, the debt potentially owed to it by GCA.
68. I would reiterate that the fact that harmonisation is full does not mean that it is exhaustive. In relation to directives relating, in particular, to business-to-consumer liability, the Court has held that a directive may, in the matters regulated by it, pursue ‘full harmonisation’ of the laws, regulations and administrative provisions of the Member States, without seeking ‘exhaustively’ to harmonise the field of liability covered by the directive beyond those matters. (24)
69. The expression ‘full harmonisation’ relates to the latitude allowed to the Member States, and thus to the degree of discretion available to them in transposing the points contemplated by Directive 2007/64, while the expression ‘exhaustive harmonisation’ concerns the scope ratione materiae of that directive. (25)
70. In other words, harmonisation may be full in the sense that, as I observed when addressing the first question, the Member States have no latitude as regards the transposition of certain provisions of Directive 2007/64, here Articles 58 and 60 of that directive. It is not open to them to introduce provisions which differ from those contained in those articles. In contrast, harmonisation is not exhaustive, in that it is limited to the fields specifically covered by that directive, with the Member States remaining free to legislate outside those fields, provided that they do not undermine the useful effect of the directive.
71. It is therefore necessary, at this point, to consider the extent of the field covered by Directive 2007/64 in relation to civil liability.
72. To my mind, the liability regime covered by Directive 2007/64 concerns the relationship between the payment service user and the payment service provider. It is not intended to govern the relationship between the service provider and a third party, such as a guarantor.
73. This is apparent, first, from Articles 58 to 60 of the directive, which refer only to the payment service user and the payer, on the one hand, and to the payment service provider, on the other. A guarantor is neither a payment service user nor a payer.
74. A payment service user, under the definition set out in Article 4(10) of Directive 2007/64, is ‘a natural or legal person making use of a payment service in the capacity of either payer or payee, or both’.
75. Article 4(7) of that directive defines a payer as a person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, who gives a payment order. (26)
76. A guarantor, such as LR, is not in either of those situations and accordingly cannot be regarded as a payer within the meaning of Article 4(10). Equally, such a person is not a payee or a payment service provider.
77. It follows that a guarantor is a third party in relation to the payment service user and the payment service provider referred to in Directive 2007/64, as I stated in point 65 of this Opinion, and does not come within the scope ratione personae of that directive.
78. That interpretation is borne out by the recitals of Directive 2007/64. Recital 5 indicates that the directive defines the rights and obligations of payment service users and providers. Recital 6 states that it was not considered appropriate to lay down a fully comprehensive legal framework.
79. Finally, recital 47 of Directive 2007/64 states that that directive should concern only contractual obligations and responsibilities between the payment service user and his or her payment service provider. This is restated in Article 1(2) of that directive, which concerns the subject matter of the directive and indicates that it lays down the respective rights and obligations of payment service users and payment service providers.
80. It follows from the provisions of Directive 2007/64, read in the light of its recitals, that it does not govern the relationship between the payment service provider and the payment service user’s guarantor.
81. I accordingly share the Commission’s view that the relationship between the payment service provider and the guarantor of the payment service user does not in any way come within the scope of Directive 2007/64.
82. The liability regime established by that directive also points in the same direction.
83. That regime is based on a system of rights and obligations relating solely to the payment service user and the payment service provider, in which the provision of information by the provider to the user plays a major role.
84. Information is mentioned, in fact, as part of the subject matter of Directive 2007/64 (27) and Title III of that directive is devoted entirely to information. That information is crucial because it is the information provided that makes it possible for the payment service user to learn of an unauthorised transaction, to notify it to the service provider within the period laid down by Article 58 and, where appropriate, to invoke the liability of the service provider. I would point out that, under Article 58, notification of an unauthorised transaction must be given within 13 months of the debit date, ‘unless … the payment service provider has failed to provide or make available the information on that payment transaction in accordance with Title III’. (28)
85. The 13-month period is thus applicable only if the information has indeed been provided to the payment service user. I note that the obligation to notify an unauthorised transaction within 13 months of the debit date implies that the payment service user checks his or her accounts at least once every year.
86. A balance is thus struck between, first, the obligation to provide information which is incumbent on the payment service provider, secondly, the duty of care which is incumbent on the payment service user, and is linked to a notification obligation to be complied with by the user before expiry of a period, and thirdly, the triggering of strict liability on the part of the service provider, with no requirement for the user to prove fault or negligence.
87. Moreover, the advantage accorded to the payment service user through the ability to obtain an immediate refund of amounts paid out under unauthorised transactions, provided that he or she has complied with the notification period laid down by Article 58 of Directive 2007/64, corresponds to the legal certainty granted to the payment service provider through the user’s inability to challenge unauthorised payment transactions once the time limit has passed.
88. This balance does not, however, concern third parties such as guarantors. In particular, since a guarantor does not have at his or her disposal, by virtue of Directive 2007/64, the information which is provided to the payment service user and is linked to the 13-month period laid down in Article 58 of that directive, that period cannot be relied upon as against that guarantor.
89. Thus, in the absence of an express provision in that directive designed to extend the system of liability it lays down, as between the payment service user and the payment service provider, to a third party such as a guarantor, it seems to me that it would not be justified to subject such a third party to that system.
90. The argument advanced by the French and Czech Governments, to the effect that permitting the guarantor to dispute the amount of the debt, after expiry of the 13-month period, would be tantamount to circumventing the requirements of Directive 2007/64, and would undermine the useful effect of that directive, has not been substantiated and cannot in my view be accepted.
91. I say this in view of the fundamentally different nature of the contract of guarantee in comparison with the contract for payment services.
92. As I noted in point 65 of this Opinion, a guarantee is intended to secure a debt owed by a debtor to a creditor. A contract of guarantee thus represents a route by which the credit institution can obtain repayment of the debt owed by the debtor. However, the contractual relationship which it creates is distinct from that between the payment service user and the service provider, and concerns only the credit institution, as creditor, and the debtor’s guarantor.
93. The fact that, upon expiry of the 13-month period laid down in Article 58 of Directive 2007/64, the payment service provider is no longer obliged to reimburse the user in respect of unauthorised payment transactions, and the payment service user can no longer challenge the payment transactions effected, does not release the provider from his or her duty of diligence in the execution of such transactions.
94. The payment service provider is obliged to execute payment transactions correctly. Consequently, if he or she is negligent in failing to verify that the transactions have in fact been authorised by the payment service user, and if his or her negligence causes loss to a third party such as the guarantor, there is nothing to prevent him being held liable to that third party, if national law so permits. I would emphasise that, as guarantees are not regulated by Directive 2007/64, or indeed by any other directive, they remain governed by the rules of national law, under which a guarantor may be subject to specific obligations which are distinct from the obligations governing the relationship between the principal debtor and the creditor and do not affect those obligations. (29) Those rules may, in particular, permit the guarantor to reduce the amount of the debt which he or she originally agreed to guarantee. Under those rules, the guarantor may seek damages and, where appropriate, set those damages off against the guaranteed debt.
95. The fact that the guarantor can rely on national law to reduce his or her liability to the creditor does not in any way affect the contractual relationship between the credit institution – the payment service provider – and the debtor – the payment service user. In particular, it does not affect the amount of the debt owed by the latter to the service provider, which may include sums relating to unauthorised transactions which he or she failed to notify within the 13-month period laid down by Article 58 of Directive 2007/64.
96. I would also point out that a guarantee is a supplementary security for the credit institution, intended to secure the payment of the principal debt. Accordingly, if the guarantor’s action is successful and he or she is able to reduce, by way of set-off, the amount which he or she owes to the credit institution, or even to extinguish his or her liability to that institution, this does not affect the institution’s claim against the principal debtor, and therefore does not undermine the effectiveness of Directive 2007/64.
97. As the Commission has pointed out, the legislature did not think fit to extend the system of liability laid down by Directive 2007/64 to third parties, taking the view that the rules applicable to the relationship between the payment service provider and the payment service user should be sufficient to regulate the vast majority of claims arising out of payment transactions, and to reduce the risks and consequences of unauthorised or incorrectly executed transactions. (30)
98. I accordingly take the view that a claim brought by the guarantor, where national law so permits, seeking to invoke the potential liability of the creditor, is an example of a separate claim which may be made in accordance with national law, as referred to in recital 47 of Directive 2007/64, which does not in any way undermine the effectiveness of that directive.
V. Conclusion
99. In the light of the foregoing analysis, I propose that the Court should answer the questions referred by the Cour de cassation (Court of Cassation, France) as follows:
(1) Articles 58 to 60 of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market, amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC must be interpreted as laying down, in relation to unauthorised payment transactions, a regime governing the liability of the payment service provider to the service user which excludes any other liability regime based on a breach of duty by the service provider in connection with those transactions, such that, where a payment service user has failed to comply with the obligation to notify an unauthorised transaction within 13 months of the debit date, the payment service provider is no longer liable to that user.
(2) Articles 58 to 60 of Directive 2007/64 do not preclude a person other than the payment service user, such as that user’s guarantor, from invoking the civil liability of the payment service provider, under the general law, in respect of an unauthorised payment transaction, including in the case where the payment service user has not notified that transaction to that provider within the period of 13 months as from the unauthorised debit.