Activities of Claude GRUFFAT related to 2023/0210(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010
Amendments (103)
Amendment 92 #
Proposal for a regulation
Recital 13
(13) To assess whether a limited network should be excluded from scope, the geographical location of the points of acceptance of such network as well as the number of the points of acceptance should be considered. Specific-purpose instruments should allow the holder to acquire goods or services only in the physical premises of the issuer, whereas usage in an online store environment should not be covered by the notion of premises of the issuer. Specific-purpose instruments should include, depending on the respective contractual regime, cards that can only be used in a particular chain of stores or a particular shopping centre, fuel cards, membership cards, public transport cards, parking ticketing, meal vouchers or vouchers for specific services, which may be subject to a specific tax or labour legal framework designed to promote the use of such instruments to meet the objectives laid down in social legislation, such as childcare vouchers or ecological vouchers. Specific-purpose instruments should also include electronic money-based instruments once they meet the requirements of this exclusion. Payment instruments which can be used for purchases in stores of listed merchants should not be excluded, as such instruments are typically designed for a network of service providers which is continuously growing.
Amendment 100 #
Proposal for a regulation
Recital 31 a (new)
(31 a) To process digital payments online or offline, it is essential that front end payment service providers obtain access to near field communication technology (NFC) on mobile devices. These components include, in particular but not exclusively, NFC antennas and the so-called secure elements of mobile devices (e.g.: Universal Integrated Circuit Card (UICC), embedded SE (eSE), and microSD etc). It is therefore necessary to ensure that whenever needed to provide payment services, original equipment manufacturers of mobile devices or providers of electronic communication services would not refuse access to NFC antennas and secure elements. To ensure this also in the digital economy, providers of front-end payment services should be entitled to store software on relevant mobile devices’ hardware in order to make transactions technically possible both online and offline. For this purpose, original equipment manufacturers of mobile devices and providers of electronic communication services should be obliged to provide access on fair, reasonable and non-discriminatory terms to all hardware and software components when needed for online and offline transactions. In all instances, such operators should be obliged to provide adequate capacity on relevant hardware and software features in mobile devices to process online payment transactions and for storing funds on mobile devices for offline payment transactions. This obligation should be without prejudice to Article 6(7) of Regulation (EU) 2022/1925, which obliges gatekeepers to provide, free of charge, effective interoperability with, and access for the purposes of interoperability to, the operating system, hardware or software features of mobile devices, which is applicable to existing and new digital means of payments.
Amendment 118 #
Proposal for a regulation
Recital 79
(79) Payment service users should be adequately protected in the context of the so-called social engineering fraud, where the fraudster manipulates the payment service user in performing a certain action, such as initiating a payment transaction, or handing over their security credentials to the fraudsters. The number of such type of ‘social engineering’ cases where consumers are misled into authorising a payment transaction to a fraudster has significantly increased in recent years. ‘Spoofing’ cases where fraudsters pretend to be a legitimate payee or an employee of a customer's payment service provider and misuse that person’s or the payment service provider's name, mail address or telephone number to gain the customers’ trust and trick them into carrying out some actions, are unfortunately becoming more widespread in the Union. Those new types of ‘spoofing’ fraud are blurring the difference that existed in Directive (EU) 2015/2366 between authorised and unauthorised transactions. Means through which the consent may be assumed to be granted are also becoming more complex to identify, as fraudsters can take control of the whole consent and authentication process including of the strong customer authentication completion. The conditions under which the customer gave his or her permission for making a payment should be taken into due consideration, including by courts, to qualify a transaction as being authorised or unauthorised. Therefore, where the customer denies having authorised a payment, the use of the payer's personalised security credentials to authenticate a payment, including where relevant the application of strong customer authentication, should not in itself be sufficient to prove that the payment transaction was authorised by the payer.
Amendment 121 #
Proposal for a regulation
Recital 80
(80) Payment service providers have more means than consumers to put an end to cases of “spoofing”, where the fraudster impersonates an employee of the payment service provider and misuses the payment service provider’s name, mail address or telephone number to trick customers into carrying out some actions, through adequate prevention and robust technical safeguards developed with electronic communications services providers such as mobile network operators, internet platforms etc. Those electronic communications services should be obliged to cooperate with payment service providers in the fight against fraud. If they fail to do so, they should be held jointly responsible in the event of fraud. Cases of bank employee impersonation fraud affect the good repute of the bank, of the banking sector as a whole and may cause significant financial damages to Union consumers, affecting their trust in electronic payments and in the banking system. A good-faith consumer who has been the victim of such ‘spoofing’ fraud where fraudsters pretend to be employees of a customer's payment service provider and misuse the payment service provider's name, mail address or telephone number should therefore be entitled to a refund of the full amount of the fraudulent payment transaction from the payment service provider, unless the payer has acted fraudulently or with ‘gross negligence’. As soon as the consumer becomes aware that he or she has been a victim of that type of spoofing fraud, the consumer should without undue delay report the incident to the police, preferably via online complaint procedures, where made available by the police, and to his or her payment service provider, providing every necessary supporting evidence. No refund should be granted where those procedural conditions are not fulfilled.
Amendment 125 #
Proposal for a regulation
Recital 82
(82) To assess possible negligence or gross negligence on the part of the payment service user, account should be taken of all circumstances. The evidence and degree of alleged negligence should generally be evaluated according to national law. For example, where a payment service user falls victim of social engineering fraud, in order to assess whether the payment service user has acted with gross negligence, account should be taken of all relevant factors, including but not limited to the complexity of the fraud, the personal circumstances of the payment service user, whether the latter had reasonable grounds for believing that he/she was making a payment to a legitimate payee, and whether the payment service provider could have taken additional steps to help prevent the fraud from taking place. While the concept of negligence implies a breach of a duty of care, ‘gross negligence’ should mean more than mere negligence, involving conduct exhibiting a significant degree of carelessness; for example, making a payment to a fraudster without having any reasonable ground for believing the payee to whom the payment was intended is legitimate, or keeping the credentials used to authorise a payment transaction beside the payment instrument in a format that is open and easily detectable by third parties. The fact that a consumer has already received a refund from a payment service provider after having fallen victim of bank employee impersonation fraud and is introducing another refund claim to the same payment service provider after having been again victim of the same type of fraud could be considered as ‘gross negligence’ as that might indicate a high level of carelessness from the user who should have been more vigilant after having already been victim of the same fraudulent modus operandi.
Amendment 132 #
Proposal for a regulation
Recital 100
(100) Fraudsters often target the most vulnerable individuals of our society. The timely detection of fraudulent payment transactions is essential, and transaction monitoring plays an important role in that detection. It is therefore appropriate to require payment service providers to have in place transaction monitoring mechanisms, reflecting the crucial contribution of those mechanisms to fraud prevention, going beyond the protection offered by strong customer authentication, in respect of payment transactions, including transactions involving payment initiation services. Where payment service providers fail to have in place the appropriate mechanisms to prevent fraud, they should be held responsible for covering the losses of payment service users resulting from fraud.
Amendment 134 #
Proposal for a regulation
Recital 103
(103) Fraud in credit transfers is inherently adaptive and comprises an open-ended diversity of practices and techniques, including the stealing of authentication credentials, invoice tampering, and social manipulation. Therefore, to be able to prevent ever new types of fraud, transaction monitoring should be constantly improved, making full use of technology such as artificial intelligence. Often one payment service provider does not have the full picture about all elements that could lead to timely fraud detection. However, it can be made more effective with a greater amount of information on potentially fraudulent activity stemming from other payment service providers. Therefore, sharing of all relevant information between payment service providers should be mandatory. To better detect fraudulent payment transactions and protect their customers, payment services providers should, for the purpose of transaction monitoring, make use of payment fraud data shared by other payment services providers on a multilateral basis such as dedicated IT platforms based on information sharing arrangements. To improve the protection of payers against fraud in credit transfers, payment service providers should be able to rely on information as comprehensive and up to date as possible, namely by collectively using information concerning unique identifiers, manipulation techniques and other circumstances associated with fraudulent credit transfers identified individually by each payment services provider. Before concluding an information sharing arrangement, payment service providers should carry out a data protection impact assessment, in accordance with Article 35 of Regulation (EU) 2016/679.
Where the data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons, payment service providers should consult the relevant data protection authority in accordance with Article 36 of that Regulation (EU) 2016/679. A new impact assessment should not be required when a payment service provider joins an existing information sharing arrangement for which a data protection impact assessment has already been carried out. The information sharing arrangement should lay down technical and organisational measures to protect personal data. It should lay down roles and responsibilities under data protection laws, including in case of joint controllers, of all payment service providers.
Amendment 136 #
Proposal for a regulation
Recital 104
(104) For the purpose of exchanging personal data with other payment service providers who are subject to information sharing arrangements, ‘unique identifier’ should be understood as referring to ‘IBAN’ as defined in Article 2 point 15 of Regulation (EU) 260/2012. The unique identifier should be verified for all credit transfers, and not only credit transfers in euro.
Amendment 147 #
Proposal for a regulation
Recital 140 a (new)
(140 a) The EBA should be granted all the necessary resources, including human resources, to fulfill their mandate under this Regulation.
Amendment 153 #
Proposal for a regulation
Article 2 – paragraph 2 – point j – point iii
Amendment 159 #
Proposal for a regulation
Article 2 – paragraph 2 – point k
Amendment 160 #
Proposal for a regulation
Article 2 – paragraph 2 – point k – paragraph 1
Amendment 162 #
Proposal for a regulation
Article 2 – paragraph 2 – point k – paragraph 1 – point i
Amendment 163 #
Proposal for a regulation
Article 2 – paragraph 2 – point k – paragraph 1 – point ii
Amendment 165 #
Proposal for a regulation
Article 2 – paragraph 2 – point k – paragraph 2
Amendment 174 #
Proposal for a regulation
Article 2 – paragraph 7
7. By [OP please insert the date= one year after the date of entry into force of this Regulation], the EBA shall submit draft Regulatory Technical Standards to specify the conditions for the exclusion for payment transactions from the payer to the payee through a commercial agent referred to in paragraph 2, point (b) of this Article. Power is delegated to the Commission to adopt the Regulatory Technical Standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Amendment 183 #
Proposal for a regulation
Article 3 – paragraph 1 – point 36 a (new)
(36 a) ‘e-wallet provider’ means a provider which offers consumers an application to manage one or several payment services within one application without entering at any time into the possession of the funds to be transferred;
Amendment 192 #
Proposal for a regulation
Article 3 – paragraph 1 – point 53
(53) ‘commercial trade name’ means the name which is commonly used by the payee in the course of their trade and marketing to identify itself to the payer;
Amendment 201 #
Proposal for a regulation
Article 5 – paragraph 2
2. Where a currency conversion service is offered prior to the initiation of the payment transaction and where that currency conversion service is offered at an ATM, at the point of sale or by the payee, the party offering the currency conversion service to the payer shall disclose to the payer all charges and the exchange rate to be used for converting the payment transaction, including prominent and transparent disclosure of any mark-up over the latest available applicable foreign exchange reference rate issued by the relevant central bank.
Amendment 207 #
Proposal for a regulation
Article 7 – paragraph 1
Natural or legal persons providing cash withdrawal services as referred to in Article 38 of Directive (EU) [PSD3] shall provide in a prominent and easily understandable manner to their customers information on any charges directly before the customer carries out the withdrawal as well as upon receipt of the cash when the transaction is completed.
Amendment 213 #
Proposal for a regulation
Article 13 – paragraph 1 – introductory part
1. Payment service providers shall provide in a prominent and easily understandable manner to payment service users the following information and conditions:
Amendment 218 #
Proposal for a regulation
Article 13 – paragraph 1 – point f
(f) where applicable, the estimated charges for currency conversion in relation to credit transfers and money remittance transactions, expressed as a percentage mark-up over the latest available applicable foreign exchange reference rate issued by the relevant central bank as well as in real monetary value in the payer’s currency;
Amendment 221 #
Proposal for a regulation
Article 20 – paragraph 1 – introductory part
The payment service provider shall provide in a prominent and easily understandable way the following information and conditions to the payment service user:
Amendment 226 #
Proposal for a regulation
Article 20 – paragraph 1 – point c – point v
(v) where applicable, the estimated charges for currency conversion services in relation to a credit transfer expressed as a percentage mark-up over the latest available applicable foreign exchange reference rate issued by the relevant central bank, as well as in real monetary value in the payer’s currency;
Amendment 253 #
Proposal for a regulation
Article 31 a (new)
Article 31a Without prejudice to Article 6(7) of Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828, original equipment manufacturers of mobile devices and providers of electronic communication services within the meaning of Article 2 (1) Directive (EU) 2018/1972 shall allow providers of front end payment services effective interoperability with, and access for the purposes of interoperability to, the hardware features and software features necessary for storing and transferring data to process online or offline transactions, on fair, reasonable and non-discriminatory terms.
Amendment 254 #
Proposal for a regulation
Article 32 – paragraph 1 – introductory part
1. A credit institution shall only refuse to open or shall only close a payment account for a payment institution for its agents or distributors or for an applicant for a license as a payment institution in cases where it is justified on objective, non-discriminatory and proportionate grounds, in particular in the following cases:
Amendment 256 #
Proposal for a regulation
Article 32 – paragraph 1 – point b
(b) there is or has been a material breach of contract committed by the applicant for an account;
Amendment 257 #
Proposal for a regulation
Article 32 – paragraph 1 – point c
(c) insufficient information and documents pertaining to matters set out in this paragraph have been received from the applicant for an account;
Amendment 263 #
Proposal for a regulation
Article 32 – paragraph 1 a (new)
1 a. Member States shall ensure that payment institutions have a right of access to payment accounts with one or more credit institutions. Such access shall be sufficiently extensive as to allow payment institutions to provide their payment services in an unhindered, efficient and uninterrupted manner, throughout the period of their authorisation. In the event that a payment institution is not able to open a payment account with a credit institution, or if such payment account is closed, the competent authority shall nominate one or more credit institutions to provide a payment account to that payment institution.
Amendment 265 #
Proposal for a regulation
Article 32 – paragraph 1 b (new)
1 b. Where a credit institution makes a decision to close a payment account in accordance with this paragraph, the account closure shall take effect on expiry of a notice period which shall not be less than 6 months.
Amendment 267 #
Proposal for a regulation
Article 32 – paragraph 3 a (new)
3 a. A credit institution shall also notify the competent authority of its decision to close or to refuse to open a payment account. The competent authorities shall publish aggregate data on payment account refusals and closures.
Amendment 270 #
Proposal for a regulation
Article 32 – paragraph 5 – subparagraph 1
The EBA shall develop draft regulatory technical standards specifying the harmonised format and information to be contained in the notification and motivation referred to in paragraph 3 of this Article. These draft regulatory technical standards shall also develop the harmonised objectives, powers and procedure to be followed by the competent authorities in respect of appeals referred to them under paragraph 4 of this Article.
Amendment 272 #
Proposal for a regulation
Article 33 – paragraph 1 a (new)
1 a. Payees must offer to payment service users at least one payment method without surcharges which does not rely on the use of a payment initiation service provider.
Amendment 274 #
Proposal for a regulation
Article 33 – paragraph 2 a (new)
2 a. Traders such as creditors and insurance operators shall offer to payment service users a way to share their data which does not rely on the use of account information service providers.
Amendment 275 #
Proposal for a regulation
Article 33 – paragraph 2 b (new)
2 b. Without prejudice to Regulation (EU) 2016/679, payment service providers shall inform consumers in a clear and comprehensible manner when they are presented with a personalised offer that is based on automated processing of personal data.
Amendment 276 #
Proposal for a regulation
Article 33 – paragraph 2 c (new)
2 c. Traders such as creditors and insurance operators shall ensure that the conditions to access their services do not discriminate against consumers legally resident in the Union on grounds of their nationality or place of residence, the location of the payment account, the place of establishment of the payment service provider or the place of issue of the payment instrument within the Union or on any ground referred to in Article 21 of the Charter of Fundamental Rights of the European Union.
Amendment 277 #
Proposal for a regulation
Article 33 – paragraph 2 d (new)
2 d. Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925 on contestable and fair markets in the digital sector, shall not receive access to payment systems as account information service provider.
Amendment 278 #
Proposal for a regulation
Article 33 – paragraph 2 e (new)
2 e. Account information service providers shall not be allowed to combine account information data obtained pursuant to this Regulation with other types of personal data where such combination of data may result in harmful practices such as social scoring. The European Banking Authority shall develop draft Regulatory Technical Standards limiting the combination of data obtained by account information service providers with other types of personal data. The EBA shall submit the Regulatory Technical Standards referred to in this first subparagraph to the Commission by [OP please insert the date= one year after the date of entry into force of this Regulation]. When preparing the draft Regulatory Technical Standards referred to in subparagraph 2, the European Banking Authority shall closely cooperate with the European Data Protection Board established by Regulation (EU) 2016/679. Power is delegated on the Commission to adopt the Regulatory Technical Standards referred to in subparagraph 2 in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Amendment 286 #
Proposal for a regulation
Article 36 – paragraph 1 – point b
(b) the dedicated interface shall apply a re-direction approach to ensure the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the payment initiation service provider or the account information service provider;
Amendment 297 #
Proposal for a regulation
Article 37 – paragraph 2
2. In line with Regulation 2016/679/EU [GDPR], account servicing payment service providers shall provide account information services providers with the information from designated payment accounts and associated payment transactions necessary for the performance of a contract to which the data subject is party, provided that this information does not include sensitive payment data.
Amendment 299 #
Proposal for a regulation
Article 37 – paragraph 3
3. In line with Regulation 2016/679/EU [GDPR], account servicing payment service providers shall provide payment initiation service providers with the information necessary for the initiation and execution of the payment transaction provided or made available to the payment service user when the transaction is initiated directly by the payment service user. That information shall be provided immediately after receipt of the payment order and any update to the information, including but not limited to the payment status, shall be pushed to the payment initiation service provider via the dedicated interface in real-time on an ongoing basis until the payment is executed or rejected.
Amendment 302 #
Proposal for a regulation
Article 37 – paragraph 3 a (new)
3 a. The processing of customer data shall be limited to what is necessary in relation to the purpose for which it was processed. In accordance with Article 16 of Regulation (EU) No 1093/2010, the European Banking Authority shall develop guidelines on the implementation of this paragraph for payment initiation services and account information services.
Amendment 304 #
Proposal for a regulation
Article 37 – paragraph 3 b (new)
3 b. When preparing the guidelines referred to in paragraph 3a of this Article, the European Banking Authority shall closely cooperate with the European Data Protection Board established by Regulation (EU) 2016/679.
Amendment 307 #
Proposal for a regulation
Article 38 – paragraph 1
1. Account servicing payment service providers shall take all measures in their power to prevent unavailability and underperformance of the dedicated interface. Unavailability shall be presumed to have arisen when five consecutive requests for access to information for the provision of payment initiation services or account information services receive no response from the account servicing payment service provider’s dedicated interface within 30 seconds.
Amendment 312 #
Proposal for a regulation
Article 40 – paragraph 2
For the purposes of point (b), where some or all of the information referred to in that point is unavailable immediately after receipt of the payment order, the account servicing payment service provider shall ensure that any information, including but not limited to any payment status update, about the execution of the payment order is made available to the payment initiation service provider immediately after that information becomes available to the account servicing payment service provider.
Amendment 314 #
Proposal for a regulation
Article 43 – paragraph 2 – point a – point v a (new)
(v a) the dates on which data has been accessed and which categories of data have been retrieved when doing so.
Amendment 317 #
Proposal for a regulation
Article 43 – paragraph 2 – point c a (new)
(c a) allow payment services users to opt-out from data sharing with third parties in a general way for all present and future data access permission requests;
Amendment 319 #
Proposal for a regulation
Article 43 – paragraph 2 a (new)
Amendment 320 #
Proposal for a regulation
Article 43 – paragraph 2 b (new)
2 b. Where a payment services user, pursuant to paragraph 2, point b, decides to withdraw data access, the given account information service provider or payment initiation service provider shall no longer withdraw data and shall erase all data received based on the data access permission granted by the payment services user.
Amendment 327 #
Proposal for a regulation
Article 44 – paragraph 1 – subparagraph 2 – point j
Amendment 329 #
Proposal for a regulation
Article 44 – paragraph 1 – subparagraph 2 – point k
Amendment 332 #
Proposal for a regulation
Article 44 – paragraph 1 a (new)
1 a. Measures and instruments used by account servicing payment service providers in response to suspected fraud or to comply with Regulation (EU) 2016/679 [General Data Protection Regulation] do not constitute prohibited obstacles.
Amendment 337 #
Proposal for a regulation
Article 46 – paragraph 1 – point d
(d) ensure that the personalised security credentials of the payment services user are not, with the exception of the payer and the issuer of the personalised security credentials, accessible to other parties including the payment initiation providers itself and that they are transmitted by the payment initiation service provider through safe and efficient channels;
Amendment 338 #
Proposal for a regulation
Article 46 – paragraph 2 – point a
(a) use, access or store sensitive payment data of the payment service user;
Amendment 339 #
Proposal for a regulation
Article 47 – paragraph 1 – point b
(b) ensure that the personalised security credentials of the payment service user are not accessible to other parties, including the account information service provider itself, with the exception of the user and the issuer of the personalised security credentials, and that when those credentials are transmitted by the account information service provider, transmission is done through safe and efficient channels;
Amendment 342 #
Proposal for a regulation
Article 49 – paragraph 1 a (new)
Amendment 348 #
Proposal for a regulation
Article 50 – paragraph 4
Amendment 352 #
Proposal for a regulation
Article 51 – paragraph 1
1. Where a specific payment instrument is used for the purposes of giving permission, the payer and the payer’s payment service provider shall offer to the payment service user the possibility to set spending limits for payment transactions executed through that payment instrument. By default, spending limits shall be set at a low level. Payment service providers shall not unilaterally increase the spending limits agreed with their payment service users. Payment service users shall be able to restrict the options of how they can change their spending limit with the possibility to allow for a change in spending limits, for example only in the physical premises of their payment service provider and the possibility to apply a change in the spending limit only after a certain time has passed.
Amendment 355 #
Proposal for a regulation
Article 51 – paragraph 2
2. The payment service provider shall block the payment instrument in case of objectively justified risks relating to the security of the payment instrument, the suspicion of unauthorised or fraudulent use of the payment instrument or, in the case of a payment instrument with a credit line, a significantly increased risk that the payer may be unable to fulfil its liability to pay. Where such blocking does not take place despite reasonable grounds to suspect fraud, the payer shall not bear any financial consequences, except where the payer has acted fraudulently.
Amendment 356 #
Proposal for a regulation
Article 51 – paragraph 4 a (new)
4 a. The burden of proof shall lie with the payment service provider to prove that it has complied with the requirements of this Article.
Amendment 358 #
Proposal for a regulation
Article 53 – paragraph 1 – point c
(c) ensure that appropriate means, including free of charge telephone lines allowing for well-qualified personal human support without prior identification and in the official language of the host Member State are available at all times to enable the payment service user (i) to make a notification pursuant to Article 52 point (b), or to request unblocking of the payment instrument pursuant to Article 51(4); (ii) to make a notification about a fraudulent transaction; (iii) to receive qualified advice when suspecting to be victim of a fraud attack.
Amendment 360 #
Proposal for a regulation
Article 53 – paragraph 1 – point f a (new)
(f a) refrain from using unsafe communication patterns, like sending links or documents via e-mail.
Amendment 361 #
Proposal for a regulation
Article 53 – paragraph 2 a (new)
2 a. Where the payer’s payment service provider fails to comply with the obligations set out in this Article, the payer shall not bear any financial losses unless the payer has acted fraudulently.
Amendment 362 #
Proposal for a regulation
Article 53 – paragraph 2 b (new)
2 b. The burden of proof shall lie with the payment service providers to prove that they have complied with the requirements of this Article.
Amendment 371 #
Proposal for a regulation
Article 55 – paragraph 2
2. Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider, including the payment initiation service provider as appropriate, and the use of the payer’s personalised security credentials to authenticate a payment, including where relevant the application of strong customer authentication, shall in itself not be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of the obligations under Article 52. The payment service provider, including, where appropriate, the payment initiation service provider, shall provide supporting evidence to prove fraud or gross negligence on part of the payment service user.
Amendment 378 #
Proposal for a regulation
Article 56 – paragraph 2 – point b
(b) provide evidence to the relevant national authority in a written justification that the payer has acted fraudulently, and provide to the payer a substantiated justification for refusing the refund and indicate the bodies to which the payer may refer the matter in accordance with Articles 90, 91, 93, 94 and 95 if the payer does not accept the reasons provided.
Amendment 379 #
Proposal for a regulation
Article 56 – paragraph 2 – subparagraph 1 (new)
The burden of proof shall be on the payment service providers to prove that the payer has acted fraudulently.
Amendment 380 #
Proposal for a regulation
Article 56 – paragraph 6 a (new)
6 a. Set-off against the payer’s claims arising from this Article is not permitted.
Amendment 381 #
Proposal for a regulation
Article 57 – paragraph 1
1. The payer shall not bear any financial losses for any authorised credit transfer where the payment service provider of the payer failed, in breach of Article 50(1), to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer. The payer’s payment service provider shall refund the payer the amount of the financial losses immediately, and in any event no later than by the end of the following business day, after noting or being notified of the financial losses, except where the payer’s payment service provider has reasonable grounds for suspecting that there was no breach of Article 50(1) and communicates those grounds to the relevant national authority in writing.
Amendment 384 #
Proposal for a regulation
Article 57 – paragraph 2 – point b
(b) provide evidence that there was no breach of Article 50(1) to the relevant national authority and provide a substantiated justification for refusing the refund and indicate the bodies to which the payer may refer the matter in accordance with Articles 90, 91, 93, 94 and 95 if the payer does not accept the reasons provided.
Amendment 385 #
Proposal for a regulation
Article 57 – paragraph 5
5. Paragraphs 1 to 4 shall not apply if the payer has acted fraudulently or if the payer opted out from receiving the verification service in accordance with Article 50(4).
Amendment 387 #
Proposal for a regulation
Article 57 – paragraph 5 a (new)
5 a. The burden of proof shall be on the payment service providers to prove that the payer has acted fraudulently.
Amendment 390 #
Proposal for a regulation
Article 58 – paragraph 1
Technical service providers, e-wallet providers and operators of payment schemes that either provide services to the payee, or to the payment service provider of the payee or of the payer, shall be liable for any financial damage caused to the payee, to the payment service provider of the payee or of the payer for their failure, within the remit of their contractual relationship, to provide the services that are necessary to enable the application of strong customer authentication.
Amendment 400 #
Proposal for a regulation
Article 59 – paragraph 1
1. Where a payment services user who is a consumer was manipulated by a third party pretending to be an employee of the consumer’s payment service provider using the name or e-mail address or telephone number of that payment service provider unlawfully and that manipulation gave rise to subsequent fraudulent authorised payment transactions, the payment service provider shall refund the consumer the full amount of the fraudulent authorised payment transaction under the condition that the consumer has, without any delay, notified its payment service provider. Upon receival of the notification, payment service providers shall inform the consumer if a report of the fraud case to the police is required to further process the consumer's claim.
Amendment 404 #
Proposal for a regulation
Article 59 – paragraph 2 – introductory part
2. The payer’s payment service provider shall refund the payer the amount of the transaction immediately, and in any event no later than by the end of the following business day, after noting or being notified of the manipulation of the transaction, except where the payer’s payment service provider has reasonable grounds to suspect a fraud or a gross negligence by the consumer and communicates those grounds to the relevant national authority in writing. Where the payer’s payment service provider had reasonable grounds for suspecting fraud or a gross negligence by the consumer, within 10 business days after noting or being notified of the fraudulent authorised payment transaction, the payment service provider shall do either of the following:
Amendment 410 #
Proposal for a regulation
Article 59 – paragraph 2 – point b
(b) where the payment service provider has reasonable grounds to suspect a fraud or a gross negligence by the consumer, provide proof to the relevant national authority that the consumer has acted fraudulently or with gross negligence and provide to the payer a substantiated justification for refusing the refund and indicate to the consumer the bodies to which the consumer may refer the matter in accordance with Articles 90, 91, 93, 94 and 95 if the consumer does not accept the reasons provided.
Amendment 418 #
Proposal for a regulation
Article 59 – paragraph 5
5. Where informed by a payment service provider of the occurrence of the type of fraud as referred to in paragraph 1, electronic communications services providers shall cooperate closely with payment service providers and act swiftly to ensure that appropriate organizational and technical measures are in place to safeguard the security and confidentiality of communications in accordance with Directive 2002/58/EC, including with regard to calling line identification and electronic mail address. Where informed by a payment service provider of the occurrence of the type of fraud as referred to in paragraph 1, online platforms and online search engines as defined in Regulation 2022/2065/EU [Digital Services Act] shall cooperate closely with payment service providers and act swiftly in removing fraudulent content from their websites.
Amendment 424 #
Proposal for a regulation
Article 59 – paragraph 5 a (new)
5 a. Where the payment service provider is liable to the payment service user pursuant to paragraph 1 resulting from an act or omission by a trader, the supplier shall be entitled to pursue remedies against the trader liable. The trader against whom the payment service provider may pursue remedies, and the relevant actions and conditions of exercising that pursuit of remedies, shall be determined by national law.
Amendment 427 #
Proposal for a regulation
Article 60 – paragraph 1 – subparagraph 2 – point a
(a) the loss, theft or misappropriation of a payment instrument or security credentials was not detectable to the payer prior to a payment, except where the payer has acted fraudulently; or
Amendment 428 #
Proposal for a regulation
Article 60 – paragraph 1 a (new)
1 a. Where the payer’s payment service provider has reasonable grounds for suspecting fraud or a gross negligence by the consumer, within 10 business days after noting or being notified of the fraudulent authorised payment transaction, the payment service provider shall do either of the following: (a) refund the consumer the amount of the fraudulent authorised payment transaction; (b) where the payment service provider continues to have reasonable grounds to suspect a fraud or a gross negligence by the consumer, provide proof to the relevant national authority that the consumer has acted fraudulently or with gross negligence and provide to the payer a substantiated justification for refusing the refund and indicate to the consumer the bodies to which the consumer may refer the matter in accordance with Articles 90, 91, 93, 94 and 95 if the consumer does not accept the reasons provided.
Amendment 429 #
Proposal for a regulation
Article 60 – paragraph 4 a (new)
4 a. By [OP please insert the date = 12 months after the date of entry into force of this Regulation] the European Banking Authority shall issue guidelines on how the concept of gross negligence is to be interpreted for the purposes of this Regulation.
Amendment 446 #
Proposal for a regulation
Article 80 – paragraph 1 – introductory part
Payment systems and payment service providers shall be allowed to process special categories of personal data as referred to in Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725 to the extent necessary for the provision of payment services and for compliance with obligations under this Regulation, in the public interest of the well-functioning of the internal market for payment services, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including the following:when necessary to safeguard the prevention, investigation and detection of payment fraud. The provision of information to individuals about the processing of personal data and the processing of such personal data and any other processing of personal data for the purposes of this Directive shall be carried out in accordance with Regulation (EU) 2016/679.
Amendment 447 #
Proposal for a regulation
Article 80 – paragraph 1 – point a
Amendment 448 #
Proposal for a regulation
Article 80 – paragraph 1 – point b
Amendment 449 #
Proposal for a regulation
Article 80 – paragraph 1 a (new)
Payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user.
Amendment 450 #
Proposal for a regulation
Article 81 – paragraph 1 – subparagraph 1
Payment service providers and e-wallet providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to the payment services they provide. As part of that framework, payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.
Amendment 451 #
Proposal for a regulation
Article 81 – paragraph 1 – subparagraph 2 – point b
(b) account information service providers and e-wallet providers referred to in Article 36(1) of Directive (EU) (PSD3); and
Amendment 452 #
Proposal for a regulation
Article 82 – paragraph 1 – subparagraph 1 (new)
Statistical data sets on fraud shall include the number and value of reimbursed fraudulent transactions. Where reimbursement has been refused, payment service providers shall provide the reason for the rejection such as stipulating that the consumer has acted fraudulently or with gross negligence.
Amendment 453 #
Proposal for a regulation
Article 82 – paragraph 1 a (new)
1 a. National competent authorities, the European Banking Authority and the European Central Bank shall publish the statistical data in aggregated form at least on a yearly basis.
Amendment 470 #
Proposal for a regulation
Article 83 – paragraph 3
3. To the extent necessary to comply with paragraph 1, point (c), payment service providers shall exchange the unique identifier of a payee with other payment service providers who are subject to information sharing arrangements as referred to in paragraph 5, when the payment service provider has sufficient evidence to assume that there was a fraudulent payment transaction. Sufficient evidence for sharing unique identifiers shall be assumed when at least two different payment services users who are customers of the same payment service provider or a consumer organisation have informed that a unique identifier of a payee was used to make a fraudulent credit transfer. Payment service providers shall not keep unique identifiers obtained following the information exchange referred to in this paragraph and paragraph 5 for longer than it is necessary for the purposes laid down in paragraph 1, point (c).
Amendment 478 #
Proposal for a regulation
Article 83 – paragraph 4
4. The information sharing arrangements shall define details for participation and shall set out the details on operational elements, including the use of dedicated IT platforms. Before concluding such arrangements, payment service providers shall conduct jointly a data protection impact assessment as referred to in Article 35 of the Regulation (EU) 2016/679 and, where applicable, carry out prior consultation of the supervisory authority as referred to in Article 36 of that Regulation. The information sharing arrangements shall be concluded by [OP please insert the date = 12 months after the date of entry into force of this Regulation].
Amendment 482 #
Proposal for a regulation
Article 83 – paragraph 4 a (new)
4 a. To facilitate the exchange of unique identifier of a payee with other payment service providers, the European Banking Authority shall set up a dedicated IT platform allowing payment service providers to exchange unique identifiers of a payee who were used to make a fraudulent credit transfer by [OP please insert the date = 12 months after the date of entry into force of this Regulation].
Amendment 486 #
Proposal for a regulation
Article 83 – paragraph 5 a (new)
5 a. Where payment fraud originates in the publication of fraudulent content online, payment service providers shall, without undue delay, inform providers of hosting services following the procedure laid down in Article 16 of Regulation (EU) 2022/2065 [Digital Services Act].
Amendment 487 #
Proposal for a regulation
Article 83 – paragraph 5 b (new)
5 b. Where the payer’s payment service provider fails to block a transaction to an IBAN identified as fraudulent as set out in this Article, the payer shall not bear any financial losses unless the payer has acted fraudulently.
Amendment 492 #
Proposal for a regulation
Article 83 – paragraph 6 a (new)
6 a. The burden of proof shall lie with the payment service providers to prove that they have complied with the requirements under this article.
Amendment 495 #
Proposal for a regulation
Article 84 a (new)
Amendment 517 #
Proposal for a regulation
Article 85 – paragraph 12
12. The two or more elements referred to in Article 3, point (35), on which strong customer authentication shall be based shall belong to at least 2 different categories, and their independence shall be fully preserved.
Amendment 532 #
Proposal for a regulation
Article 88 – paragraph 2
2. Payment services providers shall not make the performance of strong customer authentication dependent on the exclusive use of a single means of authentication and shall not make the performance of strong customer authentication depend, explicitly or implicitly, on the possession of a smartphone or other smart devices. Payment services providers shall develop a diversity of means for application of strong customer authentication to cater for the specific situation of all their customers.
Amendment 534 #
Proposal for a regulation
Article 88 – paragraph 2 a (new)
2 a. All means of authentication shall be provided free of charge.
Amendment 547 #
Proposal for a regulation
Article 94 – paragraph 2 – subparagraph 1
Payment service providers shall make every possible effort to reply, on paper or, if agreed between the payment service provider and the payment service user, on another durable medium, to the payment service users’ complaints. Such a reply shall address all points raised, within an adequate timeframe and at the latest within 15 business days of receipt of the complaint. In exceptional situations, if the answer cannot be given within 15 business days for reasons beyond the control of the payment service provider, it shall send a holding reply, clearly indicating the reasons for a delay in answering to the complaint and specifying the deadline by which the payment service user will receive the final reply. In any event, the deadline for receiving the final reply shall not exceed 35 business days.
Amendment 548 #
Proposal for a regulation
Article 95 – paragraph 1 a (new)
1 a. The participation of payment service providers in out-of-court dispute settlement mechanisms for consumers shall be mandatory unless the Member State demonstrates to the Commission that other mechanisms are equally effective.
Amendment 552 #
Proposal for a regulation
Article 99 a (new)
Amendment 553 #
Proposal for a regulation
Article 104 a (new)