Bank of Italy communication on unauthorised payment transactions

On 17 June 2024, the Bank of Italy published a communication on unauthorised payment transactions. Inspections revealed shortcomings with several payment service providers (PSPs), such as groundless refund refusals, deficiencies in execution of refunds and card tokenization procedures. The communication provides instructions to be followed by PSPs after conducting a self-assessment.

On 17 June 2024, the Bank of Italy published a specific communication regarding unauthorised payment transactions (“Communication”). As indicated under the Communication, due to the significant changes that affected the payment services field in recent years and the growth of the use of e-payments, the Bank of Italy carried out inspections on a number of payment service providers (“PSPs”).

In this context, with specific reference to unauthorised transactions and the rights of the payment service users (“PSUs”) to obtain due refund, the Bank of Italy detected the following shortcomings:

  • groundless refusals to refund payment transactions, mainly due to PSP assessments that are not fully in line with the liability regime of PSPs and PSUs on the use of payment instruments;

  • deficiencies in the execution of refunds, with regard to the timing both for ascertaining the PSU's right to the refund (including due to requirements imposed on PSUs that are not required by law) and for restoring the account;

  • deficiencies in the information provided to PSUs, on both the manner for the PSUs to notify the PSPs of the unauthorised payment transactions and the communication of the reason for refund refusal;

  • inadequacy of the tokenization procedure of the payment cards provided in external wallets (used for payment at physical and virtual POS), with specific regard to the enrolment/onboarding process, which is often carried out without strong customer authentication (“SCA”) or through authentication elements that are not under the control of the PSP card issuer.

In this regard, the Communication sets out the following instructions for PSPs to ensure consistent conduct and compliance with applicable rules:

  • Policy on unauthorised payment transactions: PSPs should adopt a specific policy setting out the categories of unauthorised transactions, regardless of the payment instruments used, and the relevant timing for processing the requests (also to prevent some of them from being handled as ordinary complaints);
  • Handling of unauthorised payment transactions: this process must be handled taking into account the rules on allocation of liability between PSPs and PSUs. In particular, in the absence of fraudulent behaviour of the PSU, the PSP must ensure the refund in cases where the latter does not request SCA or fails to prove that the transaction was authorised with SCA. For SCA transactions, an adequate assessment of the PSU behaviour must be ensured;
  • Automated procedures: such procedures, if any, are based on granular grids allowing an adequate verification of the fraud or gross negligence of the PSU;
  • Internal education: in order to ensure the proper assessment of PSU requests, PSPs should arrange adequate employee awareness initiatives, in particular for the personnel handling these requests;
  • Timing: internal rules must define the timeframe for processing claims for unauthorised payment transactions in line with the applicable rules. In this regard, PSPs should avoid burdensome requests for additional documents from PSUs and ensure adequate channels of contact with the latter. Also, specific mechanisms must be adopted to ensure, where applicable, that the account is restored to the state in which it would have been had the unauthorised payment transaction not taken place, with the correct value date and no additional costs;
  • Transparency documents: the transparency information to be provided to PSUs must clearly indicate the rights of the latter and how to make the notifications to the PSPs, avoiding general reference to the provisions of law. Also, transparency documents as well as T&Cs must clearly indicate the PSPs’ right to recover the sums initially refunded if, at the outcome of any subsequent investigation, it emerges that the transaction was authorised, also specifying the relevant timing;
  • Communication to PSUs: communications towards PSUs must be clear and comprehensible and include information on the reasons for the refusal of the refund request and on the possibility to challenge this in the competent venues;
  • Card tokenization procedures: such procedures must be in line with the requirements set out in the SCA Regulation when 'enrolment' is carried out both by using the mobile banking app of the PSP card issuer and directly in the context made available by external 'wallet providers';
  • ABF ruling: PSPs are also required to take into account rulings of the Arbitro Bancario e Finanziario (“ABF”), the Bank of Italy's out-of-court dispute resolution system, on these subject matters.

Next steps

PSPs are required to carry out a self-assessment of the procedures currently adopted and to ensure compliance with the above. If needed, PSPs should arrange a remediation plan to be finalised within 12 months of the publication of the Communication.

The assessment and analyses conducted by PSPs should be appropriately formalised and will be subject to verification in the context of the supervisory activity of the Bank of Italy.

Authored by Jeffrey Greenbaum and Elisabetta Zeppieri.
