Secure payment

Authorization of Payment Transactions

Article 25. Consent and withdrawal of consent.

1. Payment transactions will be considered authorized when the payer has given consent for their execution. In the absence of such consent, the payment transaction will be deemed unauthorized.

The payer and their payment service provider shall agree on the method of providing consent and the procedure for its notification.

2. Consent may be granted before the execution of the transaction or, if agreed upon, after execution, in accordance with the procedure and limits established between the payer and their payment service provider.

3. The payer may withdraw consent at any time before the irrevocability date referred to in Article 37. When consent has been given for a series of payment transactions, its withdrawal will imply that any future payment transaction covered by such consent will be considered unauthorized.

Article 26. Limitations on the use of the payment instrument.

1. When a specific payment instrument is used to notify consent, the payer and the payment service provider may agree to set limits on payment transactions executed through that payment instrument.

2. Provided it has been agreed in the framework contract, the payment service provider may reserve the right to block the use of a payment instrument for objectively justified reasons related to the security of the payment instrument, suspicion of unauthorized or fraudulent use, or, if linked to a credit line, if its use may significantly increase the risk of the payer being unable to meet their payment obligations.

3. In the cases mentioned above, the payment service provider shall inform the payer, in the agreed manner, of the blocking of the payment instrument and the reasons for it. If possible, this communication will be made prior to the blocking; otherwise, it will be made immediately afterward, unless the provision of such information is compromised by objectively justified security reasons or is contrary to any other legal provision.

4. The payment service provider shall unblock the payment instrument or replace it with a new one once the reasons for blocking its use have ceased to exist. This does not affect the user's right to request unblocking under such circumstances. The unblocking of the payment instrument or its replacement with a new one shall be carried out at no cost to the payment service user.

Article 27. Obligations of the payment service user regarding payment instruments.

The payment service user authorized to use a payment instrument must comply with the following obligations:

• a) Use the payment instrument in accordance with the conditions governing its issuance and use. In particular, upon receiving the payment instrument, the user must take all reasonable measures to protect the personalized security elements of the instrument.
• b) In case of loss, theft, or unauthorized use of the payment instrument, notify the payment service provider or the designated entity without undue delay as soon as they become aware of the issue.

Article 28. Obligations of the payment service provider regarding payment instruments.

The payment service provider issuing a payment instrument must fulfill the following obligations:

• a) Ensure that the personalized security elements of the payment instrument are accessible only to the authorized payment service user. In particular, the provider will bear the risks arising from sending both a payment instrument and any associated personalized security elements to the payer.
• b) Refrain from sending unsolicited payment instruments, except when replacing an existing payment instrument already delivered to the user.
• This replacement may be justified by the inclusion of new functionalities not explicitly requested by the user, provided that the framework contract allows for such a possibility and the replacement is carried out free of charge for the customer.
• c) Ensure that adequate and free-of-charge means are available at all times, allowing the payment service user to communicate as indicated in Article 27.b) or request an unblock as stipulated in Article 26.4. In this regard, the payment service provider shall also make available to the user, free of charge, means to demonstrate that such communication has been made within the 18 months following the notification.
• d) Prevent any use of the payment instrument once the notification referred to in Article 27.b) has been made.

Article 29. Notification of unauthorized or incorrectly executed payment transactions.

1. When the payment service user becomes aware of an unauthorized or incorrectly executed payment transaction, they must report it without undue delay to the payment service provider to request rectification.

2. Unless the payment service provider has failed to provide or make accessible the necessary information regarding the transaction to the user, the communication referred to in the previous article must be made within a maximum period of thirteen months from the date of the debit or credit.

If the user is not a consumer, the parties may agree on a shorter period different from the one specified in the previous paragraph.

Article 30. Proof of authentication and execution of payment transactions.

1. When a payment service user denies having authorized an executed payment transaction or claims that it was executed incorrectly, it will be the responsibility of their payment service provider to demonstrate that the transaction was authenticated, accurately recorded, and accounted for, and that it was not affected by a technical failure or any other deficiency.

2. For the purposes of the previous section, the provider's record of the use of the payment instrument will not necessarily be sufficient to prove that the payment transaction was authorized by the payer, nor that they acted fraudulently or deliberately or with gross negligence in breaching one or more of their obligations under Article 27.

Article 31. Liability of the payment service provider in case of unauthorized payment transactions.

Without prejudice to the provisions of Article 29 of this Law and any compensation for damages that may be applicable under the regulations governing the contract between the payer and their payment service provider, if an unauthorized payment transaction is executed, the payer's payment service provider shall immediately refund the amount of the unauthorized transaction and, where applicable, restore the payment account from which the amount was debited to the state it would have been in had the unauthorized transaction not been carried out.

Article 32. Liability of the payer in case of unauthorized payment transactions.

1. Notwithstanding the provisions of Article 31, the payer shall bear up to a maximum of 150 euros in losses arising from unauthorized payment transactions resulting from the use of a lost or stolen payment instrument.

2. The payer shall bear the full amount of losses incurred due to unauthorized payment transactions that result from their fraudulent actions or deliberate or grossly negligent breach of one or more of their obligations under Article 27.

Article 33. Refund of payment transactions initiated by a payee or through them.

1. The payer shall have the right to a refund from their payment service provider for the full amount of authorized payment transactions initiated by a payee or through them, provided the following conditions are met:

• a) When the authorization did not specify the exact amount of the payment transaction, and
• b) The amount exceeds what the payer could reasonably expect, considering their previous spending patterns, the conditions of their framework contract, and relevant circumstances.

At the request of the payment service provider, the payer must provide factual data related to these conditions.

Regarding direct debits, the payer and their payment service provider may agree in the framework contract that the payer has the right to a refund from their provider, even if the conditions for reimbursement outlined above are not met.

2. For the purposes of paragraph 1, letter b), the payer may not invoke reasons related to currency exchange if the agreed reference exchange rate was applied by their payment service provider.

3. In any case, the payer and the payment service provider may agree in the framework contract that the payer has no right to a refund if they have directly transmitted their consent for the payment order to the provider, as long as the provider or the payee has provided or made available the relevant payment transaction information at least four weeks before the scheduled transaction date.

Article 34. Refund requests for payment transactions initiated by a payee or through them.

1. The payer may request a refund, as referred to in Article 33, for an authorized payment transaction initiated by a payee or through them, within a maximum period of eight weeks from the date the funds were debited from their account.

2. Within ten business days of receiving a refund request, the payment service provider must either refund the full amount of the payment transaction or justify its denial, in which case they must provide the user with information on the available judicial and extrajudicial claim procedures.

In the case of direct debits, such denial cannot occur if the payer and their payment service provider have agreed in the framework contract that the payer has the right to obtain a refund, even if the conditions outlined in Article 33.1 are not met.