Identity Theft in Consumer Finance: Consent, Contract and Liability
Analysing Rules on Loss Allocation in Norwegian, Estonian and EU Law
Associate Professor in Civil Law
Department of Private Law at the University of Tartu, Estonia
Piia.kalamees@ut.ee
Published 07.05.2025, Oslo Law Review 2025/2, Volume 11, pp. 1-18
Identity theft in financial services is a widespread problem in Europe. Scammers harm consumers and financial institutions by misusing electronic identity systems to access credit and make fraudulent payments. This article examines how private law distributes losses between consumers and financial institutions in such situations. It does so by analysing national private law regarding fraudulent credit contracts in Norway and Estonia, where financial services are highly digitised, and by examining common European rules for unauthorised payments. It is found that questions of contract formation, apparent authority, tort and evidence play key roles in distributing liability for fraudulent credit contracts under national private law. Additionally, these issues intrude on the common European framework on payment fraud through the ʻconsent’ requirement for payments in the second Payment Service Directive Article 64 (1). Given the high prevalence of digital identity fraud in Europe, the interpretation and application of private law and evidentiary rules have significant implications for the level of protection afforded to European consumers in the event of identity theft.
Keywords
- electronic identity
- fraud
- consumer protection
- payments
1. Introduction
Transactions require trust. At the very least, a contracting party needs to be certain that their counterparty really is who they claim to be. In the digitised world of modern finance, consumers often identify themselves using electronic identity (eID) systems when making payments or obtaining credit. Such systems are not perfect. They rely on humans to safeguard passwords, PIN codes and physical carriers such as cards and mobile phones. Our nearest and dearest can take advantage of our trust, while professional fraudsters have a plethora of techniques to exploit faults in our handling of precious information and objects.
Identity thieves are often financially motivated, aiming to access credit or make payments in the name of the victim, thereby harming both financial institutions and consumers. Even if authorities can apprehend the culprits, fraudsters rarely have funds to cover the damages they have wrought. Identity theft therefore gives rise to civil disputes between market actors and consumers. Should the consumer be financially responsible for having ʻallowed’ a third party to impersonate them using their eID?
When a fraudster uses a stolen identity to make a payment, the second Payment Service Directive (PSD II) provides a common European liability framework, although the directive gives the Member States discretion on some essential questions. When a fraudster misuses electronic identity for other purposes – such as signing a credit agreement – the question of liability falls to the national private law of Member States. In several European countries, it has become a hotly contested issue.
Currently, several relevant EU initiatives are at different stages of conception and implementation. In 2021, the European Commission proposed a revision of the existing European regulation on electronic identification (eIDAS regulation). The revised regulation, which launches the concepts of a ʻEuropean digital identity’ and a ʻdigital identity wallet’ (DIW), was officially adopted by the Council in March 2024. By way of the DIW, consumers will supposedly be able to do business securely with private and public institutions in any EU/EEA Member State. A proposed new regulation on payment services, building on PSD II, passed the European Parliament on first reading in April 2024. A new directive for consumer credit (Consumer Credit Directive), taking into account the ʻrapid technological developments registered’ since the adoption of the existing directive in 2007, entered into force in 2023. While the proposal for a payment service regulation includes some adjustments to the existing liability rules for unauthorised transactions, which have been further developed by the European Parliament, neither the eIDAS proposal nor the new Consumer Credit Directive addresses the civil consequences of eID fraud. Against this background, we attempt to answer the following question: How do European legal systems currently apportion losses from third-party digital identity fraud against consumers for credit contracts and payments?
The different sets of rules applying to the two situations of fraud inform the choice of materials to analyse and the methodological approach of this article. As there are no EU-wide rules applicable for credit fraud, the analysis of liability rules in credit fraud cases must examine national private law. The article therefore outlines the current positions in Norway and Estonia, two EU/EEA countries with a high level of digitisation of financial services and where fraudulent credit contracts have given rise to high-profile court cases in the past few years. An analysis of two countries is of course insufficient to answer comprehensively how liability for eID-based credit fraud is distributed across Europe, but should provide insights into current approaches in national law and how they affect the legal positions of consumers and lenders. They also offer interesting case studies on account of their different legislative traditions. While Estonia is a highly codified system of civil law, Norway is a ʻmixed system’ without a comprehensive civil law code. Norway has seen intense academic and political debate on the issue, which has not been the case in Estonia. In the case of payment fraud, the approach is more straightforward. We provide a doctrinal analysis of the increasingly contested question of what constitutes ʻconsent’ to a payment transaction under PSD II Article 64 (1), which is, as we will show, crucial for the allocation of losses in payment fraud situations.
This article proceeds as follows. We first explain how electronic identity systems in Norway and Estonia work and how fraudsters misuse these systems to act in the consumer’s name, thereby creating a loss (Section 2). We then explain and compare the two different approaches in Norway and Estonia in identity fraud cases concerning credit fraud (Section 3). We then examine the question of what it means to ʻconsent’ to a payment transaction within the meaning of PSD II in the context of identity fraud (Section 4) and the implications of different answers to that question. In Section 5, we offer our conclusions.
2. Use and Misuse of eID Systems in Norway and Estonia
2.1 Strong Customer Authentication and Electronic Signatures
The use of eID as referred to in this article encompasses both what is typically referred to as authentication and the production of electronic signatures. Authentication in the context of electronic commerce is the verification of the identities of the parties. The bank wants to know that only person A can log in to a bank account and therefore asks person A for authentication during login. Authentication can take the form of a simple login with a username and password. Modern online services, including financial service providers, typically demand that payment service providers use ʻstrong customer authentication’ (SCA). Under PSD II, SCA requires authentication to be ʻbased on the use of two or more elements categorised as knowledge …, possession … and inherence’. This generally involves the consumer having to use a particular object (eg their mobile phone, a code generator or an identity card) in conjunction with passwords or biometrics. The consumer is typically obligated to protect access to their eID from third parties through standard terms and legislation.
An electronic signature ties such an authentication procedure to other data, usually a document. Businesses can use electronic signatures to indicate that a consumer has not only confirmed their identity but also accepted a particular course of action, such as their agreement to a contract. Electronic identity systems and electronic signatures are subject to regulatory rules in the current eIDAS regulation, which distinguishes between different levels of security. Under Article 26, an electronic signature is ʻadvanced’ if it satisfies certain requirements for technical and operational security. Systems for ʻqualified’ signature certificates – the highest level of security – must also comply with a list of regulatory requirements and receive certification from national competent authorities.
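The two mechanisms described above (SCA built from factors of different categories, and an electronic signature binding an authentication event to a document) can be made concrete in a small model. The following is an added Python example, not code from the article and not a model of BankID, the Estonian ID card or any other real eID system. It assumes its own mapping of factors to PSD II categories, and it stands in an HMAC keyed with a per-holder secret for the asymmetric signature a qualified certificate would actually use, so that it runs with the standard library only.

```python
"""Toy model of strong customer authentication (SCA) and of an electronic
signature that binds an authentication event to a document.
Constructed example: it models no real eID system and uses an HMAC as a
stand-in for the asymmetric signature a qualified certificate would use."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# PSD II categorises SCA elements as knowledge, possession and inherence.
# Which concrete factor belongs to which category is this example's own mapping.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "code_generator_otp": "possession",
    "registered_phone_app": "possession",
    "fingerprint": "inherence",
    "face_scan": "inherence",
}


def satisfies_sca(factors):
    """True when two or more factors from *different* categories were used.
    A password plus a PIN is two factors but one category, so it is not SCA."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class Carrier:
    """Stand-in for an eID carrier (card, SIM, app) holding a per-holder secret."""
    holder: str
    secret: bytes


def issue_carrier(holder):
    return Carrier(holder, secrets.token_bytes(32))


def sign(carrier, document):
    """Bind the carrier's key to the exact bytes of the document.
    Real systems sign the digest with a private key; the HMAC here is a
    simplification so the example needs only the standard library."""
    digest = hashlib.sha256(document).digest()
    return hmac.new(carrier.secret, digest, "sha256").hexdigest()


def verify(carrier, document, signature):
    """Valid only for the same key and a byte-identical document. Note what
    this does and does not establish: the carrier's key was used on these
    bytes, not that the registered holder was the person who used it."""
    expected = sign(carrier, document)
    return hmac.compare_digest(expected, signature)


def demo():
    """Sign a constructed credit agreement and run three verifications."""
    consumer = issue_carrier("consumer A")
    other = issue_carrier("consumer B")
    agreement = b"Credit agreement: 5000 EUR, 24 months"  # constructed document
    signature = sign(consumer, agreement)
    return {
        "genuine": verify(consumer, agreement, signature),
        "tampered": verify(consumer, b"Credit agreement: 50000 EUR, 24 months", signature),
        "other_holder": verify(other, agreement, signature),
    }


if __name__ == "__main__":
    print(satisfies_sca(["password", "code_generator_otp"]))  # SCA met
    print(satisfies_sca(["password", "pin"]))                 # not SCA
    print(demo())
```

The `verify` docstring carries the point that matters for the later liability discussion: a valid signature proves that the key on the carrier was applied to exactly those document bytes, which is why a changed amount or a different holder's key fails, but it says nothing about who held the carrier or entered the codes at the time.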
2.2 Relevant eID Systems and How They Are Misused
In Norway and Estonia, public or de facto public eID systems are widely used for private transactions. In Estonia, for example, consumers can choose between using the digital operability of their national ID card, their mobile ID (SIM card-based eID carrier) and their Smart ID (smart device-based eID carrier) for authentication. For all these carriers, the consumers enter their social security number, a private 4-digit code to authenticate themselves and, if applicable, an additional 5-digit code to provide an electronic signature. Estonians use eID widely for everyday transactions and operations. In a country of roughly 1.4 million people, 12.5 million ID card transactions are made annually, and 3 million electronic signatures are given monthly. The electronic signatures used in Estonia are all ʻqualified’ electronic signatures under the eIDAS scheme.
In Norway, consumers mostly use BankID, an eID system developed by the Norwegian financial industry. BankID serves as a de facto public eID used for tax reporting, applying for higher education and booking healthcare appointments. BankID is used both for authentication of payments and for electronic signatures on credit agreements. The authentication process is largely similar to the Estonian one, although an additional code is not required for electronic signatures. A consumer can choose between using their mobile phone as a carrier or using a code generator. BankID is not a qualified signature under the eIDAS regulation.
Introducing secure two-factor authentication systems has been a major focus of European lawmakers in the area of digital finance. Unfortunately, experiences from Norway and Estonia show that the adoption of technically sound eID systems for strong customer authentication does not eliminate fraud. Fraudsters are highly adaptable. They target the weakest links – the consumers themselves – and misappropriate eIDs by gaining security credentials in a myriad of deceitful ways. One common type of eID fraud is to steal or misappropriate the relevant physical object, such as a code chip, mobile phone or ID card, and somehow learn the passwords or codes. A reading of Norwegian case law reveals many examples of fraudsters gaining access to physical carriers and passwords. In many cases, the fraudster is someone close to the victim, such as a spouse or a child. In Estonia, there are several court cases in which fraudsters have gained access to the ID card and the two PIN codes necessary for authentication or producing a signature.
It is also possible to defraud someone without gaining physical control of a mobile phone, card or a similar physical carrier. Many cases involve phone calls in which professional fraudsters impersonate police officers or bank employees and ask for PIN codes and other relevant data under the pretence that they require such information to stop an ongoing cyberattack towards the consumer – a technique often called ʻvishing’. Such social manipulation might convince consumers to reveal their passwords or one-time codes from the carrier so the fraudsters can use them. These methods may also be used to trick the consumer into authenticating a payment or credit contract directly. The fraudster might present themselves as calling from the authorities and explain that the victim needs to verify their identity to protect themselves from an ongoing cyberattack. While on the phone, the fraudster can send authentication requests, which the consumer is manipulated into answering, by scanning their face or entering a password on their device. As they speak, the fraudster logs into the consumer’s online bank account. Fraudsters also still rely on phishing, in which the victim enters valid codes and passwords into fake websites with the mistaken belief that they are logging on to their online bank or a government website. A particularly hazardous situation can arise if a fraudster circumvents the security measures in an application process and orders a fraudulent eID in the victim’s name.
These techniques can allow fraudsters to both access the consumer’s online bank and accept credit contracts. In one case, the fraudster gains authentication to log into the victim’s online bank and then authenticates/provides an electronic signature to a bank transfer, and in the other case, they apply for and then consent to a credit agreement (typically by providing an electronic signature). In both cases, the basic trick is getting between the bank and the consumer by using eID and relying on smooth and quick payment and credit systems to obtain funds quickly. Both types of fraud can be perpetrated by professional fraudsters or by persons close to the victim – such as a friend, spouse or family member – who have exploited the victim’s trust.
3. Fraudulent ʻConsent’ to Credit Contracts – Loss Allocation Under National Private Law in Estonia and Norway
3.1 Contract Formation and Evidentiary Rules
In this section, we examine how Norwegian and Estonian law treat cases in which a consumer alleges that a fraudster has entered a credit agreement through the appropriation of their digital identity. In both countries, a statement made in another’s name without their permission generally does not bind the latter contractually. The use of eID does not, on its own, alter that fundamental starting point. However, a consumer who is not able to prove that they did not perform (or consent to) the action in question remains bound by the contested contract. A question arises: How should we assess evidence when a consumer claims that a fraudster acted in their name without their permission?
In Estonia, the bar for courts to believe consumers in such cases is high. In 2019, the Estonian Supreme Court considered a case in which a consumer claimed that a credit purchase was the result of a third person using their electronic identity. The Court concluded that if a contract is signed digitally using the owner’s ID card and PIN codes, it should be assumed that the owner of the ID card has signed the contract. The court also indicated that the burden of proof lies with the consumer to show that someone else signed the contract and that the alleged third party acted against their will. It is insufficient for the consumer to prove that the contract was concluded by a third party. Lower courts have followed this reasoning and found there to be a contract between the owner of the eID and the creditor in similar cases.
Moreover, Estonian civil procedures contain rules on the presumed authenticity of documents signed electronically, which further emphasise the burden of proof for the consumer. A special rule on contesting the authenticity of an electronic document with a digital signature can be found in § 277 (3) of the Code of Civil Procedure. The consumer can only contest an electronic document’s authenticity if the alleged signatory can provide sufficient facts to substantiate their claim of fraud. This provision thereby constitutes a presumption of the digital signature’s authenticity based on its recognised security and the ability to verify its authenticity through national electronic certification procedures. This is a clear deviation from the main rule for physical signatures on documents, where a mere contestation of the authenticity of the document is sufficient to bring a case.
There are no similar rules in Norwegian civil procedure regarding electronically signed documents; general evidentiary principles apply. A sceptical line towards consumer claims of fraudulent eID use was nonetheless cemented by the Supreme Court in a case from 2017 that concerned unauthorised payments and was understood by lower courts to provide guidance in cases concerning credit agreements. The reasoning in these cases was that it fell on the consumer to prove that the eID was used without their consent, as long as the technical aspects of the authentication procedure were without fault.
Through the new Financial Contracts Act, which entered into force in 2023, the Norwegian legislator adjusted the framing of the evidentiary question in the consumer’s favour. Building on the rule found in PSD II Article 72 (2), the law now states that the mere use of the relevant eID should not, on its own, be taken as conclusive evidence of the consumer’s knowledge of the transaction. Further, the statute demands that the credit institution show to a ʻqualified’ degree that the consumer knew of the transaction for this fact to be considered established. In theory, this should mean that a 50/50 situation should fall in the consumer’s favour, but to date, there is no case law referring to this provision. The use of an eID may still carry significant weight as evidence that the consumer entered the contract or that they gave their consent for a third person to enter the contract in their name, as it is not trivial for a third party to access someone’s eID. The bank must, however, actively make a case against the consumer’s own explanation of the facts.
3.2 Liability Under Contract or Tort Law
If the consumer successfully shows that a fraudster made the commitment in their name, the focus will turn to whether they are legally responsible for the consequences of the fraudster’s actions. One possible argument for holding the consumer accountable is the concept of apparent authority. In eID fraud cases, the credit provider often argues that the fraudster had apparent authority because they failed to act in accordance with the terms and conditions of the electronic identity certificate (acting negligently), for example, by allowing a family member to use the eID or being tricked into providing passwords in a ʻvishing’ scheme.
In the above-mentioned case from 2019, the Estonian Supreme Court indicated that the misuse of an eID by a fraudster may lead to a binding credit contract between the creditor and the consumer through rules on apparent authority. Although this observation was only made in passing, the Court indicated that such an application of apparent authority is probable under Estonian law. The Estonian Act on the General Part of Civil Code (GPCC) recognises two different cases of apparent representation. One case arises when the principal knew of transactions made in their name and tolerated them (talumisvolitus), and the other occurs when the principal did not know of the transaction but should have known (näivusvolitus). According to § 15 (4) of the Law of Obligation Act (LOA), the person should have been aware of the circumstances if they were unaware of them due to gross negligence. This means that the owner of the eID failed to exercise necessary care to a material extent. The Supreme Court has stated that the owner of the eID must practise a high level of care while handling and safekeeping their card and PINs. Taken together, the statements made by the Supreme Court indicate that failure to protect electronic identity from fraud could conceivably be used as a basis for a contractual claim based on apparent authority, although there is no case law to this effect yet. In both Sweden and Denmark, doctrines of apparent authority have been used to hold consumers accountable in supreme court cases, although one can hardly speak of a general rule to this effect, as both supreme courts seem to reserve room for factors specific to the case on the sides of both the lender and the consumer.
In Norway, the view has been that third-party identity fraud does not give rise to apparent authority. However, credit providers have – often successfully – argued that the consumer’s negligence gives rise to a claim based on tort law. The basis of the tort claim is typically as follows: having lent to what turned out to be a fraudster, the bank has suffered a loss. The bank sues to shift this loss to the BankID owner because they failed to show the necessary care in using and storing the code chip or password, thereby acting negligently. Many such cases appeared in Norwegian courts during the 2010s. When judging the degree of diligence required by the consumer, Norwegian courts typically looked to the rules in the then-existing Financial Contracts Act transposing PSD I Article 56 (now PSD II Article 69), which required a customer to take ʻall reasonable steps’ to protect personalised security credentials and to adhere to the terms and conditions of the payment instrument. These terms typically forbid sharing passwords or objects and require a high degree of diligence. At the same time, the courts, by and large, rejected any analogy from the liability limits in PSD II and insisted that ʻmere negligence’ regarding the protection of security credentials and the BankID code chip would be sufficient to establish a claim. The possibility of suing allegedly negligent consumers for damages served as a replacement for a valid contract. In many cases, this approach left consumers responsible in situations where they had not willingly provided the fraudster with the means to use the eID. The claims were often for significant amounts of money.
Partly because of significant academic and political debate, two developments have subsequently limited the ability of credit providers to succeed with these claims. First, in such a tort case in 2020, the Supreme Court issued a judgment regarding eID misuse. The case concerned an eID owner who had kept his code chip in a purse in a closet in his workplace, where it was misused by people who had access to the location. The Supreme Court accepted that it was unwise to leave the code chip in his work closet over the holidays, but found this lack of care insufficient to establish a claim on the bank’s behalf. The lack of additional mechanisms of control, such as a text message to the supposed loan applicant or a letter to his digital mailbox, as well as the fact that the loan had been paid to an account registered to a third person, meant that the bank could not invoke the consumer’s lack of care as negligence. The decision was widely regarded as corrective to the lower courts on the issue of consumer liability in eID fraud credit contracts.
A new Financial Contracts Act was also passed by Parliament in 2020 and entered into force in 2023. In this reform, the PSD II limitations on consumer liability in payment transactions were applied to misused electronic signatures. In the area of financial services, misuse of electronic signatures now leads to a 12 000 NOK (approximately 1000 euros) liability if the consumer is grossly negligent, and full liability if there has been an intentional violation of the consumer’s duties to protect and safeguard their electronic identity. The requirement regarding intent means that the consumer must have understood that they acted in violation of the terms and conditions and the risk they generated by their negligent action. The bar is intentionally set high, and falling for professional fraud like ʻvishing’ is unlikely to lead to full liability.
3.3 Assessment
The liability question for fraudulent credit contracts clearly raises difficult problems of both fact and law in both countries. Rules for assessing evidence seem to play an important role. The sides of the dilemma are clear. Credit providers may argue that courts should presume electronic identities to be genuine so that businesses feel secure in relying on them and thereby fully realise the efficiency gains of digitisation. Further, there is fear that bad actors could use fraudulent claims of third-party misuse to defraud banks. On the other hand, consumers are generally at a disadvantage in terms of knowledge and resources when battling a professional creditor in court, and this also applies to the gathering of evidence. In Norway and Estonia, the eID systems in question are, de jure or de facto, public systems relied upon for crucial public services. As a result, citizens cannot realistically choose to live without such a digital identity. If we operate from strong presumptions about the authenticity of electronic signatures, we are likely to see many cases solved based on evidentiary rules alone, which is worrisome when the misuse of digital identity is widespread and acquiring an eID can hardly be considered a choice.
From these reviews of national law, it seems that Estonian and Norwegian law currently strike the balance in different ways. The rule operating in Estonia is significantly harsher on consumers than the one in the Norwegian Financial Contracts Act. The Estonian civil courts, as a rule, find there to be a valid contract between the consumer and the creditor, and it is complicated for the consumer to prove that they were not the person signing the contract. Even if they can prove that a third person has used their eID to sign a consumer credit contract, it is very difficult to prove, as the Estonian Supreme Court wants, that possession of the eID was lost against their will. In general, one would think scepticism was warranted towards evidentiary presumptions for the genuineness of electronic signatures, given the high propensity of fraud. However, much can also depend on how strong such a presumption is. If it can be overturned by presenting a police report and a somewhat coherent story, a presumptive rule is not necessarily particularly burdensome. For example, the Swedish Supreme Court has advanced an evidentiary presumption in credit providers’ favour, but one which is seemingly more cautious and thereby easier to overturn.
As for liability in the case of proven third-party misuse, both contractual and tort approaches are possible. National private law can be used for holding consumers accountable for third-party use, but the risk placed on the consumer can vary considerably between national systems. The particular differences between Norwegian and Estonian law can best be summarised by three different types of cases.
In both countries, the positions outlined above indicate a significant probability that the consumer will be held liable to the credit provider if they knew about the third person using the eID to access credit and did not attempt to stop it. In Estonia, this conclusion would be beyond doubt. In Norway, it is likely that such a situation would meet the definition of ʻintent’ under § 3-20 of the Financial Contracts Act. This is in line with the concept of ʻauthority of acquiescence’ or ʻduldungsvollmacht’ known in many European jurisdictions. The consumer has made a conscious choice to tolerate a third party acting in their name for a particular purpose, and the interests of a counterparty in good faith are deemed worthy of protection even if the fraudster acted contrary to the interests of the consumer.
Conclusions would, however, diverge in a situation in which the intention was for the fraudster to use the eID for purposes other than acquiring credit. A typical example is a family member or spouse who is given access to the eID to help the consumer with bills or appointments. As eIDs are usually strictly personal, this would be a breach by the consumer of the terms and conditions of the eID. In Estonia, this consumer would likely be seen as having granted authority to the fraudster, which would cover credit contracts, as the control of the eID was not lost against the will of the consumer. In Norway, courts are unlikely to deem the breach ʻintentional’ under the Financial Contracts Act and would therefore limit the liability to 12 000 NOK (approximately 1000 euros).
In some cases, the consumer never intends to provide a third party with access to their eID but is manipulated into providing codes and passwords through phishing or vishing, or a person close to the victim can use the carrier and learns the password without the victim’s knowledge. Again, such a situation would not lead to liability beyond 12 000 NOK (approximately 1000 euros) in Norway, as the threshold for ʻintent’ would not be met. In Estonia, rules on apparent authority (in the form of näivusvolitus) could be applicable in such a situation, and the consumer risks liability even if fraud is proven, although there is no case law to this effect yet.
These divergent approaches call for some reflection. Considering the aims of the EU for strong consumer protection in the area of finance and cybercrime, we would consider limiting consumer liability – as the Norwegian legislator has done – a reasonable approach as a matter of policy, particularly in cases of professional fraud. Consumers do not choose to participate in a certain economic sphere by acquiring an eID. It is a requirement for participating in a digital society. Many are likely unaware of the degree to which some businesses trust the eID as a basis for providing considerable amounts of credit. Credit providers have greater financial resources and accrue significant benefits through digitisation. They are also obligated to have safeguards and routines in place against fraud and should arguably not rely solely on eID systems for larger unsecured credit contracts. The worry with leniency might be that consumers become careless or put forth fraudulent claims of identity theft in the absence of a strong liability regime. In this regard, it should be mentioned that the introduction of liability limits in Norway does not seem to have led to such a result. Credit providers seem to have been incentivised to invest in security mechanisms and sounder practices. There are indications that eID-based credit fraud in Norway has in fact been reduced, although more empirical work is needed to understand by how much, or precisely why. It is at least not obvious that consumer protection in this area will always conflict with the aim of better security.
4. Fraudulent ʻConsent’ in Payment Fraud – Loss Allocation Under the EU Scheme for Payments
4.1 The PSD II System and the Function of ʻConsent’
Often, the identity of the consumer is not misused to make a contract but to order a payment. Here, national private law is supposed to play a subordinate role, as PSD II provides a common liability framework for all states in the EU/EEA. The protection consumers enjoy under PSD II serves the general aim of achieving a high level of consumer protection in payment services. It also serves the larger goal of protecting consumers from identity-based cybercrime. As mentioned, a proposal for a new regulation of payment services, replacing PSD II, has passed the European Parliament on first reading. We discuss some of the innovations in the current proposal in Section 4.4.
On the surface, PSD II is based on a simple and coherent system. A payment transaction is authorised if the consumer ʻhas given consent to execute the payment transaction … in the form agreed between the payer and the payment service provider’, as per Articles 64 (1) and (2). If consent is not present, the transaction is ʻunauthorised’, and the consumer – as a starting point – is not responsible for any loss generated by the transaction. According to the main rule in Article 73 (1), the payment service provider must refund the customer immediately, or at the latest, by the end of the next working day. According to Article 74 (1), the consumer may be charged 50 euros unless the misappropriation of a payment instrument was ʻnot detectable prior to a payment’ or caused by ʻacts or lack of action’ on the side of the payment service provider. Further, a consumer who with gross negligence or intent breached obligations to protect the payment instrument shall bear all losses. The degree of negligence is determined in accordance with national law. Countries may restrict the liability of a consumer who has been grossly negligent but not one who intentionally violates their obligation, as Norway and others have done. One would therefore expect that the main question is what constitutes intent or ʻgross negligence’ under Article 74 (1). In fraud cases involving digital banking and SCA, however, the arguably most pressing issue has turned out to be a different one: What does it mean to ʻconsent’ to a payment transaction?
4.2 Does the Use of eID as Strong Customer Authentication Prove ʻConsent’?
According to the Court of Justice of the European Union, formulations and concepts in EU legislation must be interpreted autonomously unless otherwise indicated. Member states are therefore not at liberty to use national private law without regard for the purpose and system of the directive. It is the ʻpayer’ who must give consent, which in this instance means the consumer. Consent to a payment transaction implies that the consumer themselves approves a payment, not merely that strong customer authentication has been applied or that the payment instrument has been used. There is, however, a similar discussion here as for credit contracts with regard to evidentiary rules. Questions arise regarding the degree to which electronic identity systems based on SCA can be relied upon to prove that the consumer has consented, even when they deny it. While PSD II states that evidence should be judged in accordance with national law, it specifies in Article 72 (2) that the mere use of the payment instrument cannot, on its own, prove that the consumer consented to the transaction.
Given the wide array of attacks against SCA mechanisms, it is clearly sensible that SCA is not considered sufficient on its own to establish that the consumer consented to the payment. However, the fact that an SCA method was used must play a role in the assessment. In Germany, for example, courts and scholarship have seemingly, to some extent, assumed that ʻprima facie evidence’ of consent is established if SCA was used. This is reminiscent of the Estonian approach to credit contracts and burdens the consumer with the task of proving that their electronic identity was misappropriated. Some might argue that this approach is in tension with Article 72 (2) of the directive. As is the case for evidentiary presumptions in credit fraud cases, the key is likely how hard it is for the consumer to overturn the presumption. It is relevant that the person who consented to the payment knew the passwords or had access to the relevant devices. However, SCA should not become so dominant in the assessment that other arguments and facts fade into the background. The judge or panel hearing the case must also consider other relevant evidence, such as the credibility of the consumer’s account of the fraud and technical evidence (eg which IP address or what kind of eID device was used), which the service provider is clearly better equipped to produce.
4.3 ʻConsent’ and Contract Law
A payment service provider might also argue that consent is established or proven by the mere use of SCA because of pre-existing contract terms. Unlike what is often the case with credit providers, payment service providers have an underlying contractual relationship with the consumer. Some banks include provisions in their terms and conditions to the effect that the consumer is presumed to have consented if ʻconsent has been provided with the help of a payment instrument (e.g. via online banking)’. This could – if taken at face value – mean that the payment service provider can rely on the authority of any person, including a fraudster, ordering a payment from the consumer’s online bank. As the notion of consent is dependent on what is ʻagreed between the payer and the payment service provider’, as per Article 64 (2), one might argue that consumers are free to accept such an arrangement within the confines of PSD II. However, it is necessary to consider Directive 93/13 on unfair terms in consumer contracts (UCTD) in conjunction with the system and purpose of PSD II itself. If the terms have the effect of making any use of a certain payment instrument attributable to the consumer, a strong argument can be made that this is unfair, as it establishes a ʻsignificant imbalance’ under Article 3 (1) of UCTD, leaving the consumer with all the risk for what would otherwise be considered unauthorised use. This clearly places the consumer in a disadvantaged legal position compared to otherwise applicable laws. As such, the national court should examine and, if relevant, decline to apply such terms.
A payment service provider can also argue that the ʻconsent’ – although given by the fraudster – is covered by rules on apparent authority. As mentioned, the Estonian Supreme Court has ruled that rules on representation should be considered when the eID is used. Payment service providers could argue that the electronic identity of the consumer can be relied upon as apparent authority in a situation of payment fraud, so that consent given by the fraudster is attributed to the consumer. However, this seems problematic. Article 64 (1) must be understood in its context, notably the system of liability allocation in Articles 73 and 74. In our view, PSD II does not permit the use of national concepts in a way that circumvents the system of the directive, which indicates that the payment service provider should cover payments ordered fraudulently by third parties, absent the consumer’s gross negligence. The construction of consent by way of national agency law will have the potential effect of allocating responsibility in a different way than the PSD II system suggests. The effectiveness of the liability rules in Articles 73 and 74 is a strong argument for viewing consumer negligence in third-party fraud as a question of liability for an unauthorised payment transaction rather than as a reason for attributing the ʻconsent’ given by the fraudster through rules on apparent authority. Such national doctrines are therefore probably not applicable to the question of consent under Article 64 (1).
4.4 Subsequent Authentication by the Consumer of a Transaction Initiated by the Fraudster
As explained in Section 2, third-party fraud can also occur when a fraudster relies on the consumer’s own authentication actions. The fraudster might call the consumer posing as a bank employee and claim that the consumer’s accounts are under attack from hackers or scammers, so they must follow instructions sent to their phone to verify their identity. The consumer is deceived regarding the purpose of the authentication and does not understand that they are actually authenticating a payment to the fraudster. The consumer performs a procedure (eg entering a PIN code and ʻconfirming’ the transaction on their mobile phone), which gives the payment service provider the impression that the consumer has given ʻconsent’.
Are these cases ʻunauthorised’ under PSD II? A complicating factor here is variance in the functionality of different SCA systems. Some mechanisms display the payment information quite clearly on the phone screen as the consumer authenticates the payment, which strengthens the case for viewing the consumer’s performance of the authentication procedure as consent to the transaction. In cases observed in Norway, however, successful fraudsters manipulate the consumer even where the relevant information is displayed on the device. This is achieved in different ways: for example by convincing the consumer that they are confirming the reversal of a fraudulent payment instead of the payment itself, or by relying on the consumer, in a position of stress, clicking on the phone screen without reading its content.
Finansklagenemnda, the Norwegian Alternative Dispute Resolution (ADR) procedure for consumers and payment service providers, has reasoned that ʻconsent’ in these instances requires the consumer to perform the authentication procedure in the knowledge that they were approving a payment. These transactions are therefore unauthorised. The reasoning is that ʻconsent’ refers not to the mere performance of a particular authentication procedure but to the expression of a will to make a payment. Consumers may invoke their state of mind in situations where the payment information was technically visible to them, as long as they were genuinely confused as to whether the effect of their action was to authenticate a payment. Unsurprisingly, some payment providers view this case law as overly lenient and unjustifiable under the current rules.
This question illustrates the difficulty in applying a coherent notion of consent under the current legal and technical frameworks, as well as the close connection with the core questions of contract law. In our view, the demand for a subjective intention to order a payment before ʻconsent’ applies can reasonably be defended with reference to the system and purpose of the liability rules. The payment order is actually being issued by the fraudster from the online bank, deceitfully, in the consumer’s name. Of course, under the usual principles of contract law, parties bear the risk of their own mistaken communications with innocent third parties. There is also a danger that the consumer feigns ignorance and claims that they did not understand the purpose of the authentication. Under Article 74 (1), however, a consumer must still pay if they showed a high enough degree of negligence in falling for the fraud, and refunds can always be withheld under Article 73 (1) if there is reasonable suspicion of ʻfriendly fraud’. Therefore, an effective application of the PSD II system of loss allocation would favour allowing the consumer to invoke their lack of understanding as to whether they authenticated a payment, in the case that the payment is initiated by a fraudulent third party. The answer is, however, far from obvious, especially in cases where payment information is communicated to the consumer through the SCA mechanism.
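The distinction drawn in Sections 4.2 and 4.4 between what SCA can prove and what ʻconsent’ requires can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the article, from any bank or from any eID provider. It assumes an SCA scheme with dynamic linking implemented as an HMAC over the amount and payee under a per-device key provisioned at enrolment (an assumption; the article does not describe the mechanism), and the `PaymentOrder`, `approve_on_device` and `provider_accepts` names and the scenario functions are constructed for illustration. The point it shows is that the provider can verify that the enrolled device approved this exact amount and payee, and that a code cannot be re-used for a different order, but nothing in the verified data records whether the consumer read or understood the confirmation screen.

```python
"""Constructed simulation of SCA with dynamic linking (added example, not the article's code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed per-device key, assumed to be provisioned into the consumer's
# authenticator app at enrolment. Real deployments use hardware-backed keys.
DEVICE_KEY = b"constructed-example-device-key"


@dataclass(frozen=True)
class PaymentOrder:
    payee: str
    amount_cents: int
    currency: str = "EUR"


def authentication_code(order: PaymentOrder, key: bytes = DEVICE_KEY) -> str:
    """Dynamic linking: the code is an HMAC over amount and payee, so it is
    valid only for this exact order and cannot be re-used for another one."""
    canonical = json.dumps(
        {"payee": order.payee, "amount_cents": order.amount_cents, "currency": order.currency},
        sort_keys=True,
    ).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def approve_on_device(order: PaymentOrder, consumer: Callable[[str], bool]) -> Optional[str]:
    """What the authenticator app does: render the order and ask the consumer
    to confirm. `consumer` models the person; it receives the screen text and
    returns True if they tap Confirm. Returns the code, or None if declined."""
    screen = f"Confirm payment of {order.amount_cents / 100:.2f} {order.currency} to {order.payee}?"
    if not consumer(screen):
        return None
    return authentication_code(order)


def provider_accepts(order: PaymentOrder, code: Optional[str]) -> bool:
    """What the payment service provider can verify: the code was produced by
    the enrolled device for this exact amount and payee. Nothing here tells the
    provider whether the consumer read or understood the screen."""
    if code is None:
        return False
    return hmac.compare_digest(code, authentication_code(order))


# Constructed scenarios mirroring the situations discussed in the text.

def scenario_attentive_consumer() -> bool:
    """Consumer reads the screen, sees an unknown payee and declines."""
    order = PaymentOrder(payee="UNKNOWN ACCOUNT", amount_cents=250_000)
    reads_and_declines = lambda screen: "UNKNOWN" not in screen
    return provider_accepts(order, approve_on_device(order, reads_and_declines))


def scenario_manipulated_consumer() -> bool:
    """Fraudster initiates the order from the online bank; a stressed consumer
    taps Confirm without reading. The provider sees a perfectly valid SCA."""
    order = PaymentOrder(payee="UNKNOWN ACCOUNT", amount_cents=250_000)
    taps_without_reading = lambda screen: True
    return provider_accepts(order, approve_on_device(order, taps_without_reading))


def scenario_tampered_after_approval() -> bool:
    """Consumer approves 25.00 to a known payee; the amount is changed afterwards.
    Dynamic linking makes the original code invalid for the altered order."""
    approved = PaymentOrder(payee="Known Shop", amount_cents=2_500)
    code = approve_on_device(approved, lambda screen: True)
    tampered = PaymentOrder(payee="Known Shop", amount_cents=250_000)
    return provider_accepts(tampered, code)
```

Run as a script, the three scenario functions return False, True and False respectively: the cryptographic check distinguishes an altered order from an approved one, but the manipulated approval and an attentive approval produce identical, valid codes. That is why the article's technical evidence (device, IP address, the consumer's account of the call) has to carry the question of consent, and why displaying the amount and payee on the screen narrows, but does not close, the gap between authentication and understanding.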
In the review processes leading up to the proposal for a new payment service regulation, the Commission acknowledged the difficulty of ascertaining whether a consumer has given their consent in social manipulation schemes. The initial proposal nonetheless failed to clarify or expand the meaning of consent, opting instead for two new reimbursement requirements for particular fraud situations, including one for situations in which the fraudster pretended to be a representative of the payment service provider. The European Parliament, however, made substantial additions in its first reading of the proposal in April 2024. The Parliament added in the preamble that authorisation must ʻexpress the intention of the payer on the basis of full knowledge of relevant facts including the amount, recipient and purpose of the transaction’. Whether such intention is present is to be judged pursuant to national law. There will certainly be continued discussion over what such a formulation of consent means in specific fraud situations. The reference to national law is particularly ambiguous. It seems clear, however, that the proposal leaves room for considerations of how the consumer themselves understood the situation at the time of authentication.
In addition, the Parliament has suggested expanding the Commission’s proposed reimbursement scheme for impersonation fraud to cover the impersonation of not only the payment service provider but ʻany other relevant entity of a public or private nature’. The combination of an expanded notion of unauthorised payment transactions and broad protection from impersonation fraud could lead to substantially stronger consumer protection. Under the proposal, consumer liability will depend less on the technique chosen by the fraudster and more on the degree of negligence shown by the consumer. This aligns with recent developments in the United Kingdom, where a similar scheme has been adapted to encompass fraudulently induced transactions more generally. At the time of writing, the European proposal is merely a proposal and subject to trialogues between the European lawmakers.
4.5 Assessment
When digital identity is misused for the purpose of a payment transaction, PSD II provides a common framework for questions of loss allocation. The starting point is the same as for credit contracts under national private law: if the identity was misused by a third party, the consumer is not liable. This is supplemented with liability rules for grossly negligent consumers. A problem, however, is that the arrangement seems to depend on a coherent notion of ʻconsent’ being available to national courts. It is difficult to apply this notion in the context of modern online payment systems, and many of the same questions discussed in Section 3 reappear. As shown in Sections 4.2–4.4, we believe that some basic answers can nonetheless be found through a dogmatic analysis of PSD II. The application of national private law on apparent authority to the question of ʻconsent’ seems contrary to the system and purpose of the directive, and therefore not appropriate. The same goes for reliance on standard terms and conditions as a basis for attributing fraudulent third-party use to the consumer. In the case of social engineering scams in which the consumer is manipulated into providing SCA while the fraudster orders the payment, ʻconsent’ – in our view – requires the consumer to have been aware that they were authenticating themselves for the purpose of ordering a payment.
5. Conclusions
This article has endeavoured to illuminate how European legal systems decide who bears the loss for fraudulent third-party transactions in modern eID systems. Our analysis indicates that rules regarding evidence play a key role in determining the outcomes of cases. This is illustrated clearly by Estonian case law on credit fraud, where the mere use of an eID goes a long way as evidence that a consumer has consented to the contract, and cases rarely move past this initial question. Evidence rules are, therefore, an important element in regulations that afford protection to consumers in identity fraud cases. A high level of consumer protection probably requires professional counterparties to absorb some of the inherent uncertainty of evidential assessment in a digital world – both in payment transactions and in credit contracts.
As for the question of liability when the court accepts the consumer’s claim of being defrauded, our analysis cannot identify a ʻEuropean approach’ to the allocation of losses in identity fraud cases. In credit fraud cases, the legal protection afforded to the consumer depends on national private law, where both apparent authority and tort rules might provide the credit provider with the basis for a claim. For example, the model in Norway – tort claims limited by a specific statutory limitation on liability – provides the consumer with a higher degree of protection than the application of general contractual and evidentiary rules observed in Estonia. Such discrepancies are not very surprising, as general private law in Europe is not harmonised.
Some have argued for common European consumer protection in credit fraud cases. While this is beyond the scope of this paper, we observe that the rollout of eIDAS 2.0 and the DIW could make that discussion more relevant. According to the EU Commission president, the DIW will ʻallow all EU citizens, residents and businesses to have trustworthy access to public and private online services all over Europe’. This aligns with the EU’s ambition for a digital single market helped by cross-country compatible eID systems. If this vision comes to fruition, the idea of common consumer protection rules for identity misuse cases might become appealing. Our analysis shows that such harmonisation would require engagement with basic rules on contract formation, evidentiary questions, agency and tort – traditional ʻhome turf’ for the Member States. This is vividly illustrated by the existing tensions within the EU’s harmonised rules on payments, where our analysis shows a multitude of possible interpretations as to the meaning of ʻconsent’ of PSD II, some of which include the intrusion of national contract law. Even within a harmonised framework, we cannot easily escape the more basic issue of what constitutes a legally binding action.
Our analysis confirms the key role of both national and EU-based private law in determining the level of protection our legal systems afford consumers in identity theft cases. Any attempt to shield consumers from risks created by an increasingly digitised consumer finance sector must put private law front and centre. From the EU’s point of view, true harmonisation of consumer protection in this area would require closer engagement with some of the most fundamental questions of contract and tort law in the national legal systems. Conversely, national authorities and lawyers should take great interest in how their national laws interact with EU law on payments and digital identity.
Acknowledgements
This article has been written as part of the research project ʻSocietal Security and Digital Identities’ (project number 320785) financed by the Norwegian Research Council. We are grateful to Professors Marte Eidsand Kjørven, Karin Sein and Erik Røsæg, as well as to the anonymous reviewer, for helpful comments. We are also grateful to Lara Marie Wik at the Norwegian Department of Justice for help with language editing.
- 1 European Commission, Directorate-General for Migration and Home Affairs, ʻStudy on Online Identity Theft and Identity-related Crime – Final Report’ (2022) Publications Office of the European Union 15 <https://data.europa.eu/doi/10.2837/197724> accessed 2 April 2024.
- 2 ibid 39–47. For an in-depth study on personal consequences for victims in an American context, see Jordan Breninger, ʻIdentity Theft, Trust Breaches, and the Production of Economic Insecurity’ (2023) 88(5) American Sociological Review 844 <https://doi.org/10.1177/00031224231189895> accessed 10 April 2024.
- 3 See eg Marte Eidsand Kjørven, ʻWho Pays When Things Go Wrong? Online Financial Fraud and Consumer Protection in Scandinavia and Europe’ (2020) 31(1) European Business Law Review 77 <https://doi.org/10.54648/eulr2020004> accessed 25 April 2024; Maria Raquel Guimarães and Reinhard Steennot, ʻAllocation of Liability in Case of Payment Fraud: Who Bears the Risk of Innovation? A Comparison of Belgian and Portuguese Law in the Context of PSD II’ (2020) 30(1) European Review of Private Law 29 <https://doi.org/10.54648/erpl2022003> accessed 7 May 2024.
- 4 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC [2015] OJ L 2015/337.
- 5 See PSD II (n 4) preamble (72) on the concept of ʻgross negligence’ and evidentiary rules.
- 6 Henrik Udsen, ʻAftaleretslig hæftelse ved misbrug af digital signatur i dansk ret’ (2023) 5 Svensk Juristtidning 511 <https://svjt.se/svjt/2023/511> accessed 27 December 2024; and Marianne Rødvei Aagaard, ʻLåneaftalet ved Svea Ekonomi’ (2023) 5 Svensk Juristtidning 541 <https://svjt.se/svjt/2023/541> accessed 27 December 2024; and Kjørven (n 3). On Estonia, see Civil Chamber of the Supreme Court (CCSC) 16.12.2019, 2-16-124450 from the Estonian Supreme Court.
- 7 Revision of the eIDAS Regulation – European Digital Identity (EUid) in ʻA Europe Fit for the Digital Age’ <https://www.europarl.europa.eu/legislative-train/spotlight-JD22/file-eid> accessed 2 April 2024.
- 8 Regulation (EU) No 910/2014 regarding establishing a framework for a European Digital Identity [2014] OJ L 257/73.
- 9 Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 regarding establishing the European Digital Identity Framework [2024] OJ L, 2024/1183.
- 10 See eIDAS revision (n 9) preamble (19).
- 11 European Parliament legislative resolution of 23 April 2024 on the proposal for a regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 (COM(2023)0367 – C9-0217/2023 – 2023/0210(COD)) <https://www.europarl.europa.eu/doceo/document/TA-9-2024-0298_EN.html> accessed 25 April 2024.
- 12 Directive (EU) 2023/2225 of the European Parliament and of the Council of 18 October 2023 on credit agreements for consumers and repealing Directive 2008/48/EC OJ L 2023/2225, preamble (4).
- 13 See Section 4.4.
- 14 They both scope out questions of validity of contracts, see the eIDAS revision (n 9) preamble (46), and the revised Consumer Credit Directive (n 12) preamble (58).
- 15 PSD II (n 4) Article 4 (29).
- 16 PSD II (n 4) Article 30.
- 17 See eg PSD II (n 4) Article 69 (1a) and (2).
- 18 According to Article 8 (8) of the eIDAS regulation (n 8) an ʻelectronic signature’ means ʻdata in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign’.
- 19 These requirements are that ʻ(a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and (d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable’.
- 20 eIDAS Regulation (n 8) Articles 28–32.
- 21 There are other eID systems, but these are not used regularly for everyday transactions. For more information see Republic of Estonia Information System Authority, ʻElectronic Identity eID’ <https://www.ria.ee/en/state-information-system/electronic-identity-eid-and-trust-services/electronic-identity-eid> accessed 16 May 2023.
- 22 Republic of Estonia Information System Authority, ʻThe ID-card Turned 20 Years Old’ <https://www.ria.ee/en/news/id-card-turned-20-years-old> accessed 11 September 2023.
- 23 Irene Kull and Laura Kask, ʻElectronic Signature Under the eIDAS Regulation in Domestic and Cross-Border Communication: Estonian Example’ (2019) 12 Journal of the University of Latvia. Law 21, 33 <https://doi.org/10.22364/jull.12.02>. See also the eIDAS list for qualified electronic signature devices in Estonia <https://eidas.ec.europa.eu/efda/browse/notification/qscd-sscd> accessed 20 February 2024.
- 24 BankID, ʻHva er egentlig bankID?’ <https://bankid.no/hva-er-bankid> accessed 19 February 2024.
- 25 ibid.
- 26 ibid.
- 27 ibid.
- 28 See European Commission, ʻQualified Signature/Seal Creation Devices and Secure Signature Creation Devices’ <https://eidas.ec.europa.eu/efda/browse/notification/qscd-sscd> where there are no listed providers in Norway, accessed 2 April 2024.
- 29 See eg European Commission, Directorate-General for Financial Stability, Financial Services and Capital Markets Union, Ivan Bosch Chen, Davide Fina, Pierre Hausemer and others, ʻA Study on the Application and Impact of Directive (EU) 2015/2366 on Payment Services (PSD2)’ (2023) Publications Office of the European Union, 127 <https://data.europa.eu/doi/10.2874/996945> accessed 24 April 2024.
- 30 See Case HR-2020-2021-A from the Supreme Court, LB-2018-192525 from the Borgarting Court of Appeal.
- 31 See Cases LB-2018-192525 and LB-2016-43622 from Borgarting Court of Appeal in Norway.
- 32 See Cases Harju County Court 8 August 2012 Case no 2-21-100379, Viru County Court 6 September 2021 Case no 2-21-105634.
- 33 This was the case in a Norwegian Supreme Court case concerning the liability of consumers for unauthorised payment transactions in HR-2022-1752-A.
- 34 ibid.
- 35 Examples from Norwegian ADR cases: FinKN 2022-684 and FinKN-2023-355 (all cases from Finansklagenemnda are available at <https://publisering.finkn.no/> accessed 24 June 2024).
- 36 See eg DNB Financial Cyber Crime Center (FC3), ʻAnnual Fraud Report 2022’ (2022) 1 <https://www.dnb.no/portalfront/nedlast/no/om-oss/dokumenter/2022_DNB_Annual_Fraud_Report_public.pdf> accessed 2 April 2024.
- 37 See Tiina Jõgeda, ʻOperatsioon @kelluke123: kuritegelik paar tegi lihtsatest Eesti inimestest id-orjad’ Eesti Ekspress <https://ekspress.delfi.ee/artikkel/95420647/operatsioon-kelluke123-kuritegelik-paar-tegi-lihtsatest-eesti-inimestest-enda-id-orjad> accessed 15 March 2022.
- 38 Depending on the procedures used by financial institutions to assess creditworthiness etc, there might be differences in how simple the fraud process is.
- 39 For Norway, see eg Hilde Hauge, Ugyldighet ved formuerettslige disposisjoner (Universitetsforlaget 2009) 202–204; for Estonia, see Paul Varul and others, Tsiviilseadustiku üldosa seadus. Kommenteeritud väljaanne (Juura 2023) 550.
- 40 CCSC 16.12.2019, 2-16-124450/77, 22.
- 41 ibid.
- 42 Eg Viru County Court 06.09.2021 2-21-105634, 11, Tartu District Court 24.05.2021, 2-18-18946, 10, Tallinn District Court 29.04.2021, 2-19-118119, 25, Pärnu County Court 08.04.2021, 2-20-124703, 10, Harju County Court 30.11.2021, 2-20-134519, 4.
- 43 Code of Civil Procedure – RT I, 11.03.2023, 3. Available in English: <www.riigiteataja.ee/en/eli/528072023007/consolide> accessed 6 December 2023.
- 44 V Kõve, I Järvekülg, J Ots and M Torga, Tsiviilkohtumenetluse seadustik I. Kommenteeritud väljaanne (Juura 2017), 1477.
- 45 CCSC 2-17-1722/31, 10.2.
- 46 Tvisteloven (The Disputes Act) § 21-2.
- 47 HR-2017-639-U, see eg Cases LA-2019-89003, LB-2019-28374, LE-2020-150885 from appellate courts.
- 48 ibid.
- 49 Finansavtaleloven (The Financial Contracts Act) § 3-6 (3).
- 50 Finansavtaleloven (The Financial Contracts Act) § 3-6 (4).
- 51 See from the preparatory works Prop 92 LS (2019-2020), 115.
- 52 See eg the Principles on European Contract Law Article 3:201 (3) <https://www.trans-lex.org/400200/_/pecl/#head_48> accessed 2 May 2024; see also Udsen (n 6) and Aagaard (n 6) on Danish and Swedish law.
- 53 CCSC 16.12.2019, 2-16-124450/77, 24.
- 54 Tsviilkohtumenetluse seadustik. – RT I, 06.07.2023, 6. Available in English: <https://www.riigiteataja.ee/en/eli/518122023003/consolide> accessed 15 April 2024.
- 55 Võlaõigusseadus. RT I 06.07.2023, 5. Available in English: <https://www.riigiteataja.ee/en/eli/527122023005/consolide> accessed 15 April 2024.
- 56 LOA § 104(4).
- 57 CCSC 16.12.2019, 2-16-124450/77, 23. Although we are sceptical of such an approach on a de lege ferenda basis, see Section 3.3.
- 58 See Aagaard (n 6) and Udsen (n 6). The Danish Supreme Court does not expressly speak of apparent authority, but of contract established through negligence: see Udsen (n 6) 517.
- 59 HR-2020-2021-A, which is in the text accompanied by (n 65), provides a typical example.
- 60 See Kjørven (n 3) 102 (see note 122 for list of judgments).
- 61 See eg TALST-2018-50976. The BankID is in this context not used as a payment instrument, but courts felt that the norms for protecting the payment instrument informed the assessment of the consumer’s negligence.
- 62 See eg LF-2018-39633.
- 63 Kjørven (n 3) 102–103.
- 64 ibid.
- 65 Case HR-2020-2021-A.
- 66 The claim from this creditor was approximately 100 000 NOK (approximately 8 500 euros). At the time of writing, 1 euro is worth 11.85 NOK, according to the Central Bank of Norway <https://www.norges-bank.no/tema/Statistikk/Valutakurser> accessed 24 October 2024.
- 67 HR-2020-2021-A para 102.
- 68 HR-2020-2021-A para 104.
- 69 HR-2020-2021-A para 105.
- 70 In Norway, full liability for unauthorised payment transactions is limited to cases in which the consumer has not intentionally breached his obligations, see Section 4.1.
- 71 The Financial Contracts Act § 3-20 (3).
- 72 ibid. See also Marte Eidsand Kjørven, Alf Petter Høgberg and Geir Woxholth, ʻBankID-opplysninger på avveie – om vilkårene for aktivering av forsettsansvaret etter finansavtaleloven § 35 (3) og ny finansavtalelov § 4-30 (4)’ (2021) 60(6) Lov og rett 335 <https://doi.org/10.18261/issn.1504-3061-2021-06-03> accessed 25 April 2024.
- 73 See Supreme Court Case HR-2022-1752-A.
- 74 CCSC 16.12.2019, 2-16-124450.
- 75 See also Dimitri Linardatos, ʻThe Transposition of the PSD 2: The Role of EBA and of the National Legislator in Germany’ in Elisabetta Bani, Vincenzio De Stasio, Antonella Sciarrone Alibrandi (eds), The Transposition of PSD2 and Open Banking (Bergamo University Press 2021) 121, 127–133 on the difference in German law between ʻAnscheinsbeweis’ and ʻBeweisvermutung’ with regards to misuse of payment instruments <https://aisberg.unibg.it/retrieve/handle/10446/176637/402185/Vol_DeStasio_Banking_ebook.pdf> accessed 14 October 2024.
- 76 See NJA 2017 s 1105.
- 77 Hein Kötz, European Contract Law (New York 2017; online edn, Oxford Academic) 308–309 <https://doi.org/10.1093/oso/9780198800040.003.0016> accessed 2 April 2024.
- 78 See eg EBA Guidelines on loan origination and monitoring <https://www.eba.europa.eu/legacy/regulation-and-policy/regulatory-activities/credit-risk/guidelines-loan-origination-and> accessed 24 June 2024, Section 42.
- 79 Sjur Anda, ʻEn fersk høyesterettsdom legger større ansvar for rett identitet på bankene. Svaret fra bransjen er å øke sikkerheten.’ Finansfokus (2021) <https://www.finansfokus.no/2021/01/14/bankid-moter-hoyesterettsdom-med-bedre-sikkerhet/> accessed 24 April 2024.
- 80 Petter Omland, Ellen Bennin Brataas and Malcolm Langford, ʻHva kan tingrettsdommer om eID-svindel fortelle oss?’, Conference presentation at the University of Oslo, 19 April 2024.
- 81 PSD II (n 4) preamble, Recital 6.
- 82 European Commission (n 1) 49–50.
- 83 European Parliament (n 11).
- 84 The Court of Justice of the European Union has clarified that ordering transfers through online banking constitutes the use of a ʻpayment instrument’ within the meaning of the directive, as it relies on ʻa set of procedures agreed between the user and the payment service provider and used by the user in order to initiate a payment order’ cf Article 4 (13), see Case C-616/11, T-Mobile Austria GmbH v Verein für Konsumenteninformation, Judgment of 9 April 2014 (ECLI:EU:C:2014:242) para 44.
- 85 Article 74 (1) second section (a) and (b).
- 86 PSD II (n 4) Article 74 (1) third section.
- 87 PSD II (n 4) preamble (72).
- 88 PSD II (n 4) Article 74 (1) fourth section.
- 89 Koen Lenaerts and Jose A Gutierrez-Fons, ʻTo Say What the Law of the EU Is: Methods of Interpretation and the European Court of Justice’ (2014) 20(2) Columbia Journal of European Law 3, 16.
- 90 Maria Raquel Guimarães, ʻThe transposition of PSD2: Decree-Law 91/2018 of 12 November, The Portuguese Experience and What May (or May Not) Change’, in Bani, De Stasio and Alibrandi (eds) (n 75) 141, 148.
- 91 PSD II (n 4) Article 64 (1).
- 92 PSD II (n 4) preamble (86).
- 93 Linardatos (n 75) 130.
- 94 See Section 3.1.
- 95 Linardatos (n 75) 130.
- 96 Cf the demand for ʻsupporting evidence’ (Article 72 (2) final sentence) for gross negligence and fraud on the consumer’s part. It seems reasonable that a similar requirement would exist for a claim that the consumer consented.
- 97 See for example Swedbank, ʻTerms and Conditions of the Current Account Agreement’ 5.4 <https://swedbank.ee/static/pdf/private/d2d/info/cond_curracc_eng_2018_06_01.pdf> accessed 24 November 2023. See also Guimarães and Steennot (n 3, 39) on similar terms in Portugal and Belgium.
- 98 Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts [1993] OJ L 95/29 (UCTD).
- 99 On the parallel application of UCTD and other consumer directives, see Case C-290/16 Air Berlin PLC & Co. Luftverkehrs KG v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V, judgment of 6 July 2017 (ECLI:EU:C:2017:523) paras 45–46, where the court finds that UCTD applies unless otherwise explicitly stated. On the application of UCTD to terms governed by PSD II (n 4), see Case C-287/19 Denizbank v Verein für Konsumenteninformation, judgment of 11 November 2020 (ECLI:EU:C:2020:897) paras 61–66.
- 100 See on the significant imbalance test, eg Case C-226/12 Constructora Principado, judgment of 16 January 2014 (ECLI:EU:C:2014:10) paras 21–24.
- 101 UCTD Articles 6 (1) and 7. On the ex officio application of the directive, see eg C-176/17 Profi Credit Polska SA w Bielsku Białej v Mariusz Wawrzosek, judgment of 13 September 2018 (ECLI:EU:C:2018:711) para 42 and cases cited therein.
- 102 See Section 4.2.1.
- 103 Sonja Oleownik, ʻPhishing in Online Banking – An Overview of the Development and the European and German Legal Positions’ in Georg Borges and Christoph Sorge (eds), Law and Technology in a Global Digital Society (Springer 2022) 257, 267 <https://doi.org/10.1007/978-3-030-90513-2> accessed 25 April 2023.
- 104 See also what appears to be a similar conclusion in Matthias Casper and Bastian Reich, ʻHaftung bei einem qualifizierten Phishing mit weiteren Elementen des Social Engineering’ (2023) 35(3) Zeitschrift für Bankrecht und Bankwirtschaft 133, 138 <https://doi.org/10.15375/zbb-2023-0303> accessed 25 April 2024.
- 105 See eg FinKN 2022-684 and FinKN-2023-355 in Norway.
- 106 This fraud method is described in EBA’s single rulebook (EBA 2019-4984) <https://www.eba.europa.eu/single-rule-book-qa/qna/view/publicId/2019_4984> accessed 8 August 2024.
- 107 See for example those commonly used in Sweden, described in Case 2019-11253 from the Swedish ADR institution ARN <https://www.arn.se/globalassets/extern/pdfer/referat-2020/arendereferat---2019-11253.pdf> accessed 3 July 2024.
- 108 See eg case FinKN 2022-684.
- 109 See eg Cases Finkn-2020-490, FinKN 2022-684, FinKN-2022-978 and FinKN-2023-355.
- 110 ibid.
- 111 For more detail, see Marte Eidsand Kjørven, Ellen Bennin Brataas, Nathaniel Skar Eide, William Fosdahl and Vebjørn Wold, ʻAnsvar og egenandeler ved ikke godkjente betalingstransaksjoner etter finansavtaleloven’ (2024) 59(1) Jussens Venner 55, 64–75 <https://doi.org/10.18261/jv.59.1.3> accessed 15 October 2024.
- 112 See Cases FinKN-2023-664, FinKN-2024-309.
- 113 Several of the relevant cases from the Finansklagenemnda have been brought before national courts by payment service providers. However, to the knowledge of the authors, no judgments from courts have yet been issued regarding this question.
- 114 One can even see this as an example of the fundamental distinction between ʻwill theory’ and ʻobjective theory’ of contract, which gains renewed relevance in the digital age, see Margaret Jane Radin, ʻThe Deformation of Contract in the Information Society’ (2017) 37(3) Oxford Journal of Legal Studies 505, 518–519 <https://doi.org/10.1093/ojls/gqx001> accessed 15 October 2024.
- 115See also Casper and Reich (n 104) 139–140.
- 116A different approach is offered in Marianne Rødvei Aagaard, ʻTredjemans svikliga förledande — Kan en godkänd betalningstransaktion vara obehörig?’ (2024) 4 Svensk Juristtidning 323, 325–327 <https://svjt.se/svjt/2024/323> accessed 27 December 2024, though the author’s point of departure is a slightly different type of fraud than the one discussed here.
- 117Report from the Commission to the European Parliament, the Council, the European Central Bank and the European Economic and Social Committee on the Review of Directive 2015/2366/EU of the European Parliament and of the Council on payment services in the internal market, 10 <https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52023DC0365> accessed 3 April 2024.
- 118Commission Proposal for a Regulation of The European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 (COM/2023/367 final), Articles 57 and 59 <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52023PC0367> accessed 3 April 2024. The wording also changed from ʻconsent’ to ʻpermission’.
- 119European Parliament (n 11) preamble 79a.
- 120ibid.
- 121European Parliament (n 11) Article 59.
- 122The reference to the ʻpurpose’ of the transaction possibly takes it beyond any reasonable interpretation of the current directive, covering also situations where the consumer is aware that they are approving a payment.
- 123The Payment Services (Amendment) Regulations 2024, Amendment (2A). <https://assets.publishing.service.gov.uk/media/65eafbed62ff489bab87b333/Draft_SI-The_Payment_Services__Amendment__Regulations_2024.pdf> accessed 3 April 2024, and the accompanying guidelines from the payment systems regulator, Payment Service Regulation. ʻPolicy Statement Fighting Authorised Push Payment Fraud: A New Reimbursement Requirement Response to September 2022 consultation (CP22/4)’ 14–15 <https://www.psr.org.uk/media/iolpbw0u/ps23-3-app-fraud-reimbursement-policy-statement-final-june-2023.pdf> accessed 3 April 2024.
- 124See Kjørven (n 3) 37–40.
- 125Provisional EU Council/European Parliament political agreement on key elements of European Digital Identity Wallet Brussels, 29 June 2023.
- 126EU Commission, Consumer Financial Services Action Plan: Better Products, More Choice, Section 4.2.1 <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017DC0139> accessed 8 April 2024.
- 127See eg Hans Schulte-Nölke, ʻEC Law on the Formation of Contract – From the Common Frame of Reference to the “Blue Button”’ (2007) 3(3) European Review of Contract Law 332, 339–340 <https://doi.org/10.1515/ERCL.2007.023> accessed 25 April 2024.