Unauthorised payments?

Category: Scams
Reading time 5 minutes
Published on 18/06/2024

How to get a refund and what payment service providers must do

Sometimes, you might find payments on your account that you didn't make. These are called unauthorised payments. You can spot them, for example, by checking your account statements or payment notifications sent to your personal devices.

In most cases, unauthorised payments are linked to scams. When this happens, you can dispute the transaction and request a refund. Banca d'Italia has recently pointed out that payment service providers (PSPs) do not always respect the rights of customers in these cases. A recent communication was sent to PSPs, reminding them to pay greater attention to customer rights and to adopt more responsible and transparent practices. Banca d'Italia will monitor these behaviours as part of its supervisory activities.

Payment service providers include banks, Poste Italiane (BancoPosta), payment institutions and electronic money institutions. These operators offer services such as bank transfers, credit and debit card payments, and direct debits. The relevant legislation (Legislative Decree 11/2010) outlines the rights and duties of customers, as well as the obligations of PSPs.

Banca d'Italia invites PSPs to review those practices that do not fully respect customers' rights, such as:

1. Unfounded refusals to refund customers. PSPs sometimes apply criteria that unfairly lead to denying refunds.

You are generally entitled to a refund in two main situations:

  1. the payment was made without strong customer authentication (see below);
  2. strong customer authentication was used, but the customer did not act fraudulently or with gross negligence - for instance, by failing to take reasonable care when using their payment tools.

2. Delayed refunds or failure to restore the account balance.

The law clearly states that PSPs must refund the unauthorised transaction “immediately and in any case no later than the end of the following business day” after becoming aware of it. This means your account must be restored to the condition it was in before the transaction took place, including interest and available funds. PSPs should take prompt action to minimise any inconvenience to you.

3. Lack of transparency. PSPs do not always clearly explain how customers can report a dispute, or why a refund request was denied.

The right to a refund generally exists when:

  1. strong customer authentication was not used;
  2. authentication was used, but the customer did not act fraudulently or with gross negligence.

4. Weak security during digital wallet enrolment (tokenisation). Some systems for adding payment cards to digital wallets don't apply strong customer authentication properly.

Digital wallets like Google Pay and Apple Pay allow you to store your cards and use them for online or in-store purchases. Banks usually state on their website whether their cards can be used with digital wallets. If you have doubts, contact your bank or card issuer for assistance.

What Banca d'Italia expects is that all PSPs adopt clear and lawful internal procedures that help customers exercise their rights and comply with the rules. In short: fairer and more transparent behaviour.

In what situations is a refund due?

You are normally entitled to a refund when strong customer authentication (SCA) was not used. SCA is a procedure designed to make payments safer and reduce fraud. It relies on at least two independent security factors, such as something you know (e.g. a password), something you have (e.g. your phone) and something you are (e.g. a fingerprint).

If a payment was made without SCA and you deny having authorised it, you must be refunded - unless the PSP suspects fraud on your part. In such cases, they may temporarily suspend the refund and report the issue to Banca d'Italia. If, after an investigation, the PSP believes the customer acted fraudulently, no refund is due.

And if the payment was authenticated with SCA?

In these cases, the PSP may deny the refund only if it can prove that the customer acted fraudulently, or with gross negligence, for example by carelessly sharing their credentials or failing to report the loss of their card or device. It is important to note that the use of SCA alone is not enough to automatically deny a refund. PSPs must evaluate the customer's behaviour in detail.

Are PSPs always responsible?

No. Alongside customer rights, the law also sets out your responsibilities. You must use your payment instruments according to the contract, keep your security credentials safe and secret, protect your payment instruments from loss, theft or misuse, and report any suspicious or unauthorised transactions to your PSP as soon as possible.

For example, you are not required by law to file a police report before requesting a refund. While your PSP may ask for it later, they cannot delay your refund until you provide it.

You must inform your PSP without delay, and in any case no later than 13 months after the transaction was charged to your account - as stated in your contract. Even though you have 13 months to request a refund, you should notify your PSP as soon as you notice the issue.

If you don't act promptly, you might lose your right to a refund.

What happens if the customer acted with gross negligence or fraud?

In that case, the PSP is not obliged to refund the amount. Sometimes, the PSP may refund the transaction first and later conduct an investigation. If it finds that the customer behaved fraudulently or with gross negligence - for example, by sharing their credentials or not protecting access to their devices - it may reverse the refund.

As recommended by Banca d'Italia, PSPs should inform customers if they plan to do this.

If you think the PSP acted unfairly or unlawfully, you can file a complaint directly with the PSP, submit a report to Banca d'Italia, and file a complaint with the Banking and Financial Ombudsman (ABF) for a decision.
