Unauthorized payment transactions

How to obtain a refund and the obligations of payment service providers

We might get charged for payments we did not make - these are technically referred to as unauthorized payments. We can identify them, for example, by checking our bank statements or the payment notifications on our smartphone and other personal devices.

If this happens, we are most likely dealing with fraud and we can 'dispute' the payments and request a refund for the transactions charged without our authorization. On this topic, Banca d'Italia has noted that customer rights are not always fully respected. Just recently, it issued a communication to payment service providers (PSPs), urging them to pay greater attention to customer rights and adopt more 'virtuous' practices in the interest of their clients. Banca d'Italia will assess these practices as part of its supervisory activities.

Payment service providers include banks, Poste Italiane (BancoPosta), payment institutions, and electronic money institutions - in short, all operators offering payment services such as credit transfers, credit or debit cards, and direct debits. The legislation on payment services (Legislative Decree 11/2010) lays out our rights and responsibilities, as well as the obligations that PSPs must fulfill.

Banca d'Italia is calling on PSPs to review certain practices that do not fully comply with consumer protection standards. The most common issues include:

1. Assessment criteria that lead to unfounded rejection of customers' refund requests.

Bear in mind that there are essentially two cases in which we are entitled to a refund:

a) Transactions carried out without strong customer authentication (SCA);
b) Payments where SCA was required but it was established that the customer acted neither with malicious intent to disregard their responsibilities relating to the payment instrument nor with gross negligence, i.e. carelessness that resulted in failure to fulfil their duties.

2. Refunds issued too late or failure to restore the payment accounts to their original state prior to the unauthorized charges.

Remember: the law explicitly states that PSPs must refund the disputed amount 'immediately and, in any way, no later than by the end of the business day following that in which they become aware of the transaction'. In other words, the intermediary should act promptly to minimize harm to the customer, restoring the account to the state it would have been in if the unauthorized debit had never happened (this means not only refunding the transaction amount, but making sure that the computation of creditor interest and the funds available are not affected by the temporary decrease in the balance).

3. Lack of transparency regarding how customers can report issues and why refund requests are denied.

Again, there are essentially two cases in which we are entitled to a refund:

a) Transactions carried out without SCA;
b) Payments where SCA was required but it was established that the customer acted neither with malicious intent to disregard their responsibilities relating to the payment instrument nor with gross negligence, i.e. carelessness that resulted in failure to fulfil their duties.

4. Inadequate mechanisms for adding payment cards to digital wallets ('tokenization'), which sometimes fail to enforce SCA properly.

Digital wallets, such as Google Pay or Apple Pay, store our payment instruments (e.g. credit or debit cards) for in-store or online payments. Banks typically indicate on their websites whether their cards are compatible with digital wallets. If you have concerns about digital wallet security, you should contact the bank that holds your account or issued your cards.

In general, Banca d'Italia expects each operator to adopt clear internal policies that comply with the law, making sure that customers can exercise their rights and that all regulatory obligations are fulfilled. In short: it expects fairer and more transparent behaviour.

Which transactions are eligible for a refund?
The right to a refund is generally guaranteed when SCA has not been used. SCA is a secure identification procedure that is required by law to enhance transaction security and reduce unauthorized payments. It relies on at least two independent security factors (so that compromising one does not compromise the other) that are used to access an online account and to make credit transfers and card payments. The security factors must be based on something only the user possesses (e.g. a smartphone), knows (e.g. a password), or is (e.g. a fingerprint).

If a payment is not authenticated with SCA and we deny having authorized it, we are entitled to a refund - unless the PSP suspects that our claim is part of an attempted fraud. In this case, the refund can be suspended while the PSP investigates the claim and notifies Banca d'Italia. If the investigation confirms that our claim is fraudulent, we will not be entitled to the refund.

What about transactions authenticated with SCA?
In such cases, PSPs can deny the refund not only in suspected fraud cases, but also if they prove that the customer acted with intent or gross negligence. For this reason, when a transaction is disputed, an investigation is conducted to assess the customer's conduct. However, the presence of SCA alone is not sufficient for a PSP to deny a refund without thoroughly evaluating the customer's behaviour and ascertaining intent or gross negligence.

Is the PSP always responsible?
No. As well as our rights, Legislative Decree 11/2010 lays out the rights of PSPs and our obligations as users. These include: using the payment instrument as agreed in the contract; protecting security credentials (not disclosing or exposing them to theft); properly storing the payment instrument; and promptly reporting any loss, theft, or unauthorized use to the PSP.

For instance, there is no legal requirement to report the unauthorized transaction to the authorities in order to initiate the refund process - so a bank cannot insist on having such documentation to start the procedure. However, it may request it later if the information is needed for assessment purposes.

Disputes must be made as soon as possible, and in any case within 13 months from the date of the debit, as stipulated in the banking contract. Although we have 13 months to claim a refund, we must notify the PSP of the unauthorized transaction as soon as we become aware of it.

It is crucial that we know what our legal obligations are: failure to comply could result in losing our right to a refund.

What happens in cases of gross negligence or fraud by the customer?
The PSP can deny the refund. It may initially refund the transaction within the required timeframe but later carry out a deeper investigation. If it concludes that the customer acted fraudulently, intentionally, or with gross negligence (e.g. carelessly shared credentials, failed to safeguard access devices), the PSP can reclaim the amount previously refunded. As Banca d'Italia points out, PSPs should inform customers when the disputed amount is being redebited, so as to ensure fair treatment.

If we believe the PSP has acted improperly, we can file a complaint with the PSP, Banca d'Italia and/or the Banking and Financial Ombudsman (ABF).