1. By way of derogation from Article 73, the
payer may be obliged to bear the losses relating to any unauthorised
payment transactions, up to a maximum of EUR 50, resulting from the use
of a lost or stolen payment instrument or from the misappropriation of a
payment instrument.
The first subparagraph shall not apply if:
(a) the loss, theft or misappropriation of a
payment instrument was not detectable to the payer prior to a payment,
except where the payer has acted fraudulently; or
(b) the loss was caused by acts or lack of
action of an employee, agent or branch of a payment service provider or
of an entity to which its activities were outsourced.
The payer shall bear all of the losses relating to
any unauthorised payment transactions if they were incurred by the payer
acting fraudulently or failing to fulfil one or more of the obligations
set out in Article 69 with intent or gross negligence. In such cases,
the maximum amount referred to in the first subparagraph shall not
apply.
Where the payer has neither acted fraudulently nor
intentionally failed to fulfil its obligations under Article 69, Member
States may reduce the liability referred to in this paragraph, taking
into account, in particular, the nature of the personalised security
credentials and the specific circumstances under which the payment
instrument was lost, stolen or misappropriated.
2. Where the payer’s payment service provider
does not require strong customer authentication, the payer shall not
bear any financial losses unless the payer has acted fraudulently. Where
the payee or the payment service provider of the payee fails to accept
strong customer authentication, it shall refund the financial damage
caused to the payer’s payment service provider.
3. The payer shall not bear any financial
consequences resulting from use of the lost, stolen or misappropriated
payment instrument after notification in accordance with point (b) of
Article 69(1), except where the payer has acted fraudulently.
If the payment service provider does not provide
appropriate means for the notification at all times of a lost, stolen or
misappropriated payment instrument, as required under point (c) of
Article 70(1), the payer shall not be liable for the financial
consequences resulting from use of that payment instrument, except where
the payer has acted fraudulently.