Scope of the Directive
The Directive requires Member States to take the necessary measures to ensure that particular conduct is punishable as a criminal offence. The Directive uses several terms that are not used in other payment-related legal acts such as PSD2. The Directive only refers to fraud in relation to non-cash payment instruments and information systems.
A non-cash instrument is defined as a non-corporeal or corporeal protected device, object or record, or a combination thereof, other than legal tender, and which, alone or in conjunction with a procedure or a set of procedures, enables the holder or user to transfer money or monetary value, including through digital means of exchange.
An example of a non-cash payment instrument is a mobile payment application and a corresponding authorisation (e.g. a password). The Directive only covers instruments which put the holder or user of the instruments in the position to enable a transfer of money or to initiate a payment order. In that respect, unlawfully obtaining a mobile payment application without the necessary authorisation is not an unlawful obtainment of a non-cash payment instrument.
In addition, the Directive covers fraud in relation to information systems, which are defined as devices that, pursuant to a programme, automatically process computer data, as well as computer data stored, processed, retrieved or transmitted by that device for the purposes of its or their operation, use, protection and maintenance.
Member States also have to ensure that incitement, aiding and abetting, and attempt are punishable as a criminal offence. However, the Directive only covers conduct when committed intentionally.
The criminal offences
The Directive requires Member States to ensure that the fraudulent use of non-cash payment instruments is punishable as a criminal offence: in particular, the fraudulent use of a stolen or otherwise appropriated or obtained non-cash payment instrument, or the fraudulent use of a counterfeit or falsified non-cash payment instrument. That criminal offence should essentially cover the transfer of money once the offender has obtained control over the non-cash payment instrument.
The Directive also requires Member States to adopt criminal laws that sanction conduct prior to the use of unlawfully obtained non-cash payment instruments. Such laws shall cover conduct of a person in order to obtain control over a non-cash payment instrument. The Directive distinguishes between offences of the fraudulent use of corporeal and non-corporeal non-cash payment instruments.
With the term “corporeal” non-cash payment instruments, the Directive aims to cover classical forms of conduct, like fraud, forgery, theft and unlawful appropriation, that had, in the view of the legislator, already been shaped by national law before the era of digitalisation.
In contrast, the Directive also aims to cover forms of conduct in the digital sphere by also protecting non-corporeal payment instruments. The Directive requires Member States to prohibit various kinds of conduct that have the aim of obtaining control of a non-cash payment instrument as well as to provide for sanctions.
Finally, Member States shall ensure that hindering or interfering with the functioning of an information system or introducing, altering, deleting, transmitting or suppressing computer data, in each case without right, shall be punishable as a criminal offence if such conduct results in performing or causing an unlawful transfer of money.
The Directive provides for particular penalties. For natural persons, certain types of conduct shall be punishable by a maximum term of imprisonment of at least one year, two years, three years or even five years. The Directive requires the highest maximum terms of imprisonment for conduct committed within the framework of a criminal organisation.
The Directive also requires sanctions against legal persons if an offence has been committed by a natural person acting individually or as part of an organ of that legal person, provided that person has a leading position within that legal person (such as a company director). The Directive requires laws providing for criminal and non-criminal fines against the legal persons. Member States may also adopt other sanctions such as exclusion from entitlement to public benefits or aid, disqualification from the practice of commercial activities or judicial winding up.
Finally, the Directive requires Member States to adopt laws that shall ensure its effectiveness through cooperation between the Member States or by other means. Such laws shall, for instance, ensure the exchange of information, reporting of crime, assistance and support to victims, prevention as well as monitoring and statistics.
This article was originally published in the June 2019 edition of Osborne Clarke’s EPSM Legal Research Newsletter.