Has the PSD made you liable for card fraud against your employer?

A recent discussion on business expenses management with a colleague brought up the topic of liability in cases of fraud on Corporate cards and who actually has liability. So I decided to dig out some research that I did in the past on the legislation behind these products, which are supposedly designed to make life easier by serving the needs of both employers and employees.

The discussion questioned the maximum liability for fraud on a Corporate card where the employee is responsible for repayment of the invoice directly to the issuer, but the card is issued via their employer under a framework agreement with the issuer (a sort of personal card where employment is one of the application criteria). As this is a common state of affairs in Belgium, it was interesting to see what could happen if there were unreported fraud on your card, as this type of card seems to fall between the gaps of the articles in the Payment Services Directive (PSD). In the text of the PSD, consumers, as cardholders of general purpose payment cards, can only be held liable for a maximum of 150 EUR of losses due to unauthorised transactions. However, the directive does not make it immediately clear how this applies to holders of Corporate Card products issued to enterprises and/or their employees – which are also typically exempt from the current EU investigation into interchange. So I looked a little closer at this to see whether or not there is an issue for employees in this case.

The PSD actually puts boundaries on the liability for fraud for consumers to ensure that they are not hit too badly. This appears in Article 61, ‘Payer’s liability for unauthorised payment transactions’.

It reads: 1. By way of derogation from Article 60 the payer shall bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR 150, resulting from the use of a lost or stolen payment instrument or, if the payer has failed to keep the personalised security features safe, from the misappropriation of a payment instrument.

Sadly for Corporate Card users, this is one of the many articles that can apply solely to consumers. Article 51 allows issuers to derogate a number of articles in the PSD when delivering Corporate products. It also outlines the difference between Enterprises and Consumers.

Article 51

1. Where the payment service user is not a consumer, the parties may agree that Article 52(1), the second subparagraph of Article 54(2), and Articles 59, 61, 62, 63, 66 and 75 shall not apply in whole or in part. 

This means that if the Payment Service User (or Cardholder in our case) is not considered to be a consumer, the maximum liability described in Article 61 could be increased or waived entirely through a bilateral agreement between the Issuer and the Enterprise.

So how do you know if you’re a consumer or not?

From a bank perspective, it depends on the card programme under which your card has been issued. In essence, this means that it depends on the contractual and commercial terms under which the programme runs as there are three main deployment scenarios for products known as corporate or business card products. Each is identified by the contracts in place, usage rules and the liability for payment of the outstanding balance.

  • ‘Purchasing Card’ type – The issuer holds a contract with the enterprise. The card is issued to the enterprise (typically with only the name of the enterprise or department on the card) and can be used by any authorised employee to make purchases on behalf of the enterprise subject to internal rules. Liability for payments is with the enterprise. Payment Service User is the Enterprise.
  • ‘Corporate Card’ type – The issuer holds a contract with the enterprise. The card is issued to a specific person within the enterprise and carries their name (and often the name of the enterprise) on the card. Usage of the card is governed by a contract between the enterprise and cardholder. Liability for payments can be with the enterprise or the specified employee depending on the contract of employment. Payment Service User is the Enterprise as the Employee is using the card on behalf of the Corporate.
  • ‘Business Card’ type – The issuer has a framework agreement with the enterprise governing the terms of the programme, but the financial contract is between the issuer and the employee – this is the typical case in Belgium. Usage of the card is governed by a contract between the enterprise and the cardholder, with their eligibility for the programme usually linked to their continuing employment by the enterprise. Liability for payments is with the Employee. Payment Service User is the Employee.

From Article 51 and our given definitions of corporate card products, it would seem that dependent on the deployment scenario, the applicability of Article 51 (and so the possible derogation of Article 61) is variable. Consequently, Article 51 would apply to Purchasing Card types and Corporate Card types. However, as the Payment Service User (PSU) within a Business Card type product is the Employee, and not the Enterprise, then the PSU can be classed as a Consumer due to the personal financial liability for use of the product. This in turn means that Article 61 cannot be derogated under Article 51 and the PSU is only liable up to a maximum 150 EUR. So the cards that fall into the potential liability ‘danger area’ are those issued as Corporate Card products – under a frame with the Corporate, but direct to the employee.

The PSD has given issuers a conundrum, in cards that have been issued to individuals under a Corporate agreement – do they waive the derogation and maintain consumer-like protections, or do they rely on the goodwill of enterprises to protect their employees from exposure to fraud losses? If you are an employee with a Corporate Card, are you aware of your potential liabilities? Really the next revision of the PSD needs to make this more clear!

