In a recent extraordinary ruling, the CJEU decided that merchants are not allowed to only offer the possibility to pay via direct debit to customers resident in a particular EU member state. The other interesting point made was that creditworthiness considerations are also no suitable justification for differentiating between payers according to their place of residence. Since then, many have proclaimed the death of direct debits. But is this really the end of direct debits for online sales? Let’s take a more detailed look here.
Direct debits before the CJEU
On 5 September 2019, the CJEU delivered its ruling in a case involving a consumer protection association and Deutsche Bahn (Case C-28/18). According to the CJEU, Deutsche Bahn’s payment practice, which requires that a customer be resident in Germany in order to use the SEPA direct debit scheme, violates the anti-discrimination prohibition set out in the SEPA Regulation.
What provision does the anti-discrimination prohibition concern?
The prohibition of discrimination is set out in Art. 9 para. 2 of the SEPA Regulation. This provision essentially stipulates that merchants wishing to collect funds from customers by direct debit may not dictate in which EU member state this payment account is to be held. According to the wording, this concerns the location where the account is held. This means that it is not permitted for merchants to offer their customers the option to pay by direct debit, but to restrict this option to German payment accounts. Such cases of so-called IBAN discrimination are prohibited and can be sanctioned. However, this not new.
What has changed with the CJEU ruling regarding direct debits?
According to the CJEU, discrimination has occurred, under Art. 9 para. 2 of the SEPA Regulation, if a company offers the option to pay by direct debit to customers, but restricts this option to customers with a specific place of residence. This is due to the fact that whereas this restriction does not explicitly dictate that a payment account needs to be held in a particular member state, it is still implied, since the bank where the account is held is generally located in the country where the customer resides.
Can discrimination be justified on the basis of creditworthiness?
In its ruling, the CJEU also takes a position on possible justifications. Indeed, the question arises as to whether merchants are permitted to refuse customers from abroad on the basis of creditworthiness considerations. For example, if there is no reliable creditworthiness information available for certain countries. A legitimate consideration, one might think. Nevertheless, the CJEU is of the opinion that creditworthiness considerations cannot justify a differentiation according to a customer’s place of residence.
Does this mean the end of direct debits for online sales?
In view of the CJEU’s case law, does this mean the end of direct debits for online sales? The CJEU’s reference to the fact that merchants are free to wait until the purchase price has been credited to the merchant’s account before dispatching the goods is not particularly helpful. This is because this approach does not provide sufficient protection for the merchant. Customers have the option to cancel direct debits for up to eight weeks after the relevant purchase despite having given a direct debit mandate. In cases of identity fraud, the true account holder even has 13 months to recover the money.
The crucial factor for the continued use of direct debits in online sales is likely to be whether or not merchants are still able to effectively manage their risks under the current legal framework. In our view, this is still the case. It is true that the anti-discrimination prohibition – as interpreted by the CJEU – somewhat restricts traders’ ability to manage their risks. It is also not foreseeable whether the courts will interpret the anti-discrimination prohibition even more extensively in future.
On the other hand, there is no provision (including the anti-discrimination prohibition) prohibiting the merchant from managing its risk regarding certain payment transactions. Therefore, it should still be possible and in compliance with the law to apply decision logic to fraud and credit checks based on the analysis of certain purchase parameters (e.g. new customer, customer appearing on a black list, purchase price, address validation) and, if applicable, creditworthiness information.
What do merchants have to do?
If a merchant still wants to offer direct debit payments, they must in principle offer this option to customers from all EU member states in order to comply with the CJEU ruling. At the same time, merchants should adjust their risk management strategies in such a way that they offer sufficient protection on the one hand and satisfy the applicable legal requirements on the other. The legal framework to be considered here includes, in particular, the General Data Protection Regulation as well as the anti-discrimination prohibitions contained in the Geo-blocking Regulation and the SEPA Regulation. With regard to risk management strategies it should also be noted that the SEPA Regulation prohibits direct debits from being offered only to customers with a payment account held in a particular EU member state.
Another point to be deduced for any risk management strategies is that the CJEU ruling also prohibits merchants from generally withholding the option to pay by direct debit from customers domiciled in other EU member states. In all other aspects, the following applies to the design of any risk management strategies: the less discriminatory the effect is of the decision logic that is applied to checking for fraud and creditworthiness (for example, because various parameters are combined), the less vulnerable any decisions are to refuse payment by direct debit to a particular customer for risk reasons.
Cover picture: Copyright © Adobe Stock /alswart