Care in protecting a bank card and its pin code

Diary number: S2017/178
Issue date: 1.11.2018

Background to the case and the issue to be decided

A’s bank card had been in his wallet on his desk, and its pin code had been in a desk drawer, inside an envelope from the bank. A had left his law office for about ten minutes, leaving the outer door unlocked. During that time, an unknown person had stolen the card and the pin code, and soon thereafter had used the card to withdraw almost 5,000 euros. The bank requested that the court order A to reimburse the bank in full for the funds that had been withdrawn with the card without authorization, on the grounds that A had been grossly negligent in keeping the card and pin code safe. A had admitted to having acted carelessly but denied having been grossly negligent.

The decision of the Supreme Court concerned the question of whether A had been negligent or grossly negligent and to what extent he was liable to reimburse the bank for the funds that had been withdrawn without authorization.

Provisions to be applied

According to section 53 (1) of the Payment Services Act (290/2010) in force at the time of the events and to be applied in the case, the holder of a payment instrument shall use it in accordance with the terms governing the issue and use of the payment instrument. In particular he or she shall take reasonable steps to protect the payment instrument and the personalized security features. The obligation of the holder to protect the means of payment and the personalized security features begins when he or she receives them.

According to section 62 (1), paragraph 2 of the Act (290/2010), a payment service user who has entered into an agreement with a service provider on a payment instrument is liable for its unauthorized use only if the loss of the payment instrument, its theft or misappropriation by another person or its unauthorized use is due to his or her negligence and failure to fulfil his or her obligations under section 53 (1). According to paragraph 2, the liability of the user of a payment service for the unauthorized use of a payment instrument in the cases referred to in subsection 1, paragraph 2 is at most 150 euros. This maximum does not apply if the user of the payment service or another holder of the payment instrument had acted with intent or with gross negligence.

These provisions corresponded to Articles 56 and 61 of Directive 2007/64/EC of the European Parliament and of the Council on payment services in the internal market (Payment Services Directive). Also according to the new Payment Services Directive 2015/2366/EU, a payment service user is liable for unauthorized use only if he or she had acted with intent or been grossly negligent.

The preamble of the Payment Services Directive states that in order to assess possible negligence by the payment service user, account should be taken of all the circumstances. The evidence and degree of alleged negligence should be evaluated according to national law (preambular paragraph 33).

There are no Supreme Court precedents on the application of sections 53 and 62 of the Payment Services Act and the related assessment of the degree of negligence. In the drafting of the Payment Services Act and in other case law, gross negligence has been deemed to be conduct that is clearly and essentially different from what is required of careful conduct. Gross negligence is thus obvious heedlessness of instructions and risks. The assessment of negligence and its degree of grossness consists of an overall review in which account can be taken in particular of the magnitude of the risk of loss and the possibility of taking precautionary measures.

Assessment by the Supreme Court

The Supreme Court noted that in the allocation of liability under the Payment Services Act and the Payment Services Directive, liability for the unauthorized use of a payment instrument is, in principle, held by the service provider. A service user who has acted carelessly is usually liable for only a fairly small set fee. Full transfer of liability to the user of the service, in turn, is the exception and requires negligence that rises to the level of intent or gross negligence.

The Supreme Court noted that A's conduct was to be assessed first in relation to the terms of the payment instrument, which, however, could not change the liability of a consumer using the service to his or her detriment. A had agreed to the general bank card conditions that the bank had established for private clients, according to which the pin code was to be kept with care, separately from the card and preferably only in the client’s memory. In addition, in agreeing to the terms, A had undertaken to dispose of the letter from the bank that contained the pin code, and to not record the pin code in an easily identifiable format.

The Supreme Court noted that, in accordance with the general card terms and also with the travaux préparatoires of the Act, a key requirement of care is that the payment instrument and the pin code may not be stored together and the pin code may not be stored in such a way that it can easily be linked to the payment card. On the other hand, the payment card is intended to be used on a daily basis, and so it must be kept at hand. The user could also not be required to retain the pin code solely in his or her memory; instead, it should be possible to record the pin code in a place where it is readily available. When the Act was drafted, it had been assumed that sufficiently careful conduct would be, for example, that the payment card is kept in one’s wallet or handbag and the pin code is kept at home in a drawer.

The Supreme Court noted that A had not kept the pin code at home but at his law office. A's workplace was no less secure than his home as a place to keep the pin code, since the law office is kept locked, and no clients or other outsiders have free access to it. The Supreme Court held that there was no reason to deem A's conduct as reproachable on the grounds that he had kept his card in his wallet and his pin code in his desk drawer, even though they were at times in close proximity to one another.

A had kept the pin code in the original bank envelope, contrary to the express terms of the agreement. This had increased the risk that an outsider who had gained access to the place of storage would more quickly find the pin code and connect it to a particular bank card. However, the Supreme Court held that, on its own, keeping the bank's letter containing the pin code, with no other factors increasing the risk of unauthorized use, did not yet constitute gross negligence.

In this case, the risk of unauthorized use had been substantially increased by the fact that A, in leaving the office to go up to the attic, had left the office door unlocked and his wallet on top of the desk. However, what had to be assessed was whether this carelessness showed such a clear and reproachable disregard for safety instructions and the risks caused by such conduct that it would rise to the level of gross carelessness.

The Supreme Court noted that A's office was located on the second floor of a multi-floor building, with no direct line of sight from the street to the interior of the office. This was not a public open space, such as a restaurant or a beach, where an outsider would have a good line of sight and ease of access. It had been a coincidence that an outsider had entered the office during A's brief absence and had had time to find and steal not only the wallet but also the pin code from the drawer.

The Supreme Court held that A had, through his conduct, increased the risk of theft and the unauthorized use of the card, which could have been prevented through the taking of reasonable precautions. A was a lawyer by profession, and so he had had to be aware of the risks associated with his conduct. On the other hand, A's carelessness in having left the office door unlocked and his wallet on the desk had been an isolated case. The risk thus caused had been short-term and it had not been a very likely one.


In its overall assessment, the Supreme Court concluded that A's conduct had not demonstrated such serious recklessness that he would be deemed to have neglected his duty of care through gross negligence. Consequently, A's liability for the unauthorized use of the bank card was limited to the amount of 150 euros provided for in Article 62 (2) of the Payment Services Act.

The issue was put to a vote in the Supreme Court. Two justices deemed A's conduct to have been grossly negligent.

Published 23.11.2018