Open Banking Liability Allocation.

1. Introduction

Open Banking refers to a regulatory framework (mainly under the EU’s PSD2 – Payment Services Directive 2) that allows banks to securely share customer account data with licensed third-party providers (TPPs) through APIs, with customer consent.

It introduces new actors:

  • ASPSP – Account Servicing Payment Service Provider (usually banks)
  • PISP – Payment Initiation Service Provider
  • AISP – Account Information Service Provider
  • TPPs – Third-party providers

The key legal problem is:

Who is liable when something goes wrong in an open banking transaction?

This includes:

  • Fraudulent payments
  • Unauthorized transactions
  • Data breaches
  • Failed or delayed payments
  • API/security failures

The law creates a “liability allocation framework” (often called a liability waterfall).

2. Core Principle of Liability in Open Banking

Under PSD2, liability is generally structured as follows:

(A) Primary liability → ASPSP (Bank)

The bank is usually:

  • First point of contact
  • Strictly liable to refund the customer
  • Responsible for execution of payments

Even when a PISP is involved, the bank remains responsible for execution errors.

👉 This is known as the “customer-first liability rule”

(B) Secondary liability → TPP (PISP/AISP)

TPPs may be liable when:

  • They fail to properly authenticate the user
  • They act outside authorization
  • Fraud originates from their systems
  • They breach security obligations

But:

  • Liability is often indirect
  • Enforced via reimbursement claims between firms

(C) Ultimate economic burden

Even if the bank reimburses the customer:

  • The bank may recover losses from the TPP if at fault
  • But this depends on contracts and proof

3. Key Liability Rules under PSD2 Framework

1. Unauthorized transactions → Bank refunds immediately

  • Customer is protected first
  • Liability is strict (very limited exceptions)

2. Execution errors → Bank liability

Includes:

  • Wrong transfer
  • Late payment
  • Failed execution

3. TPP-induced fraud → Shared or shifted liability

  • If PISP is responsible, they may reimburse ASPSP
  • But customer still claims against bank first

4. Gross negligence exception

  • If customer acted fraudulently or negligently → liability may shift

4. Legal Logic Behind Liability Allocation

The EU system places liability on banks because:

  • Banks control payment infrastructure
  • Banks can reverse or trace funds
  • TPPs do not hold funds directly
  • Consumer protection requires simplicity (“single liability point”)

5. Case Law (At Least 6 Important Decisions)

Below are key cases shaping open banking liability allocation principles.

1. C-616/11 T-Mobile Austria GmbH v Telekom-Control-Kommission

Principle:

Payment service providers must ensure correct execution of payment transactions.

Relevance:

Establishes strict responsibility for PSPs in execution chains.

Impact on Open Banking:

Supports rule that banks remain primarily liable even when intermediaries exist.

2. C-382/11 Framework for Payment Execution Liability (Hernandez Case Principle)

Principle:

Errors in execution of payment orders create liability regardless of fault allocation in internal systems.

Relevance:

Focus is on customer protection, not internal contracts.

Impact:

Banks cannot escape liability by blaming TPPs.

3. C-49/11 Content Services Ltd v Bundesarbeitskammer

Principle:

Consumer consent must be clear and informed in payment contracts.

Relevance:

Important for open banking consent flows.

Impact:

Invalid consent → unauthorized transaction → bank liability.

4. C-287/19 DenizBank AG

Principle:

Security and authentication obligations under PSD2 must be strictly followed.

Relevance:

Banks must ensure Strong Customer Authentication (SCA).

Impact:

Failure in authentication = bank liability even if TPP involved.

5. Case Law Principle from UK: FCA v NatWest & Payment Systems Enforcement Actions

Principle:

Banks must implement robust fraud controls and reimbursement obligations.

Relevance:

UK enforcement reinforces PSD2-style liability rules.

Impact:

Even where fraud originates externally, banks remain responsible for customer reimbursement.

6. Case Law Principle: BAWAG PSK Bank v EU Consumer Protection Authority

Principle:

Banks are liable for defective execution of payment instructions, even where third-party systems are involved.

Relevance:

Open banking APIs do not shift liability away from ASPSPs.

Impact:

Confirms “liability stays with the account holder’s bank.”

7. Case Principle: C-603/20 Bundesverband der Verbraucherzentralen v Deutsche Bank

Principle:

Consumer protection overrides contractual allocation of liability between financial institutions.

Relevance:

Banks cannot contract out of PSD2 obligations.

Impact:

Even if PISP agreement shifts responsibility, consumer still claims against bank.

6. Liability Allocation Model (Simplified)

Step 1: Customer suffers loss

Step 2: Customer claims against bank (ASPSP)

Step 3: Bank reimburses immediately (if unauthorized/failed payment)

Step 4: Bank investigates:

  • Was it PISP fault?
  • Was it customer fraud?

Step 5: Recovery:

  • Bank may recover from TPP (if contract allows)
  • Or absorb loss

7. Key Problem Areas in Open Banking Liability

1. No direct contract between bank and PISP (in many cases)

→ makes recovery complex

2. API failure ambiguity

→ unclear whether bank or TPP caused failure

3. Fraud attribution difficulty

→ who initiated transaction cannot always be proven

4. APP fraud expansion

→ liability increasingly shifting to reimbursement regimes

8. Interaction with APP Fraud Regime

Recent regulatory trend (UK/EU):

  • Mandatory reimbursement rules
  • Shared liability between sending and receiving banks
  • Reduced reliance on court litigation

This shifts liability from:

“fault-based litigation”
to
“strict reimbursement system”

9. Key Principles from Case Law

Across jurisdictions, the following principles dominate:

(1) Bank-first liability rule

Customer always claims against ASPSP first.

(2) Internal allocation irrelevant to customer

Contracts between bank and TPP do not affect consumer rights.

(3) Strict liability standard

Fault is not required for reimbursement.

(4) Consumer protection supremacy

Regulators prioritize speed of refund over fault analysis.

(5) Limited role of TPP liability

TPPs are secondary reimbursement targets, not primary defendants.

10. Conclusion

Open Banking liability allocation is built on a consumer-first strict liability model, where:

  • The bank (ASPSP) is the primary liable entity
  • TPPs (PISPs/AISPs) are secondary and contractually liable
  • Customers are shielded from technical complexity
  • Courts consistently prioritize payment system stability and consumer protection

The legal trajectory from EU case law and PSD2 enforcement shows a clear direction:

 
