The proliferation of virtual currencies has increased explosively in recent years. The extensive implementation and integration of cryptocurrencies stems, from the convenience they provide to carry out transactions in combination with their pseudo-anonymous nature and the decentralization of blockchain technology. At the same time, the constrained traceability of cryptocurrency transfers substantially impedes means of effective oversight and supervision, thereby creating a heightened risk of illicit activities.
With the rise of cryptocurrencies, the discussion of whether crypto platform providers fall within the scope of § 4 of the Austrian Payment Service Act 2018 (“ZaDiG 2018”), and subsequently, whether users are entitled to the consumer protection mechanisms typically available under regulated payment services, has intensified.
Against this backdrop, the Austrian Supreme Court has now issued its first ruling on the applicability of the Payment Service Act 2018 and the E-Money Act 2010 (“E-GeldG 2010”) to transactions involving cryptocurrencies.
Austrian Supreme Court sheds light on blockchain jungle: 4 Ob 234/23z
In this first case, the claimant set up an account on the defendant’s platform. For that purpose, a digital wallet was automatically generated, into which monetary funds could be transferred and converted into Bitcoin. The claimant secured access to the account with a personal password, but did not activate two-factor authentication, which would have been available as an additional protective measure, albeit not required, but designed to enhance the security of the wallet nevertheless.
During 2021, the claimant initiated a series of eight transfers. Within two or three days after every transfer, the claimant was able to verify the transaction – the amount of fiat currency transferred to the account as well as the corresponding amount of Bitcoin thereby acquired.
Subsequently, the claimant became the victim of criminal conduct perpetrated by an unidentified individual who fraudulently purported to provide assistance in operating and using the platform. Through the installation of the remote-access software ‘AnyDesk’ – an application facilitating external control over computer programs – the malicious third party successfully gained unauthorized access to the claimant’s digital wallet and transferred Bitcoin stored in the wallet to an external wallet address linked to an unidentified party. The claimant was unable to ascertain the identity of the third party and consequently sustained a significant financial loss.
The claimant refused to accept her misfortune and sued the crypto platform provider. The claimant asserted that the damage could have been prevented had the platform complied with §§ 67 and 87 of the Payment Service Act 2018. Compliance with the refund obligations applicable to unauthorized payments, alongside the implementation of a two-factor authentication, would have materially mitigated the risk of misuse.
Nonetheless, the claimant’s case was dismissed, as the court held that crypto platform providers do not fall within the scope of § 4 of the Payment Service Act 2018. Consequently, §§ 67 and 87 of the Payment Service Act 2018 were deemed inapplicable, absolving the platform from any liability.
Legal analysis
The legal issue centers on the extent to which the Payment Service Act 2018 and the E-Money Act 2010 apply to cryptocurrencies and crypto platform providers.
The Payment Service Act 2018 establishes a legal framework governing the conditions under which individuals or entities may provide payment services commercially in Austria (payment service providers). It also sets out the respective rights and obligations of payment service providers and payment service users in connection with payment services (OGH 8 Ob 106/20a; § 1 (1) ZaDiG 2018).
Pursuant to the definitions in § 4 of the Payment Service Act 2018, the following terms are to be understood as follows:
- “Payment transaction”: The provision, transfer or withdrawal of an amount of money initiated by the payor, on behalf of the payor or by the payee, regardless of any underlying obligations in the relationship between the payor and the payee,
- “Amount of money”: banknotes and coins, scriptural money or e-money in accordance with § 1 (1) of the E-Money Act 2010,
- “Payment service provider”: A legal entity pursuant to the exhaustive list in § 1 (3) of the Payment Service Act 2018,
- “Strong customer authentication (two-factor authentication)”: Authentication using at least two elements from the categories of knowledge (something only the user knows), possession (something only the user possesses) or inherence (something only the user is), which are independent of each other in that the failure of one criterion does not compromise the reliability of the others, and which is designed to protect the confidentiality of the authentication data.
Of particular interest here is § 67 (1) of the Payment Service Act 2018, which stipulates that in the event of an unauthorized payment transaction, the payment service provider must restore the debited payment account, without undue delay, to the state it would have been in without the unauthorized payment transaction.
Moreover, pursuant to § 87 (1) of the Payment Service Act 2018, a payment service provider is mandated to require strong customer authentication (two-factor-authentication) whenever a payer accesses their payment account online, initiates an electronic payment transaction or performs any action via remote access that may expose the transaction to an illicit activity.
According to § 1 (1) of the E-Money Act 2010, e-money refers to any electronically stored monetary value (this includes magnetically stored monetary value) and is issued upon receipt of an amount of money with the intent of executing a payment transaction within the meaning of § 4 of the Payment Service Act 2018.
The authority to issue e-money is limited to the extensive list of e-money issuers listed in § 1 (2) of the E-Money Act 2010.
Consequently, given that the existence of a payment transaction presupposes an association with ‘monetary value’ as reflected by legal tender in the form of banknotes, coins, scriptural money, or electronic money, a transfer of Bitcoin does not fall within the definition of ‘payment transaction’ under § 4 of the Payment Services Act 2018.
Legal finding of the Supreme Court
The clear wording of § 1 (1) of the E-Money Act 2010 excludes cryptocurrencies in the established form of Bitcoin from the definition of electronically stored monetary value contained therein. Consequently, as cryptocurrencies fall outside the statutory scope, the Payment Service Act 2018 cannot be directly applied to Bitcoin.
As recognized by the Austrian Supreme Court, cryptocurrencies, in the established form of Bitcoin, are indisputably an encrypted electronic payment system generated by computer processing power, which is maintained within a decentralized ledger system accessible by the public. Bitcoin are not issued by a central bank or public authority, nor is it possible to identify a general issuer of this payment service (OGH 4 Ob 234/23z).
It is apparent that Bitcoin are neither banknotes nor coins denominated in a legal currency, nor do they qualify as scriptural money (as in a claim due against a credit institution; see Kaufmann/Schneckenleitner/Tuder in Weilinger/Knauder/Miernicki, ZaDiG 2018 Sec 4 [2022]). Further, cryptocurrencies in the established form of Bitcoin cannot be subsumed under the definition of e-money in § 1 (1) of the E-Money Act 2010. This is because Bitcoin do not represent any monetary value stored in the form of a claim against one of the e-money issuers defined by law.Because Bitcoin are neither issued by a central bank, public authority, nor a general issuer of this payment service pursuant to § 1 (3) of the Payment Service Act 2018, and in the absence of the qualification of a Bitcoin transfer as a payment transaction associated with ‘monetary value’, crypto platform providers facilitating the provision, transfer or withdrawal of cryptocurrencies in the established form of Bitcoin cannot be classified as payment service providers. Accordingly, the applicability of the Payment Service Act 2018 and the E-Money Act 2010, which establish specific rights and obligations regarding payment transactions, does not extend to these cryptocurrency transfers.
§§ 67 and 87 of the Payment Service Act 2018 do not apply to these crypto platform providers, absolving the platform from liability for any monetary loss in the event of an unauthorized Bitcoin transfer.
Regulatory outlook
Regulation (EU) 2023/1114 of 31 May 2023 (MiCA-VO) on markets in crypto assets marks a significant development in the EU’s financial supervisory landscape. The regulation introduces for the first time a comprehensive framework to harmonize the regulation of services related to crypto assets (Recital 4 MiCA-VO). This is accompanied by stringent requirements for transparency, IT security and risk management. It is anticipated that the legislative framework will reduce regulatory uncertainties, such as in the present case, thereby establishing a uniform and transparent standard in order to enhance consumer protection and uphold market integrity.
