Felix Eggenburg
Knoetzl, Vienna

Bettina Knoetzl
Knoetzl, Vienna

The proliferation of virtual currencies has exploded in recent years. The widespread adoption of cryptocurrencies can be attributed, inter alia, to the convenience they provide to carry out transactions in combination with their pseudo-anonymous nature. At the same time, the constrained traceability of cryptocurrency transfers significantly obfuscates means of effective oversight and supervision, thereby creating a heightened risk of illicit activities.

Against this backdrop, the first ruling has now been handed down by the Austrian Supreme Court on the applicability of the Payment Service Act 2018 (ZaDiG 2018) and the E-Money Act 2010 (E-GeldG 2010) implicating transactions involving cryptocurrencies. The Court’s reasoning in the case is pivotal, as it discusses whether crypto platform providers fall within the scope of section 4 of the Payment Service Act 2018, thereby determining the availability of consumer-protective mechanisms generally accorded to users of regulated payment services.

Austrian Supreme Court ruling: 4 Ob 234/23z

In the underlying case, the claimant set up an account on the defendant’s platform. For that purpose, a digital wallet was automatically generated, into which monetary funds could be transferred and converted into Bitcoin. The claimant secured access to the account with a personal password, but refrained from activating two-factor authentication, which would have been available as an additionally protective measure, albeit not mandatory, designed to enhance the security of the wallet.

In the course of 2021, the claimant initiated a series of eight transfers. Within two to three days after every transfer, the claimant was able to verify the transaction – the amount of fiat currency transferred to the account as well as the corresponding amount of Bitcoin thereby acquired.

Subsequently, through the installation of the remote-access software AnyDesk – an application facilitating external control over computer programs – a malicious third party successfully gained unauthorised access to the claimant’s digital wallet and transferred corresponding Bitcoin stored in the wallet to an external wallet address linked to an unidentified party. The claimant was unable to ascertain the third party and consequently sustained significant financial loss.

The claimant later asserted that the damage could have been prevented had the platform complied with sections 67 and 87 of the Payment Services Act 2018.

The Payment Service Act 2018

Pursuant to the definitions in section 4 of the Payment Service Act 2018, the following terms are to be understood as follows:

• payment transaction: the provision, transfer or withdrawal of an amount of money initiated by the payor, on behalf of the payor or by the payee, regardless of any underlying obligations in the relationship between the payor and the payee;
• amount of money: banknotes and coins, scriptural money or e-money in accordance with section 1 (1) of the E-Money Act 2010; and
• payment service provider: a legal entity pursuant to the exhaustive list in section 1 (3) of the Payment Service Act 2018.

Of particular interest here is section 67 (1) of the Payment Services Act 2018, which stipulates that in the event of an unauthorised payment transaction, the payment service provider must restore the debited payment account, without undue delay, to the state it would have been in without the unauthorised payment transaction.

Moreover, pursuant to section 87 (1) of the Payment Service Act 2018, a payment service provider is mandated to require strong costumer authentication (two-factor authentication) whenever a payer accesses their payment account online, initiates an electronic payment transaction, or performs any action via remote access that may expose the transaction to an illicit activity.

The E-Money Act 2010

According to section 1 (1) of the E-Money Act 2010, e-money refers to any electronically stored monetary value (this includes magnetically stored monetary value) and is issued upon receipt of an amount of money with the intent of executing a payment transaction within the meaning of section 4 of the Payment Service Act 2018.

The authority to issue e-money is limited to the exhaustive list of e-money issuers listed in section 1(2) of the E-Money Act 2010.

The liability mirage

As recognised by the Austrian Supreme Court, cryptocurrencies, in the established form of Bitcoin, are indisputably an encrypted electronic payment system generated by computer processing power, which is maintained within a decentralised ledger system accessible by the public. Bitcoin is not issued by a central bank or public authority, nor is it possible to identify a general issuer of this payment service.^[1]

It is apparent that Bitcoin is neither banknotes nor coins denominated in a legal currency, nor does it qualify as scriptural money (as a claim due against a credit institution).^[2] Further, cryptocurrencies in the established form of Bitcoin cannot be subsumed under the definition of e-money in section 1 (1) of the E-Money Act 2010. This is because Bitcoin does not represent any monetary value stored in the form of a claim against one of the e-money issuers defined by law.

Consequently, given that the existence of a payment transaction presupposes an association with ‘monetary value’ as reflected by legal tender in the form of banknotes, coins, scriptural money, or electronic money, a transfer of Bitcoin does not fall within the definition of ‘payment transaction’ under section 4 of the Payment Service Act 2018.

Because Bitcoin is neither issued by a central bank or public authority, nor a general issuer of this payment service pursuant to section 1 (3) of the Payment Service Act 2018, and in the absence of the qualification of a Bitcoin transfer as a payment transaction associated with ‘monetary value’, crypto platform providers facilitating the provision, transfer or withdrawal of cryptocurrencies in the established form of Bitcoin cannot be classified as payment service providers. Accordingly, the applicability of the Payment Service Act 2018 and the E-Money Act 2010, which establish specific rights and obligations regarding payment transactions, does not extend to these cryptocurrency transfers.

Sections 67 and 68 of the Payment Service Act do not apply to these crypto platform providers, absolving the platform from liability for any monetary loss in the event of an unauthorised Bitcoin transfer.

This determination does not preclude recourse to general civil law principles.

Regulatory outlook

Regulation (EU) 2023/1114 of 31 May 2023 (MiCA-VO) on markets in crypto assets marks a significant development in the EU’s financial regulatory landscape. The regulation introduces for the first time a comprehensive framework to harmonise the regulation of services related to crypto assets.^[3] Crypto asset service providers will become subject to detailed obligations designed to enhance customer protection and market integrity.

It is expected that regulatory uncertainties such as in the present case will be reduced with the new legislation.