Financial Ombudsman Service decision

Barclays Bank UK Plc · DRN-5790669

Unauthorised TransactionComplaint upheldRedress £12,500
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint A company which I will refer to as ‘D’ complains that Barclays Bank UK Plc didn’t reimburse the payments made by a fraudster that it says it didn’t agree to. The complaint is brought on D’s behalf by Mr H and the company is represented by a firm of solicitors. However, for ease I’ll refer to D or Mr H throughout. What happened The background to the complaint is known to both parties and so I won’t repeat it at length here. But briefly, D holds a business account with Barclays including an online banking facility. In July 2023 one of D’s employees, Ms E, was called by someone she believed to be from D’s bank. Ms E didn’t know at the time that the person who had contacted her was a fraudster. Ms E said the fraudster told her that they were calling from Barclays fraud team as fraudulent payments had been identified on D’s account. Ms E was instructed to download ‘anydesk’ on her computer so the caller could block and refund the payments which were due to debit. Ms E logged in to Barclays online banking platform and was told that her screen would go black, but she shouldn’t worry. Ms E was told that three payments hadn’t been released, which she could see was correct. Ms E was told that she needed to log into her PIN sentry device to approve the cancellation of the payments which were due to debit the account. Ms E received five different PIN requests which she approved, but she was concerned that she had no visibility of her screen, so she shut down her computer. Once she’d logged back into D’s online banking, she could see that five transfers had been made from the account. It appeared that two payments had been rejected by Barclays and two payments had been declined but one payment for £25,000 had debited D’s account. Ms E contacted Barclays immediately to report her concerns, and the bank said it would try and stop the payment or recover the missing funds. Barclays contacted the receiving bank within an hour of Ms E’s call to raise the fraud. However, the bank was only able to recover £12.00. D complained to Barclays that it hadn’t done enough to stop the payment debiting its account. Barclays didn’t uphold the complaint and said that Ms E hadn’t followed the warning messages it had provided and had authorised the payment. Barclays wouldn’t refund D’s loss but offered £200 compensation for poor service when investigating the fraud. D didn’t think this was fair and asked our service to investigate the complaint. After the complaint had been brought to our service, Barclays made an offer to resolve D’s complaint. The bank agreed it was partly to blame for D’s loss as it should have identified the payment method was unusual. So, it offered D 50% of its loss, plus interest at 8% for the time D was without its funds and £200 compensation for inconvenience. D didn’t accept this as it said it hadn’t authorised the payment and therefore wanted a full refund.

-- 1 of 5 --

Our investigator reviewed everything and thought the offer made by Barclays was fair. He thought Barclays should have identified that the payment type and rapid timing was unusual for D’s account and therefore it should bear some liability for D’s loss. The investigator also thought that the fraudster had tricked Ms E into allowing them to have remote access to Barclays online system by likely misrepresenting Barclays legitimate system, and he thought Ms E had likely been tricked into authenticating the fraudulent payments through the pin sentry device. However, he thought that although D hadn’t created the payments, it was reasonable for Barclays to say that D had authorised the payments as Ms E had physically pressed the ‘ok’ button on the PIN sentry. So, both parties should equally share the loss suffered by D. Barclays accepted the investigator’s opinion and confirmed its offer was still available to D. D didn’t agree and said in summary that: • It wasn’t uncommon for victims in safe account scams to share their OTP’s thinking this will reverse fraudulent payments. They do not believe they are authorising them. D did not authorise the payments made by the scammer. • The caller misrepresented the purpose of the payments and at no time had D intended to authorise the payments in the sense outlined under the PSRs. There was no informed consent by D of the fraudulent payments. • In this case, Barclays could only refuse to fully reimburse D if it had been grossly negligent, which wasn’t the case here. D had been deceived and acted reasonably, not recklessly. D took steps to verify the caller and was persuaded by the information they were given. • D was made to believe that the requests were urgent and the information contained within the PIN sentry device was limited and wouldn’t have had a bearing on its decision-making process as it didn’t indicate specific payments were being authorised. D wasn’t aware of the processes for incomplete or pending payments so the requests by the fraudster seemed reasonable. • The warnings presented by Barclays initially weren’t received by D, as it hadn’t been making these payments. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’ve decided to uphold it. But I consider the offer made by Barclays since D asked this service to look into its complaint is fair. I’ll explain why. Firstly, I just want to say I’m really sorry that D has had to contact us in these circumstances. Fraud has a huge impact, both financially and emotionally. And we recognise how important these cases are to all complainants affected. When reviewing the complaint, I’ve taken into account the relevant rules, regulation, and the industry guidance. I’ve also taken into account Barclays terms and conditions as that sets the starting point for D’s agreement with the bank on how its account will be managed. Is it fair for Barclays to treat the payment as authorised?

-- 2 of 5 --

D says that it did not authorise the payment made to the fraudulent bank account and therefore it shouldn’t be held responsible for the payment. Barclays disagreed and said that the payment was authorised by D’s employee using the payment tools it had provided. However, both parties agree that D was the victim of a scam. The regulations relevant to this case are the Payment Services Regulations (the PSRs). These explain, generally speaking, that account holders will be liable for payments they’ve authorised, and banks will be liable for unauthorised payments. To consider a payment authorised, the PSRs explain that D must have given its consent to the execution of the payment transaction – and that consent must be in the form, and in accordance with the procedure, agreed between it and Barclays. Barclays say that on 6 July 2023 at around 12:30, Ms E authorised a transfer for £25,000 to a new third-party beneficiary account via her laptop. It also says that Ms E was sent a message to her PIN sentry device with information about a transaction, and that Ms E released the payment. Barclays says this was repeated for each of the 5 payments (albeit only one payment debited D’s account) and that Ms E would have been aware that if she accepted the message on the PIN sentry device, that a payment would debit D’s account. So, it was satisfied the payments were made by D. Although we can’t be sure what happened here, based on Ms E’s testimony it appears that she was tricked into allowing remote access to Barclays online banking portal through a fake version of the real site. The fraudsters then set up payments through the online banking portal and Ms E received a request to authorise the payments using her PIN sentry device – which she acknowledges she did as she believed she was correcting the actions of a different fraudster and releasing previously held payments. In practical terms, the form and procedure which D and Barclays have agreed to is outlined in the terms of D’s account. The most applicable terms here say: “You use payment tools to access your accounts and make payments. All these tools are personal to you […] it’s your responsibility to keep it safe”. Payment tools are further defined as cards, pin numbers or actions taken such as using passwords, PINs or codes (such as via the PIN sentry) “To make a payment or withdrawal from your account, you need to give us authorisation. You can do this in several ways including [...] Log onto Online Banking, the Barclays app or any other applicate Electronic Banking Service we provide using your security details. Follow the instructions to complete the payment.” and, “We’ll think an instruction has come from you […] or if your payment tools were used” I recognise that D says that it didn’t authorise the payments, of which only the £25,000 was credited to the fraudsters account, as Ms E was misled about the reason for these payments taking place. However, although Ms E says she thought she was agreeing to release the expected pending payments, she has accepted that she did receive requests to release the payments, and she did undertake this action using her PIN sentry device. The PIN sentry message displayed to Ms E didn’t say an amount, only the last six digits of the payment reference, the date and time of the payment. I can understand why Ms E believed she was taking the required action to release the ‘pending payments, given that there was no amount included in the message, and she said her screen was black at the

-- 3 of 5 --

time the payments were being processed by the fraudster. But in this case, Ms E has confirmed she did approve the payments on her PIN sentry. I’m sorry to disappoint Mr H, but given the circumstances of the complaint, I think it’s reasonable for Barclays to rely on this confirmation as consent by Ms E as D’s agent to process the payment instructions on the company’s behalf. I acknowledge D thinks that the payments shouldn’t be treated as authorised as the fraudster misrepresented the payments and Ms E didn’t intend to make them. However, I can’t ignore that Ms E did agree for the payments to be released, albeit she says she didn’t have oversight of what they were for and trusted what the fraudster had said, but I can’t fairly hold Barclays responsible for that. Ultimately, I think Ms E ought reasonably to have been aware that by accepting the code on the PIN sentry that a payment could be made from D’s account, as this was outlined in the account terms and she’d used this as a method to make payments previously. So, I’m satisfied the payments were authorised and therefore under the PSRs there isn’t an obligation on Barclays to refund D. I recognise that D says Barclays could only refuse to fully reimburse D if it had been grossly negligent, which wasn’t the case here. However, gross negligence wouldn’t be a consideration in this case due to D’s business size. Should Barclays have done more before processing any of the payments? Barclays has a duty to exercise reasonable skill and care, pay due regard to the interest of its customers and to follow good industry practice to keep customer’s accounts safe. This includes looking out for payments which might indicate the consumer is at risk of financial harm. Taking these things into account, I think Barclays should fairly and reasonably have had systems in place to look out for out of character or unusual transactions, or other signs that might indicate that its customers were at risk of fraud. So, I need to decide whether Barclays acted fairly and reasonably in its dealings with D here, and if I think it should have done more before allowing the payments to leave D’s account. However, Barclays has already accepted that it should have done more here and has offered to pay half of the £25,000 which debited D’s account. Whilst I recognise that Ms E says she thought she was speaking to Barclays at the time she logged into D’s account, I have to take into consideration that Ms E would have needed to, as a minimum here, had to physically click on the PIN sentry to allow the payment to leave D’s account. Ms E told us that she’d made payments using this method previously, so I think she ought reasonably to have been aware that her actions could lead to a payment being made from D’s account by the third-party to whom she’d given control of her computer. Whilst I acknowledge that Ms E says she thought she was agreeing to a legitimate payment, I’m satisfied that D should bear some responsibility here as a result of Ms E’s actions in contributing to its loss. Barclays’ actions after the scam was reported Barclays obligations as a payment service provider don’t end once a payment has been made. There is an expectation on it to attempt to recover any lost funds once a scam has been reported. In this case, I can see that Ms E reported the fraud at around 12:45 shortly after the payments had debited D’s account. When Barclays received the fraud report from Ms E, I’d have expected it to contact the receiving bank at the earliest available opportunity to see if any funds could be returned. In this case, I can see that Barclays reported the fraud at 13:54 to the receiving bank, so I’m satisfied that it acted quickly and in the manner I’d have expected. However, I can see that D had to chase Barclays for an update on the recovered funds and that the bank wasn’t proactive in supporting D about the fraud. I can see that this caused

-- 4 of 5 --

inconvenience to D, and I think Barclays needs to acknowledge the impact its actions had on D at an already difficult time. Putting things right I recognise Mr H’s strength of feeling about this complaint, and I acknowledge the comments that he’s provided. However, having considered all the evidence available I think both parties should be held equally responsible for D’s loss. I also think interest should be awarded to D for the time it has been without its funds. Our service has generally recommended annual interest at 8% simple for the time a complainant has been without the use of their funds. Barclays has offered to refund half the loss plus 8% interest, and I think this is reasonable. Barclays has also accepted that its communication with D after the fraud should have been better. It has offered £200 compensation for the inconvenience caused and I think this is enough to put things right. I recognise this doesn’t take into consideration the frustration felt by Mr H, however, D is the eligible complainant here and cannot experience distress. Therefore, I can only recommend an award for the inconvenience caused to D from having to chase Barclays for information. My final decision My final decision is that I uphold this complaint. Barclays Bank UK Plc has now made an offer to refund D 50% of the £24,988 loss incurred as a result of the fraud, along with annual interest at 8% simple for the time D was without the use of its funds and £200 compensation for the inconvenience caused from poor service. I think this offer is fair in all the circumstances, and I don’t intend to order Barclays Bank UK Plc to do anything more. Under the rules of the Financial Ombudsman Service, I’m required to ask D to accept or reject my decision before 29 September 2025. Jenny Lomax Ombudsman

-- 5 of 5 --