Financial Ombudsman Service decision

Kroo Bank Ltd · DRN-6208110

Unauthorised TransactionComplaint not upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr B complains that Kroo Bank Ltd hasn’t reimbursed him payments which he says he didn’t authorise. What happened The facts of this case are well known to both parties so I will only briefly summarise them. Mr B says that he was at a daytime networking event which was followed by visits to numerous pubs and clubs throughout the evening and into the early hours of the morning. He says that he has no recollection of the events between 4am and 8am. And got a taxi home at roughly 8am the next day. He had his phone in his possession. The transactions Mr B is disputing are listed below. It is not disputed that the transactions were completed using a token set up in his digitised wallet on Mr B’s device – and that he had used this token previously. Date Time Amount 15 March 2025 5.00am £3,540 15 March 2025 5.22am £4,990 15 March 2025 5.29am £1,450 Kroo says that two subsequent payments of £2,000 and £1,000 made at 5.33am and 5.35am were declined as this would have exceeded the daily spending limit on the account. Mr B believes that his drink was likely spiked which accounted for him not remembering events between 4am and 8am. He reported the fraud to the police saying that his mobile device had been compromised during a night out. He was referred onto Action Fraud which he has followed up on. Mr B has also said that other banks contacted him about unusual activity on his account and referenced declined transactions. He said that one of the banks refunded him £970 and has provided a statement showing this. Kroo declined to refund the transactions. It pointed out that Mr B was unable to provide a full account of events. And that there was no transaction for a drink to suggest he had been spiked or drugged to cause memory loss, and Mr B was also in possession of his device. Our investigator concluded that Kroo had fairly treated the payment as authorised. Mr B disagreed reiterating that he had consistently told both Kroo, our service and the police, that he was incapacitated at the time of the transactions. He therefore believes that the transactions should be refunded to him. As an agreement could be reached this complaint has been passed to me for a decision.

-- 1 of 3 --

What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Under the relevant law – the Payment Services Regulations 2017 (PSRs) – the starting point is that Mr B is liable for authorised payments and Kroo is liable for unauthorised payments. So, I’ll address this point first While I might not comment on everything (only what I consider key) this is not meant as a discourtesy to either party – it reflects my role resolving disputes with minimum formality. I’d like to assure both parties I’ve carefully considered everything they have sent. Where evidence is incomplete, missing or contradictory, I’ve considered both parties accounts, the technical evidence, and what is most likely to have happened in the circumstances. I need to determine what I think is more likely than not to have happened. I do this by weighing up what I do have and making a finding on the balance of probabilities. Authorisation The internal notes provided by Kroo show that the transactions were completed using a token in Mr B’s digitised wallet. And it isn’t disputed that it was the token on Mr B’s device that was used to complete the transactions. To access this token on Mr B’s device either his passcode or Face ID would be needed. Mr B says he doesn’t recall anything that occurred between 4am and 8am. He had however referenced going to numerous bars and nightclubs. He has provided a taxi receipt for roughly 8am showing that he took a taxi home from London. I’ve also looked at the technical information given by Kroo to get a better understanding of the transactions. The disputed transactions occurred in a roughly 30-minute window. And as there are no failed payment attempts, this suggests the person making the payments was able to successfully authenticate on the first attempt, which is more consistent with someone who knew or had access to Mr B’s security credentials so I’m persuaded that they were completed by somebody who knew Mr B’s security details (his PIN) or they were authenticated using Mr B’s biometrics (Face ID). Normally for fraudulent transactions there are numerous transactions made in quick succession. The logic being that the fraudster is unsure how long they will have access to the payment instrument – so wants to drain the account as quickly as possible. That rapid pattern isn’t present here. Instead, the transactions were spaced over a short period without repeated rapid attempts, which is less typical of third-party fraud. I’ve also considered that Mr B says he remained in possession of his phone, including when he later used it to order a taxi. If a third party had gained access to his device and token in Mr B’s digitised wallet, I would need to see a more plausible explanation for how that access was obtained and then relinquished sometime later. And as I’ve mentioned, Mr B’s phone was also in his possession when he ordered a taxi at 8am. If fraudsters were able to access Mr B’s phone I’m unsure why they would return it to him. As Mr B doesn’t recall events between 4am and 8am – he has concluded he was spiked, but hasn’t provided any evidence in support of this. He has also mentioned that he has gone to the police, which he says demonstrates how seriously he has taken this. He has also said that he has consistently provided the same account to Kroo, the police and the Financial Ombudsman Service.

-- 2 of 3 --

Looking at how the payments occurred it is important to note that, for the transactions to complete it wouldn’t be enough for Mr B to be incapacitated – his security details would be needed to access the token in his digitised wallet. Either his biometrics or PIN. The question of consent as set out in the PSRs is an objective test, and it doesn’t depend on the consumer being fully aware of the details of the payment at the time they completed. This means where a consumer says they were drunk or drugged so couldn’t appreciate what was happening when they entered their PIN or used their biometrics to approve a payment, or where they are being pressured or coerced into giving consent to a payment – under the applicable regulations, they are still deemed to have given consent. I’ve carefully considered what Mr B has said but considering the level of security needed to complete the transactions and considering the relevant law (the PSRs), I’m satisfied that Kroo acted fairly in treating these payments as authorised. Prevention Having taken into account longstanding regulatory expectations and requirements, and what I consider to be good industry practice, Kroo ought to have been on the look-out for the possibility of fraud and made additional checks before processing payments in some circumstances. I’ve carefully considered whether, applying the above principle, the disputed payments warranted further intervention from Kroo before they were processed. The payments were made over 30-minute period using a token in a digitised wallet set up on Mr B’s device which he had used previously. The transactions did not leave the account overdrawn or with a zero balance. I’ve also noted that within the 12 months prior to this transaction Mr B had previously completed large transactions in the thousands from his Kroo account. Given the circumstances of the payments, I’m not satisfied that there’s enough here to say Kroo acted unfairly by not intervening. I’m satisfied that after considering the account history and payment details that Kroo didn’t need to intervene before allowing the payments. Customer service The investigator concluded that Kroo hadn’t taken an unreasonable amount of time in responding to Mr B, and I agree. Mr B initiated a fraud dispute on 16 March 2025, and Kroo provided its response on 9 April 2025. I also haven’t found any errors in Kroo’s investigation, so I don’t think Mr B is entitled to any compensation. My final decision My final decision s that I don’t uphold this complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr B to accept or reject my decision before 24 April 2026. Sureeni Weerasinghe Ombudsman

-- 3 of 3 --