Financial Ombudsman Service decision

Modulr FS Limited · DRN-6100621

Unauthorised TransactionComplaint upheldRedress £2,200
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr C complains that Modulr FS Limited (‘HyperJar’) declined to refund payments from his account that he says he did not make or otherwise authorise. What happened Mr C says that he did not authorise payments totalling around £2,200 from his account held with HyperJar. Mr C said that at the time of the disputed transactions he was on holiday and had his phone stolen whilst he was at a restaurant. He said the transactions occurred after this theft. Mr C said he had tried to block his phone but had issues due to password recovery not working. This meant he did not discover the transactions until he returned to the UK, and at this point he contacted HyperJar to report them as fraudulent. HyperJar considered Mr C’s complaint but declined to reimburse him on the basis that it did not think Mr C had met his obligations to safeguard his credentials or to notify it of the fraud without undue delay. Mr C was unhappy with HyperJar’s response, so he escalated his concerns to our service where one of our investigators looked into what had happened. They recommended that Mr C’s complaint should be upheld and he should be reimbursed in full, along with 8% simple interest from the date of the loss to the date or settlement. HyperJar did not agree. As no agreement could be reached, the case has been passed to me to decide. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Where evidence is incomplete, inconclusive or contradictory, I reach my decision about the merits of this complaint on the balance of probabilities – in other words, what I consider is most likely to have happened in the light of the available evidence and the wider circumstances. I also have to take account of law and regulations, regulators' rules, guidance and standards, and codes of practice and good industry practice, when I make my decision. The starting position in line with the relevant legislation – The Payment Services Regulations 2017 – is that HyperJar would be liable for any unauthorised payments, and Mr C is liable for any authorised payments. The same regulations also say that Mr C would be entitled to reimbursement for unauthorised transactions “only if [he] notified the payment service provider without undue delay, and in any event no later than 13 months after the debit date, on becoming aware of any unauthorised [transactions]”. Can HyperJar fairly conclude that Mr C authorised the payments?

-- 1 of 3 --

I am persuaded that on the balance of probabilities, Mr C did not make or otherwise authorise these transactions. He has been consistent in his explanation of events. He has provided evidence in support of his testimony that his phone was stolen whilst he was on holiday which allowed the transactions to take place. This includes: • Police report made at the time his phone was stolen; • Evidence he ordered and received a new SIM card; • Evidence that he deactivated his old SIM card; • Evidence that he tried to reset his password on his Apple account to block the phone, and that the verification code was sent to his email; • Evidence of his boarding passes to show that he was abroad at the specified time; • Evidence of account takeover on other accounts. The evidence surrounding the disputed activity also appears to be consistent with a pattern of fraud known in the industry. The larger transactions appear to have taken place in a mobile phone/technology shop which advertises that it can unlock iPhones, and so likely had technical knowledge of how Mr C’s phone worked. The evidence suggests that the person making the payments tried to make larger transactions before making smaller incremental ones when the larger ones did not go through. Mr C had not used ApplePay prior to the disputed transactions, and HyperJar accept that it was set up just before they took place. HyperJar are unable to say how the app was accessed, but Mr C has accepted that his phone may have been unlocked and he utilised the ‘auto fill’ functionality for logging into accounts on his device and stored some information in his notes app, so it is entirely plausible that the unknown third party could have utilised this to access his accounts. I have seen nothing to persuade me that the transactions in question were carried out by Mr C or someone acting with his authority. HyperJar have argued that our investigator has not explained how fraudsters could realistically obtain and use Mr C’s account and ApplePay just because they had stolen the device. I think the evidence does indicate someone who a certain amount of knowledge about phone functionality could have conducted this fraud. But in accordance with the relevant regulations it is for HyperJar to show that the payments were properly authorised. And it is for our service to say what we think is most likely, on the balance of probabilities. We may never know for certain how this happened, but I am satisfied that it is fair and reasonable to conclude that Mr C did not authorise these transactions. Did Mr C act with gross negligence by failing to keep his personal security credentials safe, and did he report the unauthorised transactions without undue delay? If Mr C acted with gross negligence by failing to keep his personal security credentials safe, HyperJar may not be liable to reimburse his losses. So, I have considered whether this should be my conclusion here, but I don’t think this would be fair or reasonable. I’ll explain why. The bar for gross negligence is a high one – Mr C would have had to have been significantly careless and seriously disregarded an obvious risk, or he must have fallen so far below what a reasonable person would have done for this to apply here. It is not unusual for people to store passwords in their device, on the assumption that they are safe within it. Mr C did not hand his phone over to someone with this information on it, his phone was stolen in a surprise act by a third party. Mr C did take steps to try and prevent third party access to his device, as evidenced by the fact he tried to login to his Apple account but was unable to. Mr C, like the average consumer, did not fully comprehend that an unknown third party with access to his phone, which he believed was locked, would allow them to get into his HyperJar account and accounts held with other financial firms. It is clear

-- 2 of 3 --

in the first instance that he wanted to prevent the thief from being able to use the phone more broadly – which is why he tried to block the phone. At this point he also reported the matter to the police. So, I do not think it would be appropriate for HyperJar to rely on this exception to reimbursement here. Onto the matter of when he reported the disputed transactions, I do not think it would be fair or reasonable to conclude that Mr C failed to do so without undue delay. Mr C was unaware of the disputed transactions whilst his holiday continued – he did not have his phone to look at his accounts. He did not think that a thief would be able to access his bank accounts so he did not take steps to check on his accounts – which I think was reasonable in the circumstances. Once he had access to his HyperJar statements and saw the disputed transactions, he did report them immediately. So whilst he did not report the theft of the mobile phone to HyperJar for four days, I do not think this constitutes a failure to report them without undue delay. HyperJar have suggested that Mr C also failed to take effective steps to block the SIM or suspend wallet access until well after he had returned to the UK. I do not think this represents a fair assessment of the facts of this case. It is clear that he did try to block the phone but struggled with technical difficulties. It is also evident that he contacted his mobile phone provider when he arrived back in the UK, but due to lack of access to his phone or email account there were some delays in blocking the SIM and ordering a new one. I do not think this demonstrates he acted unreasonably here. Putting things right In order to put things right, HyperJar must: • Reimburse the disputed transactions; and • Pay 8% simple interest from the date of the transactions to the date of settlement. My final decision I uphold this complaint and require Modulr FS Limited to reimburse Mr C in line with what I have set out above. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr C to accept or reject my decision before 27 April 2026. Katherine Jones Ombudsman

-- 3 of 3 --