Financial Ombudsman Service decision

Revolut Ltd · DRN-5255906

Authorised Push Payment (APP) ScamComplaint upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr W complains that Revolut Ltd (Revolut) won’t refund the money he lost as part of a scam. What happened The background to this complaint is well known to both parties, so I won’t repeat it in detail here, but in summary I understand it to be as follows. Mr W was tricked into transferring funds between his external bank account with Bank L, to his Revolut account, and from there, on to a fraudster. This was following a phone call Mr W received from who he thought was his credit card provider informing him of a fraudulent attempt made on his credit card. The fraudster led Mr W to believe that he had compromised his accounts through a phishing attempt, which enabled a scammer to hack into his internet and therefore compromise his online banking and the safety of his bank accounts and credit card. Mr W then received a further call from a fraudster impersonating Bank L who was guiding him through the investigation. To protect his funds, and to evade the scammer targeting his accounts, the fraudster told him to move his funds via his Revolut account to a new ‘safe account’ in his name with Bank L, whilst the matter was investigated. Mr W made two faster payments from his Revolut account: 31/10/23 18:18 Faster payment to Payee 1 £24,900 31/10/23 18:39 Faster payment to Payee 2 £23,100 Total £48,000 Mr W was then expecting further contact from another firm he banks with. At this point he grew suspicious and contacted his bank directly who confirmed he had been scammed. He therefore contacted Revolut the same day, to report what happened. Revolut was able to recover some of Mr W’s funds, totalling £391.63, which it paid back to Mr W’s account on 24 November 2023. Revolut declined to refund any more of Mr W’s loss. I’ve summarised its main arguments below: - It’s not at fault for processing the payments Mr W authorised in line with the terms and conditions of his account. - It has no legal duty to prevent fraud and it must comply strictly and promptly with valid payment instructions. It does not need to concern itself with the wisdom of those instructions. This was confirmed in the recent Supreme Court judgement in the case of Philipp v Barclays Bank UK plc [2023] UKSC 25. - It provided sufficient scam warnings (which I’ll come on to discuss later in my decision) and its controls were proportionate and appropriate to the aim of mitigating the risk of a scam occurring. - It did not have reasonable grounds to believe the payments were suspicious. - Mr W seriously impacted Revolut’s ability to spot the fraud because he did not

-- 1 of 10 --

answer Revolut’s questions about the payments honestly. - Revolut is not a signatory to the Contingent Reimbursement Model (CRM) Code and therefore its rules do not apply. The Payment Service Regulator’s (“PSR”) mandatory reimbursement scheme rules were also not yet in force and so should not be applied either. - Revolut acted promptly to recover any potential losses once the scam was brought to its attention. - FOS have overstated Revolut’s duty to its customers in similar cases, and errs in law, by stating that Revolut should have ‘taken additional steps, or made additional checks, before processing a payment, or in some cases declined to make a payment altogether, to help protect customers from the possibility of financial harm from fraud’. Our Investigator looked into Mr W’s complaint and upheld it. He thought that Revolut ought to have contacted Mr W to discuss the first payment and had that happened, the loss would have been prevented. They also considered a linked complaint about Bank L and thought that it too could have prevented most of the same loss Mr W suffered. So, he recommended that both respondents (Bank L and Revolut) refund Mr W’s loss between them. However, as Revolut had recovered some of Mr W’s funds, he said this ought to be deducted from the refund Revolut paid. He also said Revolut ought to pay 8% simple interest from the date of the payments, until the date of the settlement, and £200 compensation for the stress caused to Mr W. Revolut didn’t agree to this outcome. In summary it said: - Mr W’s responses to the warnings were given purposely to not arouse suspicion and did not warrant an escalation for manual review. - Mr W had the opportunity to select a more accurate option in response to the questions asked. - Mr W’s failure to disclose critical information about the payments, and lack of honestly, seriously limited the effectiveness of the intervention it gave. - Its risk assessment was proportionate. As no agreement could be reached, this case was passed to me to be decided. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. In deciding what’s fair and reasonable, I am required to take into account relevant law and regulations, regulators’ rules, guidance and standards, and codes of practice; and, where appropriate, I must also take into account what I consider to have been good industry practice at the time. In broad terms, the starting position at law is that an Electronic Money Institution (“EMI”) such as Revolut is expected to process payments and withdrawals that a customer authorises it to make, in accordance with the Payment Services Regulations (in this case the 2017 regulations) and the terms and conditions of the customer’s account. And, as the Supreme Court has recently reiterated in Philipp v Barclays Bank UK PLC, subject to some limited exceptions banks have a contractual duty to make payments in compliance with the customer’s instructions.

-- 2 of 10 --

In that case, the Supreme Court considered the nature and extent of the contractual duties owed by banks to their customers when making payments. Among other things, it said, in summary: • The starting position is that it is an implied term of any current account contract that, where a customer has authorised and instructed a bank to make a payment, it must carry out the instruction promptly. It is not for the bank to concern itself with the wisdom or risk of its customer’s payment decisions. • At paragraph 114 of the judgment the court noted that express terms of the current account contract may modify or alter that position. In Philipp, the contract permitted Barclays not to follow its consumer’s instructions where it reasonably believed the payment instruction was the result of APP fraud; but the court said having the right to decline to carry out an instruction was not the same as being under a legal duty to do so. In this case, the terms of Revolut’s contract with Mr W modified the starting position described in Philipp, by expressly requiring Revolut to refuse or delay a payment “if legal or regulatory requirements prevent us from making the payment or mean that we need to carry out further checks”. So Revolut was required by the implied terms of its contract with Mr W and the Payment Services Regulations to carry out their instructions promptly, except in the circumstances set out in its contract, which included where regulatory requirements meant it needed to carry out further checks. Whether or not Revolut was required to refuse or delay a payment for one of the reasons set out in its contract, the basic implied requirement to carry out an instruction promptly did not in any event mean Revolut was required to carry out the payments immediately1. Revolut could comply with the requirement to carry out payments promptly while still giving fraud warnings, or making further enquiries, prior to making the payment. And, I am satisfied that, taking into account longstanding regulatory expectations and requirements and what I consider to have been good industry practice at the time, Revolut should in October 2023 fairly and reasonably have been on the look-out for the possibility of fraud and have taken additional steps, or made additional checks, before processing payments in some circumstances (irrespective of whether it was also required by the express terms of its contract to do so). In reaching the view that Revolut should have been on the look-out for the possibility of fraud and have taken additional steps, or made additional checks, before processing payments in some circumstances, I am mindful that in practice all banks and EMI’s like Revolut do in fact seek to take those steps, often by: • using algorithms to identify transactions presenting an increased risk of fraud;2 1 The Payment Services Regulation 2017 Reg. 86 states that “the payer’s payment service provider must ensure that the amount of the payment transaction is credited to the payee’s payment service provider’s account by the end of the business day following the time of receipt of the payment order” (emphasis added). 2 For example, Revolut’s website explains it launched an automated anti-fraud system in August 2018: https://www.revolut.com/news/revolut_unveils_new_fleet_of_machine_learning_technology_that_has_seen _a_fourfold_reduction_in_card_fraud_and_had_offers_from_banks_/

-- 3 of 10 --

• requiring consumers to provide additional information about the purpose of transactions during the payment authorisation process; • using the confirmation of payee system for authorised push payments; • providing increasingly tailored and specific automated warnings, or in some circumstances human intervention, when an increased risk of fraud is identified. In reaching my conclusions about what Revolut ought fairly and reasonably to have done, I am also mindful that: • Electronic Money Institutions like Revolut are required to conduct their business with “due skill, care and diligence” (FCA Principle for Businesses 2), “integrity” (FCA Principle for Businesses 1) and a firm “must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems” (FCA Principle for Businesses 3). • Over the years, the FCA, and its predecessor the FSA, have published a series of publications setting out non-exhaustive examples of good and poor practice found when reviewing measures taken by firms to counter financial crime, including various iterations of the “Financial crime: a guide for firms”. • Regulated firms are required to comply with legal and regulatory anti-money laundering and countering the financing of terrorism requirements. Those requirements include maintaining proportionate and risk-sensitive policies and procedures to identify, assess and manage money laundering risk – for example through customer due-diligence measures and the ongoing monitoring of the business relationship (including through the scrutiny of transactions undertaken throughout the course of the relationship). I do not suggest that Revolut ought to have had concerns about money laundering or financing terrorism here, but I nevertheless consider these requirements to be relevant to the consideration of Revolut’s obligation to monitor its customer’s accounts and scrutinise transactions. • The October 2017, BSI Code3, which a number of banks and trade associations were involved in the development of, recommended firms look to identify and help prevent transactions – particularly unusual or out of character transactions – that could involve fraud or be the result of a scam. Not all firms signed the BSI Code (and Revolut was not a signatory), but the standards and expectations it referred to represented a fair articulation of what was, in my opinion, already good industry practice in October 2017 particularly around fraud prevention, and it remains a starting point for what I consider to be the minimum standards of good industry practice now (regardless of the fact the BSI was withdrawn in 2022). • Since 31 July 2023, under the FCA’s Consumer Duty4, regulated firms (like Revolut) must act to deliver good outcomes for customers (Principle 12) and must avoid causing foreseeable harm to retail customers (PRIN 2A.2.8R). Avoiding foreseeable harm includes ensuring all aspects of the design, terms, marketing, sale of and support for its products avoid causing foreseeable harm (PRIN 2A.2.10G). One example of foreseeable harm given by the FCA in its final non-handbook guidance on the application of the duty was “consumers becoming victims to scams relating to their financial products for example, due to a firm’s inadequate systems to detect/prevent scams or inadequate processes to design, test, tailor and monitor the 3 BSI: PAS 17271: 2017” Protecting customers from financial harm as result of fraud or financial abuse” 4 Prior to the Consumer Duty, FCA regulated firms were required to “pay due regard to the interests of its customers and treat them fairly.” (FCA Principle for Businesses 6). As from 31 July 2023 the Consumer Duty applies to all open products and services.

-- 4 of 10 --

effectiveness of scam warning messages presented to customers”5. • Revolut should also have been aware of the increase in multi-stage fraud. Multi-stage fraud involves money passing through more than one account under the consumer’s control before being sent to a fraudster. Our service has seen a significant increase in this type of fraud over the past few years. And, increasingly, we have seen the use of an EMI (like Revolut) as an intermediate step between a high street bank account and the final destination of the funds. Overall, taking into account relevant law, regulators rules and guidance, relevant codes of practice and what I consider to have been good industry practice at the time, I consider it fair and reasonable in October 2023 that Revolut should: • have been monitoring accounts and any payments made or received to counter various risks, including preventing fraud and scams; • have had systems in place to look out for unusual transactions or other signs that might indicate that its customers were at risk of fraud (among other things). This is particularly so given the increase in sophisticated fraud and scams in recent years, which firms are generally more familiar with than the average customer; • have acted to avoid causing foreseeable harm to customers, for example by maintaining adequate systems to detect and prevent scams and by ensuring all aspects of its products, including the contractual terms, enabled it to do so; • in some circumstances, irrespective of the payment channel used, have taken additional steps, or made additional checks, or provided additional warnings, before processing a payment – (as in practice Revolut sometimes does); and • have been mindful of – among other things – common scam scenarios, how the fraudulent practices are evolving (including for example the common use of multi- stage fraud by scammers) and the different risks these can present to consumers, when deciding whether to intervene. Should Revolut have recognised that Mr W was at risk of financial harm from fraud? I agree with our Investigator that Revolut ought to have been concerned that Mr W was at risk of financial harm from fraud when he made Payment 1. I accept Revolut’s argument that the account wasn’t frequently used by Mr W, so it didn’t necessarily know in great detail, how Mr W typically transacted. And when he opened the account back in 2017, one of the given account-opening purposes was ‘transfers’ which aligned with the disputed payments. However, on the day of the scam, Mr W made six payments into his Revolut account from his Bank L using open banking. These payments were made in quick succession and in total, £48,000 credited his Revolut account in increments, in the space of around 25 minutes. This was a sudden increase in activity on the account, which had only been used six times since the start of 2023. And it was usual that Mr W topped his account up in this way, as opposed to depositing one lump sum into the account. Within the hour, he then made a significant payment of £24,900. The funds crediting his account in such a way, only to be moved out to a third party shortly after, might suggest a multi-stage fraud, or an attempt to evade fraud detection systems. 5 The Consumer Duty Finalised Guidance FG 22/5 (Paragraph 5.23)

-- 5 of 10 --

Taking these things into account, I’m satisfied Revolut ought to have identified that Mr W might be at risk of financial harm from fraud when he made Payment 1. And it ought to have taken steps to warn him against the risks of proceeding. What did Revolut do to warn Mr W? When Mr W created the new payees, he was shown a warning which said: "Do you know and trust this payee? If you’re unsure, don’t pay them, as we may not be able to help you get your money back. Remember, fraudsters can impersonate others, and we will never ask you to make a payment.” Both payments were put on hold by Revolut, and he was shown a series of screens containing some warnings about scams in general. Following this, Mr W was asked to confirm that he was not being told how to answer the questions or being told it was urgent. He was then asked to give the reason for the payments he was making. Mr W selected ‘Pay a family member or friend’ for a ‘Wedding’, as instructed to do so by the fraudster. He confirmed he had not been asked for help unexpectedly and he had paid them before using different bank details. He said he’d receive the bank details face to face. After being shown some further scam warnings, he was presented with a risk agreement which he accepted and made the payments. As I understand it, the process was the same for Payment 1 and Payment 2. Revolut has also commented on an email it sent to Mr W some months prior to the scam which contained general scam education. It says had Mr W taken this email more seriously, it would have prevented the successful phishing attempt at the start of the scam. I’ve considered the warnings relied on by Revolut, and having done so, I’m not persuaded such warnings were proportionate to the scam risk either payment presented. I accept that some of the warnings contained information relevant to Mr W’s circumstances. However, the warnings lack sufficient context to have been impactful in the circumstances of the payments. I have considered Revolut’s argument that Mr W didn’t provide accurate information in response to the questions he was asked about the payments, and this impacted its ability to provide a more specific warning. But given the risk associated with these payments, I’m still not persuaded that it was enough for Revolut to simply ask Mr W to answer a series of automated questions and be satisfied that he wasn’t at risk of financial harm from fraud. It’s also not fair or reasonable to rely on an email it sent to Mr W some months prior to the scam and expect him to have remembered the contents of this email, when faced with a high-pressure situation like a ‘safe account’ scam call. Overall, I’m not persuaded Revolut did enough to warn Mr W about the payments he was making. Having thought carefully about the risk Payment 1 presented, I think a proportionate response to that risk would be for Revolut to have attempted to establish the wider circumstances surrounding the payment before allowing it to debit Mr W’s account. I think it should have done this by, for example, directing Mr W to its in-app chat to discuss the payment further. If Revolut had attempted to establish the circumstances surrounding Payment 1, would the scam have come to light and Mr W’s loss been prevented?

-- 6 of 10 --

I’m satisfied that had Mr W told Revolut the true circumstances behind the payment he was making, it would have easily been able to identify the clear hallmarks of a ‘safe account’ scam. It would have been able to provide a specific and clear warning about this scam and considering Mr W was only moving his funds believing he was keeping them safe, I think it’s highly unlikely he’d have proceeded if he knew he was in fact doing the opposite and risking losing them all. However, as Revolut has fairly argued, Mr W didn’t reveal the true reason for the payments in the first instance when asked through a series of automated questions. So, I’ve considered whether, through further open ended and probing questioning, Revolut could have uncovered the true circumstances behind the payments Mr W was making. Firstly, Mr W was told how to answer the automated questions Revolut asked, by the fraudster. But I’m mindful his answers came under no real scrutiny by Revolut, so that’s not to say he could have so easily evaded Revolut had he spoke to a member of staff. Secondly, Mr W was not intending to deceive Revolut. He understood that he was masking the true reason for the payment in order to evade the scammer who was allegedly monitoring his account and trying to take his funds. I see no reason as to why Mr W would have continued to mislead Revolut, had it asked open ended and probing questions about the wider circumstances of the payment he was making. But even if Mr W had attempted to maintain a cover story if Revolut had made further enquiries, I’m not persuaded that this would have stood up to scrutiny, when considering the recent account activity on Mr W’s account. Had he truly been paying a friend for a wedding, I’d expect Revolut to have questioned the unusual pattern of credits into Mr W’s account, and why he had not simply paid that beneficiary from his Bank L’s account. This additional step of moving funds to Revolut first, would seem unnecessary and could be indicative of multi-stage fraud. So, I’m not persuaded a plausible cover story would have been maintained, and I think it’s likely Revolut could have uncovered the true circumstances behind the payments. Ultimately, Mr W was never given a clear and specific warning about the risks of safe account scams. I’ve already explained why Revolut’s warnings weren’t impactful. And I’ve seen evidence from Bank L which confirmed it did not give any interventions when Mr W moved his funds from Bank L to Revolut. So, in the absence of any compelling evidence which supports Mr W would have ignored a targeted waring about the common features of safe account scams, I’m satisfied that had Revolut established the circumstances surrounding Payment 1, as I think it ought to have done, and provided a clear warning, Mr W’s loss from and including Payment 1 would have been prevented. Is it fair and reasonable for Revolut to be held responsible for Mr W’s loss? In reaching my decision about what is fair and reasonable, I have taken into account that Mr W moved his funds from his Bank L account to his Revolut account, before passing them on to a fraudster. Mr W has chosen to also complain about Bank L. And that complaint has been considered by our service, with our Investigator reaching a view that it too missed the opportunity to intervene and prevent £47,000 of Mr W’s loss. As such, he recommended that Bank L refund 50% of this (£23,500) which Bank L has accepted, on the basis that Revolut would be responsible for the rest of the loss.

-- 7 of 10 --

As I’ve set out above, I think that Revolut still should have recognised that Mr W might have been at risk of financial harm from fraud when he made Payment 1. And in those circumstances Revolut should have made further enquiries about the payment before processing it. If it had done that, I am satisfied it would have prevented the £48,000 loss Mr W suffered. It's worth highlighting that the fact that the money used to fund the scam came from elsewhere, does not alter that fact and I think Revolut can fairly be held responsible for Mr W’s loss in such circumstances. I don’t think there is any point of law or principle that says that a complaint should only be considered against either the firm that is the origin of the funds or the point of loss. Given Bank L has already agreed to refund £23,500 of Mr W’s loss, and for the reasons I’ve explained, Revolut failed to prevent Mr W’s £48,000 loss, I’m satisfied Revolut can be held liable for the outstanding loss. Should Mr W bear any responsibility for his loss? In considering this point, I’ve taken into account what the law says about contributory negligence as well as what’s fair and reasonable in the circumstances of this complaint. Having done so, I agree with our Investigator that Mr W should not be held liable for his loss. I say this because: - This was a particularly elaborate and drawn-out scam which involved Mr W speaking to multiple fraudsters who impersonated his account providers, over several hours. And he was led to believe that this was a complex investigation overseen by the Financial Conduct Authority (FCA). - The fraudsters used persuasive techniques such as quoting a ‘security code’ which it sent to Mr W by text message and giving partial known information about him and his account. This created the illusion he was speaking to a genuine member of bank staff. - Mr W was already suspicious that he’d fallen victim to a phishing attempt and this concern was solidified by the fraudsters who referenced the website Mr W had suspicions about. So, he had a genuine reason to believe his account could be compromised, making the threat he was facing seem even more real. - The use of a withheld number was explained away as a tactic to evade the fraudsters targeting his account. It’s also not particularly unusual for a bank to call from a withheld number. - The payment journey (from Bank L to Revolut to two Bank L accounts in different names, in ‘randomly generated amounts’) was explained to be a deliberate attempt to hide the trail of funds from the scammer who had hacked his internet and was infiltrating his accounts. - I’ve also taken into account that at the time of the scam, Mr W had recently visited his elderly father who was seriously ill. As a result, Mr W was somewhat distracted, and his defences were weakened. Taking all of these things into account, and in the absence of an impactful warning from either Revolut or Bank L, I can see why Mr W was duped by the fraudster. In light of the above, I’m satisfied Mr W acted reasonably, and ultimately has fallen victim to a highly sophisticated scam. And in these circumstances, it would not be fair or reasonable to hold him liable for his loss. Revolut’s handling of Mr W’s scam claim

-- 8 of 10 --

Mr W feels strongly that Revolut took too long to action his claim, and that this impacted the amount he was able to recover from the Bank L accounts he paid. I’ve considered whether Revolut took appropriate and timely steps to recover Mr W’s funds once he reported the scam on 31 October 2023. Good industry practice (derived from the Best Practice Standards for recovery of funds) suggests contact with the recipient firm (Bank L) should be made ‘immediately’. Whilst ‘immediately’ isn’t defined, but I think up to one hour would be considered reasonable. Revolut says it contacted Bank L on 4 November 2023, so it didn’t act as quickly as I’d have expected it to. However, I have also seen evidence from Bank L which suggests it took steps to block the accounts Mr W paid when Mr W called Bank L to report the scam. So, it seems unlikely that Revolut’s delays impacted the amount recoverable from the Bank L accounts. But I accept that this was not known to Mr W at the time, and it was the frustration and uncertainty that caused him distress. I understand Mr W was also frustrated that he was unable to report the scam to Revolut by phone, they took a long time to respond and progress his claim, and they often asked him for information he’d already provided. Having reviewed the contact notes between Mr W and Revolut, I agree the service fell short of what you’d fairly and reasonably expect from Revolut. Aside from the obvious delays in attempting to recover Mr W’s funds, which caused him stress, it also asked him for evidence he’d already provided, and repeatedly ignored his requests for confirmation that they’d contacted Bank L, and for a case reference to be provided. Ultimately, I need to remember that Mr W lost this money because of the actions of a fraudster. And whilst I am sorry to hear of the devastating impact this loss had on Mr W, it would not be fair or reasonable to suggest Revolut is the sole cause of this impact. However, I agree that the handling of Mr W’s claim, caused him added distress at an already difficult time. In light of this, I think the £200 compensation recommended by our Investigation is fair and reasonable in these circumstances. Putting things right Overall, I’m in agreement with the view our Investigator reached that Revolut ought to refund Mr W’s outstanding loss in full. He calculated that to be £24,108.85 (£24,500 - £391.15). This is because in its submission to our service, Revolut said it recovered £391.15 (£385.15 + £6.00). However, Mr W’s Revolut statements show the actual amount Revolut recovered was £391.63 (£385.15 + £6.48), which was paid into his account on 24 November 2023. I’m therefore satisfied that the outstanding loss, taking into account the recovered funds and refund from Bank L, is £24,108.37. My calculations are below: £24,900 + £23,100 = £48,000 (total disputed payments) £385.15 + £6.48 = £391.63 (total recovered funds) £48,000 - £23,500 (refund from Bank L) = £24,500 £24,500 - £391.63 = £24,108.37 Revolut should now refund £24,108.37 and pay 8% simple interest on this, from the 31 October 2023, until the date the settlement is paid. Revolut should also pay £200 compensation in recognition of the added stress it caused Mr W.

-- 9 of 10 --

My final decision For the reasons set out, I uphold this complaint about Revolut Ltd and instruct it to: - Refund £24,108.37 - Pay 8% simple interest on this amount, from 31 October 2023, until the date the settlement is paid (less any tax lawfully deductible) - Pay £200 compensation Under the rules of the Financial Ombudsman Service, I’m required to ask Mr W to accept or reject my decision before 21 March 2025. Meghan Gilligan Ombudsman

-- 10 of 10 --