Unauthorised transactions and identity theft

How we resolve complaints about unauthorised transactions

• Your customer was tricked into sharing their bank details

  Many customers tell us they were tricked into handing over confidential information that enabled fraudsters to access their money. For example, they may have:

  • received an official-looking email or text message they thought was genuine, with a link to a fake website – where they then entered confidential banking details
  • had a phone call they thought was from their bank or another organisation and were persuaded into handing over confidential information about their account

  Generally, if a customer didn’t authorise a transaction, they’re not liable for the loss. The exception is if they haven’t kept security information safe through ‘gross negligence’. We consider the bar for gross negligence to be very high.

  If we think your customer didn’t authorise a transaction – and was the victim of a scam – we’ll want to understand how the customer was manipulated into sharing sensitive information.

  In these scams criminals often play on the emotions of the consumer – for example by making them think they’ll lose all their money. We’ll take this into account.

  And we’ll ask the customer for anything that played a part in the manipulation – such as a fraudulent email or text message.

  You will need to provide us with:

  • statements from the period of the disputed transactions and six months leading up to the transactions
  • terms and conditions of the account
  • electronic records (an audit trail) to show how the disputed transactions were authenticated. For example, chip read, PIN entered, card not present, contactless, if 3D Secure was used, any biometrics used such as the customer’s fingerprint
  • where and how someone else other than the customer has been able to carry out the transactions, for example was it a change of IP address
  • electronic record key so we can understand the report
  • online and mobile banking records covering the same time period as the disputed transactions
  • all relevant call recordings including the call when the disputed transactions were reported if applicable
  • card and PIN history, where relevant
  • for distance contracts (card not present transactions), all information obtained from the merchants in question or details why it wasn’t requested if applicable

  We may find that the transactions were unauthorised and your customer didn’t act with ‘gross negligence’, in which case, we might ask you to:

  • refund all or some of the customer’s loss
  • pay interest – usually calculated at 8% per year simple, and
  • make a distress and inconvenience payment

• A customer says money has left their account without their knowledge or permission

  Your customer may notice a transaction on their account that they don't think they authorised. They may say their card was lost or stolen and that someone else has made payments without their permission.

  In cases where a payment has been made using a credit facility (such as a credit card or overdraft), you should reimburse your customer regardless of whether they acted with 'gross negligence'.

  Otherwise, we'll look at whether:

  • your customer did in fact make the payment
  • they kept their card – or other payment instrument – secure and if not whether they may have deliberately or with gross negligence

  We’ll ask your customer about the circumstances surrounding the payments, for example:

  • how they kept information about any payment instrument, such as the card and PIN, or online banking security information
  • whether they’ve given anyone else permission to use that information
  • whether at any time they've lost or not had possession of that the information

  We’ll expect you to provide compelling evidence to demonstrate that your customer authorised a payment or acted with gross negligence.

• Identity theft complaints

  The most common example of ID theft we see is where a fraudster has applied for a loan in someone else’s name. The fraudster then withdraws the loaned money from their current account.

  Generally, if a consumer didn’t consent to a loan, they can’t be held liable for any outstanding debt. So, we’ll want to establish whether the customer applied for a loan or was the victim of identity theft.

  To help us decide, we’ll ask for information from the customer, the bank and the lender – along with evidence to back up what they tell us.

  We’ll ask the customer questions, which might include:

  • how they became aware of the problem
  • whether any of their important documents, such as passports or driving licences, have gone missing, and
  • if so, about the circumstances – for example, how they discovered documents were missing, whether they reported it to get replacement documents and whether they have proof of this

  We’ll ask you why you believe your customer is responsible for the loan or withdrawal. You will also need to provide us with:

  • full details of the loan application and how it was processed (online, phone, in person)
  • all details provided on the application (email address, contact number, address)
  • evidence of checks conducted to confirm identity, CRA searches, existing connection
  • evidence of correspondence/information/welcome pack including where and how it was sent
  • full statements for account including details of any payments and account from where any direct debit was set up
  • full contact history from the customer, to include when the ID Theft was first reported, contact number/email address used for that contact
  • full investigation notes with explanation for how you reached the outcome 
  • details of any contact between the lender and any other firm (such as the bank that received the funds)
  • if a scam is involved, any information the customer has shared
  • if the complaint includes an allegation of irresponsible lending – full details of how the lending decision was assessed and made

  Sometimes, we’ll conclude that the customer didn’t take out the loan, but did withdraw or use the proceeds of the loan. In that situation it may not be appropriate to ask the loan company to write off the debt.