Financial Ombudsman Service decision

Barclays Bank UK PLC · DRN-5900928

Unauthorised TransactionComplaint not upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Ms O complains that Barclays Bank UK PLC (‘Barclays’) declined to reimburse her when a payment was debited from her account which she says she did not make or otherwise authorise. What happened The circumstances of this complaint are well known to both parties, so I will not go into every detail of what happened here. But in summary, a payment of approximately £1,600 was taken from Ms O’s account which she says she did not make or otherwise authorise. This was a card payment to a retailer for a phone. She said it took place on her old Barclays card which she had cut up when she replaced it with a personalised one. She said that the transaction took her into an unauthorised overdraft. She explained that Barclays were having IT issues at the time of the transaction in dispute, and she had frozen her new card for security reasons. Barclays looked into what happened and declined to reimburse the disputed transaction. It said there was no evidence that the transaction was fraudulent, and that her old card had not been blocked as it hadn’t been cancelled due to loss or theft, so it was still able to be used. It said that the transaction was able to go through despite her lack of overdraft as a result of the IT issues it was facing. Ms O was unhappy with their response and so she escalated her concerns to our service where one of our investigators looked into what had happened. They did not recommend that Ms O’s complaint should be upheld on the basis that they thought it was most likely that Ms O made or otherwise authorised the transaction. Ms O did not agree, and as no agreement could be reached the case has been passed to me to decide. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Does the evidence suggest that the payments were authorised by Ms O, or someone acting on her behalf? I think it’s important to explain I’ve considered all of the information provided by both parties in reaching my decision. If I’ve not reflected or answered something that’s been said it’s not because I didn’t see it, it’s because I didn’t deem it relevant to the crux of the complaint. This isn’t intended as a discourtesy to either party, but merely to reflect my informal role in deciding what a fair and reasonable outcome is. The regulations relevant to this case - the Payment Services Regulations 2017 (PSRs) – set out what is needed for a payment to be authorised and who has liability for disputed payments in different situations. The starting point is that the Ms O would be responsible for

-- 1 of 4 --

authorised payments, and Barclays would be responsible for unauthorised ones. The PSRs specify that authorisation depends on whether the payment transactions were authenticated correctly – and whether Ms O, or someone acting on her behalf, consented to them. So, the relevant findings for me to make here are whether the payment was authenticated, and whether I think it is more likely than not that Ms O made or otherwise consented to the payment in dispute. The technical evidence shows that the transaction was completed by entering the long card number, the card expiry date and CVV into the merchant’s website. It also shows that the payment had to be further authenticated through two factor authentication. In order for the payment to be authenticated the payer was given a number of options which included in-app authentication – which was chosen in this case. This prompted an app notification on the registered device for the Barclays app, which prompted them to log in and authenticate the transaction. The technical data shows that the app was logged into via biometric authentication. When logged in, the customer was automatically moved to a screen with a warning message where they could confirm whether they wanted to confirm or deny the payment. The payment was confirmed in this case. So, considering all of this, I am satisfied that the payment was properly authenticated in this case. But as I outlined above, this is not enough in and of itself to say that Ms O is liable for the transaction – I need to consider whether the evidence suggests that she also consented to the payment being made. Having carefully considered the available evidence, I do think that Ms O consented to the payment being made. In summary, I say this because: • There is no apparent point of compromise for her card details. Ms O said that she cut up her old card when she got her new one, and that she had not shared the details with anyone else. I do understand that there are ways and means in which fraudsters can obtain card details without a cardholder’s permission, but as this was not the only way in which this payment was authenticated this does not seem to be most likely here. • The technical evidence shows that the device that was used to complete the in-app part of the authentication process was the only device which was used for Ms O’s account during this period. It was used for the disputed activity, but was also used for undisputed activity. Therefore it seems most likely that this was Ms O’s genuine device. Ms O has said that she had her phone on her at all times and no one else had access to it. The technical data also shows that the phone used the same IP address for the disputed activity as it did not undisputed activity. This supports the suggestion that the disputed activity took place on her device, utilising the same internet services that she would normally use. • The technical data also shows that biometric identification was used to login to her app. By Ms O’s own admission, hers was the only biometric data stored on her device. She has also accepted that she used biometric ID to get into her Barclays app – which is what was used here. And so it follows that either she logged into her Barclays app, or someone was able to bypass the biometric data. There is nothing in the technical data or other evidence to suggest that the latter is what happened in this case – if indeed it would even be possible. So, it seems more likely than not that Ms O used her biometric ID to get into the Barclays app. • Further to this, Barclays have been able to provide the transaction data from the retailer which has shown that Ms O’s full name and correct address were used to place the order for the phone. This means that it would have been shipped to her address, which would seem like an unusual thing for a third party fraudster to do.

-- 2 of 4 --

So, when considering all of this, I think it is more likely than not that Ms O made or otherwise authorised the transaction and so should be held liable for it. Ms O has argued that someone was able to take over her account due to IT issues with Barclays which were ongoing at the time of the disputed transaction. She has also questioned the reliability of the technical data due to these IT issues. There is no evidence to suggest that the IT issues in question allowed for the takeover of customer accounts – and there is certainly no evidence to suggest that this happened in this case. There was no changes made to her account, new devices added or used to access her account. There is no evidence that a third party tried to use the details after the IT issues – which one would expect an unknown fraudster to do. Despite the IT outage for customers, not all customers were effected. Ms O’s phone was used to login numerous times during the outage and there is no evidence to suggest that she had any difficulties accessing her banking app during the period. The method used to login to the app was consistent before and after the day of the disputed transaction. so, I do not think there is any evidence to suggest that the outage could have impacted her ability to take the steps to authorise the transaction. The evidence I have seen does show that the exact time of the transaction may not have been accurately recorded – but there is nothing to suggest that the overall evidence of authentication was impacted by this. So, on balance, I do not think that there is enough to say that the IT issues had any material impact in this case. Should the transaction have been able to go through on a cancelled card? I understand that she did have a new card, but the original card was not blocked as it was cancelled to get a personalised card rather than for any reasons such as fraud or theft. This is why transactions were able to go through on the original card. Barclays have to follow payment instructions it receives from Ms O – and I do not think the fact that it related to an old but not blocked card impacts this. So, I do not think Barclays acted improperly by following her payment instructions here. Should the transaction be able to go through when it put her into an unauthorised overdraft? I have also thought about the fact the payment put Ms O into an unauthorised overdraft here. It is right that but for the IT outage, Barclays may not have allowed this payment to go through due to the insufficient funds. Barclays did block other attempted transactions during this period. Ms O would have been aware of her balance due to the evidence of multiple logins on the day in question, and so I cannot say that Barclays have treated her unfairly by following her payment instructions here. Did Barclays act fairly in restricting Ms O’s account access? Barclays restricted Ms O’s account access in July due to the overdrawn balance and then took the decision to close it in August 2025 due to the overdrawn balance. She has not raised a separate complaint with Barclays about the closure – so I will not consider that here. But, it appears that the account restrictions were put in place in line with the terms and conditions of Ms O’s account on the basis of the outstanding balance on her account. Debt recovery I appreciate that Ms O has submitted information about a debt recovery agency chasing her about this debt – this did not form part of the matter complained about to Barclays and so she will need to raise this as a new complaint should she wish to do so.

-- 3 of 4 --

My final decision I do not uphold this complaint and require Barclays Bank UK PLC to do nothing further. Under the rules of the Financial Ombudsman Service, I’m required to ask Ms O to accept or reject my decision before 11 May 2026. Katherine Jones Ombudsman

-- 4 of 4 --