Financial Ombudsman Service decision

DRN-5887447

Unauthorised TransactionComplaint not upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr D is unhappy Metro Bank PLC (Metro) won’t refund transactions made on his account which he says he didn’t authorise. Mr D is represented by his mother in this complaint. What happened Mr D raised concerns on noticing transactions on his Metro account which he says were made without his knowledge. The transactions took place between 7 May and 8 June 2025 and totalled £5,250. Mr D reported his concerns to Metro on 18 June 2025, saying he didn’t recognise the payments or who the payments went to, and it only came to his attention on checking his account. Metro investigated but didn’t uphold Mr D’s complaint. In summary it stated the payments were made using the mobile banking app on Mr D’s registered device, and that one-time passcodes (OTP’s) were sent to Mr D’s registered mobile number to set up the new payees that received the payments. Metro also said a notice to close Mr D’s account was issued on 17 June 2025, one day prior to him logging his concerns. After considering the evidence presented, our Investigator didn’t uphold Mr D’s complaint. He concluded that Mr D had likely consented to the payments. As the matter remained unresolved, it was passed to me to decide. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, my review of the evidence has led me to the same overall conclusion as the investigator for much the same reasons, in that it’s fair and reasonable for Metro to hold Mr D liable for the disputed transactions. Here I’ve considered Mr D’s submissions about what happened, and I’m very aware that I’ve summarised this complaint in far less detail than it may merit. Instead, I’ve focussed on what I think are the key issues here. Our Investigator’s view set out the full facts, the transactions in dispute, and the evidence that was presented. So, I won’t repeat every detail here, only those which form the basis of my decision. Our rules allow me to do this.

-- 1 of 3 --

The starting position, in line with the Payment Services Regulations 2017 (PSRs), is that Mr D is presumed liable for payments he authorised and that Metro is liable for unauthorised payments. So, to decide this, I’ve carefully considered what he’s told us about what happened. Along with considering all the available evidence. Internal technical information provided by Metro shows that the disputed payments were authenticated using Mr D’s genuine phone, and that the same device had consistently been associated with Mr D’s account since 11 January 2025 when he registered it for online banking – which is in keeping with what Mr D has said about receiving the phone as a Christmas present just prior to this. Regulations relevant to this case say that authentication isn’t, on its own, enough for Metro to hold Mr D liable. I also need to think about whether the evidence suggests that Mr D, or someone acting with his authority, consented to the transactions being made. Metro says that OTPs were sent to Mr D’s genuine mobile number which allowed for new payees to be created. But Mr D maintains that he does not recall receiving any of the OTP’s that Metro says it sent. So, I’ve gone on to further review internal records provided by Metro and note that the OTP’s were sent to the same contact number that Mr D has provided to this service - and that he had recorded with Metro. As such I’m satisfied the OTPs were sent to Mr D’s genuine phone number and that was how the new payees were subsequently set up and validated. So, it follows that I don’t think Metro did anything wrong by allowing this. I note Mr D clarified, when asked, that access to the Metro banking app on his device required his biometrics or passcode – which he says was only known to him– and he has been consistent that he did not receive any text messages or click on any suspicious links as he is aware of the possibility of being tricked. But without any evidence to suggest how his account was compromised, or an explanation as to how someone could have authorised the payments without his knowledge or access to his phone, Metro can’t reasonably be held liable for the transactions Mr D disputes. Mr D maintains he retained possession of his phone throughout, and no third party had access to his device. He also confirmed that his phone was also protected with both a passcode and his biometrics. So, here in order to carry out the transactions, a third party would have needed to take Mr D’s phone without him noticing, unlock it, and then gain access to his banking app - again using either his biometrics or passcode - to set up each individual new payee, and carrying out each of the transactions in dispute, on various different occasions over a period of over a month. So, it’s difficult to see how someone carried out the transactions without Mr D’s knowledge or consent. I can see that Mr D mentions that prior to reporting his concerns on the 18 June 2025, although he had previously logged into his Metro account, as none of his money was showing as missing, he wasn’t alerted to anything untoward sooner. But given the evidence presented shows that a considerable sum of money had been withdrawn on several occasions, and the account balance would have been seen to have reduced quite significantly, it’s unclear why Mr D didn’t see this discrepancy reflected on his account when previously logging in. Metro has presented Mr D’s account statements to show the history of transactions both in and out of the account going back to before the disputed transactions took place, and I note that the transactions Mr D disputes started on 7 May and initially continued until 11 May, but

-- 2 of 3 --

then there were no further disputed payments made on the account until 6 June, which was almost a month later. What I find unusual about this is why a fraudster would firstly wait some weeks before attempting to make these further payments, but also why they didn’t try and maximise access to Mr D’s money. I’ve also listened to the calls between Mr D and Metro where Mr D has confirmed that genuine authorised transactions, that he recognises, were also made on his account during the period in question and Metro has presented evidence indicating the IP address used to make the payments was the same as that used for authorised transactions made on the account. Having given this all a great deal of thought and on reviewing the evidence presented in detail, I cannot see how it would have been plausible for another third party to have made these payments without Mr D’s consent or knowledge. And I’m satisfied that it’s more likely than not that the disputed payments were made using Mr D’s genuine phone. I don’t doubt this has all been very concerning for Mr D. But my role here is to consider whether Metro are being unfair in holding him liable for the transactions he is disputing on his account. Here, given my observations – and based on what Mr D has said about not sharing his phone and security details with anyone - it seems more likely than not that the payments were made by Mr D, or by someone with his authority. That means I don’t consider Metro has been unreasonable in not refunding Mr D for the loss he disputes. In summary, I recognise that this will come as a disappointment to Mr D. But in the circumstances, I’m not persuaded that Metro can fairly or reasonably be held liable. My final decision My final decision is that I do not uphold this complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr D to accept or reject my decision before 14 May 2026. Sukhdeep Judge Ombudsman

-- 3 of 3 --