DRN-6159848

The complaint Ms R complained because Monzo Bank Ltd refused to refund her for payments she said she hadn’t authorised. What happened On 2 August 2025, Ms R contacted Monzo by chat. She said there had been three payments out of her Monzo account which she didn’t recognise. She said she had no money to buy food for herself and her children, and no-one to help her. There were three disputed payments which had taken place between 5.15am and 5.20am on 2 August. They were debit card payments for £780, £600 and £611, totalling £1,991. The money had been sent to an international money transfer service. Ms R said her phone PIN wasn’t written down and no-one else knew it, or had access to her phone. Monzo’s wellbeing team contacted Ms R the next day, and offered information about some organisations which could help. Ms R said a friend had lent her some money for a couple of days, and she hoped the fraud team would be able to reply soon. The wellbeing team contacted Ms R again the following day. On 6 August, Monzo told Ms R that unfortunately it couldn’t treat the payments as fraudulent, so it wouldn’t reimburse her. It said this was because the payments were made using 3D secure verification. That meant they’d been made securely on a phone or device connected to her account, and Ms R hadn’t mentioned anything being lost or stolen. So Monzo couldn’t treat this as fraud because only Ms R or an authorised user could have made the transactions. Monzo said that if Ms R wanted to speak to the international money transfer service, it could provide the information that service would need to locate the payments, so she could take it up with that service. Ms R replied that she was devastated. She said she was a single mother, and had been asleep in a hotel room in a city at the time of the payments. She added that she’d spoken to a friend who’d reminded her that her phone had been stolen in early July. Ms R had contacted her phone provider at that time, and they’d assured her that phone could no longer be used. Ms R sent Monzo evidence that she’d reported her old phone stolen to the police on 12 July, and that her phone provider had it reported as lost/stolen on 13 July. Ms R told Monzo she’d still got her card, and that she’d contacted the police in the city where she’d been staying in August. She said that she’d removed Apple Pay from the old phone within hours of it being stolen in July. She said she thought her current phone had been cloned or targeted while she’d been staying at the hotel in a city. Monzo’s wellbeing team contacted Ms R again, but Ms R said she didn’t need the care team but wanted her case looked into again. Monzo also sent her the technical information about the three payments, which she’d need to contact the international money service. Ms R complained. Monzo sent her its final response letter on 20 August. It said that:

-- 1 of 4 --

- it couldn’t reimburse her, because the payments had involved 3D secure verification. This meant they’d been securely processed on a device connected to her account. As Ms R hadn’t reported anything being lost or stolen, the payments could only have been made by Ms R or an authorised user; - it had exceeded the time limits for providing Ms R with an outcome, so it paid her £25 compensation. Ms R replied that she was furious. She didn’t care that Monzo’s checks said she’d authorised the payments. She asked how she could have done that overnight when she’d been asleep. She also said that Monzo should have had systems in place to say that three transactions one after another were odd. She said she was depressed and had had the worst summer of her life with her children. She said she’d been a victim, and it was disgusting that Monzo had sent her £25. Ms R contacted this service. She explained that on 1 August she’d been on a rare night out in a city, going to the theatre and staying at a hotel overnight. She’d been out for dinner with her eldest daughter as her daughter’s birthday present. They’d then been to the hotel bar, had a couple of drinks and gone to bed. She’d discovered the three large international payments, to a money transfer service she’d never heard of. She said she’d later been told which country abroad the money had gone to, which was a country she had no connection to. The payments had wiped out the benefit payments she relied on as a single parent to provide for her children, one of whom was disabled. Ms R said that it was unusual for her to be in the city, and she believed the phone had been scanned or compromised while she’d been out. She said her spending history didn’t reflect international transfers, especially not of this size. She thought the three international payments which wiped out all her money should have been flagged by Monzo. Ms R said that her old phone had been stolen a month earlier on 11 July. She said she’d immediately reported that to her phone provider, which had blocked and disabled that device. She’d then started using an older phone she already had at home, from 12 July, and the phone provider had emailed saying the old phone could no longer be used. She said she’d already removed her Monzo card from her phone wallet long before the disputed transactions, but Monzo had dismissed the information about her phone. She said she hadn’t shared her phone login details, Monzo PIN, Monzo app login details, or card details, with anyone. Ms R also said that the financial and emotional impact of the disputed transactions had been significant. Our investigator didn’t uphold Ms R’s complaint. He said that the records showed that the transactions had been made using Ms R’s correct card details, including the PIN and the CVV (three digit security number). He also said that the technical information from Monzo showed how the disputed payments had been authorised. There were two verified devices linked to Ms R’s account, and he could see that one had accessed Ms R’s Monzo app up to 11 July, and another device had then been added. But the first phone, which Ms R had said had been stolen and then blocked by her phone provider, had continued to be used and to access Ms R’s Monzo app several times between 12 July and the disputed payments on 2 August. And that first phone had been used to make the disputed transactions. Ms R said she hadn’t shared details of her Monzo app, or card details. So the investigator concluded that there was no plausible explanation for how an unknown third party could

-- 2 of 4 --

have made the disputed payments, and it was more likely than not that Ms R had authorised the payments herself. This means that Monzo didn’t have to refund Ms R. Ms R was upset. She said she hadn’t made the payments and wasn’t in possession of the first phone. She said she couldn’t afford to let nearly £2,000 be lost when she was a single mother on benefits. She said she particularly didn’t like the investigator saying it was more likely than not that she’d authorised the payments. She said she’d sent in all her emails with the hotel, the police and the phone company. She said she hadn’t authorised the payments and it made no sense that she’d send money abroad when her children were at home hungry. She added that Monzo said her phone had been used, but wouldn’t provide the police or Ms R with proof. She said only the previous week she’d contacted Monzo about an alert that her Face ID had been used but didn’t work, and she hadn’t yet had a reply from Monzo about that. Ms R asked for an ombudsman’s decision. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. First, I’m sorry to hear about Ms R’s difficult situation, and that she’s very upset. What the Regulations say There are regulations which govern disputed transactions. The relevant regulations here are the Payment Services Regulations 2017. In general terms, the bank is liable if the customer didn’t authorise the payments, and the customer is liable if they did authorise them. So what decides the outcome here is whether it’s more likely than not that Ms R, or a third party fraudster unknown to her, carried out the disputed transactions. The regulations also say that account holders can still be liable for unauthorised payments under certain circumstances – for example if they’ve failed to keep their details secure to such an extent that it can be termed ‘’gross negligence.’’ Who is most likely to have authorised the disputed transactions? I’ve seen the technical computer evidence which shows that the disputed payments were debit card payments. They were authorised using Ms R’s Monzo app, and within the app were authorised using the correct PIN for the account. Monzo told Ms R that the transaction had used 3DS, which is an authentication protocol that adds a security layer to online payments, requiring users to verify transactions via a mobile app, SMS PIN, or biometric check. At the time of the disputed transactions, there were two registered phones on Ms R’s Monzo account. As Ms R said, she added the second phone to her account on 12 July 2025. But the first phone continued to be used, as well as the second phone. For example it was used on 18 July, and 23 July, as well as for the disputed transactions on 2 August. I recognise that Ms R said her phone provider had blocked the first phone and that she’d told the police it had been stolen. But she hadn’t told Monzo it had been stolen. And someone continued to use it on Ms R’s Monzo account. If the phone was still working and in the hands of someone who’d stolen it, I’d have expected it to have been used to withdraw money much

-- 3 of 4 --

sooner after Ms R said it was stolen on 11 July. So I consider it’s more likely than not that Ms R still had that phone. Ms R said that she hadn’t shared her phone login details, Monzo PIN, Monzo app login details, or card details, with anyone. This means that if any third party had somehow obtained her phone when she was on her overnight stay at the city hotel, they wouldn’t have been able to make the disputed transactions. They wouldn’t have had the information which was entered in order to make the transactions. It’s possible in theory that someone close to Ms R might have made the disputed payments – but that too wouldn’t have been possible without Ms R disclosing information, which she said she didn’t do. So I can’t see how any third party could have made the disputed transactions. This means it’s more likely that not that Ms R made them herself. Other matters Ms R suggested that Monzo should have flagged the disputed transactions, blocked them, and contacted her at the time to check whether they were genuine. As the payments took place in quick succession, were international transfers, and drained the account, Monzo might have recognised a heightened risk of fraud. But the payments were made using additional security. So it’s arguable that Monzo should have asked some in-app questions, but given my conclusion above, that it’s most likely that Ms R authorised the payments herself, I don’t think the loss would have been prevented. Monzo paid Ms R £25 for exceeding the timescales for providing her with an outcome to her complaint. I recognise that Ms R was very dissatisfied with this when she said she’d lost £1,991, but the £25 payment was specifically related to timescales alone. As such, I find that £25 was fair and reasonable. In Ms R’s most recent email to the investigator, she said Monzo hadn’t provided her with proof that her first phone had been used, and that she’d recently contacted Monzo about another matter, regarding her Face ID. But: - Monzo doesn’t have to provide all its secure information to Ms R, but it did provide it to this service. I confirm I’ve seen the evidence that Ms R’s first phone was used on her account on a number of occasions after 11 July, including for the disputed transactions; - I can’t comment on Ms R’s most recent dispute with Monzo. That’s because we can only consider complaints where banks have had the opportunity to provide their final response letter. My final decision My final decision is that I do not uphold this complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Ms R to accept or reject my decision before 12 May 2026. Belinda Knight Ombudsman

-- 4 of 4 --