Financial Ombudsman Service decision

DRN-6184585

Unauthorised TransactionComplaint not upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr M complained because Revolut Limited refused to refund him for transactions which he said he hadn’t authorised. What happened At 5.14am on 10 January 2026, Mr M contacted Revolut by chat. He said that that last two transactions on his account, to a gambling firm, hadn’t been made by him. One was for £1,000 at 3.50am and the other for £2,000 at 4.00am. Revolut froze Mr M’s card and asked if his phone had been lost or stolen. Mr M said his girlfriend had taken his phone after an argument because he’d been gambling earlier. He’d made a £100 payment to the betting firm at 3.30am and had then gone to sleep. He said his girlfriend had then locked herself in the bathroom and made the disputed transactions. He said she’d accessed his phone and used his Revolut details, which were stored on the phone, to make the betting deposits. He’d seen the transactions around 5am and had then contacted Revolut. Mr M also said he’d used his Revolut account and his gambling accounts responsibly, and these two transactions were out of character for his normal account usage. He said his girlfriend had used a stored payment method on his phone via Apple Pay. He confirmed that he had previously used the device, and Apple Pay, from his home IP address, to make payments to the gambling firm, but he said he hadn’t authorised these two payments. Revolut told Mr M that the payments had been made using his card, not Apple Pay as he’d said, so it cancelled his card. Mr M told Revolut that his phone was protected with a passcode and Face ID. The app was protected with a saved password with Apple, and that too could only be accessed with Face ID/passcode. He said the passcodes for the phone and the app had been similar but not identical, and he hadn’t stored these anywhere. He said he’d since changed the passcodes, and he’d also reported the issue to the police. On 12 January, Revolut rejected Mr M’s claim. It said it had evidence indicating the transactions were authorised. It said that the app had been accessed on Mr M’s registered phone, and had been authenticated using his unique Face ID. These sessions had occurred between 3am and 5.05am on the day of the disputed transactions. Revolut also said that its specialist team had assessed Mr M’s account. They’d found that the disputed transactions had been authenticated using the unique security features of Mr M’s phone, between 3 am and 5.05am. It said that although Mr M had said he only intended to make the 3.31am payment, the evidence from Revolut’s systems shows that the later sessions had used the same secure credentials. Mr M didn’t accept this. He said he acknowledged that his Revolut app had been accessed on his phone at the relevant time – but he said he hadn’t authorised, consented to or intended the transactions to take place. He said he’d been asleep at the time. He also said

-- 1 of 4 --

that Face ID allowed access via the device passcode, and that successful authentication didn’t constitute authorisation under the Payment Services Regulations 2017. He said he’d reported them promptly and had provided everything Revolut had asked him for. He complained. Revolut issued its final response to Mr M’s complaint on 16 January. It set out what had happened, and said that after completing a thorough review, it couldn’t refund Mr M. This was because there weren’t signs of any unauthorised login attempts or suspicious activity. Investigation had also shown that the disputed transactions had been approved while Mr M had had access to his account. Mr M wasn’t satisfied and contacted this service. Our investigator didn’t uphold Mr M’s complaint. He noted that Mr M had said that he’d had an argument with his girlfriend about Mr M’s gambling. Mr M had said his girlfriend then took the phone while he was asleep, and used it to make the disputed payments to prove her point that gambling was a waste of money. The investigator asked Mr M how he believed his girlfriend had been able to make the payments on his phone, given that it was protected by Face ID and a passcode. Mr M told the investigator that he believed his girlfriend held it up to his face while he was asleep, to unlock the phone. But the investigator pointed out that this wasn’t possible, with the default setting on the make and model of phone which Mr M had. It would have been necessary for Mr M to have had his eyes open for the biometrics to have been validated. So the investigator couldn’t see how Mr M’s girlfriend could have unlocked the phone, and authenticated the payments, without the passcode which Mr M had confirmed wasn’t written down, or stored on the phone itself. The investigator added that he’d checked Mr M’s online banking log for around the times of the disputed payments. Mr M’s Revolut app had been accessed using Face ID at 3.48 am and 4 am, shortly before each of the disputed payments. The biometrics hadn’t been changed, so it could only have been Mr M’s Face ID which had been used to log in. He also said he couldn’t see why Mr M’s girlfriend would have made the payments when she had an aversion to Mr M’s gambling. The investigator said it would be a highly unusual way to react to a partner’s gambling habit. So the investigator concluded that Mr M had authorised the disputed payments himself. Mr M didn’t accept this. He said that the use of Face ID wasn’t sufficient to prove he’d authorised the disputed transactions. He said it only showed that his registered Face ID had been used and didn’t prove he knowingly approved or participated in the transactions, and he said he’d been asleep at the time. He said that the Payment Services Regulations 2017 meant that Revolut had to prove the payer had authorised the payment. He said the test was whether he’d consented to the transactions and he hadn’t. Mr M asked for an ombudsman’s decision. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. What the Regulations say

-- 2 of 4 --

There are regulations which govern disputed transactions. The relevant regulations here are the Payment Services Regulations 2017. There is a difference between authentication and authorisation. Authentication is the technical part of the payment, and Regulation 75 of the Payment Services Regulations 2017 say: ‘’75.—(1) Where a payment service user— (a)denies having authorised an executed payment transaction … it is for the payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the payment service provider’s accounts and not affected by a technical breakdown or some other deficiency in the service provided by the payment service provider.’’ I’ve seen the relevant technical evidence which shows that the disputed payments were authenticated. So Revolut’s responsibility for this has been met. Authorisation, however, is set out in Regulation 67, which says: ‘’67. (1) A payment transaction is to be regarded as having been authorised by the payer for the purposes of this Part only if the payer has given its consent to— (a)the execution of the payment transaction…’’ So Revolut has to provide the technical evidence about authentication, which it has done. But the test for authorisation isn’t that it’s entirely up to Revolut to provide irrefutable evidence of definite consent by Mr M. The test I have to apply is whether, in all the circumstances of this case, I consider, on the balance of probabilities, that Mr M, or someone else, consented to the disputed transactions. The regulations also say that account holders can still be liable for unauthorised payments under certain circumstances – for example if they’ve failed to keep their details secure to such an extent that it can be termed ‘’gross negligence.’’ Who is more likely than not to have authorised the disputed transactions? Mr M said he made the £100 payment to the betting firm at 3.30am and then went to sleep, after arguing with his girlfriend who disapproved of his gambling. He said that she then accessed his phone and used his Revolut details, which were stored on the phone, to make the betting deposits to Mr M’s gambling account. I find this unlikely for several reasons. First, the evidence shows that Mr M’s Revolut app was accessed using Face ID at 3.48 and 4 am, shortly before both disputed transactions. With the type of phone which Mr M had registered to his Revolut account, and which he used for other undisputed payments including the £100 gambling payment to the same betting firm, Mr M would have had to have had his eyes open in order to validate the biometrics. Merely holding the phone to Mr M’s sleeping face with his eyes closed, wouldn’t have enabled any third party to access the app. So I can’t see how Mr M’s version of events can be accurate. Mr M also confirmed that he hadn’t written down his passcode, or stored it on his device. So I can’t see how any third party could have known the passcode in order to have used it. If Mr M had told his girlfriend the code, that would have been a breach of the terms and conditions of his account. So Revolut wouldn’t have had to refund Mr M.

-- 3 of 4 --

Mr M also said that the reason his girlfriend made the payments was that she disapproved of his gambling, and that they’d argued about this immediately before he went to sleep. I’m not persuaded that it’s likely that someone who disapproved of Mr M’s gambling would then make large gambling payments. Finally, for the avoidance of doubt, I don’t consider there was any need for Revolut to have intervened when the disputed payments were made. They were made to a known beneficiary which Mr M used regularly for multiple undisputed payments. For example, Mr M had made an undisputed £1,000 payment to the same beneficiary the previous day. Mr M’s account also shows other undisputed payments to different gambling firms. So the transactions were not out of character for Mr M’s usage of the account. Taking all these factors into account, I find that on the balance of probabilities, Mr M authorised the disputed transactions himself. This means that Revolut doesn’t have to refund him. My final decision My final decision is that I do not uphold this complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr M to accept or reject my decision before 8 May 2026. Belinda Knight Ombudsman

-- 4 of 4 --