DRN-6289241

The complaint Mr and Mrs M are complaining that Santander UK Plc hasn’t refunded payments which were made when they fell victim to a scam. What happened Mrs M received a call from someone (the scammer) who said they were from a well-known online retailer. They told her that her account had been compromised, and she needed to take steps to keep her money safe. Mrs M downloaded a remote access app to her mobile phone on the scammer’s instructions, thinking they were helping to keep her account safe. Two debit card payments were then made from Mr and Mrs M’s joint account with Santander to an account with an Electronic Money Institution (EMI). From there, the funds were transferred on and lost to the scam. The payments were for £1,962.87 and £1,308.58. Mrs M says the scammer completed the transactions while she was talking to them on the phone, without her knowledge. When the phone call ended, Mrs M began to suspect she’d been scammed and checked her account with Santander. She saw that the disputed payments were pending, and contacted Santander to tell it what had happened and asked it to stop them. But Santander told her it was unable to stop the payments. Santander reviewed what had happened but responded to Mrs M to say it wouldn’t be refunding the payments because it had found she had authorised them. Mrs M complained, and Santander replied reiterating its decision that it wouldn’t be refunding the payments. However, it did pay Mr and Mrs M £200 for not keeping them up to date with what was happening during its investigation. Mr and Mrs M brought their complaint to the Financial Ombudsman Service, where it was considered by our Investigator. But he didn’t think their complaint should be upheld. He concluded that the payments had been authorised by Mrs M, and he didn’t think Santander ought to have found them suspicious so that it should have intervened when they were made. Mr and Mrs M didn’t agree, so their complaint was passed to me for review and a decision. They told us that the EMI had refunded 50% of the payments. But they thought that Santander should refund the rest of the money they lost. I issued a provisional decision, giving both parties a further chance to reply. This is what I said. “I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’m not upholding Mr and Mrs M’s complaint. I’ll explain why. Mrs M has referred to the Authorised Push Payment (APP) scam reimbursement rules. But

-- 1 of 5 --

these payments weren’t ‘push’ payments because they weren’t payment transfers that were instructed from Santander. They were ‘pull’ payments using the Santander debit card with the EMI as the merchant, and it appears they were made from Santander to another account in Mrs M’s name. So, for both of these reasons the payments from Santander fall outside the scope of the scam reimbursement rules. This means I can’t consider Mr and Mrs M’s complaint about Santander with their provisions in mind. Were the payments authorised? The relevant law here is the Payment Services Regulations 2017 – these set out what is needed for a payment to be authorised and who has liability for disputed payments in different situations. With some exceptions, the starting point is that the consumer is responsible for authorised payments, and the business is responsible for unauthorised payments. Mrs M disputes authorising the payments, so I’ll address this point first. The PSRs specify that authorisation depends on whether the payment transactions were authenticated correctly – and whether Mrs M, or someone acting on her behalf, consented to them. The PSRs go on to specify how consent is given. It must be in the form, and in accordance with the procedure, agreed between Mr and Mrs M and Santander. I’ve reviewed the terms of their account with Santander that were in place at the time of the payments, but they don’t specify exactly how they give consent to online card payments. But broadly speaking, this is usually through entering the long card number, the card expiry date and CVV into the merchant’s website and completing any required authentication process. Mrs M disputes making the payments, but Santander says the payments were authorised as Mrs M confirmed the payments in its app through its stronger authentication process for card payments. I appreciate that Mrs M feels strongly that she didn’t authorise these payments, and they were carried out in their entirety by the scammer through remote access. But I must make my decision on the balance of probabilities based on the evidence presented to me. And the technical evidence I’ve seen here does lead me to conclude, on the balance of probabilities, that it was most likely Mrs M who authorised the payments. I’ll explain why. The evidence Santander has provided shows that the payments here were approved in its app using biometrics on an iPhone which had been registered as Mrs M’s device on her account for some time and before the disputed payments took place. So, I’m satisfied this is Mrs M’s device which remained in her possession. And with the use of the device biometrics in the authentication process, it’s difficult to see how this could have happened without Mrs M’s involvement at all. Santander has also shown us the screens which would have been shown in the app when the payments were authenticated. The first screen shows the amount of the payment being requested, and gives the option to select “I requested this” or “I didn’t request this.” On selecting “I requested this” the next screen also shows the amount of the payment and who it is being made to. The option is given to “authorise card payment” or “cancel the card payment”. So, it would have been clear that payments were being made when the option to authorise the card payment was selected. I appreciate Mrs M doesn’t recall following this process, but I think she would have been under a lot of pressure to act quickly at the time. I know Mrs M has disputed this, but it is our understanding that remote control operation of an iPhone through remote access is generally not possible due to Apple’s security restrictions, although screen sharing and screen viewing is possible. But this wouldn’t

-- 2 of 5 --

explain how the steps to approve the payments through the app took place. Overall, I’m satisfied that the payments here were correctly authenticated using the card information and the stronger authentication process. And it was reasonable for Santander to rely on this to process the payments. So, it’s reasonable for Santander to treat the payments as having been authorised and the starting point is that it isn’t obliged to provide a refund of the payments. Should Santander have done anything to prevent the disputed payments? I’ve concluded the payments were authorised, so I’ve gone on to consider if Santander should have done anything to prevent the payments that were lost to the scam. When a payment is authorised, Santander has a duty to act on the payment instruction. But in some circumstances, it should take a closer look at the circumstances of the payment – for example, if it ought to be alert to a fraud risk, because the transaction is unusual, or looks out of character or suspicious. And if so, it should intervene, for example, by contacting the customer directly, before releasing the payment. I’d expect any intervention to be proportionate to the circumstances of the payment. But I’ve also kept in mind that Santander processes high volumes of transactions each day. There is a balance for it to find between allowing customers to be able to use their account and questioning transactions to make sure they’re legitimate. I wouldn’t have expected Santander to have intervened in all the circumstances here. While the value of the payments was of course significant to Mr and Mrs M, they weren’t of a value where I’d expect Santander to have been concerned about a heightened risk of financial harm. The pattern of the payments here wasn’t particularly suspicious – for instance, the payments didn’t increase rapidly in value or frequency in the way which can sometimes indicate a scam is taking place. And the payments were being made to a legitimate EMI. Overall, I don’t think these payments ought to have caused Santander to be sufficiently concerned about a scam risk that it ought to have intervened with warnings, or by contacting Mr and Mrs M directly. Could Santander have done more to recover the payments? The payments were made by debit card and as such there was no mechanism for them to be recalled or cancelled by Santander, even when they were still in a pending state. However, when something goes wrong with a debit card payment it’s sometimes possible to dispute it through a process called chargeback, subject to the relevant card scheme’s rules. But I don’t think Santander had any grounds to dispute the transactions here. I say this because I’ve concluded that the payments were authorised, and they were made as a money transfer to another account, which means the service of transferring the funds was provided by the EMI. I appreciate that Mrs M thinks Santander could have done more to recover the funds, but as I’ve said, there wasn’t any other reasonable mechanism for it to do this when it comes to card payments. For completeness, having reviewed how Santander communicated with Mr and Mrs M during the investigation I think the £200 it has already paid to compensate them for this is fair and reasonable in all the circumstances and considering the impact this would have had on them. I’m really sorry to disappoint Mr and Mrs M. But I’ve found that the payments were

-- 3 of 5 --

authorised, and I’ve not found that Santander ought reasonably to have done anything else here which would have led to the payments being prevented. It follows that it wouldn’t be fair or reasonable to ask it to refund them.” Mr and Mrs M replied to my provisional decision. I have summarised the main points of their response as I understand them below. • I haven’t understood that Mrs M failed to receive any of the warning messages Santander said that it sent. • It hadn’t been fully explained why Santander didn’t try to contact the EMI to say there was a scam and the funds should be held or returned. • My comment about the value of the payments being significant to Mr and Mrs M implies that we have sought to ignore the claim because the amount lost wasn’t high enough to merit the requisite attention. • I have implied that they would be happy with £200 compensation in the face of a much higher loss. Santander replied to say it accepted my provisional decision. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’m not changing my provisional decision that I’m not upholding this complaint. I’m aware that I’ve summarised Mr and Mrs M’s response to my provisional decision briefly, in less detail than has been provided, and in my own words. No discourtesy is intended by this. Instead, I’ve focussed on what I think are the central issues of the complaint. If there’s something I’ve not mentioned, it isn’t because I’ve ignored it. But, I’m satisfied I don’t need to comment on every individual point or argument to be able to reach what I think is the right outcome. Our rules allow me to do this. This simply reflects the informal nature of our service as a free alternative to the courts. I’m sorry if I have upset Mrs M in how I referred to the value of the payments. This wasn’t intended as a comment on Mr and Mrs M’s overall financial position which isn’t relevant to my findings here, and I don’t wish to minimise their loss. My intention was to explain that the value of the payments wasn’t at a level which I’d usually expect to have prompted a scam intervention from Santander in all the circumstances here. I can’t see that Santander has said that it sent any warning messages to Mr and Mrs M – it says that the payments were approved in its app. I do understand that Mrs M feels strongly that she didn’t approve the payments through Santander’s app. But as I’ve explained, the technical evidence leads me to conclude, on the balance of probabilities, that she did. I understand that Mr and Mrs M feel strongly that Santander ought to have done more to contact the EMI when Mrs M reported what had happened. When an Authorised Push Payment has been made to a scam, I’d generally expect the sending bank to contact the receiving financial institution to attempt to recover the funds immediately on a scam being reported to it, and there are mechanisms in place between financial institutions to facilitate this. But these payments were made by debit card and so were not Authorised Push

-- 4 of 5 --

Payments (and were money transfers to another account in Mrs M’s name) and so the only mechanism for them to have been disputed with the EMI would have been through the chargeback scheme. I wouldn’t reasonably have expected Santander to have done anything to contact the EMI directly in these circumstances. I haven’t assumed that Mr and Mrs M would be satisfied with £200 in compensation when their loss is much greater than this – I understand that they are not. But as I’ve explained I consider £200 to be fair and reasonable compensation for the communication issues they experienced during Santander’s investigation. Once again, I’m sorry to disappoint Mr and Mrs M. But it wouldn’t be fair or reasonable for me to ask Santander to refund the payments to them. My final decision My final decision is that I’m not upholding Mr and Mrs M’s complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr and Mrs M to accept or reject my decision before 18 May 2026. Helen Sutcliffe Ombudsman

-- 5 of 5 --