Financial Ombudsman Service decision

DRN-6296951

Frozen Account / Account ClosureComplaint upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr L is unhappy that HSBC UK Bank Plc won’t refund a payment he made as part of a scam. What happened Mr L says he came across an advert on social media for a cryptocurrency investment opportunity, offered by a platform I’ll call “T”, that was seemingly endorsed by a celebrity. He registered his interest and received a call from one of T’s agent, who showed him a professional looking platform. The agent also explained via screensharing software how to make deposits to the investment in cryptocurrency. Mr L initially invested through a different bank, and received some returns – so he was persuaded the investment was legitimate and decided to add more funds. On 29 February 2024 Mr L used his HSBC account to send a faster payment for £20,000 to a cryptocurrency provider. The intended recipient account was at an Electronic Money Institution with no obvious direct connection to cryptocurrency – though it provided payment solutions for fintechs (like the cryptocurrency merchant Mr L used). The name of the payee that showed up for the bank was a software development company. HSBC asked Mr L about the purpose in app, and he selected ‘goods and services’, which resulted in warning related to that option being shown. The bank then spoke to Mr L before approving the transfer, and he said the money was to buy training and software for a new business he was setting up. He told HSBC the payment details were provided by text, and he had a contract. Mr L added that the training would last ten months, and he’d found it through someone he knew that had tried it before. He gave HSBC the details of the person he’d been dealing with for the purchase, which matched the name of one of the directors on Companies House for the software development company showing as the payee. HSBC allowed the payment, which was used to buy cryptocurrency – and that was then sent on to the wallet address for T’s platform. When Mr L later tried to withdraw funds from the investment he was faced with very large fees for doing so, and says that caused him to eventually realise he’d been scammed. In 2025 Mr L complained to HSBC that the account activity was out of character and so the bank should have intervened strongly. HSBC’s response said the payment wasn’t covered by the Contingent Reimbursement Model (CRM) Code, as it had gone to a wallet in his own name. The bank also said that during its fraud checks Mr L hadn’t answered questions about the payment honestly, and so it didn’t think there was any indication at the time that he was falling victim to a scam. As Mr L wasn’t happy with that outcome, he referred things to the Financial Ombudsman Service for review. One of our investigators considered everything and didn’t recommend the complaint should be upheld. In the investigator’s view, HSBC had intervened appropriately by speaking with Mr L about the payment, but the answers given weren’t accurate and so the bank wouldn’t have reasonably been able to uncover the scam. Mr L didn’t accept the investigator’s opinion, and believed HSBC didn’t ask probing enough questions or pick up on unusual

-- 1 of 6 --

aspects like the payment details being obtained over text. Had it done so, the cover story would have been exposed. As no agreement could be reached Mr L asked that an ombudsman reconsidered the matter. So the complaint was passed to me to decide. I issued provisional findings, that said I intended to uphold the complaint in part. I’ve copied below my rationale for that outcome: “This case is very finely balanced, and so I’ve thought about it carefully. Having done so, I’m minded to uphold Mr L’s complaint in part – and say HSBC needed to ask more questions during the intervention call, which would have likely exposed the cover story and ultimately prevented the money being sent to the scam. But I also think Mr L missed clear signs this investment might not be legitimate, so I think he should fairly share responsibility with HSBC for the loss. I’ve explained why below. In broad terms, the starting position in law is that a bank and payment services provider like HSBC is expected to process payments and withdrawals that its customer authorises it to make, in accordance with the terms and conditions of the account and the Payment Services Regulations (PSR’s). Mr L ‘authorised’ the transaction in question (he made it), albeit under the false belief it was for a legitimate investment opportunity. So the starting position is that HSBC was under an obligation to process the payment – but that isn’t the end of the story, as far as the bank’s responsibility in the matter goes. I’ve also taken into account the regulator’s rules and guidance; relevant codes of practice, along with what I consider to have been good industry practice at the time. I’ve also applied HSBC’s terms for the account, which say it can delay payments and make enquiries in order to meet its regulatory requirements. Those together mean I consider HSBC should fairly and reasonably have been on the lookout for the possibility of fraud at the time, and intervened if there were clear indications its customer might be at risk. HSBC has a difficult balance to strike in how it configures its systems. It needs to detect unusual activity, or activity that might otherwise indicate a higher than usual risk of fraud, whilst not unduly hindering legitimate transactions. There are many millions of payments made each day, and it would not be possible or reasonable to expect firms to check each one. In situations where firms do (or ought to) carry out checks, I would expect that intervention to be a reflection of the risks involved. HSBC spoke to Mr L over the phone prior to allowing this payment. So the first question for me to decide is whether that intervention was proportionate to the circumstances of the payment. HSBC was rightly concerned by the payment – it was a large amount going to a new payee, on an account that had only been open a couple of months. In that time Mr L had only put through low value transactions, with £200 being the highest payment sent out. So this one for £20,000 was out of character, even based on the limited information HSBC had about his usual activity, and certainly worth a check. During the call HSBC learned the £20,000 was supposedly for training and to buy software. It was also told the training would last ten months and that the destination account details were obtained by text. Mr L added that he knew someone who had been involved with the payee company – and when asked on the call for the name of someone he was dealing with there, he said hang on and could be heard typing before he provided the details of one of the company’s directors. I want to acknowledge that Mr L wasn’t honest with HSBC during the call, and some of what he told the bank would have sounded plausible on the face of it. Being fair to Mr L, he was told by the scammers to mislead the banks involved – so I appreciate he was following instructions rather than actively lying. The payee was a software company of sorts, and he

-- 2 of 6 --

did name one of the directors (though he audibly looked that up on the call). It was also understandably reassuring for HSBC to hear that Mr L knew someone who had dealt with the company previously. Mr L didn’t sound unsure or nervous, so there weren’t obvious signs he was being coached or that he was under any undue pressure. I do, however, think there were clear red flags in what HSBC was being told, that ought to have prompted further questioning. It should have struck the bank as odd that a man in his seventies was starting a new software business, and undergoing lengthy training for it. HSBC’s agent also thought ten months was a long time – and Mr L struggled to authorise himself on the app during the call, so he wasn’t coming off as particularly tech savvy. The payment details for a £20,000 bill being texted to him, rather than appearing on an invoice, should have prompted concern too – as that doesn’t sound like typical business practices. I’m not saying the story given wasn’t possible, I just don’t think it should have been accepted on face value by HSBC without some follow-up questions being asked. Had that happened I don’t consider Mr L would have had satisfactory answers ready about the software business he was supposedly setting up or the type of training he was due to have. From the evidence I’ve seen the vague purpose he gave was the extent of the cover story he’d been provide with. It had also been accepted by another bank shortly before this conversation without any follow up questions being asked (that bank has since accepted that was a mistake), so I don’t think Mr L would have been expecting to go into any more detail. As I don’t think his answers to further questions would have provided sufficient reassurance, HSBC would likely have been seeking something to corroborate the story – and he wouldn’t have been able to produce an invoice or any supporting evidence if asked. Once forced to come clean about what was going on, or risk the account being frozen, I think the circumstances would have alerted HSBC to the fraud. It bore the common hallmarks of cryptocurrency investment scams – there was a celebrity endorsed social media advert, an unregulated third party broker providing advice, as well as the use of remote access software. A warning had also been posted about the platform by a foreign regulator a few months prior to this transaction – so once HSBC had the name of the company Mr L was dealing with that would have been spotted too. So, overall, I’m satisfied that proportionate intervention would likely had led to the scam being uncovered and the loss prevented. I’ve thought about whether Mr L should bear any responsibility for his loss. In doing so, I’ve considered what the law says about contributory negligence, as well as what I consider to be fair and reasonable in all of the circumstances of this complaint. That includes taking into account Mr L’s own actions and responsibility for the losses he has suffered. I recognise there were sophisticated aspects to this scam, including a trading platform that looked very professional, and several calls with the scammers where various trades were explained in detail. Mr L also received some small returns, which I appreciate would have been reassuring. That said, there were some clear red flags that this might not be a legitimate opportunity that I consider were missed. The returns seen in a short space of time ought to have seemed too good to be true, even taking into account the perceived profits to be made in cryptocurrency, and Mr L had some investing experience (the funds he sent from his HSBC account were withdrawn from a regulated investment company). He was also struggling to cope with the stress of the situation, according to his chats with the scammer, and described having a physical reaction to it as well as feeling very conflicted. So I think Mr L knew on some level that something wasn’t right. Having to hide what he was doing to the banks and his family should have struck him as odd too, particularly if it was supposedly a legitimate investment. Not being honest about the circumstances when questioned seriously hampered HSBC’s ability to uncover the scam. I haven’t seen there was a persuasive reason given for doing

-- 3 of 6 --

that either, though I appreciate Mr L was following instructions rather than actively lying to the bank. Had he acted on the warnings signs and conducted further research on the platform I think he’d have seen the warning posted. Bearing in mind all the risk factors I’ve highlighted, I think it would be fair for Mr L to share responsibility with HSBC for what happened. So, to recognise that both parties should have taken steps to avoid the loss, I plan to apply a 50% deduction to the refund of the payment involved. I’ve also thought about whether HSBC could have done more once alerted to the fraud, and I’m satisfied it couldn’t have. The payment went to a cryptocurrency exchange, where the funds were converted and moved on quickly – so there wouldn’t have been anything in the beneficiary account to recover. I also haven’t seen any service issues that I consider would warrant a further award – and the interest applied to the redress will fairly compensate Mr L for the time he was deprived of the use of those funds.” Mr L replied to say he accepted my findings. HSBC disagreed and, in summary, said: • It felt the provisional decision was made in hindsight, and the intervention it carried out was proportionate at the time. Mr L’s responses were also rational and consistent. So it didn’t accept it should have done more. • Given Mr L’s background it was entirely reasonable that a person with his characteristics would want to engage in new activities. • He might not have been coming off as tech savvy but that would explain the need for 10 months of training for the new endeavour. • Even if more questions had been asked, it believed Mr L would have continued to mislead the bank and provide reassuring responses. The payee was on Companies House and it appeared to offer digital solutions and software development, which was consistent with the purpose provided too. • It felt the decision wasn’t consistent our service’s approach where customers have knowingly and purposefully misled the bank. HSBC cited a decision issued on a separate case where it felt we’d approached this issue differently. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. I’ve also reflected on HSBC’s comments in response to my provisional findings. Having done so, I’ve still decided to uphold Mr L’s complaint in part, and maintain my initial outcome. I’ve explained why below. HSBC thought the transaction carried an elevated fraud risk, and I agree that it did. So the bank needed to ask questions to enable it to be reasonably satisfied its customer wasn’t falling victim to a scam. I don’t consider the scenario of man in his seventies paying £20,000 for ten months’ worth of training and software for starting a new company, on a new account he’d only used for small transactions, was such a plausible explanation or everyday occurrence that no further questions were required. It’s unusual at best, and the agent on the call seemingly thought the same, as she remarked that it sounded like a long time for training. The payment details were also texted, rather than provided on an invoice, and it was unclear why the payment was being made on this account (it wasn’t his main one) or where the money to fund it had come from. So there were other red flags in what HSBC learned or could see. I’m not suggesting someone with Mr L’s characteristics couldn’t have been starting a software company, or embarking on a long stint of training – and I’ve been conscious not to view the intervention call with the benefit of hindsight. But I don’t consider it was reasonable

-- 4 of 6 --

here for HSBC to accept what it had been told on face value. The bank would also have been aware that cover stories are commonly provided by scammers, so further questions were needed in the circumstances to be sure Mr L wasn’t at risk. What’s more finely balanced is deciding what would have likely happened if proportionate questioning had taken place. HSBC’s mistake in not asking means we’ll never know the answer to that for sure. Our service doesn’t have a set approach either for all cases where customers have misled their banks – it depends completely on the individual circumstances involved. The decision HSBC quoted as an example of our approach to this issue involved a cover story that rightly seemed plausible to the bank and consistent with everything it knew. HSBC believes Mr L would have been able to concoct a plausible enough back story on the spot – but I don’t agree. I accept he was prepared to make up certain details, like the length of the training course, and he looked up the name of one of the directors of the payee company during the call. That does indicate he likely would have tried to continue with the lie. But, on balance, I find that the evidence better supports the view that Mr L likely wouldn’t have been able to reassure HSBC he wasn’t at risk if it had probed him appropriately. Looking at the messages with the scammer I don’t think Mr L had a detailed back story prepared. His interaction with a different bank had also showed him that the vague purpose he was told to relay probably wouldn’t be questioned. In addition, the answers Mr L provided that were off script actually made the scenario sound less plausible – things like the length of time for the training and the way payment details were provided. That tells me he hadn’t given it much thought, and so likely wouldn’t have been able to improvise coherent additional elements to the cover story in the moment. I believe that would have continued to be the case if Mr L was required to explain in any more detail what the money was for, and the circumstances wouldn’t have added up overall. What we also know from Mr L’s communication with the scammer is that the situation (of risking all this money and having to hide things from family) was taking its toll and really affecting his health. So, while I accept Mr L didn’t sound flustered during the call, he wasn’t really challenged by HSBC – and in the background its clear he wasn’t handling the pressure well. The scammers hadn’t really provided a good reason to lie to the banks either. The cover story was supposed to make things easier and help Mr L get through the calls quicker, so I’m not sure how committed to the lie he would have been if it didn’t play out that way and he was questioned more on what he was doing. Mr L’s health, and the lack of a strong motivation to hide the true purpose, add to my belief that he wouldn’t have been able to reassure HSBC if further questions were asked. If HSBC wasn’t satisfied by his answers, then it would have needed to see something to corroborate what he was paying for, which he wouldn’t have been able to provide – and it would have unravelled from there. HSBC also couldn’t have allowed Mr L to circumvent its controls by authorising the funds to be moved elsewhere without being satisfied he wasn’t at risk. So I still find the loss would likely have been prevented if proportionate intervention had taken place, and I maintain its fair for Mr L to share liability for the reasons I’ve already given. Putting things right I’ve decided to uphold Mr L’s complaint, and direct HSBC UK Bank Plc to: • refund 50% of the disputed transaction (£10,000); and • apply 8% simple interest yearly to the refund, calculated from the date of payment until settlement is paid. If HSBC considers that it’s required by HM Revenue & Customs to deduct income tax from

-- 5 of 6 --

that interest, it should tell Mr L how much it’s taken off. It should also give him a tax deduction certificate if he asks for one, so he can reclaim the tax from HM Revenue & Customs if appropriate. My final decision I’ve decided to uphold Mr L’s complaint against HSBC UK Bank Plc in part, and I’m directing the bank to settle in line with what I’ve set out above (in the ‘Putting things right’ section). Under the rules of the Financial Ombudsman Service, I’m required to ask Mr L to accept or reject my decision before 19 May 2026. Ryan Miles Ombudsman

-- 6 of 6 --