Financial Ombudsman Service decision

HSBC UK Bank · DRN-6199586

Authorised Push Payment (APP) ScamComplaint upheldRedress £25,150
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr C complains that HSBC UK Bank Plc (‘HSBC’) won’t reimburse the funds he lost when he fell victim to a scam. What happened Mr C says that his son introduced him to an investment opportunity with a company I’ll call ‘S’ in this decision. S was a property development company specialising in social housing and offered loan notes. Mr C was told that an escrow wallet would be opened in his name to receive his payments and that the banking provider requested identification and proof of address documents, which Mr C provided. After making payments, Mr C was provided with a convertible loan note showing a £10,000 investment. He received interest payments of £50 and £300. Soon after, Mr C was advised that a company, which I’ll call M, was due to buy out S and investors were given the opportunity to invest more. Mr C added further funds. The investigator set out the payments Mr C made and the returns he received. The investigator included funds received from Mr C’s son’s business (£20,000) and explained why this service would not consider this amount as part of Mr C’s loss. Mr C’s outstanding loss is £25,150. Mr C raised a fraud claim with HSBC and instructed a professional representative to complain on his behalf. HSBC said that as Mr C had received small returns, he had a civil dispute with S. HSBC also said that the payments Mr C made were to accounts in his own name. Mr C was unhappy with HSBC’s response and brought a complaint to this service. The investigator who considered this complaint recommended that Mr C’s outstanding loss be reimbursed in full. He explained why he felt Mr C was the victim of an authorised push payment (APP) scam as defined by the Contingent Reimbursement Model Code (CRM Code) and why he thought none of the exceptions to reimbursement could be applied. Mr C accepted the investigator’s findings, but HSBC did not and asked for a final decision. After reviewing the evidence provided by both parties, I contacted HSBC to explain why I felt Mr C was the victim of a scam and should be reimbursed, but HSBC maintained its stance, so I am issuing a decision. HSBC said that the CRM Code was intended to deal with APP scams which firms could have prevented through better policies, procedures and monitoring, which it says it couldn’t have done. In this case HSBC say Mr C was involved in a high risk, unregulated investment and it isn’t in the spirit of the CRM Code to expect it to reimburse in these circumstances. HSBC also said that if I uphold the complaint, I shouldn’t award interest at the rate of 8% simple per year. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. In deciding what’s fair and reasonable in all the circumstances of a complaint, I’m required to take into account relevant: law and regulations; regulators’ rules, guidance and standards;

-- 1 of 4 --

codes of practice; and, where appropriate, what I consider to be good industry practice at the time. Where there is a dispute about what happened, and the evidence is incomplete or contradictory, I’ve reached my decision on the balance of probabilities – in other words, on what I consider is most likely to have happened in light of the available evidence. In broad terms, the starting position in law is that HSBC is expected to process payments that a customer authorises it to make, in accordance with the terms and conditions of the customer’s account and the Payment Services Regulations (PSR’s). But there are circumstances when it might be fair and reasonable for a firm to reimburse a customer even when they have authorised a payment. Has Mr C been the victim of an APP scam as defined by the CRM Code? HSBC initially said that Mr C paid accounts in his own name, so the CRM Code doesn’t apply. I agree that Mr C paid accounts that were in his name, so on the surface the CRM Code doesn’t apply. But in this case, I’m satisfied that Mr C didn’t open the accounts himself and he didn’t operate or have access to them. This service has received confidential information from the two account providers. I appreciate why HSBC would like to view this information, but it should understand why I am unable to share it. When I contacted HSBC informally, I provided it with some relevant details which I will summarise. In respect of the first account used, incorrect contact information was provided. The account provider has confirmed that soon after the account was opened a large credit was received (from Mr C). It requested supporting evidence in respect of the payment and had concerns it wasn’t speaking to the account holder so closed the account with immediate effect. Turning to the second account Mr C paid, again incorrect details were used to open the account, and the account was suspended when Mr C reported concerns about fraudulent activity after obtaining account details from HSBC. It is also clear that Mr C’s funds were rapidly disbursed. Overall, I’m satisfied that Mr C lost control of the funds at the point he transferred to two separate accounts in his own name and there is the potential for the CRM Code to apply if the definition of an APP scam has been met. Under the CRM Code, the starting principle is that a firm should reimburse a customer who is the victim of an APP scam, except in limited circumstances. But the CRM Code only applies if the definition of an APP scam, as set out in it, is met. I have considered whether Mr C’s claim falls within the scope of the CRM Code, which defines an APP scam as: ...a transfer of funds executed across Faster Payments…where: (i) The Customer intended to transfer funds to another person, but was instead deceived into transferring the funds to a different person; or (ii) The Customer transferred funds to another person for what they believed were legitimate purposes but which were in fact fraudulent. To decide whether Mr C is the victim of an APP scam as defined in the CRM Code I have considered: - The purpose of the payments and whether Mr C thought this purpose was legitimate. - The purpose the recipient (S) had in mind at the time of the payments, and whether this broadly aligned with what Mr C understood to have been the purpose of the payments. - Whether there was a significant difference in these purposes, and if so, whether it could be said this was as a result of dishonest deception.

-- 2 of 4 --

Mr C thought he was loaning funds to S. I haven’t seen anything to suggest that he didn’t consider this to be a legitimate purpose. So, I’ve gone on to consider what purpose S had in mind and whether it was in line with what Mr C thought. The investigator raised many general concerns relating to S which strongly suggest that it wasn’t operating legitimately. I won’t repeat those points here, as they don’t relate to this specific case. But they provide an important background. One of the strongest indicators that Mr C was the victim of an APP scam is the opening of two accounts in Mr C’s name that he didn’t have access to or control of (which I have already discussed). I can’t see any circumstances in which a legitimate investment company would open and operate accounts in the name of a client in this manner. Most of the funds sent to the first account provider used by the scammer either bounced back or were returned when the account was closed by the provider. The other account provider has given this service confidential information about how the funds credited to the account were used. The funds went to individuals and to a company that I can’t find any information about. S’s brochure described the payee as its banking partner, which provides it with an escrow account facility. This clearly wasn’t the case. There are other points that lead me to believe S wasn’t operating legitimately, such as the fact there was no telephone number on the emails sent by its representative, the fact that the debenture Mr C was asked to sign was never registered, and the manner in which the investment with M was presented. Mr C was also advised to pool funds with Mr C’s son’s business, something I don’t think a legitimate business would propose. There is also an FCA warning about clones of M. Based on the available evidence, I’m satisfied it’s more likely than not Mr C’s funds weren’t used for the intended purpose and that S obtained the funds through dishonest deception. So, I’m satisfied that Mr C’s payments meet the definition of an APP scam and are covered by the CRM Code. HSBC has said that it’s not within the spirit of the CRM Code for investors to expect their bank to act as an insurer of last resort for speculative investment schemes. One of the three stated objectives of the CRM Code was to increase the proportion of customers protected from the impact of APP scams through reimbursement and the reduction of APP scams. I have set out why I think Mr C was the victim of an APP scam. In these circumstances HSBC should reimburse him under the CRM Code if none of the exclusions apply. Does an exception to reimbursement apply? The CRM Code says that Mr C is entitled to a full refund unless HSBC can establish that an exception to reimbursement applies. The CRM Code says that a bank may choose not to reimburse a customer if it can establish that: - The customer made payments without having a reasonable basis for believing that: the payee was the person the customer was expecting to pay; the payment was for genuine goods or services; and/or the person or business with whom they transacted was legitimate - The customer ignored an ‘effective warning’ by failing to take appropriate steps in response to that warning. There are further exceptions outlined in the CRM Code that do not apply to this case. I’m satisfied that Mr C had a reasonable basis for believing S offered a genuine investment opportunity.

-- 3 of 4 --

Like HSBC, I can’t find reviews of S, whether positive or negative. But S was a registered company and Mr C had a personal recommendation from his son who had already invested. Mr C’s son invested through his company and a charge was registered on Companies House in the name of his company. This would have added legitimacy to the investment. Mr C was then asked to sign a debenture in the same way so had good reason to believe this would be registered with Companies House too, although this didn’t happen. The debenture document looked legitimate. Mr C was also provided with a persuasive looking brochure and received emails that would seem legitimate to a novice investor like Mr C. By the time Mr C added further funds relating to the buyout by M he had received a return from S and a level of trust had been built. He was provided with a letter from S which set out the takeover offer in broad terms and what Mr C believed to be a letter from M to its executive management team relating to the offer to buy S. These letters made Mr C think the investment was legitimate. The test here is whether Mr C had a reasonable basis for believing the investment was legitimate, not whether he has completed every check an experienced investor might have made. And I note that up to now HSBC has said Mr C has a civil dispute, so it’s hard to see how it can fairly rely on the reasonable basis for belief exception to reimbursement. HSBC hasn’t said that an effective warning was ignored when Mr C made the payments. So, it can’t fairly rely on that exception to reimbursement either. As I’m not satisfied that HSBC can rely on an exception to reimbursement, Mr C is entitled to be reimbursed under the CRM Code. HSBC has said that it shouldn’t be held liable in circumstances where it could not have prevented the loss. Being unable to prevent a loss isn’t a valid exception to reimbursement under the CRM Code. HSBC has said that I should not award interest at the rate of 8% simple per year as this service hasn’t found that it was at fault and HSBC couldn’t have prevented Mr C’s loss. HSBC also said that awarding this rate of interest rewards Mr C by giving him a greater return than he would have received if he’d made a genuine investment. I have found HSBC to be at fault in not reimbursing Mr C’s claim when it was made. Mr C has been deprived of the use of the funds and the interest I am awarding reflects that. And HSBC is aware of this service’s approach to interest in respect of complaints brought in 2024. My final decision For the reasons stated, I uphold this complaint and require HSBC UK Bank Plc to: - Pay Mr C £25,150; and - Pay interest on this amount at the rate of 8% simple per year from the date it rejected Mr C’s claim to the date of settlement. If HSBC UK Bank Plc is legally required to deduct tax from the interest it should send Mr C a tax deduction certificate so that he can claim it back from HMRC if appropriate. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr C to accept or reject my decision before 14 May 2026. Jay Hadfield Ombudsman

-- 4 of 4 --