Financial Ombudsman Service decision

PayPal UK Ltd · DRN-6142261

Unauthorised TransactionComplaint upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr D complains that PayPal UK Ltd declined to cancel a credit agreement for an unauthorised purchase. What happened Mr D has a PayPal account. In July 2023 Mr D unfortunately had his mobile phone stolen from his hand while he was making a call. Mr D reported this to the police and replaced his phone the next day. Having done so, Mr D says he noticed an email confirming a purchase for a new phone from a retailer I’ll call A. This had been purchased on his PayPal account through a credit agreement, lasting 18 months, for £1,099. Mr D contacted PayPal to report what had happened and request PayPal cancel the credit agreement. PayPal investigated but concluded that they couldn’t see fraudulent activity because the third party was able to access Mr D’s phone and PayPal account via username and password. Therefore, PayPal said Mr D was responsible for the finance agreement. Mr D appealed PayPal’s decision but was unsuccessful. So, he brought his complaint to our service. One of our Investigators reviewed Mr D’s complaint and thought that PayPal hadn’t acted fairly. They said this because: • Mr D provided evidence of his phone having been stolen and the timings of the purchase aligned with Mr D’s testimony. • The collection location of the purchased item was 70 miles away from Mr D’s home address, so it seemed illogical for Mr D to collect an item there. This address/area was not previously associated to Mr D’s account. • Mr D had no passwords saved in his phone, didn’t use auto-populate for passwords, doesn’t use the biometric function, and hadn’t shared, accidentally or otherwise, any credentials to access his phone or PayPal account. So, our Investigator thought PayPal should end the finance agreement, reimburse Mr D for payments made including additional charges and interest and remove any adverse information from Mr D’s credit file. Mr D agreed with our Investigator’s view, but PayPal didn’t. They said, in summary: • The payment transaction was carried out using Mr D’s account username and password and there was no evidence of a compromise to these, so they believe the transaction was properly authorised • The timing of the purchase and location of the purchase don’t prove Mr D didn’t consent to the purchase.

-- 1 of 3 --

• Mr D failed to keep his credentials safe by having his device unlocked in a public place. So, as an agreement couldn’t be reached, Mr D’s complaint was passed to me. I reviewed the case file and thought that PayPal hadn’t acted fairly. In summary, I’m satisfied the evidence didn’t sufficiently demonstrate that Mr D consented to the payment. The evidence indicated that Mr D’s phone was stolen. The technical audit showed Mr D’s PayPal password was changed following his phone theft, and before the phone purchase likely allowing the third party access to the account. Therefore, I thought the transaction was unauthorised and PayPal were liable. PayPal didn’t accept this view. So, I’ve proceeded to issue my final decision. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I haven’t changed the provisional conclusions I previously reached that I think PayPal are liable for the transaction. I’ll explain in full below. Generally, PayPal is entitled to hold a consumer liable for authorised transactions, and PayPal is liable for unauthorised transactions. Under the PSRs 2017, the burden lies with the business to prove, on balance, both authentication of the payment, and that the consumer has given consent. I’m satisfied that the evidence PayPal have provided proves proper authentication, in that Mr D’s genuine device was used with the correct username and password. However, I’m not satisfied that Mr D’s consent has been properly proved. And therefore, I think it’s more likely than not that this transaction is unauthorised. And I’ll explain why. PayPal say Mr D authorised the payment because his PayPal username and password were used to complete the disputed transaction and he hadn’t shared them with anyone else. However, I’ve seen evidence which shows that Mr D’s PayPal password was reset after the theft and before the purchase. The evidence indicates the password was reset via the ‘forgotten password’ function which sends an email to the account holder. By taking Mr D’s phone, a third party would also gain access to Mr D’s email. I find it likely that this is how the third-party fraudster was able to correctly enter the username and password to complete the transaction. I can also see a text message was sent to Mr D’s contact number but since the third party was in possession of Mr D’s mobile phone, it follows that they were able to view the text message too. I’m satisfied this explains how a third party fraudster could have gained access to Mr D’s PayPal account and authorised the purchase. I’ve considered the timing of the disputed transaction and location of the pick-up point when thinking about whether Mr D likely consented to the agreement. The transaction is timed at 5.44am in line with Mr D’s testimony that his phone was stolen in the early hours of the same day. This is also shortly after the user was able to successfully reset the password. And, the location of the pick-up address was around 70 miles from where Mr D lives. It’s also not a pick-up point that Mr D has ever used with A before. I’m satisfied this evidence adds credence to Mr D’s testimony that the phone was stolen and he didn’t consent to the transaction. PayPal explained that they felt Mr D failed to take reasonable care in securing his PayPal credentials by leaving his device unlocked in a public place. I’m afraid I disagree that this accurately reflects the circumstances. Mr D told PayPal and our service that the phone was

-- 2 of 3 --

stolen from his hand while he was making a call. I’m satisfied it’s not unreasonable to have a mobile device unlocked in a public place while it’s in your hands. Additionally, since this is a credit agreement, under the Consumer Credit Act 1974, a consumer cannot be held liable for a credit agreement they didn’t consent to taking out. So, even if Mr D hadn’t shown reasonable care, as I’m satisfied Mr D didn’t consent to the credit agreement, it isn’t fair for PayPal to hold him liable for this reason. For the reasons I’ve outlined, I’m not persuaded that Mr D authorised the disputed transaction, and therefore it’s unfair for PayPal to hold him liable. I want to acknowledge that Mr D told us that the credit agreement payments has put significant financial strain on him and his family. I don’t underestimate the impact on Mr D from having his belongings stolen and a third party fraudster taking out a credit agreement without his consent. I’ve thought about whether Mr D should be awarded additional compensation for the distress caused to him however I’m satisfied the majority of the distress was caused to Mr D by the fraudsters actions which isn’t something I can hold PayPal responsible for. Putting things right For the reasons I’ve outlined above I’m satisfied that Mr D shouldn’t be held liable tor the disputed transaction or the associated credit agreement. To put things right I’ll be directing PayPal to clear the existing credit agreement including any interest any charges, remove any record of the agreement from Mr D’s credit file and reimburse Mr D for any payments made towards the debt. I’m also directing PayPal to pay 8% interest on any payments Mr D’s made towards the debt to acknowledge the time he’s been deprived of these funds. My final decision My final decision is I uphold this complaint. I direct PayPal UK Ltd to: • Clear the existing agreement for the disputed purchase, including removing any interest and any charges. • Remove any record of the credit agreement from Mr D’s credit file. • Reimburse Mr D for any payments made on the agreement so far, including 8% interest from the date of the payments to the date they are refunded. If PayPal considers that it’s required by HM Revenue & Customs to deduct income tax from that interest, it should tell Mr D how much it’s taken off. It should also give Mr D a tax deduction certificate if he asks for one, so he can reclaim the tax from HM Revenue & Customs if appropriate Under the rules of the Financial Ombudsman Service, I’m required to ask Mr D to accept or reject my decision before 18 May 2026. Cheryl Dior Ombudsman

-- 3 of 3 --