Zempler Bank Limited · DRN-5822486

The complaint Mr M is a sole trader, trading as D. D complains that Zempler Bank Limited has declined to reimburse payments made in relation to a scam. What happened In May 2025, the additional cardholder on D’s account received a call from a scammer who told them the account was at risk. They were manipulated into sharing one-time passcodes (OTPs) on the understanding that funds in the account needed to be moved to a safe place. D is disputing four card payments totalling over £18,000 made to different merchants. Zempler declined to reimburse D on the basis that the payments were authorised, and it didn’t have valid grounds for a chargeback in the circumstances. When D referred the complaint to our service, the investigator upheld it. They thought Zempler ought to have identified that D was at a heightened risk of financial harm from fraud and intervened at payment three, and that this would have prevented further loss. The investigator thought it would be fair for Zempler to reimburse 50% of payments three and four on the basis that the additional cardholder had contributed to the loss. Zempler didn’t agree, it said that as part of the stronger authentication process known as 3DS the additional cardholder was shown a warning with the OTP that said not to share the code and that if asked to do this it is a scam. And that the SMS would have included information about the payments such as the merchant and payment amount. Zempler says this should have raised serious doubts about the authenticity of the payment. It also said that it can’t intervene in card payments and that it doesn’t consider this a “safe account scam” because they were approving card payments rather than transferring funds to another account. The investigator explained they had already factored into the award that the additional cardholder had contributed to D’s loss, but they still thought Zempler should have stopped the third payment due to the risk factors present. As an agreement couldn’t be reached the matter has been passed to me for consideration by an ombudsman. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’m upholding this complaint for similar reasons to the investigator – I agree that a fair way to resolve this complaint is for Zempler to reimburse 50% of payments three and four. I’ll explain why. Under the relevant law - the Payment Services Regulations 2017 (PSRs) – the starting point is that D is liable for authorised payments. Zempler is generally expected to reimburse unauthorised payments.

-- 1 of 3 --

It’s common ground that the additional card holder was the victim of a scam. Zempler has provided evidence to show that the disputed card payments were correctly authenticated which included a stronger authentication process whereby each disputed payment required the use of an OTP sent by SMS. I understand that while the scammer likely used the card details to make the payments, the additional card holder does recall sharing at least one OTP on the understanding that money needed to be moved that was at risk – and that Mr M (on behalf of D) now accepts that the additional cardholder must have shared all four OTPs and that the payments are authorised. So, I’ll focus my decision on the issues that remain in dispute i.e. whether Zempler ought to have done more in the circumstances to identify D’s account was at a heightened risk of financial harm from fraud and prevented his loss. Did Zempler miss an opportunity to prevent D’s loss? In broad terms, the starting position at law is that Zempler is expected to process payments and withdrawals that a customer authorises it to make, in accordance with the PSRs and the terms and conditions of the customer’s account. But, taking into account longstanding regulatory expectations and requirements, and what I consider to be good industry practice, Zempler ought to have been on the look-out for the possibility of fraud and made additional checks before processing payments in some circumstances. I have reviewed D’s account statements. Having considered when the disputed payments were made, their values and who they were made to, I’m not persuaded that Zempler ought to have found the first two disputed payments suspicious, such that it ought to have made enquiries of Mr M or the additional cardholder before processing them. They were online payments from a business account that wouldn’t have appeared particularly high risk or out of character for the account. Zempler does need to strike a balance between its obligations to follow their customer’s payment instructions with their responsibilities to prevent foreseeable harm. However, I think by payment three – which was for over £10,000 to a luxury brand, Zempler ought to have recognised D was at a heightened risk of financial harm from fraud and done more to intervene and establish the circumstances surrounding the payments. This is because the payment was out of character for the account and was the third higher value payment within a few minutes so the pace and account activity would have appeared suspicious. I understand that in practice this would likely have meant Zempler needed to decline the payment rather than delay it. I think if it had done this, which the terms of the account allow for, this would have prevented D’s loss. This is because if Zempler had contacted Mr M or the additional account holder to ask about the payment before allowing further payments, the scam would have come to light, and no further OTPs would have been shared. It follows that I think the loss from the third and fourth payment should have been prevented. Should D bear any responsibility for its loss? In considering this point, I’ve taken into account what the law says about contributory negligence as well as what’s fair and reasonable in the circumstances of this complaint. D is accountable for the actions of the additional cardholder on the account, so I’ve also needed to consider their actions in the circumstances. The additional cardholder was told that the account was at risk and so I can understand this may well have created a sense of panic and urgency. But by the point at which I’ve concluded Zempler ought to have intervened (and therefore regarding the payments relevant

-- 2 of 3 --

to my award), I think the additional cardholder ought to have had concerns about what they were being asked to do. The call came from a number that wasn’t spoofed and the additional card holder hasn’t described undertaking the usual steps to verify himself or the caller such as security questions. I think most people would also have found it odd that they were being asked to make multiple payments rather than a lumpsum if they needed to be moved for safekeeping. I note that each OTP was provided in an SMS which set out the merchant and said not to share the OTP. So, while I have considered the additional cardholder’s age, I’m persuaded it is fair to hold D responsible for 50% of the loss I’m awarding in the circumstances. Could Zempler have done anything else to recover D’s payments? By the time Mr M reported the scam to Zempler the payments had already been processed. So Zempler wouldn’t have been able to stop the payments even if they showed as pending. As the disputed payments were card payments, a recovery option that would have been available to Zempler would have been through the chargeback scheme. This is a scheme run by the card scheme provider to resolve payment disputes between customers and merchants – subject to the rules they set. Zempler wouldn’t be expected to raise a claim that it thought had no prospect of success. As the merchants are genuine companies there’s no reason to think the goods/services wouldn’t have been provided. Though I accept its likely this was not for the benefit of D. So, I don’t think Zempler did anything wrong by not pursuing a chargeback in the circumstances. My final decision My final decision is that Zempler Bank Limited should reimburse D 50% of payments three and four – this is £5,922.96. It should also pay D simple interest on this amount at a rate of 8%, from the date of the payments to the date of settlement to recognise the time it was without these funds. Under the rules of the Financial Ombudsman Service, I’m required to ask D to accept or reject my decision before 7 May 2026. Stephanie Mitchell Ombudsman

-- 3 of 3 --