Financial Ombudsman Service decision

DRN-6261371

Unauthorised TransactionComplaint not upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint D, a limited company, complains that ARBUTHNOT LATHAM & CO LIMITED (“Arbuthnot Latham”) won’t refund the money it lost to a scam. One of D’s directors (I’ll refer to as “Mr H”) has brought this complaint on D’s behalf, through a firm of solicitors. For simplicity, I’ll generally refer to D and Mr H throughout this decision. What happened In summary, on 18 November 2024, Mr H received a call from someone claiming to be from Arbuthnot Latham. He later discovered he had connected with a scammer. The scammer told Mr H there had been suspicious activity on D’s account, referring to two possibly fraudulent transactions that had supposedly been stopped. They said they needed to verify some information to protect the account from fraud. As Mr H was in a meeting and couldn’t speak for long, it was agreed that the caller would phone back the next day. On 19 November 2024, the scammer called again. They again mentioned the two possible fraudulent payments which Mr H confirmed he didn’t recognise. The caller then asked Mr H to share a one-time passcode (“OTP”). Mr H says he provided it believing he was speaking with Arbuthnot Latham and that it was needed to allow the caller to access D’s account and secure it. In reality, the OTP was used to authorise a £7,000 card payment to a merchant that appears to have been dissolved on the same day. Mr H says he realised he had been scammed as soon as the scammer ended the call, shortly after he provided the OTP. He immediately contacted Arbuthnot Latham to report what had happened. A complaint was later submitted. Arbuthnot Latham declined to refund the money. It said the disputed payment was a card transaction authenticated using the OTP Mr H had shared. It pointed out the OTP message contained details of the transaction and a clear warning not to share the code with anyone. In addition, it noted Mr H had apparently breached its terms and conditions by sometimes allowing his father to use the card. The complaint was referred to our Service. Our Investigator upheld it. She was satisfied Mr H genuinely believed the caller was from Arbuthnot Latham. Although he shared the OTP, she accepted he did so because he thought it was needed to help secure D’s account. She found that Mr H didn’t realise sharing the OTP would authorise the payment from the account. And, as she didn’t consider his actions amounted to gross negligence, she said that D should receive a full refund of the disputed transaction, plus interest. Arbuthnot Latham disagreed. In short, it said the card payment was authorised through the OTP. If it is considered unauthorised, then Mr H acted with gross negligence. The lack of a verification process in the second call should have alerted Mr H that the call wasn’t genuine. Mr H shared the OTP without reading the message. Even in preview, the message warned him not to share the code. Based on previous OTPs received, Mr H should have known they contain more information than just the code and Mr H should have realised that being asked for an OTP was inconsistent with how it typically interacts with him.

-- 1 of 5 --

Arbuthnot Latham also said Mr H had already been warned about the risk of fraud following a failed scam attempt on 1 October 2024. At that time, he was specifically told not to reveal OTPs to anyone. He also received regular fraud-awareness communication. Despite these warnings, he shared the OTP. It doesn’t accept that “being busy” was a reasonable excuse for not paying close attention during a call that appeared to be from the bank. It said that, given the importance and sensitivity of such calls, Mr H had a responsibility to remain alert. His failure to do so caused him to miss clear indicators that the call was not genuine. Provisional decision I issued my provisional decision explaining why I wasn’t minded to uphold this complaint. I set out the background as above and provided the following reasons. Under the Payment Services Regulations 2017 (PSRs), the starting point is that D is responsible for any payments that were authorised. Conversely, unless certain exceptions apply, Arbuthnot Latham must refund any payments that were unauthorised. There’s no dispute Mr H was the victim of a scam or that he was tricked into taking some steps that enabled the card payment in question to be made from D’s account. However, for a payment to be considered authorised under the PSRs, Mr H (acting on behalf of D) must have consented to the execution of the transaction – and that consent must have been given in the form and according to the procedure agreed between D and Arbuthnot Latham. I’ve reviewed the relevant terms and conditions. Section 3.1 explains that a cardholder may use their card number to make transactions, within reasonable pre-determined limits, to suppliers of goods and services. Section 3.5 outlines the way a cardholder may authenticate a card transaction. Given that the physical card wasn’t used and there’s no indication a token (like ApplePay or Google Pay) was used, it’s likely the card payment was made online. The terms and conditions don’t specifically mention the use of an OTP. So I’ve considered the practical steps involved. I think it’s likely that the scammer, rather than Mr H, initiated the payment entering D’s card details on the merchant site. It’s not clear how those details were obtained but scammers have many ways of obtaining such information. The scammer then used the OTP, sent to Mr H’s mobile number, to authenticate the disputed transaction. Mr H accepts that he shared the OTP. However, on balance, I’m not persuaded that his actions, or his understanding of the situation, amount to him consenting to a third party making a payment. When Mr H first reported the scam, he explained that he believed he’d been called by the bank about fraudulent activity on D’s account. The caller referred to two payment attempts which Mr H didn’t recognise, but which at the time he thought may have been made by his father. Mr H made that connection as the scammer mentioned a billing address connected to the supposed fraudulent payments. Mr H didn’t suggest that he recognised or consented to the card payment in question. Instead, he said that, in a moment of stress, he shared the OTP without reading the full message. Although this then led to the payment in dispute, Mr H explained he shared the information because the caller told him they needed it to access D’s account. I find this testimony plausible. I don’t think it would be fair to find Mr H consented to a payment and to treat it as authorised in these circumstances. Arbuthnot Latham can decline to refund unauthorised payments where, for example, Mr H (on behalf of D) failed with intent or gross negligence to take all reasonable steps to keep safe D’s personalised security credentials. When considering if Mr H failed in his obligations, I’m considering if he seriously disregarded an obvious risk, falling significantly below the standards expected of a reasonable person in that situation.

-- 2 of 5 --

As I’ve set out above, Arbuthnot Latham argues that the threshold for gross negligence has been met. And having considered all the circumstances carefully, I’m inclined to agree. The scam began with a call late on 18 November 2024. The caller, pretending to be from Arbuthnot Latham, said they needed to review potentially fraudulent transactions that had supposedly been stopped. When Mr H later reported the incident, he explained the caller had started taking him through verification during the initial call, but because the process was taking too long and he was in a meeting, they agreed to continue the next day. While I accept Mr H’s explanation that he recognised the caller’s voice and was caught off guard when the caller rang back the following day, it’s still significant no proper verification took place at that point – the reason for ending the earlier call. I think most people in that situation would have expected to be taken through security to continue with the conversation. During the second call, the scammer again referred to the stopped transactions and asked Mr H for the OTP he had been told he would receive, saying it was needed to access the account. Mr H shared the OTP without reading the full message, believing he was speaking to the bank. However, given that in the initial call he had already been told that “fraudulent” transactions had been stopped and that a callback had been arranged to discuss this further, I’m not persuaded he was under significant scam-induced pressure at that moment. Nothing in his reporting calls to the bank suggests he believed the account was at immediate risk or that urgent action was required on his part to prevent financial loss. This is an important point. I consider most people would recognise sharing an OTP carries a risk and would read the accompanying text in circumstances where there’s no immediate threat of financial loss – particularly when, as happened to Mr H, only a few weeks earlier warnings had been received specific to not sharing any OTPs and that scammers might impersonate the bank. And, while I’ve thought about Mr H’s explanation that he was working in a tight space and juggling multiple tasks, I still think most people would have paused to reflect on what was happening and paid attention to the OTP message – again considering what I’ve said above and also the gap between the two scam calls. Arbuthnot Latham has shown, even in preview form, the OTP stated it was to authorise a purchase and should not be shared. It’s also relevant that in his reporting calls, Mr H seems to accept he shouldn’t have shared the OTP, indicating he recognised what he’d done wasn’t reasonable. Taking all these factors into account, I consider that Mr H did ignore an obvious risk when he shared the OTP and that his actions fell significantly below the standard expected of a reasonable person in that situation. For this reason, I’m persuaded that, in this particular case, Arbuthnot Latham can hold D liable for the unauthorised card payment. Did Arbuthnot Latham miss an opportunity to prevent the scam? In broad terms, Arbuthnot Latham is expected to process payments and withdrawals that a customer authorises, in line with the PSRs and the account’s terms and conditions. But taking into account longstanding regulatory expectations and what I consider was good industry practice, Arbuthnot Latham should also have been alert to the possibility of fraud and taken additional steps before processing a payment in certain circumstances. I acknowledge that the card payment was not insignificant in terms of value. But considering previous activity on the account, that this was a one-off payment authenticated by an OTP, and that this is a business account where spending can reasonably be expected to fluctuate at times, I’m not persuaded the payment in question should necessarily have appeared as particularly suspicious such that it was a failing on Arbuthnot Latham’s part not to intervene. Recovery

-- 3 of 5 --

As the disputed transaction was a card payment, a potential recovery route for Arbuthnot Latham was the chargeback scheme. Chargeback is operated by the card scheme provider to resolve disputes between customers and merchants, subject to the scheme rules. Because participation is voluntary and the scope limited, Arbuthnot Latham wouldn’t be expected to raise a claim it believed had no realistic prospect of success. The merchant was dissolved on the day the payment was made. Arbuthnot Latham said it was unable to identify the administrators and that Visa (the card scheme) had referred it to a third-party payment processor, which hasn’t responded. I don’t think Arbuthnot Latham could have done more here. I think it’s also unlikely a chargeback claim would have been successful as it’s unlikely that goods or services were not provided, even if to a scammer and not for D’s benefit. Responses to provisional decision I invited further comments and evidence from both parties. I explained that, unless any new information changed my view, my final decision was likely to be in line with my provisional conclusions. Arbuthnot Latham didn’t add anything more. D disagreed with my provisional decision. In summary, its representative said:  Mr H shared the OTP with the scammer because he has another account with another bank that also requires the use of OTP. The scammer did complete various verification checks such as confirming the current credit card limit, as well as other standard procedures. The final verification was to provide the OTP. Mr H didn’t find that suspicious as he had dealt with a similar procedure from his other bank.  Mr H was not grossly negligent. He followed the steps that appeared natural to him. Arbuthnot Latham did not intervene and the warning provided with the OTP was not easily identifiable and did not stand out.  It’s unreasonable to find that a chargeback wouldn’t have been effective. The payment didn’t clear the bank account until after days had passed. Mr H called Arbuthnot Latham a minute after the payment. Arbuthnot Latham had ample time to reclaim the funds. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’m not persuaded to depart from the conclusions reached in my provisional decision, which is copied above and forms part of this final decision. I’ve explained why I consider the payment in question to have been unauthorised. I do not think Mr H shared the OTP on the understanding it would lead to money being taken from D’s account. However, for the reasons set out, I consider Mr H ignored an obvious risk such that it is reasonable for Arbuthnot Latham to hold D liable for the payment. Mr H’s representative has said the scammer completed various verification steps, including confirming the card limit and requesting the OTP. However, their initial submissions stated that the reference to account “limits” occurred during the first call, whereas the OTP was shared during the second call. When we asked specifically what steps Mr H took to verify the caller was genuinely from the bank, the response was “Our client believed the caller was genuine”. They also said the scammer requested an OTP, explaining it was needed to secure the account and stop fraudulent activity. In Mr H’s reporting calls to the bank, he said that, in the second call, he was caught off guard because he recognised the voice from the first call. He also said the caller asked for the OTP so they could access the account. In my provisional decision, I also set out several reasons for finding that Mr H was grossly

-- 4 of 5 --

negligent (the term used in the regulations) in safeguarding D’s security credentials. These include the absence of an imminent threat to D’s funds, the time gap between the scam calls, the clarity of the OTP (which related to a purchase), Mr H’s own explanation for not reading that message, and the recent warnings he had received from Arbuthnot Latham about OTPs and impersonation scams. As Mr H appears to have realised immediately he shouldn’t have shared the OTP, this further indicates that he understood there was a risk. Taking all these factors into account, I still consider it reasonable for Arbuthnot Latham to hold D liable for the payment, on the basis that Mr H failed with gross negligence in keeping D’s security credentials safe. While the representative has also said that Mr H “followed the steps that appeared natural to him”, my assessment is based on what a reasonable person would have been expected to do in the wider circumstances Mr H found himself in. As for the chargeback, I explained Arbuthnot Latham wouldn’t have been expected to raise a claim where it believed there was little prospect of success. The matter was complicated as the merchant was dissolved. While Mr H’s representative has said they’re not convinced that goods were provided (to the scammer), referred to when the payment cleared D’s account, and has pointed to how quickly Mr H reported the scam, Arbuthnot Latham couldn’t have stopped the funds from leaving the account once the payment had been approved. And on the evidence, I remain unconvinced Arbuthnot Latham was at fault for not pursuing a claim on the basis that it should have been considered likely to succeed. I’m sorry that Mr H was scammed, and I understand why he wants to do everything he can to recover D’s money. But for the reasons explained, I consider Arbuthnot Latham can hold D liable for the payment on the basis of gross negligence. And I don’t think there were other significant failings on its part such that I can fairly hold it liable for D’s losses. My final decision For the reasons given, I do not uphold this complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask D to accept or reject my decision before 29 April 2026. Thomas Cardia Ombudsman

-- 5 of 5 --