Financial Ombudsman Service decision

Barclays Bank UK PLC · DRN-6121492

Authorised Push Payment (APP) ScamComplaint upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr O complains that Barclays Bank UK PLC (‘Barclays’) won’t fully reimburse the funds he lost when he fell victim to a scam. What happened Mr O says that he saw a celebrity endorsed advert online about an investment opportunity using automated software. He provided contact details and received calls from representatives of two companies, which I’ll call ‘P’ and ‘S’ in this decision. He didn’t know at the time, but Mr O was dealing with scammers. I have set out in the table below the transactions Mr O made that relate to the scam. The payments sent to Mr O’s own account with R were exchanged and sent to international accounts. Mr O believed the funds sent to his cryptocurrency account were then moved to a trading platform in his name, but they were lost to the scammer. Transaction Date Amount Payee 1 01/08/24 £4,500 Own account at R 2 02/08/24 £4,500 Own account at R 3 13/08/24 £5,000 Company 1 4 14/08/24 £9,000 Own account at R 5 14/04/24 £15,000 Company 2 6 21/08/24 £3,000 Own account at R 7 23/08/24 £4,000 Own account at R 8 28/08/24 £10,000 Crypto account 9 29/08/24 £20,000 Own account at R 10 30/08/24 £10,000 Own account at R 11 02/09/24 £10,000 Crypto account 12 25/09/24 £15,000 Crypto account 13 27/09/24 £1,000 Crypto account The representative of P stopped communicating with Mr O when he asked to withdraw funds. This made Mr O concerned so he tried to also withdraw funds from S. The withdrawal request wasn’t successful, and Mr O realised he was the victim of a scam. Through a professional representative, Mr O reported what had happened to Barclays. Barclays reimbursed 50% of payments three and five, saying both parties could have done more, plus interest and compensation of £150 to reflect the service provided. All other payments were made to accounts in Mr O’s name and Barclays said it wasn’t responsible for

-- 1 of 8 --

them. It noted that it had a detailed scam conversation with Mr O about payment eight when Mr O misled Barclays. Mr O was unhappy with Barclays’ response and brought a complaint to this service. The investigator who considered this complaint held Barclays liable from payment five (£15,000 on 14 August 2024). She said Barclays didn’t do enough when it intervened before processing this transaction and that better intervention would likely have uncovered the scam. Broadly, the investigator said Barclays should be liable for 50% of payments to Mr O’s cryptocurrency account and 33% of payments to his account with R (as R was also partly responsible). Mr O accepted the investigator’s findings, but Barclays did not. It said that there was no legal basis to hold Barclays liable for transactions sent to accounts held by Mr O with a cryptocurrency provider and R. I contacted both parties and explained that if I agreed with the investigator’s findings, I would be calculating the redress differently. I said I would be awarding 25% of the payments to R, which R was also responsible for (payments six, seven, nine and ten) and 50% of the payments made to cryptocurrency accounts (payments eight, eleven, twelve and thirteen). I also explained to Barclays why I agreed with the investigator’s findings in terms of why it was liable and from what point. Mr O let me know that he accepted my revised redress calculation and Barclays didn’t respond by the deadline given. So I am progressing this complaint and issuing a decision. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. In deciding what’s fair and reasonable, as set out at DISP 3.6.4R, I’m required to take into account relevant law and regulations; regulators’ rules, guidance and standards; codes of practice; and, where appropriate, what I consider having been good industry practice at the time. Should Barclays have been on the look-out for the possibility of APP fraud? The starting point under the relevant regulations (in this case, the Payment Services Regulations 2017) and the terms of Mr O’s account is that customers are responsible for payments they authorised. And, as the Supreme Court has recently reiterated in the case of Philipp v Barclays Bank UK PLC, banks generally have a contractual duty to make payments in compliance with their customer’s instructions. In that case, the Supreme Court considered the nature and extent of the contractual duties owed by banks when making payments. Among other things, it said, in summary: • The starting position is that it is an implied term of any current account contract that, where a customer has authorised and instructed a bank to make a payment, the bank must carry out the instruction promptly. It is not for the bank to concern itself with the wisdom or risk of its customer’s payment decisions. • The express terms of the current account contract may modify or alter that position. For example, in Philipp, the contract permitted Barclays not to follow its customer’s instructions where it reasonably believed the payment instruction was the result of APP fraud; but the court said having the right to decline to carry out an instruction was not the same as being under a duty to do so. In this complaint, the terms of Barclays’ contract with Mr O modified the starting position described in Philipp by expressly stating that Barclays was permitted to not follow a payment instruction in certain circumstances. In respect of this, the terms and conditions said:

-- 2 of 8 --

“When we don’t have to follow your instructions We’ll do all we can to carry out your instructions. However, we don’t have to follow an instruction for any of these reasons. … • We reasonably believe it might expose us (or another Barclays company) to legal action or censure from any government, regulator or law enforcement agency. • We reasonably think that a payment into or out of an account is connected to a fraud, scam or any other criminal activity. This includes where we reasonably think the funds are being obtained through deception. … While we are checking that none of the reasons above apply, there may be a delay in getting the payment to its destination. This might happen even if everything turns out to be fine… Unless the law prevents us, we’ll try to contact you as quickly as possible to tell you we haven’t followed an instruction and to explain why. You can also ask us why we haven’t followed your instruction. We’ll tell you what you can do to correct any errors in the instruction, or to satisfy us that the instruction came from you.” So the starting position at law was that: • Barclays was under an implied duty at law to make payments promptly. • It had a contractual right not to make payments where it suspected fraud. • It had a contractual right to delay payments to make enquiries where it suspected fraud. • It could therefore refuse payments, or make enquiries, where it suspected fraud, but it was not under a contractual duty to do either of those things. Whilst the current account terms did not oblige Barclays to make fraud checks, I do not consider any of these things (including the implied basic legal duty to make payments promptly) precluded Barclays from making fraud checks before making a payment. As explained above, in addition to relevant law, I also take into account regulators' rules, guidance and standards, codes of practice, and what I consider to have been good industry practice at the relevant time. Taking into account longstanding regulatory expectations and requirements and what I consider to have been good industry practice at the time, I am satisfied that Barclays should have been on the look-out for the possibility of APP fraud and have taken additional steps or made additional checks, before processing payments in some circumstances – as in practice all banks, including Barclays, do. This is because of the following: • FCA regulated banks are required to conduct their “business with due skill, care and diligence” (FCA Principle for Businesses 2) and to “pay due regard to the interests of its customers” (Principle 6). • Banks have a longstanding regulatory duty “to take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime” (SYSC 3.2.6R of the Financial Conduct Authority Handbook, which has applied since 2001). • Over the years, the FSA, and its successor the FCA, have published a series of publications setting out non-exhaustive examples of good and poor practice found when reviewing measures taken by banks to counter financial crime, including various iterations of the “Financial crime: a guide for firms”.

-- 3 of 8 --

• Regulated banks are required to comply with legal and regulatory anti-money laundering and countering the financing of terrorism requirements. Those requirements include maintaining proportionate and risk-sensitive policies and procedures to identify, assess and manage money laundering risk – for example through customer due-diligence measures and the ongoing monitoring of the business relationship (including through the scrutiny of transactions undertaken throughout the course of the relationship). • The October 2017, BSI Code, which a number of banks and trade associations were involved in the development of, recommended firms look to identify and help prevent transactions – particularly unusual or out of character transactions – that could involve fraud or be the result of a scam. Not all firms signed the BSI Code, but in my view the standards and expectations it referred to represented a fair articulation of what was, in my opinion, already good industry practice in October 2017 particularly around fraud prevention, and it remains a starting point for what I consider to be the minimum standards of good industry practice now. • Barclays is also a signatory of the CRM Code. This sets out both standards for firms and situations where signatory firms will reimburse consumers. The CRM Code does not cover all authorised push payments (APP) in every set of circumstances (and it does not apply to the circumstances of these payments), but I consider the standards for firms around the identification of transactions presenting additional scam risks and the provision of effective warnings to consumers when that is the case,a represent a fair articulation of what I consider to be good industry practice generally for payment service providers carrying out any APP transactions. Overall, taking into account the law, regulators rules and guidance, relevant codes of practice and what I consider to have been good industry practice at the time, I consider Barclays should: • Have been monitoring accounts and any payments made or received to counter various risks, including anti-money laundering, countering the financing of terrorism, and preventing fraud and scams. • Have had systems in place to look out for unusual transactions or other signs that might indicate that its customers were at risk of fraud (among other things). This is particularly so given the increase in sophisticated fraud and scams in recent years, which banks are generally more familiar with than the average customer. • In some circumstances, irrespective of the payment channel used, have taken additional steps, or made additional checks, or provided additional warnings, before processing a payment – as in practice all banks do. • Have been mindful of – among other things – common scam scenarios, the evolving fraud landscape (including for example the use of multi-stage fraud by scammers and the use of payments to cryptocurrency accounts as a step to defraud customers) and the different risks these can present to consumers, when deciding whether to intervene. Should Barclays have recognised Mr O was at risk of financial harm from fraud? As I have explained above, I think Barclays ought to have been on the look-out for unusual and out of character transactions on Mr O’s account, such that it could identify payments which may be at risk of fraud or financial harm. I have considered the steps Barclays ought to have taken with only the more limited information it had. Like the investigator, I don’t think Barclays ought reasonably to have had concerns about payments one, two and four to Mr O’s own account with R. Mr O had already made a £3,000 payment to the same account at the end of June 2024 and Barclays knew the payments were going to an account in Mr O’s name. Payment four was to an external account but I

-- 4 of 8 --

won’t focus on it, as Barclays has already reimbursed 50% of it – which is the most I would award given what I will say below about Mr O’s actions. Payment five was highly unusual given Mr O’s usual account activity. It was high value, to a new payee and was made on the same day as a transfer of £9,000 to Mr O’s account with R. Barclays recognised that the transaction was unusual and spoke to Mr O about it. What did Barclays do to protect Mr O? As I have said above, Barclays recognised that payment five was unusual and spoke to Mr O before releasing it. I have listened to the call. Mr O was very unclear about who he was paying and needed to look this up. He initially said the payment was for counselling and then that it related to education about the management of money and private wealth. Without prompting, Mr O pointed out it wasn’t for investing. No further questions were asked, and the only scam advice was that Barclays see a lot of fraud and scams. Would better intervention have prevented the losses Mr O incurred from payment five? Barclays accepts that the call on 13 August 2024 didn’t go far enough, and I agree. As a result, Barclays has reimbursed 50% of payment five. But Barclays has declined to reimburse payments made subsequently to accounts in Mr O’s name with R and a cryptocurrency provider. Barclays should have probed much further and asked for more information about why Mr O was making the payment, how he found out about the company he was paying, and why he was paying so much. The agent could also have discussed the change in Mr O’s account activity more broadly. It’s difficult to see how Mr O could possibly have provided answers that could have satisfied Barclays he wasn’t at risk of financial harm from fraud. He was vague about where the payment was going, was paying a huge amount, had given different reasons that didn’t justify such a large payment and, as far as I can see, the company he was paying didn’t have a website. In the circumstances, I can’t see how Mr O could have persuaded Barclays that the payment was legitimate. Given what I’ve said, even if he’d been asked to provide an invoice, I think Barclays could quickly have recognised it wasn’t legitimate. Whilst I accept that Mr O misled Barclays in more than one call, I think better intervention in respect of payment five would have uncovered the scam and prevented Mr O’s loss. If Barclays, as the expert here, had set out its concerns and stressed the importance of being open and honest, I think the spell could have been broken and Mr O’s further loss prevented. Is it fair and reasonable for Barclays to be held responsible for some of Mr O’s loss? I accept that the payments Mr O made after payment five were to other accounts in his own name with R and a cryptocurrency provider, rather than directly to the fraudster. So he remained in control of his money after the money left his Barclays account, and there were further steps before the money was lost to the scammer. I also note that Mr O misled Barclays in a call after payment five was made. But as I’ve set out in detail above, I think that Barclays should have uncovered the scam when Mr O made payment five. Had it done so, no further payments would have been made. The fact that the money used to fund the scam after payment five wasn’t lost at the point it was transferred to Mr O’s own account with a cryptocurrency provider and R does not alter that fact and I think Barclays can fairly be held responsible for Mr O’s loss in such circumstances. And I have considered the fact Mr O misled Barclays in the section below which covers whether Mr O should share responsibility for his loss. Barclays has said that Mr O would not be entitled to compensation under either the Lending Standards Boards Contingent Reimbursement Model (the CRM code) or the Faster Payment Scheme (FPS) mandatory reimbursement rules for the payments made to accounts in his

-- 5 of 8 --

own name. And I agree that neither of those sets of rules apply to these payments. The payments fell out of scope of the CRM code as it went to an account in Mr O’s own name. The FPS mandatory reimbursement rules are now in force, but do not apply retrospectively and so are not relevant to the payments in this case. But the Payment Systems Regulator, when it introduced the FPS mandatory reimbursement rules, reminded firms that fraud victims have a right to make complaints and refer them to the Financial Ombudsman Service separately from the new reimbursement rights and that APP scam victims will still be able to bring complaints where they believe that the conduct of a firm has caused their loss (in addition to any claim under the reimbursement rules). So it is not correct to suggest, as Barclays appears to do, that the PSR’s mandatory reimbursement scheme represents the only refund requirements so far as fraud and scam reimbursement is concerned. I’ve also considered that Mr O has complained against two regulated financial businesses here, Barclays and R. In cases where a consumer has made complaints against two financial businesses about connected circumstances, DISP 3.6.3 gives me the power to require a financial business to pay a proportion of an award. In this case, I am considering Barclays’ liability, but as Mr O has also complained against R, its liability in this case is relevant, too. So, when considering a fair and reasonable level of redress in this case, I have taken this into account. Should Mr O bear any responsibility for his loss? I’ve considered whether it would be fair for Mr O to bear some responsibility for his loss. In considering this, I’ve taken into account what the law says about contributory negligence as well as what’s fair and reasonable in the circumstances of this complaint. I appreciate Mr O says he was given access to a trading platform. But I also think there were a number of things about what was happening and what Mr O was told that should have caused him significant concern. Mr O doesn’t appear to have done any independent checks into P or S before making this investment. If Mr O had researched P and S online, he ought to have had concerns about the legitimacy of what he was being told. There were negative scam reviews in respect of P and S. Particularly given the amount of money he was investing, I think it’s reasonable to expect Mr O to have carried out more thorough checks than he appears to have. I can see that Mr O was told he would receive returns of at least 12% a month from P and 20-25% a month from S. I think being told he would make these kinds of returns should have caused Mr O significant concern that what he was being told was too good to be true. The scammer told Mr O to mislead Barclays about the payments he was making. Mr O appears to have followed the scammer’s advice without considering whether legitimate investment companies would make such a request or why he was asked to lie. On a number of occasions, the information Mr O gave to Barclays wasn’t true. When he spoke to Barclays about payment five, Mr O said he was paying for counselling/education and when making a payment to his cryptocurrency account Mr O said that a broker wasn’t involved, he hadn’t been offered high returns, and he hadn’t been told to lie to Barclays. He also told Barclays he was buying cryptocurrency to hold and not use. I sympathise with the position Mr O has found himself in and recognise that he has been the victim of a cruel scam. But I think there were a number of things here which should have caused him significant concern, particularly when taken all together. And I don’t think he did enough to satisfy those concerns or that the seemingly genuine parts of the scam should have been enough to overcome them. So I think it would be fair and reasonable for him to bear some responsibility for the loss he suffered.

-- 6 of 8 --

Redress For the reasons set out above, I think Barclays should have identified that Mr O was at risk of financial harm from fraud as a result of payment five. And I think the action I would have expected it to take in response to this risk would have prevented Mr O making any further payments, and so losing the money he did from that point on. I also think it would be fair for Mr O to bear some responsibility for the money he lost. With the exception of payment five (which Barclays has already reimbursed 50% of) the payments from Mr O’s Barclays account were sent on to an account he held with a cryptocurrency provider and to R before being sent on to the investment company. I agree with the investigator that Barclays should reimburse 50% of payments eight, eleven, twelve and thirteen that went via Mr O’s cryptocurrency account to the scammer. In a separate complaint, it was recommended that R could also have done more to protect Mr O in relation to all the funds it allowed to be sent on (payments six, seven, nine and ten). So I think it would be fair for Mr O, Barclays and R to all share responsibility for the loss here. I’ve considered the nature and seriousness of the fault on the side of the banks, as a whole, compared with the fault of Mr O. When looking at the mistakes made by Barclays and R, I’ve found them to be very similar in nature – they both should have recognised that Mr O was at risk of financial harm from fraud and prevented some of his loss. Where two firms have made the same or similar mistakes, I don’t think their combined mistakes mean that they are more at fault than they would be if only one of them had made that mistake. And so I think Mr O should bear equal responsibility for what happened, and that means I think fair redress is as follows: • Barclays and R should each be responsible for 25% of the loss Mr O suffered in respect of payments six, seven, nine and ten and 50% of the loss Mr O suffered in respect of payments eight, eleven, twelve and thirteen and • Mr O should be responsible for 50% of the loss he suffered from the payments I’ve found Barclays should bear some responsibility for as part of this complaint. My final decision For the reasons set out above, I uphold this complaint and require Barclays Bank UK PLC to: • Refund Mr O 25% of payments six, seven, nine and ten and 50% of payments eight, eleven, twelve and thirteen. I calculate this figure to be £27,250; and • Pay simple interest at 8% per year on the payments, from the date the payments were made until the date of settlement. If Barclays Bank UK PLC is legally required to deduct tax from the interest it should send Mr O a tax deduction certificate so he can claim it back from HMRC if appropriate. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr O to accept or reject my decision before 2 April 2026. Jay Hadfield

-- 7 of 8 --

Ombudsman

-- 8 of 8 --