Financial Ombudsman Service decision

Santander UK Plc · DRN-6239379

Authorised Push Payment (APP) ScamComplaint upheldRedress £75
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr P complains that Santander UK Plc won’t refund the money he lost when he fell victim to a scam. What happened The details of this complaint are well known to both parties. So what I’ve set out below is merely a summary of the events and arguments key to my determination. In April 2024, Mr P used a company I’ll refer to as T to book a holiday. He says he provided T with his Santander credit and debit card details on the understanding they would charge him £1,200 for the flights (providing details for both cards as he was told the payment hadn’t initially succeeded). But he subsequently saw the following payments had been taken – none of which were sent to T: Payment number Date Merchant paid From Amount 1 27/04/2024 "E" Debit card £913.94 2 27/04/2024 "N" Credit card £1,146.31 3 28/04/2024 N Credit card £300 On realising he had been scammed by T, Mr P raised a payment dispute with Santander – and referred the matter on to our service when it didn’t agree to refund him. Our investigator thought Santander should pay Mr P £75 compensation for service failings, but didn’t uphold the remaining aspects of his complaint. She thought it fair to treat the payments as authorised due to Mr P providing his card details for the purpose of making a payment and then confirming them in-app. And she didn’t think Santander was at fault for not preventing or recovering (or otherwise refunding) the loss. Mr P appealed the investigator’s outcome. In summary, he said he didn’t consent to the payments; Santander hadn’t met its evidential burden to prove the payments were authorised; T never provided him with any service; and the credit card payments should be refunded under section 75 of the Consumer Credit Act 1974. I then issued a provisional decision explaining Santander had subsequently agreed to refund payment 3 – which I considered a fair outcome overall: Is it fair to treat the payments as authorised? The relevant law here is the Payment Services Regulations 2017 (PSRs) and the Consumer Credit Act 1974 (CCA). With some exceptions, the starting point is that Mr P is liable for payments he authorised, and Santander is liable for unauthorised payments.

-- 1 of 6 --

The PSRs specify that authorisation depends on whether the payment transactions were authenticated correctly – and whether the customer consented to them. That consent must be given in the form, and in accordance with the procedure, agreed between the customer and their payment service provider. It isn’t a matter of informed consent, so a payment can be authorised even if the customer was tricked about what they were agreeing to. Where a payment is authorised, that will often be because the customer has made the payment themselves. But there are other circumstances where a payment can fairly be considered authorised, such as where the customer has given permission for someone else to make a payment on their behalf or they’ve told their payment service provider they want a payment to go ahead. While tricked, Mr P has confirmed sharing his card details with T for the purpose of agreeing to a payment. And, crucially, the audit information I’ve seen supports that payments one and two were authenticated via a “3DS” check. This involved confirming the payments in-app. The screen would have displayed the payment amount and the merchant the payment was being sent to, and the option was given to select “authorise”, “cancel” or “no, this isn’t me”. Mr P says Santander has failed to evidence that the payments were properly authenticated as required under the PSRs. However, I’m satisfied from the technical data I’ve seen that Santander has sufficiently demonstrated that this step was completed for each of these payments. For the credit card payment, this is further supported by N’s response to the chargeback raised – which further confirmed that payment two was 3DS authenticated. Mr P disputes doing anything in-app at the time of these payments. But as above, that isn’t supported by the technical data I’ve seen which shows his device accessing his Santander mobile banking and confirming the payments. Mr P says the device ID shown wasn’t registered until May 2024. I believe this may be due to information he received from Santander which said its records about the device ID only goes back to May 2024. But I’ve seen other technical data supporting that the device was in fact registered in March 2024. In any event, our service makes decisions on the balance of probabilities. The fact the device ID connected to these payments matches that of a device used for other, undisputed activity on the account satisfies me it was likely Mr P who completed these 3DS checks. Based on what I’ve seen about how this scam transpired, I can’t see how someone else could have gained the level of access needed to do this. I’m therefore persuaded Mr P completed the 3DS checks for payments one and two in-app. By doing so, I think he effectively told Santander he wanted these payments to go ahead. I therefore think it is fair to treat them as authorised – meaning the starting position is that Mr P is liable for them. However, in reviewing the information from Santander and N, I found the final payment didn’t appear to have been authenticated via 3DS. Rather, it appears the scammer was able to contact N to amend their booking, which resulted in a further charge to Mr P’s card – without any further involvement from him. As I’ve explained to Santander, I therefore don’t think it’s fair to treat this payment as authorised. Santander has now agreed to refund this payment. Should Santander have prevented Mr P’s loss?

-- 2 of 6 --

In line with the PSRs, firms are expected to process authorised payments without undue delay. But while I accept the first two payments were authorised, I am conscious they were made due to Mr P being tricked by a scammer. I’ve therefore considered whether Santander should have identified that Mr P was at risk from fraud when these payments were requested – and, if so, whether it failed to take appropriate action in response that would have prevented his loss. I can see an initial debit card payment for around £1,250 was attempted but didn’t succeed. Santander has explained this didn’t go through due to the CVV not being entered correctly rather than being blocked due to fraud concerns. Then payment one - £913.94 to E – was requested and confirmed in-app. I don’t think this activity looked particularly unusual or concerning, so I don’t think Santander had cause to flag this payment for further checking. I can see a further payment to E, for £1,175.81, was subsequently attempted from Mr P’s debit card. But this was blocked by Santander. Mr P has confirmed Santander sent him a text about this, and he confirmed he didn’t request the payment. The card was blocked and no further payments were taken from Mr P’s current account. However, two further payments were then made from Mr P’s credit card – the payment of £1,146.31 sent to N, and then the £300 payment the following day which Santander has now agreed to refund. As these were sent from a different account, I don’t think Santander had cause to suspect this card/account might also be at risk. And again, I don’t think the payment was so unusual or otherwise concerning that Santander should have known to complete further checks – particularly as the payment was verified in-app. In the circumstances, I consider it reasonable that Santander followed the payment instructions it received on payments one and two. I therefore don’t consider it at fault for not preventing these payments. Is Santander otherwise liable for recovering or refunding the loss? I’ve considered Santander’s actions when Mr P reported the payments as unauthorised. As they were made by card, the payments were covered by the chargeback scheme. But this is a limited and voluntary scheme for resolving payment disputes. Claims for payments disputed as fraudulent won’t succeed if the payments were 3DS authenticated – which payments one and two were. So, I don’t think Santander could have successfully recovered these payments under the terms of the chargeback scheme. The scheme does also allow claims for services not being provided. But as Mr P has himself confirmed from his enquiries with N and E directly, those merchants did provide the expected service in exchange for the payments received – just not to him. So, I don’t think there were reasonable prospects to pursue claims on this basis either. However, Mr P says payment two should be refunded under section 75 of the CCA. In brief, this allows the borrower to claim against the credit provider for a breach of contract or misrepresentation by the supplier in some circumstances. The onus would still be on the claimant to raise, and evidence, a claim. As our investigator explained, it doesn’t appear Mr P ever raised such a claim with Santander directly so I can’t say it is at fault for not considering this. In any event, claims can only be made for valid “debtor-creditor-supplier agreements”. It doesn’t

-- 3 of 6 --

appear to me that would be the case here – as the “debtor” is Mr P, but he has no contractual relationship with the supplier (“N”, a genuine travel company who there is no suggestion failed to fulfil its contractual duties). I appreciate this will be disappointing for Mr P, as he is still left out of pocket due to a scam. I accept he didn’t receive the service he was expecting from T (due to them operating a scam). However, in looking at Santander’s role in what happened, I don’t think it would be fair to direct it to refund him for payments one and two. Did Santander’s service cause Mr P unavoidable distress and inconvenience? As part of Mr P’s complaint, he reported that Santander was rude over the phone when he and his son called to discuss the dispute. I agree that the service provided fell short of what I’d expect from Santander and caused Mr P upset at a difficult time. The investigator recommended Santander should pay £75 compensation for the distress and inconvenience caused by its service failings. Santander has accepted this, and I can’t see Mr P has objected to the level of this award. I also agree this level of compensation appears to fairly reflect the impact on him from Santander’s poor service. So, I agree it should pay this compensation. Santander has already agreed to this outcome. But Mr P has appealed. In summary, he says: • the payments were unauthorised. He provided his card details to T only for the sake of agreeing to the particular payments they said they would be taking; he didn’t consent to those that were made. And the completion of in-app “3DS” checks isn’t enough to deem the payments authorised; • the account activity looked suspicious so Santander should have intervened; • there are inconsistencies between what I’ve said about payments being blocked compared to what the investigator said; • the chargebacks should have succeeded as no services were rendered to him, and it’s inconsistent that I’ve referred to both 3DS authentication and the merchants providing services as a reason for this. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’ve reached the same overall conclusions as I did in my provisional decision – which is set out above and also forms part of my final decision. I’ll therefore focus here on responding to the points Mr P raised in response. In explaining my decision I want to highlight that, while I have carefully considered everything that has been submitted, I’ve focussed on the points I consider key to my determination – meaning not all information provided will be cited or commented on. Authorisation I accept Mr P didn’t provide his card details to T for the purpose of authorising payments beyond those he understood T would be taking. But when looking at whether the payments were consented to under the PSRs, this isn’t a matter of informed consent. As explained in my provisional decision, consent normally occurs because the consumer has completed the agreed steps to make a payment.

-- 4 of 6 --

However, as I also explained, there are further instances when we would consider it fair for a firm to treat a payment as having been authorised. I know Mr P has maintained he doesn’t recall completing in-app 3DS checks on payments one and two. In a case like this, I can’t be certain about what happened. Where information is unclear or contradictory, I’ve decided what is more likely to have happened on the balance of probabilities. On balance, I am persuaded by the audit information Santander has provided that these checks were completed – and I can’t see how they could have been completed by someone other than Mr P. And in looking at what information these screens set out about the nature of the payment, and given that the “authorise” option had to be selected to proceed, I do think it’s reasonable for Santander to rely on Mr P completing this step as confirmation that he was agreeing to payments 2 and 3. I therefore consider it fair for Santander to treat these payments as authorised – even though I accept they came about due to Mr P being tricked by a scammer. Account activity Mr P says payment one (£913.94 to E) was allowed to go ahead on 28 April 2024, after a payment to E (for £1,175.81) had been flagged for further checking. However, payment one was made on 27 April 2024, before the time at which Mr P confirms receiving a text about the flagged payment. It’s common for there to be a lag between when a card payment is made and when it shows on a statement. I think Santander’s actions here support that it was appropriately monitoring for, and acting on, indications of fraud risk; no payments were taken from Mr P’s debit card, which was blocked, after the flagged payment. While further payments were made from Mr P’s credit card account, I don’t think the risk Santander had identified about the use of his debit card, attached to his current account, meant it had grounds to suspect his credit card might also be at risk. Especially as payment two was further verified by an in-app 3DS check. Mr P has highlighted that the investigator previously said Santander didn’t decline any payments, But as he appealed the investigator’s outcome, I’ve completed my own, independent review of this complaint and am not bound by the investigator’s comments. In any event, it seems to be clear, and accepted by Mr P, that Santander flagged a payment of £1,751.81. I’m satisfied what I have said in this respect is accurate. Overall, looking at the activity on each account, I’m not persuaded Santander was remiss not to intervene further on payment one or two. I therefore don’t consider it fair to hold Santander liable for failing to prevent these payments. The chargeback scheme Mr P says it’s inconsistent that I’ve referred to two reasons for the claims not succeeding. But there are different grounds on which a chargeback claim can be brought. And the explanations given in my provisional decision reflected the arguments Mr P had put forward, and on what basis a claim could have been pursued. I’m conscious Mr P denies authorising the payments. I therefore thought it would be helpful to cover off that, while claims can be raised on the grounds of fraud, such a claim wouldn’t have succeeded for payment one or two due to the way in which they were authenticated. Another option would have been to claim for the payments due to the service not being provided. However, as Mr P’s response acknowledges, it’s not that the merchants didn’t provide any service in exchange for the payments they received, even if the services weren’t provided to Mr P but to the scammers. So, while I acknowledge Mr P didn’t receive those

-- 5 of 6 --

services, I don’t consider there would be grounds to successfully claim the payments back for the merchants on the basis they didn’t provide the service. Overall, it’s clear Mr P lost out due to a scam and I can therefore see why he feels strongly about recovering his funds. However, my role is to look at what fault Santander holds for this. For the reasons I’ve explained, I do think it holds liability for causing Mr P upset, and for the final payment. But having carefully considered all the circumstances, I don’t consider it fair to direct it to refund the first two payments. My final decision For the reasons given above, my final decision is that I uphold this complaint and direct Santander UK Plc to: • refund Mr P payment 3 (totalling £300); • reconstruct the credit card account and refund any interest and charges applied due to this payment; • pay 8% simple interest (less any tax properly deductible) on any repayments made in relation to this payment, running from the date of the repayment(s) to the date of settlement; and • pay Mr P £75 compensation for his distress and inconvenience. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr P to accept or reject my decision before 17 April 2026. Rachel Loughlin Ombudsman

-- 6 of 6 --