Financial Ombudsman Service decision

Currensea Limited · DRN-5819741

Authorised Push Payment (APP) Scam · Complaint upheld · Redress £450

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint

Ms L complains that Currensea Limited won’t reimburse money that debited her account.

What happened

Ms L fell victim to a scam. She was contacted by a third party claiming to represent her bank (“H Bank”). The caller suggested that her bank accounts had been compromised and that she’d need to change her security information for all of her accounts, delete data from her phone and change her email address passwords. Ms L was instructed to change her PIN for her Currensea card while on the phone to the fraudsters and later put several debit cards, including her Currensea card, as well as various PINs in an envelope, which was collected by a third party.

A number of payments were attempted on her Currensea account, most of which were unsuccessful. Three payments went through and remain outstanding – each was for £150 and carried out online to a retailer. One further payment that was successful was refunded by the merchant.

Each payment was authorised via two-factor authentication from a different device than Ms L normally uses. In order to access Ms P’s account through their own device, the fraudster would have needed to have used her security credentials. Currensea say Ms L would have also needed to pass her H Bank login details to the fraudsters too – so her device could be fully registered. H Bank confirms this happened and that a new device was added to Ms L’s H Bank account too. Ms L admits sharing her card and PIN, but denies sharing other security details.

Ms L complained to Currensea about what happened, but it declined to reimburse her. It said that she had been grossly negligent in failing to protect her account.

Ms L referred a complaint to our service and one of our investigators upheld it. They argued that Ms L hadn’t authorised the payments herself and, under the relevant regulations – the Payment Services Regulations 2017 (“PSR 2017”), she could not be held responsible for payments made in relation to “distance contracts” (which they thought the payments to the retailer were).

Currensea disagreed, in summary it argued:

- The investigator’s interpretation of PSR 2017, Reg 77(4)(d) was “fallacious” as Ms L hadn’t herself entered into a distance contract – one had been concluded between the merchant and the fraudster (and had likely been fulfilled).
- In any case, it was only due to Ms L’s grossly negligent actions that the fraudsters could have made the payments – she’d passed her security credentials to them in a way which allowed them to act on her behalf.
- Ms L’s actions, in passing on her security credentials, card and PIN amounted to giving the fraudster apparent authority to act on her behalf.

As no agreement could be reached the case was passed to me for a final decision.


What I’ve decided – and why

I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint.

Did Ms L authorise the payments in dispute?

Under the PSR 2017, account holders are generally only responsible for payments they’ve authorised themselves. In most cases authorisation will mean that an account holder has made a payment themselves or has given someone else permission to make a payment on their behalf. But there might also be circumstances where it is fair to treat a payment as authorised, for example where an account holder has told its payment service provider that they want a payment to go ahead (even if they did this accidentally or believing they were doing something else).

There doesn’t appear to be any dispute that Ms L didn’t enter her card details onto the merchant’s website. So she didn’t make the payments herself. I also don’t think that evidence supports a finding that Ms L gave permission for someone else to make the payments on her behalf. That seems at odds with the premise of the scam – that she needed to protect her accounts from fraud.

Currensea argue that the steps Ms L took mean that, despite this, it should be able to treat the payments as authorised by her. Like the investigator, I think it’s likely that Ms L did disclose her security credentials to the third party (both those for H Bank and Currensea) and either doesn’t recall doing this or is reluctant to disclose that she did so. But I’m not persuaded that these actions mean that Currensea can fairly treat the payments as authorised. Ms L did not tell Currensea that she wanted any of the payments to take place and did not complete the two-factor authentication herself.

Impersonation scams are relatively common and the transactions in dispute also took place on a new device and followed a much larger declined transaction, all of which ought to have given Currensea some doubt that the payments were being made by its customer (as it did have later, after more payments were attempted). Overall, I don’t think that Currensea can fairly treat the payments as authorised.

Under the PSR 2017 Reg 77(4)(d), a payment services provider can’t hold the account holder responsible for an unauthorised payment if their payment instrument is used in connection with a distance contract, other than an “excepted contract”. A distance contract means:

“a contract concluded between a trader and a consumer under an organised distance sales or service-provision scheme without the simultaneous physical presence of the trader and the consumer, with the exclusive use of one or more means of distance communication up to and including the time at which the contract is concluded;”

I agree with the investigator that the payments are likely to have been distance contracts, given that they appear to have been carried out online. There’s also no evidence that the payments relate to “excepted contracts” (which includes, for example, payments for financial services) and this seems less likely than not given that the payments were made to a supermarket.

Currensea argue that Reg 77(4)(d) doesn’t apply because it wasn’t Ms L who entered into a distance contract but rather the fraudster. I think this is a misunderstanding of the relevant provision. Reg 77(4)(d) only requires the payment instrument to be “used in connection with” a distance contract. It does not state that the account holder needs to have entered the contract themselves. And, I’m satisfied, for the reasons set out, Ms L’s payment instrument was used in connection with a distance contract.

It follows that Currensea should reimburse Ms L. Our investigator also recommended that Currensea pay Ms L £50 in compensation. I think this is fair in the circumstances, I don’t think that Currensea acted fairly in declining Ms L’s claim and I think this has caused unnecessary distress and inconvenience.

My final decision

I uphold this complaint about Currensea Limited and instruct it to pay Ms L:

- The value of the disputed transactions - £450
- 8% simple interest per year on that amount from the date of each payment to the date of settlement, less any tax lawfully deductible
- £50 compensation

Under the rules of the Financial Ombudsman Service, I’m required to ask Ms L to accept or reject my decision before 28 April 2026.

Rich Drury
Ombudsman
