PSI-Pay Ltd · DRN-5978544

The complaint Mr M complains that PSI-Pay Ltd won’t refund payments made as part of a scam. Mr M has an account with Pockit. Pockit’s cards are issued by PSI-Pay Ltd. As the transactions being complained about were made through the card associated with his Pockit account, PSI-Pay is the correct respondent business here. But as Mr M’s communication was with Pockit, for ease of reading, I’ll refer to Pockit throughout my decision. What happened The full details of this complaint are well known to both parties. The facts about what happened aren’t in dispute. So, I’ll only provide an overview of what happened and focus on giving my reasons for my decision. Mr M was selling an item on an e-commerce platform when he was contacted by a scammer posing as a purported buyer. To complete the sale, he was asked to verify his card details. He provided his Pockit card details and also approved notifications in the Pockit app as instructed. The steps Mr M took led to several card payments being approved. Pockit declined to refund the payments which totalled just over £3,500. It said the payments were 3DS verified in its app, so they were authorised. Pockit also said the payments didn’t have chargeback rights. Our Investigator concluded that it was fair for Pockit to treat the transactions as authorised, given how they were approved and also because Mr M understood payments were going to be made on each occasion (although he was tricked into believing that they would be returned as these were test transactions). But the Investigator also concluded that by the time Mr M approved Payment 6 (out of a total of 8 payments), Pockit ought to have been on notice that he was at risk of financial harm from fraud. The Investigator said Pockit ought to have taken additional steps at the time, and had it done that then the scam would have been uncovered and Mr M’s losses from Payments 6-8 – totalling £1,209.08 – being prevented. They asked Pockit to refund 50% of these payments along with interest, the deduction being made to account for Mr M’s contributory negligence. Mr M accepted the Investigator’s conclusions, but Pockit didn’t. In summary, it says that as these were authorised card payments, it has no liability for losses arising from them. Pockit says there’s no regulatory or contractual obligation for it to manually intervene or query a cardholder’s intent once a payment has been properly authorised and authenticated. The Investigator considered Pockit’s response and said it was subject to the regulator’s Principles for Businesses and BCOBS2, which expects firms to consider the risk of fraud and put in place appropriate safeguarding procedures. As an agreement couldn’t be reached, the complaint has been passed to me for a decision.

-- 1 of 4 --

What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. As it’s no longer in dispute that the disputed payments were authorised – Mr M has accepted the Investigator’s conclusions on this point – it seems to me that the matter I need to determine is whether Pockit should have recognised that Mr M was at the risk of financial harm from fraud at the time they were made. And whether this would have prevented or limited his loss. In broad terms, the starting position at law is that an Electronic Money Institution (“EMI”) such as PSI-Pay Ltd which issues Pockit’s cards is expected to process payments and withdrawals that a customer authorises it to make, in accordance with the Payment Services Regulations (in this case the 2017 regulations) and the terms and conditions of the customer’s account. While the relevant regulations and law are both things I must take into account in deciding this complaint, I’m also obliged to take into account regulator’s guidance and standards, relevant codes of practice and, where appropriate, what I consider to have been good industry practice at the relevant time: see DISP 3.6.4R. So, I also must have regard to these other matters in reaching my decision. Looking at what is fair and reasonable on the basis set out at DISP 3.6.4R, I consider that Pockit should in August 2025 – when these payments were made – have been on the look- out for the possibility of fraud and have taken additional steps, or made additional checks, before processing payments in some circumstances. This is because EMIs are required to conduct their business with “due skill, care and diligence” (FCA Principle for Businesses 2), “integrity” (FCA Principle for Businesses 1) and a firm “must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems” (FCA Principle for Businesses 3). Also, over the years, the FCA, and its predecessor the FSA, have published a series of publications setting out non-exhaustive examples of good and poor practice found when reviewing measures taken by firms to counter financial crime, including various iterations of the “Financial crime: a guide for firms”. Additionally, since 31 July 2023, under the FCA’s Consumer Duty, regulated firms must act to deliver good outcomes for customers (Principle 12) and must avoid causing foreseeable harm to retail customers (PRIN 2A.2.8R). Avoiding foreseeable harm includes ensuring all aspects of the design, terms, marketing, sale of and support for its products avoid causing foreseeable harm (PRIN 2A.2.10G). One example of foreseeable harm given by the FCA in its final non-handbook guidance on the application of the duty was “consumers becoming victims to scams relating to their financial products for example, due to a firm’s inadequate systems to detect/prevent scams or inadequate processes to design, test, tailor and monitor the effectiveness of scam warning messages presented to customers”. I’m mindful that the main card networks don’t allow for a delay between receipt of a payment instruction and its acceptance: the card issuer has to choose straight away whether to accept or refuse the payment. They also place certain restrictions on their card issuers’ right to decline payment instructions. The essential effect of these restrictions is to prevent indiscriminate refusal of whole classes of transaction, such as by location. The network rules did not, however, prevent card issuers from declining particular payment instructions from a customer, based on a perceived risk of fraud that arose from that customer’s pattern of usage. So, it was open to Pockit to decline card payments where it suspected fraud.

-- 2 of 4 --

Overall, taking into account relevant law, regulators rules and guidance, relevant codes of practice and what I consider to have been good industry practice at the time, I consider it fair and reasonable in August 2025 that Pockit should: • have been monitoring accounts and any payments made or received to counter various risks, including preventing fraud and scams; • have had systems in place to look out for unusual transactions or other signs that might indicate that its customers were at risk of fraud (among other things). This is particularly so given the increase in sophisticated fraud and scams in recent years, which firms are generally more familiar with than the average customer; • have acted to avoid causing foreseeable harm to customers, for example by maintaining adequate systems to detect and prevent scams and by ensuring all aspects of its products, including the contractual terms, enabled it to do so; and • in some circumstances, irrespective of the payment channel used, have taken additional steps, or made additional checks, or provided additional warnings, before processing a payment. It isn’t in dispute that Mr M has fallen victim to a scam here. And, as I’ve set out at the start, it’s no longer in dispute that he authorised the payments. I agree with the Investigator’s conclusions that there was nothing remarkable about the first five payments such that I think Pockit should reasonably have suspected that they might be part of a scam. The payments were relatively low in value and spaced out over a period of an hour. That said, by the time Payment 6 was approved, an unusual pattern had begun to emerge. It was made a minute after Payment 5 and went to the same merchant. Payment 6 was the third payment for the same amount to the same merchant in just over 15 minutes. That, combined with an overall increased account activity within the hour, created circumstances which I consider should have led Pockit to suspect that Mr M could be at heightened risk of financial harm from fraud. In line with good industry practice and regulatory requirements, I’m satisfied that it is fair and reasonable to conclude that Pockit should have warned its customer before this payment went ahead. If Pockit had intervened at the suggested trigger point and made enquiries of Mr M, I’ve no reason to believe that he wouldn’t have been honest about what he thought was doing. I’m satisfied that his responses would have led to Pockit discovering that he’d fallen victim to a scam. Given the nature of the scam, I also think a timely warning from Pockit would have resonated with Mr M and stopped him in his tracks. As such, I find that Pockit can be held liable for Mr M’s losses from Payment 6 onwards. Thinking next about Mr M’s role in what happened, he already accepts the Investigator’s recommendation that the refund he’s due is 50% of the payments Pockit could have stopped. Having reviewed the available information, in the circumstances of what happened here and Mr M’s own concerns at the time of the payments, I don’t think this deduction for contributory negligence is unreasonable. Putting things right PSI-Pay Ltd needs to refund Mr M Payments 6-8, making a 50% deduction for contributory negligence. It also needs to add simple interest at 8% per year (less any tax lawfully deductible) to the amount that needs refunding, calculated from the date of loss to the date of refund.

-- 3 of 4 --

My final decision For the reasons given, my final decision is that I uphold this complaint. PSI-Pay Ltd needs to put things right for Mr M as set out above. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr M to accept or reject my decision before 24 April 2026. Gagandeep Singh Ombudsman

-- 4 of 4 --