Financial Ombudsman Service decision

HSBC UK Bank Plc · DRN-6028956

Authorised Push Payment (APP) ScamComplaint upheldRedress £5,500
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr A complains that HSBC UK Bank Plc (‘HSBC’) did not reimburse the funds he says he lost to a scam. What happened The circumstances of the complaint are well-known to both parties. So, I don’t intend to set these out in detail here. However, I’ll provide a brief summary of what’s happened. In October 2023 Mr A was introduced to an investment opportunity with a company I’ll refer to as ‘Company I’. The director of Company I, whom I’ll refer to as ‘Mr W’, told Mr A that his investment would be used to trade cryptocurrency, forex and other commodities and that he could expect a monthly return of around 13%. Mr A made two payments to Company I from his HSBC account, one of £5,000 on 5 October 2023 and one of £3,000 on 6 November 2023. On 10 March 2024 Mr A received £2,500 from Company I after requesting a withdrawal. Mr A didn’t receive any further payments from Company I or Mr W despite asking to withdraw further funds. After several months contacting Mr W about the withdrawal request, Company I and Mr W stopped responding to Mr A. Mr A raised a claim with HSBC on 19 July 2024. HSBC rejected the claim on the same day during a phone call with Mr A, saying what had happened was a ‘civil dispute’ and not a scam, so it wouldn’t reimburse Mr A. Through a professional representative, Mr A raised a complaint with HSBC, but the outcome remained the same. Unhappy with the outcome, Mr A brought his complaint to this service. One of our Investigators considered the complaint and recommended that it be upheld. She was persuaded that Company I was operating as a scam and that the Contingent Reimbursement Model Code (‘CRM Code’) applied. Our Investigator concluded that HSBC couldn’t rely on any of the exceptions to reimbursement under the CRM Code so HSBC should fully reimburse Mr A’s remaining loss. She recommended HSBC refund Mr A £5,500 plus interest. Mr A agreed with the outcome, but HSBC did not. HSBC said it would be premature for our service to provide an outcome while a police investigation is ongoing. It also said our Investigator’s assessment hadn’t considered the specific merits of how Mr A’s funds were used by Company I. HSBC also said it gave a warning with clear, concise and unambiguous advice to Mr A which he ignored and that the returns he expected to see were too good to be true. As an informal agreement couldn’t be reached, the complaint has been passed to me to decide. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable

-- 1 of 7 --

in the circumstances of this complaint. In deciding what’s fair and reasonable in all the circumstances of a complaint, I’m required to take into account relevant: law and regulations; regulators’ rules, guidance and standards; codes of practice; and, where appropriate, what I consider to have been good industry practice at the time. Our service is an informal dispute resolution provider that is fair and impartial and aims to settle disputes between businesses and consumers. I have to consider the complaint before me and whether, based on the evidence available, it was fair and reasonable for HSBC to decline reimbursing Mr A under the provisions of the CRM Code. While there is an ongoing police investigation, for reasons I will go on to explain, I consider I am able to reach a final decision on what I consider is a fair answer to the complaint. HSBC was signed up to the voluntary CRM Code, which provides additional protection to scam victims. Under the CRM Code, the starting principle is that a firm should reimburse a customer who is the victim of an APP scam (except in limited circumstances). But the CRM Code only applies if the definition of an APP scam, as set out in it, is met. HSBC told Mr A that because he received £2,500 back from Company I and had a contract, it considered what happened a civil dispute between the parties – which is not something covered by the provisions of the CRM Code. I also note that HSBC gave Mr A this outcome in the same phone call in which he reported it to HSBC. Because of this, it can’t seek to rely on the provision of the CRM Code that allows a firm to delay giving an outcome while a statutory body is carrying out an investigation. To determine Mr A’s complaint, I’ve considered whether, on the balance of probabilities, the available evidence indicates that it’s more likely than not that Mr A was the victim of a scam rather than a failed investment. Was there an APP scam? In order to reach a decision, I’ve considered the definition of an APP scam under the CRM Code, which defines an APP scam as: “…a transfer of funds executed across Faster Payments, CHAPS or an internal book transfer, authorised by a Customer in accordance with regulation 67 of the PSRs, where: (i) he Customer intended to transfer funds to another person, but was instead deceived into transferring the funds to a different person; or (ii) he Customer transferred funds to another person for what they believed were legitimate purposes but which were in fact fraudulent.” The CRM Code only applies if the definition of an APP scam is met and doesn’t apply to private civil disputes. So, it wouldn’t apply to a payment made for a genuine investment that subsequently failed. There’s no dispute that Mr A’s funds were transferred to the intended recipient, so to decide whether Mr A is the victim of an APP scam as defined in the CRM Code I have considered:

-- 2 of 7 --

- The purpose of the payments and whether Mr A thought this purpose was legitimate. - The purpose the recipient (Company I) had in mind at the time of the payments, and whether this broadly aligned with what Mr A understood to have been the purpose of the payments. - Whether there was a significant difference in these purposes, and if so, whether it could be said this was as a result of dishonest deception. Mr A sent money to Company I which he believed would be used for trading in different commodities, cryptocurrencies and Forex, and would receive returns of around 13% per month. Mr A believed Company I was legitimate and that the purpose for paying Company I was also legitimate. I’ve considered whether there’s convincing evidence to demonstrate that Company I’s purpose for the payments was fraudulent. That is, whether Company I’s purpose must have been to misappropriate Mr A’s funds or otherwise deprive him of his money, rather than to use it for the purpose believed by Mr A. Company I had some features that gave it the impression of a legitimate business and investment operation. It was registered on Companies House, had an office, support staff and Mr W had spoken to Mr A and other investors directly. Like Mr A, other investors who lost money had also been introduced to the scheme through personal recommendations – sometimes by people who’d successfully withdrawn “profits” from the scheme. However, I’ve found the following facts to be persuasive evidence that Company I was operating as a scam: • Mr W, and Company I, claimed to be providing a service that required it to be regulated by the Financial Conduct Authority (‘FCA’) – even though Company I wasn’t regulated. It seems Mr W was aware of this fact given that he sent Mr A an email asking him to complete a risk assessment in order to comply with FCA regulations. Mr W also gave assurances to Mr A that Company I was in the process of obtaining FCA authorisation – although there’s nothing to suggest Mr W was actually seeking FCA authorisation. Essentially Mr W led Mr A, and other investors, to believe that he was following necessary regulatory requirements, but in fact wasn’t. • I’ve reviewed evidence that I’m unable to share due to data protection legislation. The evidence shows that while there were some payments made towards trading activities, these payments were only a relatively small proportion of the payments Company I received from investors (including Mr A). • espite the low proportion of investor funds used for investment purposes, Company I still paid out a significant amount back to investors. Company I did receive some money from trading related activities, but it was a very small percentage of the amount that was paid back to investors. It seems a large proportion of ‘returns’ investors were seeing weren’t in fact investment returns – but funds provided to Company I by other investors. • It seems to me that Company I was sending funds to investors to give the impression that it was performing as expected, the likely intention of which was to obtain further investment into what was overall a scam. The evidence available to me also

-- 3 of 7 --

suggests new investors were usually introduced to the scheme by existing investors who were often friends, family or acquaintances. These are all common features of a Ponzi scheme. • Company I also guaranteed minimum returns of 13% per month despite the investments it was supposedly making being high risk and volatile. I don’t think a legitimate investment firm would guarantee such returns. So I don’t think that Mr W was honest with Mr A, and other investors, about the level of risk involved. • While Company I was a registered company, no accounts were ever filed with Companies House despite the company being live for around four years. • Whilst I recognise there may not be a prosecution, I note there is an ongoing police investigation into Mr W and Company I. Considering all of the above, I’m satisfied, on the balance of probabilities, that the money Mr A sent to Company I was not most likely used for its intended purpose. The evidence suggests that Mr A’s payments went towards a scam, rather than a failed investment. Because I’m satisfied Mr A has most likely been the victim of an APP scam, I’ve considered whether he should be reimbursed under the CRM Code. Is Mr A entitled to reimbursement under the CRM Code? Under the CRM Code, a Sending Firm (in this case HSBC) may choose not to reimburse a customer if it can establish that*: • …The customer made the payment without having a reasonable basis for believing that: • the payee was the person the Customer was expecting to pay; • the payment was for genuine goods or services; and/or • the person or business with whom they transacted was legitimate. • The customer ignored what the CRM Code refers to as an ‘Effective Warning’ by failing to take appropriate action in response to such an Effective Warning. *Further exceptions outlined in the CRM Code do not apply to this case. When assessing whether it can establish these things, HSBC must consider whether they would have had a ‘material effect on preventing the APP scam’. Did Mr A have a Reasonable basis for belief? I have considered whether Mr A had a reasonable basis to believe Company I was legitimate and was providing a genuine investment opportunity. Mr A was introduced to the scheme by two friends who were also colleagues of his that he’d known for several years, and one happened to be the next door neighbour of Mr W. Mr A and his friends worked in finance related roles, often socialising and discussing finances. Mr A had also met Mr W previously when socialising with his friend. Both of Mr A’s friends reassured him that Mr W was trustworthy and that they had seen good returns and had been able to withdraw funds from the investment. They also showed him graphs, monthly reports they’d received from Company I and evidence of multiple drawdowns.

-- 4 of 7 --

Mr A reached out to Company I and was sent a prospectus and a phone call was arranged with Mr W in which Mr A asked about the investment and how it worked. Mr A has said he asked questions and received confident and knowledgeable answers from Mr W about how the trading worked and the strategy. Mr A has said he was told that the 13% minimum return was achievable by only investing small percentages of the overall investment profile at a time. Mr A had some general knowledge of cryptocurrency and had seen posts online about strategies like this as well as seeing that good returns could be made in trading these and other commodities. Mr A says he asked Mr W about FCA authorisation and was told it was in progress and that the process took time. Mr A was also reassured by Mr W that there would be a contract in place guaranteeing minimum returns, and withdrawals which would take ten days. Satisfied that Company I was a legitimate investment opportunity and given the close personal connection he had with his friends, Mr A agreed to invest. Though I haven’t seen a copy, the evidence suggests Mr A was sent a contract which he signed and returned before being provided with Company I’s bank details. Mr A then made his first payment of £5,000 to an account which matched Company I’s name. Following this, Mr A started to receive frequent updates from Mr W about the market conditions. He was also sent a professional looking monthly report which showed how his portfolio was progressing. Happy with what he’d seen he decided to invest more and sent another £3,000 around a month after the first payment. I have thought about the fact that the returns promised were relatively high and supposedly guaranteed, and this should perhaps have caused Mr A concern. But, and importantly, alongside this I also have to weigh up what Mr A had been told about Company I by others, and what he had seen others seemingly get back in returns and how their investments were doing. I think the sophisticated aspects of the scam and what he was told and shown by Mr W and others, outweighs the concerns that Mr A perhaps ought to have had about the returns being claimed. Overall, I’m not persuaded Mr A didn’t have a reasonable basis for believing Company I was a legitimate investment opportunity. So, I don’t think HSBC can fairly rely on this exception to reimbursement under the CRM Code. Did Mr A ignore Effective Warnings I have also considered whether HSBC can rely on the exception to reimbursement that Mr A ignored what the CRM Code deems to be an ‘Effective Warning’. In short, the CRM Code said that where the firm identifies an APP scam risk it should take reasonable steps to provide their customer with ‘Effective Warnings’. It goes on to say that as a minimum, an Effective Warning should be understandable, clear, impactful, timely and specific. HSBC only needs to provide an Effective Warning when it identifies APP scam risks during a payment journey. Having considered Mr A’s usual account activity, I would have expected HSBC to have had concerns about the first payment. HSBC did show Mr A a warning when he made that payment. HSBC has said the warning shown to Mr A was relevant and effective and that if Mr A had taken heed it would’ve prevented the scam. The warning shown to Mr A was in two parts. The first part warned him that if the payment was made to a scam he could lose his money and gave common signs of a scam. The second part gave some advice on how Mr A could protect himself. While some of the advice given in the warning was relevant to Mr A’s circumstances, I am not persuaded that the warning presented to Mr A was impactful in Mr A’s specific circumstances. I say this because:

-- 5 of 7 --

• The first part of the warning led with advice and recommendations about being told to mislead the bank, pressure to invest savings or move pension funds and using social media to gain trust. None of these points were relevant to Mr A’s circumstances and I don’t think he would have thought they apply to the situation he was in. • The warning refers to different aspects of investment scams without being specific to any one type of investment scam, and particularly the specific scam Mr A was falling victim to. As such, I don’t think it brought to life the scam Mr A was falling victim to. • Mr A wasn’t cold-called or pressured into making the payment. And while he was guaranteed returns by Mr W, he had discussed with him how that was possible and received plausible answers as well as seeing trusted friends receive such returns. • Company I wasn’t FCA authorised, but again, Mr A had already discussed this with Mr W and received an explanation he thought was reasonable. The company also wasn’t on the FCA warning list at the time (or since). • The investment Mr A was making wasn’t just into cryptocurrency, but trading cryptocurrency, other commodities and Forex and he wasn’t expecting to have his own wallet or personally hold any of the funds. His understanding was that Mr W and Company I were going to use his funds to trade with and generate profits. For the reasons given above I don’t think the warning would have been impactful in Mr A’s specific circumstances. Overall, I’m not satisfied HSBC showed Mr A effective warnings when the scam payments were made. As a result, I’m not persuaded HSBC has demonstrated that this exception to reimbursement applies. Should HSBC have done anything else to prevent the loss? Good industry practice requires that regulated firms such as HSBC engage in the monitoring of customer accounts and to be on the lookout for suspicious or out of character transactions with an aim of preventing fraud and protecting customers from financial harm. Outside the provisions of the CRM Code, I consider it unlikely that any intervention by HSBC at the time of the payment would have positively impacted Mr A’s decision-making. I don’t think either party would have likely uncovered sufficient cause for concern about Company I at the time such that Mr A would have chosen not to proceed. I say this because I believe Mr A truly trusted his friends who had seen returns and what Mr W had told him was possible – along with the supposed results he saw based on his first payment. I don’t think he would have thought he was being scammed even if HSBC had questioned him further or had given him more relevant scam warnings at the time of the payments. So I don’t think HSBC would have been able to break the spell of the scam and ultimately prevent Mr A from transferring his money to Company I. Recovery of funds I’ve considered whether HSBC did what it could to recover the funds Mr A lost after he reported the matter to it. I can’t see that HSBC attempted to recover the funds from the recipient account. But by the time the claim had been raised to HSBC, Mr A’s funds had long since left the Company I’s account. Summary Overall, I am satisfied, based on the evidence available, that Mr A was more likely than not

-- 6 of 7 --

the victim of an APP scam. And his fraud claim is therefore covered by the provisions of the CRM Code. I’m also satisfied HSBC can’t fairly rely on any exceptions to reimbursement under the CRM Code so HSBC should reimburse Mr A under the provisions of it. In my judgment, this is a fair and reasonable outcome in the circumstances of this complaint. Putting things right I uphold this complaint. HSBC UK Bank Plc should pay Mr A: • £5,500 which is the remaining amount he lost to the scam orchestrated by Company I and Mr W; and • 8% simple a year interest on that amount from the date HSBC declined Mr A’s claim (19 July 2024), to the date of settlement. I’m aware that the police are actively investigating Mr W and Company I. It’s possible that the police investigation might result in some recoveries for Company I’s investors – including Mr A. In order to avoid the risk of double recovery, I think HSBC would be entitled to take, if it wishes, an assignment of rights to all future distributions to Mr A under those processes in respect of this investment before paying any redress to Mr A. My final decision For the reasons given above, I uphold this complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr A to accept or reject my decision before 17 February 2026. Mike Southgate Ombudsman

-- 7 of 7 --