Financial Ombudsman Service decision

Lloyds Bank PLC · DRN-6013353

Unauthorised TransactionComplaint not upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr W complains that Lloyds Bank PLC failed to refund an unauthorised transaction made from his account. What happened The facts of this case are well known to both parties, so I’ll keep my summary brief. On a night out Mr W’s phone was stolen and after being threatened he handed over his phone PIN. After Mr W’s phone was stolen four transfers were completed from his account totalling £450. Mr W reported the fraud claim to Lloyds and advised them that he hadn’t shared his internet banking details nor stored them on his phone. Lloyds didn’t uphold it concluding that there was no plausible explanation for how a fraudster could have gained access to Mr W’s internet banking without his memorable word and password. Mr W raised a complaint with Lloyds but they felt they’d acted fairly in declining his claim. As Mr W wasn’t happy he brought his complaint to our service. One of our Investigators looked into his complaint, and initially they upheld it. Our Investigator thought it more likely than not the fraudster had managed to guess or obtain his security details to access his mobile banking application and make the transfers. Mr W accepted, but Lloyds didn’t. They argued that both a memorable word and password were needed, and it was implausible these could be guessed. Our Investigator considered their outcome, and following the new information supplied by Lloyds changed their conclusion. They now agreed that the fraudsters obtaining both the memorable owrd and password without them being written down was implausible. They thought Mr W acted with gross negligence as he must have stored both on his phone. Mr W didn’t agree and argued he was only required to pick selected characters from his memorable information to log into his application, and not both his password and memorable information. He reiterated the facts of the night when his phone was stolen, advising it was a terrifying incident, he didn’t, share anything other than his PIN and his phone was accessed without his consent and money stolen. As Mr W didn’t agree it’s been passed to me to decide. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint.

-- 1 of 2 --

I’ve seen evidence that the disputed transactions were authenticated using Mr W’s mobile banking. The relevant legislation, the PSRs 2017, says on its own authentication isn’t enough to conclude Mr W should he held liable for the transaction. Lloyds also need to show that on balance Mr W most likely consented to the payments or if the payments were unauthorised Mr W acted with gross negligence or failed with intent. I empathise with the distressing situation Mr W found himself in. Namely being threatened at knife point to hand over his mobile phone and PIN. However, I also need to determine how I think the disputed payments were carried out after the robbery occurred. I’ve received conflicting information from Lloyds regarding the steps needed to log into Mr W’s mobile banking app. However, I’m satisfied that at the very least a fraudster would need access to Mr W’s memorable information to enter a selection of characters. That means either the fraudster knew the memorable information or guessed it. I’m afraid I don’t find guessing it as plausible – even if Mr W had other passwords/data written down on his phone, I find it unlikely a fraudster successfully found a password written down for another purpose and managed to guess this was the same as Mr W’s memorable information on their first attempt. I’m afraid I think it’s more likely Mr W had his memorable information stored on his phone – it’s difficult for me be confident on how exactly this was recorded, and whether it clearly stated it was for his Lloyds account. But I can only conclude it was sufficient for the fraudsters to access his Lloyds account on their first attempt. I’ve thought about whether by storing his memorable information in an accessible format on his phone Mr W has been ‘grossly negligent’. For me to conclude he has I’d need to be satisfied Mr W showed a very significant degree of carelessness. It’s difficult for me to conclude this due to Mr W maintaining that he hasn’t stored his memorial information anywhere on his phone – however, for the reasons I’ve already outlined, specifically that the fraudsters managed to gain access to Mr W’s mobile banking app at the first attempt without any failed log ins, I’m satisfied that this information must have been clear and accessible. And this means Mr W has shown a very significant degree of carelessness. I empathise with Mr W’s situation, and the trauma he experienced. But under the relevant rules Lloyds aren’t liable to refund Mr W for the disputed transactions if he’s acted with gross negligence. For the reasons I’ve outlined above I think it’s fair for Lloyds to hold Mr W liable and not refund the payments. It follows I won’t be asking them to do anything further. My final decision My final decision is I don’t uphold this complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr W to accept or reject my decision before 28 April 2026. Jeff Burch Ombudsman

-- 2 of 2 --