Financial Ombudsman Service decision

PayrNet Limited · DRN-6055416

Unauthorised TransactionComplaint upheldDecided 19 January 2026
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint A company I’ll call S complains that PayrNet Limited (trading as ANNA) has declined to reimburse payments it says were unauthorised. Mr G is the director of S and has instructed a professional representative to bring this complaint on its behalf. What happened In November 2024, Mr G received a notification to authorise setting up Google Pay on a new device – he approved this request believing that it related to his own activity of previously adding his card to his laptop. After seeing relatively low value payments on the account that he didn’t recognise, Mr G froze the card and reported them to PayrNet. However, Mr G then unfroze the card when he needed to make payments unsure if the payments were legitimate or not. Further payments were then made which Mr G says were also unauthorised. ANNA declined to reimburse the payments on the basis that it considered the payments authorised and that it didn’t think it ought to have intervened in any of the payments. ANNA didn’t think there were grounds for a chargeback in the circumstances. The complaint was referred to our service via a professional representative. The investigator didn’t uphold it; they explained why weren’t persuaded the payments were unauthorised based on the information provided. And they didn’t think ANNA ought to have done more to prevent or recover the payments in the circumstances. S’s representative didn’t accept this outcome - in summary it said: • Mr G didn’t consent to the payments and so they were unauthorised under the Payment Services Regulations 2017 (PSRs). • Mr G’s card details could have been obtained when he used merchant websites – he had experience of using a website where he never received what was purchased. • When Mr G received a new device login notification, he presumed it was one of his own devices. Once set up further involvement from Mr G wasn’t required for each payment. • Mr G didn’t make the disputed payments – this is supported by them being processed abroad. • ANNA was on notice after Mr G notified it of fraudulent transactions on 2 November 2024. • The payments were high risk due to their value, pace, location, recent fraud report. As an agreement couldn’t be reached, the matter was passed to me for consideration by an ombudsman. I wrote to both parties on 19 January 2026 explaining why I thought ANNA ought to reimburse the payments and pay S interest for the time it had been without the funds. S’ representative accepted this outcome on its behalf, but ANNA didn’t respond by the deadline set.

-- 1 of 3 --

What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so I’m upholding this complaint, I’ll explain why. Under the Payment Services Regulations 2017 (PSRs) – the starting point is that S is liable for authorised payments and ANNA is liable for unauthorised payments. The PSRs also set out other situations where S would be liable for payments, of relevance here is if Mr G failed with intent or gross negligence to take all reasonable steps to keep the secure information safe. Taking what Mr G says at face value – as I have no persuasive evidence to the contrary - a third party appears to have initiated the process to add S’s card to Google Pay on 13 October 2024. We can’t know for certain how these details were compromised, but it’s possible they were obtained from a website Mr G had used that was in some way compromised or from some other a phishing attempt. Mr G noticed the notification in his banking app on 19 October 2024 and confirmed this was him – he’s told us that he thought it was in relation to him adding his card to his laptop which on the face of it was a genuine mistake. This new token was used to make a small payment on 1 November 2024 and then two further payments on 2 November 2024. Mr G noticed this, froze the card and contacted ANNA – the chat history shows Mr G went through the process to “report fraud” and was clear about not recognising the two payments from 2 November 2024 – he says he hadn’t noticed the smaller one from 1 November 2024 at the time. The chat history also shows that on 6 November 2024 Mr G was asked by the ANNABOT “Do you want to report this card as lost or stolen so we can re-issue it?” and he responded, “Yes please”. It’s not clear why this didn’t happen. Mr G then unblocked the card to use it on 13 November 2024 – he’s said he needed to pay bills for the company. In addition to his payments, four further payments were made using the Google Pay token that Mr G says he didn’t consent to. I find Mr G’s story plausible, and his actions are consistent with someone who has been the victim of fraud. I appreciate it was arguably careless of Mr G to confirm a new token without checking the details, but given the time that passed between when it was initiated and Mr G approved it, I can see how he might have thought it related to something else he had done. ANNA has had the opportunity to provide commentary on whether it accepts Mr G was the victim of fraud and hasn’t responded by the deadline set. As it doesn’t appear to be in dispute that Mr G didn’t make any of the disputed payments, or that he didn’t agree to a third party making payments on his behalf, I don’t think they are authorised under the tests set out in the Payment Services Regulations 2017. I don’t think S can be held liable on the basis that Mr G failed in his obligations with intent or gross negligence. There’s no evidence to suggest he shared his card details in a way beyond their normal use. And I don’t consider the action of confirming the new device or unblocking the card directly relates to the obligations set out in the PSRs. I also consider that ANNA was on notice that the payment instrument has been misappropriated, and it’s not clear why the card wasn’t cancelled and replaced on 6 November 2024.

-- 2 of 3 --

For these reasons I don’t think ANNA has shown it acted reasonably in treating the payments as authorised or holding S liable for the payments for any other reason. It follows that I think ANNA should reimburse the payments. As S is a limited company, I’m not making an award for the impact this fraud had on Mr G personally. My final decision My final decision is that PayrNet Limited should: 1. Reimburse S the value of the disputed payments - £14,607.74 2. Pay S simple interest on the amount in point 1 at a rate of 8% from the date of the payments to the date of settlement. Under the rules of the Financial Ombudsman Service, I’m required to ask S to accept or reject my decision before 13 March 2026. Stephanie Mitchell Ombudsman

-- 3 of 3 --