Financial Ombudsman Service decision

Bank of Scotland PLC · DRN-5746207

Authorised Push Payment (APP) Scam · Complaint upheld · Redress £500

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint

Mrs K is unhappy that Bank of Scotland PLC (trading as ‘Halifax’) won’t refund her fully after she was the victim of a scam.

What happened

Both sides are aware of what happened, so I will provide a brief summary.

Mrs K saw a cryptocurrency investment advert whilst browsing online. The advert featured a well-known entrepreneur who claimed that his team could help people generate monthly income. Mrs K trusted the entrepreneur and so clicked the link at the bottom of the advert to get in touch with the team. Sadly, the advert wasn’t genuine, it had been faked by scammers.

Mrs K made the following payments as the result of the scam:

Date               Payment
23 July 2024       £9,300 to payee MA
26 July 2024       £9,300 to payee TDC
16 August 2024     £5,000 to payee GC (bounced back)
20 August 2024     £5,000 to payee GC
30 August 2024     £1,000 to payee GC
5 September 2024   £1,000 to payee DH

Mrs K said she realised the matter was a scam when the scammers asked for further funds to facilitate withdrawals. She reported the matter to Halifax. They reimbursed 50% of the payments, apart from the 5 September 2024 payment which hadn’t been considered. Mrs K was unhappy with this outcome and brought her complaint to the Financial Ombudsman Service.

Our Investigator looked at everything provided and upheld the complaint for an additional 50% of the final £1,000 payment which hadn’t been considered by Halifax previously. But he did agree that overall, it was fair for both sides to share responsibility. Halifax agreed to pay the additional £500 and 8% simple interest per year for the time Mrs K hasn’t had this money. Mrs K disagreed and requested a final decision, so the complaint has now come to me to consider.

What I’ve decided – and why

I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. I may not comment on every argument raised but have focused on what I believe are the key issues to get to the heart of the matter. Having done so, I agree with the Investigator that Halifax doesn’t have to refund the remaining 50% of the loss, though for slightly different reasons. I am sorry to disappoint
Mrs K here as I can see that the scam has had a severe impact on her finances and health. I have explained my reasoning below.

In broad terms, the starting position at law is that a firm is expected to process payments and withdrawals that a customer authorises, in accordance with the Payment Services Regulations 2017 and the terms and conditions of the customer’s account. However, that isn’t the end of the story. At the time the payment was made, Halifax had agreed to follow the Lending Standards Board’s Contingent Reimbursement Model Code (‘the CRM Code’). This Code required firms to reimburse customers who were the victim of authorised push payment (‘APP’) scams, in all but a limited number of circumstances.

Under the CRM Code, a firm may choose not to reimburse a customer if it can establish that:

• The customer ignored an effective warning in relation to the payment being made; or
• In all the circumstances at the time of the payment, in particular the characteristics of the customer and the complexity and sophistication of the APP scam, the customer made the payment without a reasonable basis for believing that:
  o the payee was the person the customer was expecting to pay;
  o the payment was for genuine goods or services; and/or
  o the person or business with whom they transacted was legitimate

However, a firm cannot decline reimbursement under the CRM Code for one of the reasons above if the customer is considered ‘vulnerable’. As Mrs K has argued that she was vulnerable, I have considered this first.

Was Mrs K ‘vulnerable’ under the CRM Rules?

The CRM Code states that someone is considered vulnerable to APP scams if: “it would not be reasonable to expect that Customer to have protected themselves, at the time of becoming victim of an APP scam, against that particular APP scam, to the extent of the impact they suffered.”

Mrs K has shared with us that her husband and her mother both passed away the year before the scam and that her grief is still very raw. Mrs K’s representative has said it was the anniversary of her mother’s passing on the day she saw the advert for the investment, so this would have impacted her judgement quite substantially. Mrs K also explained that she was not very financially or IT savvy; she said she wasn’t very familiar with loans or with AI which made her vulnerable to being exploited by the scammer and unable to see some of the red flags that were apparent. She said this was why she wasn’t more concerned about the scammer’s advice to give inaccurate answers on her loan applications and why she didn’t have any queries about the advert she watched in the first place.

I’ve given great thought to Mrs K’s points and I’m so sorry that she has experienced so much loss in the last few years. I acknowledge that grief can impact people in different ways and make them act differently to how they normally would. There is no doubt that Mrs K was vulnerable in the plain, everyday meaning of the word. However, I have to consider whether the above definition applies to her circumstances.

Looking at Mrs K’s explanation of what happened, I think there are a number of elements that make it difficult for me to conclude that she should be considered ‘vulnerable’ under the CRM Code:

- Whilst I acknowledge that Mrs K’s grief may have impacted her thought processes, I can’t say that the impact was so severe it meant she was less able to protect
  herself. Mrs K was able to recognise ‘red flags’ and challenge the scammer about their suspicious behaviour, which I wouldn’t necessarily expect a vulnerable person to be able to do. She was then given responses which she was able to rationalise and this led to her continuing to make the payments. For example:
  o she asked the scammer for details of his other clients to prove that the matter wasn’t a scam. He said he couldn’t do that for confidentiality reasons.
  o she recognised the scammer would call her from different numbers and challenged him about it, he said it was cheaper to do it this way.
  o she had reservations about taking out loans but the scammer told her it was what rich people do, which reassured her.
- I appreciate that Mrs K says she is not financially literate, but I don’t think that this meant she was so vulnerable that she couldn’t recognise the risks of taking out loans to fund an investment, or recognise that she would be liable for it if her investment wasn’t successful.
- Mrs K said she didn’t realise the significance of putting a different purpose for the loan on her application form because of her lack of experience with loans. But I don’t think her lack of financial experience was really the issue here. I don’t believe that Mrs K needed to have experience with loans to have concerns that a professional was telling her to mislead the lender about the answers she was giving on a loan application form.
- This was a sophisticated scam that used AI to trick Mrs K into thinking a celebrity was endorsing the investment. I don’t think Mrs K was at a significant disadvantage here compared to others. The use of AI in scams (and particularly the use of AI to create ‘deepfake’ video footage) is evolving, and it can make it very hard for people to know what is genuine and what isn’t.

Whilst I have every sympathy for Mrs K’s position, the points above make it difficult for me to conclude that she should be considered ‘vulnerable’ to the scam as defined in the CRM Code. So I have gone on to consider the other provisions of the CRM Code relating to reimbursement. As Halifax have refunded 50% on the basis that they could have done more to stop the scam, I will only focus on if Mrs K had a reasonable basis for believing that the scam was legitimate, or if it was reasonable for Halifax to decline reimbursement for this reason.

Did Mrs K make the payment without a ‘reasonable basis for belief’?

I have given a great deal of thought on this issue as I think the matter is finely balanced. I am aware of how much is at stake for Mrs K, so I have explained my thoughts below.

I can understand why Mrs K thought the scam was legitimate:

- The Investigator said that if Mrs K had researched the celebrity’s involvement with the investment then the scam would’ve been exposed. However, I’m not persuaded by this argument. I’m sympathetic to the fact that such videos can be impressively believable and so it’s understandable why she thought it was authentic and didn’t think to research this aspect of the investment.
- She did receive £13.02 from the scammer as returns into another account. This would have added to the sense that the opportunity was legitimate as she did receive funds back, albeit a very small amount.
- She did challenge the scammer on a number of issues that she found suspicious and he was able to reassure her, as mentioned in my discussion on vulnerability above.
- Mrs K’s daughter appears to assist her in the investment from early on in the scam. I think this would’ve added to Mrs K’s confidence that the investment was legitimate as she knew someone else who believed the opportunity was real.

But there were fundamental red flags here which I think Mrs K should have seen and which indicated that the opportunity wasn’t legitimate:

- Mrs K says she kept asking the scammer if the investment was a scam or not, but I can’t see that she made attempts to independently verify the investment or the scammer. For example, Mrs K asked the scammer to provide details of other people who had successfully invested, but she didn’t really get any information from him which would have reassured her that the matter wasn’t a scam as he said he couldn’t give her the information that she wanted due to confidentiality. It seemed to be critically important to her to have this reassurance, but when it wasn’t provided, she continued to make payments anyway. I don’t think she acted reasonably in doing so. I appreciate that Mrs K has no experience with investment, so she may not have known how to verify the opportunity, but I don’t think this meant she had to move forward with the payments.
- I think Mrs K should have been uncomfortable with the fact that the scammer coached her to mislead lenders in order to get loans and to mislead the bank as to the purpose of the payments. I appreciate that Mrs K is not a savvy investor and hasn’t taken out loans before, but I do think that being advised by a professional to mislead a bank about payments or the purpose of a loan should have raised concerns, as there should be no reason to lie to a bank about either.
- Given Mrs K’s financial situation, I don’t think she should have been comfortable with the scammer’s direction for her to take out loans to invest. She was borrowing money that she would struggle to pay back if the investment didn’t pay out, which was a real risk. I think it should have been even more concerning when the scammer encouraged her to borrow further, as Mrs K was getting into further debt. I appreciate that Mrs K was promised that the investment was ‘safe’, so she thought she would be able to pay off the loans, but by the payment request for £5,000 around the 16 August 2024, she was told she would need to invest more to secure the account, indicating that the investment wasn’t safe at all. Mrs K knew at that point the investment was riskier than she’d previously assumed and was not guaranteed, so I don’t see why she made further payments after this point. I think this was another fundamental red flag that all was not as it seemed.

Overall, I cannot say that Mrs K had a reasonable basis for believing that the investment opportunity was real. I think the fact that she was being asked to fund the investment with loans was deeply suspicious and this concern should have been at the forefront of her mind when considering if to make the payments.

I am truly sorry for the circumstances that Mrs K is in following the scam but I cannot say that Halifax have to refund more than what has already been recommended. As mentioned above, Halifax agreed that they didn’t meet the standards for firms under the CRM Code and have refunded 50% of the payments apart from the last £1,000. They have since agreed to refund 50% of the £1,000 and pay compensatory interest of 8% for the time Mrs K didn’t have the money. I think this is fair.

Putting things right

Halifax should:

- Reimburse Mrs K 50% of the final £1,000 payment made to the scam on 5 September 2024, so £500.
- Pay 8% simple interest on the £500 from the time the payment was made to the time that Mrs K receives the reimbursement.
My final decision

My final decision is that I uphold this complaint against Bank of Scotland PLC (trading as Halifax).

Under the rules of the Financial Ombudsman Service, I’m required to ask Mrs K to accept or reject my decision before 23 March 2026.

Paula Lipkowska
Ombudsman