Bank of Scotland plc · DRN-6239377

The complaint Mr R complains that Bank of Scotland plc won’t refund money he lost to a scam. Mr R is represented by a firm I’ll refer to as ‘C’. What happened The background to this complaint is well known to both parties and so I’ll only refer to some key events here. Mr R fell victim to an investment scam in 2024. He’s explained that he saw a post on his friend’s social media page promoting a crypto investment opportunity with a firm I’ll refer to as ‘N’. We now know the friend’s social media account had been hacked and that N was a scam. But under the belief it was legitimate, Mr R proceeded to invest. To do this, Mr R purchased crypto from a legitimate provider before forwarding it to N’s trading platform. Mr R made four payments to the scam – via the crypto provider - totalling £10,000 between 19 August and 1 September 2024. But when Mr R requested a withdrawal of his funds, he encountered issues and was told more money had to be deposited to cover unforeseen fees. At which point, Mr R became suspicious and conducted further research which led him to discover social media posts indicating his friend’s account had been hacked. This made Mr R realise N was a scam. C complained to Bank of Scotland, on Mr R’s behalf in November 2024 – saying Bank of Scotland failed to protect him from the scam. C wanted Bank of Scotland to refund Mr C, pay 8% simple interest and £300 compensation. Bank of Scotland rejected the complaint The complaint was brought to the Financial Ombudsman. I wrote to both parties and said: “Our Investigator didn’t uphold Mr R’s complaint as he didn’t think Mr R’s loss had been sufficiently evidenced – as he alluded to the ‘scam chat’ referencing a ‘defi wallet’ and a ‘[crypto provider A] account’. But having looked at the evidence, I’m satisfied that that it shows no funds were sent to either a defi wallet or [crypto provider A] account in Mr R’s name and control. Instead, it shows that he was unable to withdraw funds from the scam platform (N). I’m satisfied that Mr R fell victim to a scam and sent funds, via [crypto provider B], to a crypto wallet address provided by the scammer – under the belief N was a legitimate platform. And given there’s nothing to evidence any funds were returned to Mr R, I’m satisfied he suffered a loss to the scam. At which point, I note that the £71.91 credit from [crypto provider C] wasn’t invested through N (and so wasn’t part of the scam) and the £2,000 credit from [crypto provider B] was an unsuccessful payment that was returned. So, I consider Mr R’s loss to be £10,000. Taking into account the regulatory rules and guidance, relevant codes of practice and

-- 1 of 5 --

good industry practice, including the Consumer Duty, there are circumstances where it might be appropriate for Bank of Scotland to take additional steps or make additional checks before processing a payment to help protect customers from the possibility of financial harm from fraud. I wouldn’t have expected Bank of Scotland to have intervened before processing the first two payments given their low value. But I think it would’ve been reasonable for them to have carried out some additional checks before processing the £4,000 payment – given its value and it being sent to a crypto provider (which carries a known risk). In these circumstances, I think a proportionate response would’ve been for Bank of Scotland to have taken reasonable steps to attempt to identify the specific scam risk – for example by seeking further information about the nature of the payment to enable them to provide more tailored warnings. Bank of Scotland knew the £4,000 payment was being made to a crypto provider and their systems ought to have factored that information into the warning they gave. And so, Bank of Scotland ought to have attempted to narrow down the potential risk further. I’m satisfied that when Mr R made the payment, Bank of Scotland should – for example by asking a series of automated questions designed to narrow down the type of crypto related scam risk associated with the payment he was making – have provided a scam warning tailored to the likely crypto related scam Mr R was at risk from. In this case, Mr R was falling victim to a ‘crypto investment scam’. As such, I’d have expected Bank of Scotland to have asked a series of simple questions in order to establish that this was the risk the payment presented. Once that risk had been established, they should have provided a warning which was tailored to that risk and the answers Mr R gave. I’d expect any such warning to have covered off the key features of common crypto investment scams, for example referring to: an advertisement on social media, fake trading platforms, an ‘account manager’, ‘broker’ or ‘trader’ acting on their behalf; the use of remote access software and a small initial deposit which quickly increases in value. It also ought to have highlighted some of the steps Mr R could take to protect himself from falling victim to a scam – such as carrying out research on the firm before proceeding (including checking the FCA’s website and online reviews) and seeking independent financial advice. I acknowledge that any such warning relies on the customer answering questions honestly and openly, but I’ve seen nothing to indicate that Mr R wouldn’t have done so here. This is because, having reviewed his conversation with the scammer, I haven’t seen anything to show he was told – or that he agreed – to mislead Bank of Scotland if questioned about the payment(s). I’ve thought carefully about whether such a warning would’ve resonated with Mr R and to the extent whereby he wouldn’t have proceeded with making it. Having done so, I think it would. Although Mr R seemingly believed he was dealing with a legitimate firm, having been unknowingly reassured by his friend whose account had been hacked on social media, he questioned how safe his money was before investing and highlighted that he didn’t have any knowledge of crypto trading. So, I think Mr R would’ve been receptive to advice and warnings provided by his trusted bank – thereby leading him to take greater caution before proceeding. This, in my view, would’ve likely led him reaching out to his friend in person and/or carrying out additional checks on N online before proceeding.

-- 2 of 5 --

This would’ve likely uncovered the scam – as, from my historical internet search, there was little (if anything) to indicate it was a legitimate firm. And Mr R’s friend would’ve also been able to confirm that they hadn’t invested themselves or recommended it on their social media account. It follows that I think it would’ve been enough to have made Mr R realise that the investment opportunity wasn’t genuine. In turn, I consider it most likely Mr R wouldn’t have gone ahead with the £4,000 payment or those that followed. I’ve thought about whether Mr R should bear any responsibility for his loss. In doing so, I’ve considered what the law says about contributory negligence, as well as what I consider to be fair and reasonable in all of the circumstances of this complaint including taking into account Mr R’s own actions and responsibility for the losses he has suffered. When considering whether a consumer has contributed to their own loss, I must consider whether the consumer’s actions showed a lack of care that goes beyond what we would expect from a reasonable person. I must also be satisfied that the lack of care directly contributed to the individual’s losses. Here, I consider that there were sophisticated aspects to this scam – including, for example, N’s trading platform and how the scammer hacked the friend’s social media account. I must however also take into account that Mr R was promised returns that should’ve been seen as simply too good to be trust – such as a £50,000 investment yielding returns of up to £420,000 in 12 months, or special trading signals that provided returns of between 1.8 to 2.9 times the investment in a 24-hour period. And so, I think it would’ve been reasonable for Mr R to have carried out further due diligence on N (beyond relying on the assurance he received via social media) before proceeding. This could’ve similarly included carrying out research on the firm, speaking to his friend in person, or seeking independent financial advice. If Mr R had done so, then I think he would’ve become aware he was falling victim to a scam and prevented his losses from this point. I’ve concluded, on balance, that it would be fair to reduce the amount Bank of Scotland pays Mr R because of his role in what happened. Weighing the fault that I’ve found on both sides, I think a fair deduction is 50%.” I therefore thought that, to put things right, it would be fair for Bank of Scotland to refund 50% of the last two payments - £4,500 – along with 8% simple interest (calculated from the date of each payment to the date of settlement). C confirmed Mr R’s acceptance. Bank of Scotland didn’t agree that they ought to have been expected to have intervened before processing the third payment (£4,000). In short, Bank of Scotland said: • They use a data-driven approach that incorporates both customer history and transaction patterns to reduce inconsistency and subjectivity – which draws on insights from previous fraud and scams.

-- 3 of 5 --

• They’ve applied this methodology against Mr R’s typical account activity to ensure a fair and consistent assessment, and to identify when the behaviour first became unusual for Mr R. • The value and frequency of these transactions were consistent with Mr R’s typical account behaviour. He regular used Faster Payments, and he’d made two payments of a significantly higher in value (£12,159 and £10,000). • Purchasing crypto is lawful and an increasingly common financial activity. It isn’t unusual for individuals to invest their funds this way. • They don’t think it would’ve been appropriate to intervene given these transactions were consistent with prior account behaviour. Given both parties have had an opportunity to respond, I can proceed to make my final decision on Mr R’s complaint. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having given careful consideration to the additional points raised by Bank of Scotland, I’m not persuaded to depart from the above. I’ll explain why. Bank of Scotland argues that, based on his prior account activity, the £4,000 payment wasn’t unusual or out of character for Mr R – and so, it didn’t warrant additional checks to have been carried out before being processed. While I accept that Mr R did make occasional transactions on his account of a greater value, that isn’t the only consideration when determining the fraud or scam risk associated with a payment. Here, the payments were being made to a well-known crypto provider. And there are known fraud risks associated with crypto as scams like this have unfortunately become more prevalent in recent years. The FCA and Action Fraud published warnings about crypto scams in mid-2018 and figures published by the latter show that losses suffered to crypto scams have continued to increase since. And so, Bank of Scotland should’ve been aware of the potential risks crypto presented when these payments were made. At which point, I’ve noted Bank of Scotland’s point that purchasing crypto is lawful and becoming increasingly common financial activity. I’ve thought about this when considering – at the time of these payments – what was known to Bank of Scotland and what would’ve been reasonably expected from them. In Mr R’s case, there was no prior crypto activity on his account before the scam occurred. So, the payments he made to crypto provider B was a change in Mr R’s account usage. And although Mr R did make occasional transactions of a greater value, the £4,000 payment was more than he typically used his account for. At which point, I also note that the higher value transactions Bank of Scotland have referenced appear to have gone to another of Mr R’s own accounts and, as I understand, his wife’s account – which thereby would’ve presented a significantly lower fraud risk compared to funds being sent to a crypto provider. Looking at the value of the payment and its destination, along with an absence of prior crypto activity on Mr R’s account, I think there was sufficient reason for Bank of Scotland to suspect Mr R was at risk of financial harm when he made the £4,000 payment. And in these circumstances, I think a proportionate response would’ve been for Bank of Scotland to have

-- 4 of 5 --

taken reasonable steps to attempt to identify the specific scam risk – for example by seeking further information about the nature of the payment to enable them to provide more tailored warnings. I think Bank of Scotland could’ve done this through automated questioning – as I don’t consider the payment warranted a greater level of intervention, such as a telephone conversation. I think this would’ve been appropriate in the circumstances as it would’ve been a reasonable balance between protecting against fraud and not unduly hindering legitimate transactions. Neither party has provided any further submissions in respect of how Mr R would’ve responded to an intervention of the type I’ve described, or in respect of whether Mr R should bear any responsibility for his loss. In the absence of this, I remain of the view that such a warning would’ve likely resonated with Mr R and prevented his loss. I similarly consider that it would be fair to reduce the amount Bank of Scotland pays Mr R by 50% because of his role in what happened. It follows that, to put things right, I consider Bank of Scotland should refund 50% of the last two payments - £4,500 – along with 8% simple interest (calculated from the date of each payment to the date of settlement) to recognise the loss of use of money Mr R would otherwise have used. My final decision My final decision is that I uphold this complaint in part. I direct Bank of Scotland plc to pay Mr R: • £4,500 – that being 50% of the last two payments. • 8% simple interest, per year, from the date of each payment to the date of settlement less any tax lawfully deductible. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr R to accept or reject my decision before 17 April 2026. Daniel O'Dell Ombudsman

-- 5 of 5 --