Financial Ombudsman Service decision

HSBC UK Bank Plc · DRN-6158607

Authorised Push Payment (APP) ScamComplaint upheldRedress £15,500
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mrs S complains that HSBC UK Bank Plc (HSBC) won’t refund money she lost when she was the victim of an Authorised Push Payment Scam (APP scam). What happened In April 2024, Mrs S’s husband received a call from someone claiming to be from his own bank. They said multiple attempts had been made to take money from the account. He was told that while these payment attempts had been refused the criminals would likely try again. Believing he was following his bank’s directions to protect his money, he carried out the caller’s instructions. Unknown to Mrs S’s husband at the time, the caller was not from his bank but was in fact a fraudster. After this first call, a second person rang. They said they worked in a cross-bank fraud team. Mr S and Mrs S’s banks were working together to fight internal fraud through this team. They had identified that the risk to Mr S’s money also affected Mrs S’s account. The caller said Mr and Mrs S would both need to move their money into ‘self-defence accounts’ because their own accounts had been compromised. It was crucial that they kept this secret to avoid compromising the wider investigation into fraudsters supposedly believed to be operating within the banks. They were told that if these fraudsters at the bank realised that Mr and Mrs S were now aware of them and the threat they posed, the fraudsters would likely flee, taking the balance of Mr and Mrs S’s accounts — and leaving them with nothing. Mr and Mrs S explain they were terrified by this prospect, these were their life savings, and they would not be able to replace the funds being in their seventies and both retired. Mrs S says she checked her HSBC account but thankfully couldn’t see anything unexpected or any signs of suspicious activity. However, given what the caller was saying about the imminent risk to her funds, she says she was very concerned and unsure what to do. And by this point, her husband had already been following the callers’ instructions in the belief the callers were genuine. The caller told her that bank staff members’ accounts had been picked at random to act as what was described to her as being these ‘self-defence accounts’. Mrs S was told that the account balance and history showing up when she checked her online banking wasn’t showing anything unexpected because it had been manipulated by the cross-bank internal fraud team as part of the scheme to uncover a group of supposed criminals operating internally within the two banks. The callers appear to have maintained consistent pressure on Mr and Mrs S. Based on Mrs S’s testimony, the calls appear to have been frequent, regular and often lengthy. This seems likely to have been a deliberate tactic on the part of the scammers to manipulate Mr

-- 1 of 9 --

and Mrs S, and to reduce the chance they would have enough time to reflect on what was happening and identify that this might not be genuine. On 11 April, Mrs S attempted a payment to the first account using the details given to her by the caller. While she was inputting the details, HSBC asked the purpose of the payment (in an automated question). Mrs S had been told by the caller to say the payment was going to ‘friends or family’ (on the basis that this was necessary to avoid tipping off the supposed internal fraudsters) and so she chose that payment option from the available list. HSBC says it then provided a scam warning message. When Mrs S chose to ‘continue’, HSBC blocked the payment (and her online banking) until it could speak to her. During the subsequent call, Mrs S said she no longer needed to make the payment from her HSBC account and that she’d send it from a different bank if still needed. She said she just wanted her HSBC account unblocked. This had been what she was told to say by the original caller, who was coaching her in what to tell HSBC. HSBC then read a further scam warning. That included mentioning the risk of scams where customers were influenced to move money out of their accounts. Mrs S attempted the payment again the following day. Again, HSBC blocked the payment until it could speak to her. Mrs S told HSBC (as she’d been instructed by the original caller) that she hadn’t received any calls or text messages about this. She said she’d made other arrangements, and the payment was no longer required. Over the next few days, Mrs S transferred several similar sized payments to her husband’s bank account (an account that was already a long-established payee for Mrs S). It appears the scammers intention was to then transfer out from her husband’s account (again to the supposed ‘self-defence account’). HSBC did not intervene in Mrs S’s payments to her husband’s account. A few days later, on 16 April, the original caller told Mrs S to make a payment of £15,500 to a second ‘self-defence account’. Once again, she had been told to choose the payment option for paying friends or family members. HSBC again held the payment until it could speak to Mrs S about it. During the security call, Mrs S was asked a series of questions about the circumstances surrounding the payment. Believing that she was following the instructions of the cross-bank fraud team in order to uncover internal fraud at her and her husband’s banks, she used a cover story as she’d been prompted. She told HSBC that the payment was a short-term loan to a very good friend who needed to borrow the money to set up a small business. She said she’d had a meeting in person with that friend the same morning and that she’d known them for a few years. HSBC warned Mrs S that it was aware of people being contacted by fraudsters pretending to be from the bank or other financial institutions. HSBC told her it would never ask a customer to transfer funds to a safe account. Mrs S was asked further questions about the payment but stuck to the story she’d been given by the original caller (still under the belief this was something the cross-bank fraud team needed her to do to avoid compromising its investigation into HSBC staff). Eventually after some discussion, HSBC agreed to release the payment in line with Mrs S’s instructions. Mrs S says that shortly before, her husband had gone to his bank branch, intending to make

-- 2 of 9 --

a payment from his account. By that point, the caller had told them a staff member at that branch had been identified as one of the suspects involved in the theft of funds from customers’ accounts. However, when her husband attempted to make the payment, the funds were not sent. He’d told his branch he was paying an invoice, but the staff member wanted to see the actual invoice - which obviously Mr S couldn’t produce. It later emerged that the bank had frozen his account until he later called them to unblock it. As a result, the funds didn’t leave his account. When Mr S and Mrs S later discussed this, they realised the scammer’s story didn’t make sense. They came to the realisation that they’d been the victims of fraud. Mrs S alerted HSBC, and reported what had happened. The bank was unable to recover the money she’d sent (except for a very small sum that remained in the beneficiary account). At the relevant time, HSBC was a signatory of the Lending Standard Board’s Contingent Reimbursement Model Code (the “CRM Code”). This was a voluntary code requiring signatory firms to reimburse victims of APP Scams in all but a limited set of circumstances. HSBC looked into Mrs S’s claim but said it wouldn’t reimburse her. It had given scam warnings which Mrs S had not heeded, and in making the payments Mrs S had not had a reasonable basis for believing what she did. Both circumstances were permitted exceptions to reimbursement under the CRM Code, so HSBC did not need to refund Mrs S. Mrs S did not accept this. She referred her complaint to this service. I issued my provisional findings on the merits of this complaint in my provisional decision, dated 30 January 2026. In my provisional findings I explained why I intended to uphold the complaint in part and offered both sides the opportunity to submit further evidence or arguments in response. An extract of that decision is set out below and forms part of this final decision: A relevant consideration in this complaint is the CRM Code. It does not apply to the payments made by Mrs S to her husband’s account (because those funds were not lost as a direct consequence of that payment journey from Mrs S to her husband). However, there is no dispute that Mrs S made the payment of £15,500 to an account controlled by the scammers and that she did so as the consequence of an APP scam. This payment directly resulted in the loss of that sum and I am satisfied that the CRM Code applies. The CRM Code requires reimbursement of most APP scam payments subject to limited exceptions. HSBC says that two exceptions to reimbursement under the CRM Code apply in Mrs S’s case. I’ve therefore considered whether HSBC has correctly established it may apply an exception to reimbursement under the CRM Code. HSBC seeks to apply two of the possible exceptions to reimbursement: • The Customer ignored Effective Warnings […] by failing to take appropriate action in response. • In all the circumstances at the time of the payment, in particular the characteristics of the Customer and the complexity and sophistication of the APP scam, the Customer made the payment without a reasonable basis for believing that: (i) the payee was

-- 3 of 9 --

the person the Customer was expecting to pay; (ii) the payment was for genuine goods or services; and/or (iii) the person or business with whom they transacted was legitimate. In order to rely on an exception to reimbursement, the CRM Code says HSBC must have established that either one or both applies. I’ll address each in turn. Did Mrs S ignore an ‘Effective Warning’? When Mrs S spoke to HSBC in the course of making the payment (and previously), HSBC’s argument is that she was provided with an ‘Effective Warning’ which she chose to ignore, and which had she followed would have prevented her losses. Mrs S’s cover story also impeded HSBC’s staff from making a stronger intervention. I’ve carefully reviewed the call recordings provided, and Mrs S’s recollections from the time. The CRM Code sets minimum standards for any scam warning to be considered an ‘Effective Warning’. The list of requirements includes that the warning must be impactful and specific to the scam. The scam here involved Mrs S being tricked into believing she needed to give a cover story to HSBC. As a result, it seems to me that the warnings the bank could provide her were not as strong as they might otherwise have been. Simply put, the cover story impeded HSBC from correctly identifying the relevant scam risk to address and to warn against (no doubt the scammer’s intent). The warnings could not be made as specific to the scam risk as might otherwise have been possible. Perhaps in consequence, the provision of warnings given don’t strike me as sufficiently impactful in the circumstances of this type of scam. To be an ‘Effective Warning’ requires it to be impactful. As a minimum I consider that means it needs to have been one likely to break the spell of a scam such as this one. Unfortunately, the nature of the psychological manipulation and social engineering involved in this case (as often in this specific type of scam) meant HSBC had a very difficult job in providing an ‘Effective Warning’ to Mrs S. She had been cynically manipulated to believe that the scammers were the ones trying to protect her, and whomever she spoke to at HSBC might be part of an internal fraud. Regardless of whether the scammer’s misdirection was something HSBC could have avoided or not, the use of the exception in the CRM Code is contingent upon a customer ignoring a warning that was given to them, and that this would otherwise have prevented the scam. It cannot be correctly applied in respect of a better warning that might have been given but wasn’t (even when that was the result of a cover story). With all of the above in mind, I’m not persuaded that the warnings provided to Mrs S, while relevant scam warnings, were sufficient to meet the minimum requirement to be deemed an Effective Warning under the terms of the CRM Code. I consider that HSBC cannot therefore rely on this exception to reimbursement. Did Mrs S make these payments without holding a reasonable basis for believing what she did? When considering this reimbursement exception, the CRM Code specifies that all the circumstances at the time of the payment need to be taken into account. It highlights in

-- 4 of 9 --

particular the complexity and sophistication of the APP scam, and the characteristics of the customer. I’m persuaded that the scam here was a prolonged co-ordinated effort to manipulate Mrs S into making these payments. It involved the use of psychological pressure through repeated calls, and concerns being raised about the consequences of Mrs S not following the instructions of those claiming to be from a cross-bank fraud team investigating internal fraud at her bank. I think it is also relevant to this case, that by the time Mrs S first spoke to the scammers, her husband was already under their spell. I’ve thought carefully about all the relevant circumstances and the evidence provided by both sides. I’ve also noted the nature of this type of scam, including the insistence by the scammer on a cover story being used to avoid tipping off the internal fraudsters supposedly operating at the banks. With all taken into account, it seems to me that Mrs S had thoroughly been deceived at the time and did what she did (including providing a cover story) in the genuine belief that she was acting upon the specific instructions of an internal fraud team that had uncovered possible fraud at HSBC. Given the social engineering and psychological manipulation that appears to have occurred, I don’t think Mrs S’s belief on that point was unreasonable — bearing in mind the factors I must consider under the terms of the relevant exception in the CRM Code. So, while I’ve carefully considered the evidence provided by both parties, I don’t think HSBC has established that Mrs S made these payments without holding a reasonable basis for believing what she did at the time, in all of the circumstances. Under the terms of the CRM Code, the victim of an APP scam such as this should reimbursed unless the bank is able to establish that one (or more) of the exceptions to reimbursement can be applied. I’m not persuaded that HSBC has been able to establish that any of the exceptions to reimbursement under the CRM Code can fairly be applied in Mrs S’s case. It follows that HSBC should have reimbursed Mrs S under the terms of the CRM Code. Given the above, in the circumstances of this case, I am minded to find that HSBC should now fairly and reasonably refund the money Mrs S lost. I cannot know for certain how Mrs S would have used this money had it not been lost to the fraud. But if HSBC had refunded the money when I consider it ought reasonably to have done so, Mrs S would not have been deprived of it for the time she has. So, HSBC should also pay interest on the loss at a rate of 8% simple per year. This interest should be calculated from the date of each payment until the date of settlement Putting matters right For the reasons set out above, I think Mrs S ought reasonably to have been fully refunded under the CRM Code. Subject to any further submissions, to put matters right I intend to require HSBC UK Bank Plc to pay Mrs S: • the money Mrs S lost as a result of the scam, being £15,500 less any amounts the bank has already been able to recover or otherwise return to Mrs S. The bank should do so within 28 days of receiving notification of Mrs S’s acceptance of my final decision; plus, • interest at the simple rate of 8% per year on the above amount (less any tax properly deductible) to be calculated from the date Mrs S made each payment until the date of settlement.

-- 5 of 9 --

I invited both sides to provide any further arguments or information by 16 February 2026, after which point, I said I intended to issue my final decision on the matter. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. In deciding what’s fair and reasonable in all the circumstances of a complaint, I’m required to take into account relevant: law and regulations; regulators’ rules, guidance and standards; codes of practice; and, where appropriate, what I consider to be good industry practice at the time. In general, where evidence is incomplete, missing or contradictory I am required to make my findings based on a balance of probabilities – in other words what I consider is most likely given the information and evidence available to me. Responses to my provisional decision Mrs S responded on 30 January 2026, saying she accepted the provisional decision. HSBC responded on 16 February 2026. It said it disagreed with the provisional decision and detailed a number of points which it wanted me to consider before reaching my final decision. In very brief summary, these were as follows: • HSBC didn’t accept Mrs S had a genuine reasonable basis for belief. - She’d accepted what the caller told her without what should have been reasonable concerns in the situation. In particular, she ought to have had reasonable concerns when the person said they were calling from a cross- bank fraud team (which did not exist), and when she was instructed to make payments to third parties’ accounts. - Being advised to mislead her bank as to the purpose of a payment should have caused her to doubt that the person she was dealing with was legitimate. - Mrs S’s husband had been told by his bank this looked like a scam. He and his wife shouldn’t have accepted the subsequent reassurances of the scammer as to why that wasn’t a cause for concern. • HSBC had given Mrs S relevant scam warnings during and prior to this scam. - She’d been verbally told “The bank will never ask you to move money or help with an internal investigation”. - An in-app warning said “If someone has told you to mislead us about the reason for your payment and choose the wrong payment type, stop. This is a scam”. - A mailing that had previously been sent to Mrs S (and which she had opened) included the warning to “Ignore requests to move funds immediately for safekeeping – even if they seem to be from the police or other trusted organisations”. • On 12 April 2024, Mrs S had asked an HSBC advisor how she could know they were genuinely from HSBC and had been told she could call them back on the number shown on the back of her bank card if she had any concerns. If Mrs S had done the same on the scam calls, then no funds would have been lost.

-- 6 of 9 --

I’ve carefully reviewed this complaint in the light of HSBC’s further comments and submissions. I understand HSBC’s concerns about the impact of this scam and that it has resulted in a significant loss of funds to its customer which the bank is now being asked to reimburse. This is a particularly difficult type of scam for a bank to prevent. Once the scammer has gained the trust of the person they are targeting, the nature of the scam involves the victim being led to actively distrust what they are being told by bank staff (believing those they are speaking to may be implicated in supposed internal fraud of some sort). This is one of the main scenarios that the introduction of the banking protocol (over a decade ago) was intended to help address. In this case, the deception involved the belief that the person was operating in a cross-bank fraud team — so ostensibly operating above, and having oversight across, the individual banks. Mrs S had been deceived on this point (and by the time she was drawn into the scam her husband had already fallen under the scammers’ spell). Her later interactions with HSBC were tainted by the false beliefs engendered by the scammer. Unfortunately, I think it is fair to say that scammers often have great facility in being able to persuade victims. Here there is evidence of several scam techniques being deployed to prevent and assuage the reasonable doubts that might otherwise have surfaced for Mrs S. With everything in mind, and having carefully reviewed all of the evidence here, unfortunately I think Mrs S was under the spell of the scammer by the time she attempted even the first payments, and she believed that they were trying to protect them against supposedly corrupt bank staff. I consider she genuinely believed she was acting to help prevent fraud not assisting it. In the cold light of day, I accept that this reasoning might seem far-fetched to HSBC. But I’m persuaded that the operation of this scam was one of devious psychological manipulation, and by the time Mrs S became involved her husband was already under the scammer’s spell meaning the trusted person Mrs S could have asked for a second opinion in this situation would have unfortunately endorsed the wrong choice. In all, I think the belief Mrs S held was not unreasonably held in terms of the CRM Code’s criteria at R2(1)(c). The CRM Code requires all of the circumstances to be taken into account. That therefore includes, in this case, the factors I’ve described. While I appreciate the difficulty HSBC therefore faced in breaking the scammer’s spell, a bank’s ability to do so isn’t the criteria for reimbursement under the CRM Code (as HSBC will be well aware of from guidance issued by the code’s regulator the LSB, and by numerous decisions issued by the Financial Ombudsman Service). All of this holds despite the warning messages HSBC has highlighted. These warnings did have relevance to what was happening, but unfortunately, I find those messages were not sufficiently impactful to overcome the scammer’s persuasion. By the time Mrs S was interacting with the bank, the scammer had already gained a position of greater trust than the bank. Simply put, I find the warnings given by HSBC could not have been sufficient in themselves to have prevented what happened. Reading these warning messages in the cold light of day, the relevance of what HSBC was warning about is apparent, but I cannot overlook the fact that Mrs S was at the time under the spell of a dedicated and convincing scammer (who had likely constructed the details of the scam scenario with the specific objective of minimising the effect of a bank’s typical scam warnings). And by the point of the call on 12 April that HSBC references, Mrs S was already under the

-- 7 of 9 --

spell of the scammer and appears to have been extensively coached by the scammer in what to say to her bank. In other words, the comments she’d made about calling the bank back on the number on her bank card were being made whilst wholly under the sway of that scammer. Of course, while that verification was readily available when contacting the bank (and crucially from the scammer’s perspective would run no risk of uncovering the deception) there would be no equivalent option when dealing with a supposed ‘cross-bank fraud team’. So, I don’t accept there is therefore any inconsistency here in Mrs S’s actions. I’ve considered whether having no ability to carry out a similar check for the ‘cross-bank fraud team’ ought in itself have been a cause for concern, but I don’t find that most likely in the circumstances by that point (Mrs S having been interacting with the scammer for some time by then, and her husband prior before her). Again, what happened was simply another clever manipulation by a determined scammer and Mrs S was unfortunately acting wholly under the scammer’s spell by this point. All considered then, I simply don’t think the points raised by HSBC in response to my provisional decision change my findings. This scam involved significant manipulation of Mrs S and her husband. They were led to place their trust in someone who, despite appearances to the contrary, only intended them harm. A consequence of the scam was that they were led to place considerably less trust in what they were being told in interactions with their banks than would usually have been the case (in fact to actively distrust the motivations of those they spoke to at HSBC). That made the scam difficult for HSBC to prevent. But I don’t think Mrs S acted without any reasonable basis for believing what she did, given her own knowledge at the time and her circumstances at the time. So, I don’t find HSBC can rely on that exception to reimbursement under the CRM Code (nor, as I’ve addressed above, the warnings exception or any of the other permissible exceptions). Putting things right I’ve carefully considered the responses I received to my provisional decision. But these have not changed my findings on Mrs S’s complaint, nor changed what I consider to be the fair outcome in all the circumstances. For the reasons set out in my provisional decision and above, I find it fair and reasonable in all the circumstances that Mrs S ought to have been reimbursed under the terms of the CRM Code. I require HSBC UK Bank Plc to pay Mrs S: • the money Mrs S lost as a result of the scam, being £15,500 less any amounts the bank has already been able to recover or otherwise return to Mrs S. The bank should do so within 28 days of receiving notification of Mrs S’s acceptance of my final decision; plus, • interest at the simple rate of 8% per year on the above amount (less any tax properly deductible) to be calculated from the date Mrs S made each payment until the date of settlement. My final decision For the reasons given above, I uphold this complaint in part and require HSBC UK Bank Plc to put matters right as I have detailed above.

-- 8 of 9 --

Under the rules of the Financial Ombudsman Service, I’m required to ask Mrs S to accept or reject my decision before 17 April 2026. Stephen Dickie Ombudsman

-- 9 of 9 --