Financial Ombudsman Service decision

Revolut Ltd · DRN-5488492

Unauthorised TransactionComplaint upheldRedress £415,000
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint A company which I will refer to as ‘H’ complains that Revolut Ltd didn’t reimburse the transactions made by a fraudster which it says it didn’t agree to. The complaint is brought on H’s behalf by Mr H and the company is represented by a firm of solicitors. However, for ease I’ll refer to H or Mr H throughout. What happened The background to the complaint is known to both parties and so I won’t repeat it at length here. But briefly, H holds an account with Revolut and in October 2022, H added one of its employees who I’ll call ‘Ms E’ as an authorised user on the account. In July 2023, Ms E was called by someone she believed to be from her own bank, they knew personal information such as her date of birth and account details and said that they were calling as someone was attempting to make a payment from Ms E’s account in a different location. Given the information the caller had provided, and that Ms wasn’t asked to provide any secure details Ms E said she thought the caller was genuine. Ms E was led to believe that a personal loan had also been taken out in her name, and when she looked at her online banking, she could see the credit that the caller had referenced, further reinforcing her belief that she had been contacted by her bank. During the call, Ms E was told that her devices had been compromised. Ms E was instructed to download ‘Anydesk’ so the caller could block and refund the payments which were due to debit. After undertaking the requested actions on Ms E’s personal account, the caller then said that they could see the other account Ms E had access to had also been compromised. The account in question was H’s account with Revolut, and the caller said Ms E should expect a call from Revolut regarding payments which were due to debit H’s account. Shortly after, Ms E was contacted by who she believed was Revolut, she was instructed to delete her existing Revolut Business app from her phone, redownload it and log back in. The caller from Revolut also then requested access to Ms E’s laptop via ‘Anydesk’. Ms E didn’t realise at the time that both the people who had contacted her were fraudsters. After the caller had accessed Ms E’s laptop and phone, she received eleven emails from Revolut about suspicious transactions being made from H’s account. Ms E was reassured by the fraudster that these emails had been triggered because of the activity they were trying to stop. At this time, Mr H started to receive emails about the payments, he logged into his Revolut app but had no way to stop the payments being sent. He was also unable to contact Ms E as she was on the phone to the fraudster at that time. Mr H contacted Revolut about the payments, however by time he was able to speak to someone at 1:10pm, around £570,000 had already left H’s account. Revolut contacted the receiving banks between roughly 5:30pm and 8:00pm, however it was only able to recover around £150,000. In total, H’s loss was £420,261.80.

-- 1 of 8 --

H complained to Revolut as it thought Revolut should have done more to prevent the loss and noted that it had asked for a £10,000 limit to be applied to any payments made by Ms E. Revolut declined to reimburse H, so Mr H asked this service to look into H’s complaint. Our investigator recommended H’s complaint be upheld. She was satisfied that for the purpose of our rules H met the criteria of a micro-enterprise and therefore Revolut couldn’t rely on the provision for large corporate companies within its terms. She was also satisfied that based on the evidence available, the payments from H’s account hadn’t been authorised by H, nor had the company acted with intent or gross negligence. Although she also said that Revolut shouldn’t be held responsible for payments over £10,000 being released as H hadn’t completed the required steps to implement the limit. The investigator noted that our award limit was £415,000 and recommended that Revolut refund this amount along with annual interest at 8% simple and refund any lost interest as a result of the transactions. She also recommended that Revolut refund the £5,261.80 in excess of the limit on a voluntary basis, but she said that Revolut should not be held responsible for H’s legal fees as it was H’s choice to engage a legal firm. H agreed with the investigators opinion; however, it said that it had also suffered a consequential loss as a result of Revolut’s actions. It said that several of its partners had left the business and that it had ceased trading causing a loss off previous annual profits of between £250,000 and £400,000, which should be considered for an award by this service. Revolut didn’t agree with the investigator’s opinion. It wasn’t satisfied that H met the definition of a micro-enterprise and provided information it believed showed H was linked to other companies including H’s borrowing of funds from those companies. Revolut also asked our service to consider decisions that had been made on other cases with similar circumstances, whereby deductions had been made for contributory negligence. As an agreement couldn’t be reached, the case has been passed to me to decide. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’ve decided to uphold it. I’ll explain why. Firstly, I just want to say I’m really sorry that H has had to contact us in these circumstances. Fraud has a huge impact, both financially and emotionally. And we recognise how important these cases are to all complainants affected. Should the micro-enterprise rules apply to H? In broad terms, the starting position at law is that an Electronic Money Institution (“EMI”) such as Revolut is expected to process payments and withdrawals that a customer authorises it to make, in accordance with the Payment Services Regulations (‘PSR’s) (in this case the 2017 regulations) and the terms and conditions of the customer’s account. However, the general principle is that Revolut, as a payment service provider, can only deduct funds from an account if the payment was correctly authorised. If a payment is unauthorised, then Revolut would generally be liable for refunding it. There are certain conditions which can be applied, whereby a payment service provider such as Revolut would not be liable for an unauthorised payment, for example where an account holder has acted fraudulently or failed to keep their personalised security credentials secure

-- 2 of 8 --

– either intentionally or if they have acted with gross negligence. The PSRs also allow for payment service providers to ‘opt-out’ of some of the conditions within the regulations in certain circumstances, such as if the payment service user is not a consumer, micro- enterprise or charity. Revolut’s terms make use of this opt-out for what it deems “large corporate” customers. Revolut says that H should not be treated as a micro-enterprise due to its links with other businesses which are registered on the Financial Conduct Authority (‘FCA’) register. However, I’ve reviewed evidence from H, and I’m satisfied that it is a micro-enterprise. At the time of the transactions in dispute it had fewer than 10 employees, and a turnover of less than the equivalent of €2million. I’ve reviewed H’s filings with Companies House for the two previous years, and they would also be under the employee and turnover limits to be considered a micro-enterprise. I’m satisfied that H was an appointed representative for the other businesses which is why they are linked on the FCA register. I also haven’t seen there is any evidence of links via common owners or persons with significant control between the companies, so I don’t think the other businesses financial information should be included within the micro-enterprise calculations for H. Therefore, I’m satisfied that Revolut’s opt-out for large corporate customers in the PSRs should not apply to H in this case. Is it fair for Revolut to treat the payments as authorised? H says that it did not authorise the payments made to the fraudulent bank accounts and therefore it shouldn’t be held responsible for these payments. It also says that a payment limit of £10,000 had been requested on the account but not applied, and this would have prevented some or all of its loss. Revolut disagreed and said that the payments were created and authorised by H’s employee. It also said that at the time of the payments, the payment limit had not been applied by H. To consider a payment authorised, the PSRs explain that H must have given its consent to the execution of the payment transaction – and that consent must be in the form, and in accordance with the procedure, agreed between it and Revolut. Revolut say that on 20 July 2023 at 12:45, Ms E made a transfer for £60,000 to a new third-party beneficiary account via her laptop. It also says that Ms E was sent a text message containing a unique code to her registered mobile phone, as part of its two factor authentication security measures, and that Ms E entered the codes to release the payments. Revolut say that this was repeated for each of the 17 payments, so it was satisfied the payments were made by H. But I’m not persuaded that’s fair here. I’ve looked at Revolut’s terms to see what is set out for its consent, form and procedure, however there is limited information regarding this. Revolut’s terms simply say that “We will treat all instructions from Authorised Persons acting within the limits of their authority as if you had given the instructions yourself”. In this case, I don’t think H was responsible for authorising these payments. I say that because Ms E testimony has remained consistent that she was directed to download the ‘Anydesk’ application on her phone and allow the use of Anydesk on her laptop (which had already been used by H’s IT department) which gave the fraudster access to these systems and that she didn’t create the payments. Revolut hasn’t disputed this and given what we know about this type of scam, I think Ms E’s version of events is persuasive. So, I think it’s likely that Ms E wasn’t the one who input the information to make the payments initially. Whilst Revolut doesn’t dispute that the fraudster was able to use ‘Anydesk’ to create the payment information, it has said that it sent one-time passcodes (OTP’s) to Ms E’s phone for each of the payments to be released. It doesn’t believe the OTPs could have been accessed remotely by the fraudster on Ms E’s phone, and therefore Ms E must have shared the codes. I recognise that Revolut thinks this is unlikely, however, Ms E says that she didn’t see any of

-- 3 of 8 --

the SMS messages containing the OTPs as her phone screen was blank during this time. Given that these messages contained the amount, payee, device the payments had been made from and location, I think on the balance of probability that if Ms E had seen these SMS messages she would have been aware that the payments were being made, rather than cancelled as the fraudster had led her to believe, and I think the scam would have come to light. Furthermore, given the functionality of ‘Anydesk’ and that this is available for phone’s I find Ms E’s testimony persuasive. So based on the evidence available, I don’t think that Ms E (or anyone else from H), gave permission for the fraudsters to make the payments on her behalf. Therefore, I’m satisfied that Ms E did not complete the payments in the form and procedure agreed between H and Revolut. So, I don’t think it’s reasonable for the payments to be treated as authorised by H. Is it reasonable for Revolut to hold H responsible for these transactions? Although I don’t think these payments should be treated as authorised by H, there are certain scenarios where Revolut can still hold H liable for the transactions. The relevant section of the regulations says: Regulation 77 - (3) The payer is liable for all losses incurred in respect of an unauthorised payment transaction where the payer— (a) has acted fraudulently; or (b) has with intent or gross negligence failed to comply with regulation 72 (obligations of the payment service user in relation to payment instruments and personalised security credentials). There’s no suggestion that Ms E or anyone else at H has acted fraudulently here, so I’m satisfied part (a) doesn’t apply. Regulation 72 referred to in part (b) says that H would be expected to take all reasonable steps to keep safe the personalised security credentials of their Revolut account. Ms E has said that she allowed access to her laptop via ‘Anydesk’ and to her phone via ‘Anydesk’ downloaded from the app store, and the new ‘Revolut app’ which allowed the fraudster to access her log in information for H’s account. I’m satisfied these would be considered personalised security credentials under the PSRs. However, I’m not persuaded that Ms E intentionally gave over the secure log-in details for H’s account to allow the fraudster to make payments. I think that Ms E was tricked in to doing so, by thinking she was taking steps to secure H’s Revolut account. So, the key consideration here is whether Ms E acting on H’s behalf was grossly negligent, in that she acted recklessly or with extreme carelessness compared to the expectation of a reasonable person, with her personalised security details. The Revolut terms say they won’t refund in the account holder has “intentionally or carelessly failed to keep [their] Revolut account safe”. In this case Ms E was led to believe that she was speaking to Revolut’s fraud team and that H’s account was at risk, as she’d been reassured by the first caller who knew her personal information that she should expect a call from Revolut about pending payments on H’s account – which the second caller who said they were calling from Revolut then reiterated. Although Revolut says it wouldn’t call its customers and would only contact them via it’s app, given what Ms E was led to believe from the about H’s account being accessed and the app being compromised, I don’t think this would have appeared unreasonable. Ms E says that

-- 4 of 8 --

she received the call from ‘Revolut’ as she was told would happen and Anydesk was also reactivated by the second caller without her inputting any information. Ms E says the caller also instructed her to reload the Revolut app as it had been compromised and also to access the email account linked to H’s Revolut account, so she thought the caller was genuine. I think it’s worth noting here that H’s account held a significant balance at the time of the call, which put Ms E in a difficult position of being responsible for those funds. It’s fair to say that Ms E could have challenged the caller as not being genuine and chosen not to follow their directions until she’d sought confirmation of what she’d been told. However, had the payments been genuine and Ms E hadn’t acted quickly enough, she would have been responsible for the loss of H’s funds. As Ms E was led to believe that her phone had been hacked and her employers account had been accessed, I think it was understandable that Ms E felt under pressure here to follow the instructions from the scammer to log into H’s Revolut account to try and prevent the payments being made from the company’s account. I think it’s also worth noting here that Ms E says she was told that she would receive emails from Revolut as these were relating to the fraudulent payments which needed to be cancelled. Given that the emails were headed “Suspicious transfer detected’ and the information within the emails says the transactions were ‘being frozen’ and that these had to be ‘reviewed by clicking the blue button’ within the email, I think it was understandable that this helped further convince Ms E that the person she was talking to was from Revolut. I recognise that Revolut says that the payments were initiated via Ms E’s devices and that she accepted the security alerts to release these payments. However, there wasn’t any dispute that Ms E’s devices were being used to make create and approve the payments, but I haven’t seen any evidence that Ms E herself was responsible for these actions. Ms E says that she didn’t see the creation of the payments in H’s account, or the OTP’s and it appears from the SMS messages between Ms E and Mr H at the time that Ms E had no visibility of the payments until they were debiting the account. Given that Ms E was on the phone to the fraudsters at the time of the payment creation and release, I think it’s reasonable that Ms E didn’t have full visibility of the phone messages and Revolut’s system as she was juggling between them and was being put under pressure by the fraudster. I also think it’s worth noting here that there appears to have been no reason for Ms E to download ‘Anydesk’ on her phone other than for the fraudsters to view the OTPs, so I’m not persuaded that Ms E shared or had visibility of the OTPs at the time they were received from Revolut. I also think that it was reasonable for Ms E to have downloaded a remote access app in the first place, given the reassurance she’d been given by the first caller about her personal account being compromised. I acknowledge that with the benefit of hindsight Ms E probably ought to have asked further questions to confirm that the callers were genuine. However, the relevant test in this case is whether Ms E acted with gross negligence and with a serious disregard for any obvious risks, and I’m satisfied that’s not the case here. Given that I’m not persuaded that Ms E - as H’s agent acted with gross negligence here – which as mentioned above is the requirement under the PSR’s rather than Revolut’s own opt-out terms, I don’t think Revolut has acted reasonably by not refunding H’s losses. Revolut has suggested that a deduction should be made from any award due to the contributary negligence caused by Ms E’s actions. It has also cited a previous decision issued by this service. However, the circumstances of that case were different, and our service reviews each case on its own merits. But in any event, the PSRs are clear that in the case of unauthorised transactions the refund should be in full, so I don’t think it would be fair for me to make a deduction in this case.

-- 5 of 8 --

Should Revolut have done more before processing any of the payments? Revolut has a duty to exercise reasonable skill and care, pay due regard to the interest of its customers and to follow good industry practice to keep customer’s accounts safe. This includes looking out for payments which might indicate the consumer is at risk of financial harm. Taking these things into account, I think Revolut should fairly and reasonably have had systems in place to look out for out of character or unusual transactions, or other signs that might indicate that its customers were at risk of fraud. So, I need to decide whether Revolut acted fairly and reasonably in its dealings with H here, and if I think it should have done more before allowing the payments to leave H’s account. I can see that Revolut did take action regarding these payments. It blocked the majority of payments and sent emails requesting the payments be reviewed and then the OTPs be provided to release them. However, I’ve looked at the account and I think these payments were very suspicious, both for H’s account and for payments made by Ms E. The largest payment I can see in the year prior to the July 2023 payments was for around £10,000, so significantly less than the £60,000 first payment on 20 July and the total payments of around £570,000 which debited that day. So, I think it should have done more here to investigate the payments before they were released. I can see that Revolut sent Mr H an email about the second £60,000 payment, which he then requested be cancelled. Given Mr H’s response to this payment, and that Revolut had concerns about the activity, it’s not clear why other emails weren’t also sent to Mr H or why, if Revolut believed there was suspicious activity from Ms E’s log on, that it only sent the emails and OTP’s to Ms E and didn’t take further steps to investigate before releasing all the other payments and allowing around £560,000 to debit H’s account in around twenty minutes. So, I think Revolut could have done more here – particularly because as soon as Mr H was aware of the fraud, he contacted Revolut immediately. Therefore, I think it’s likely that had Revolut taken further steps to contact Mr H when the first payment was made from H’s account, all the company’s loss could have been prevented. Revolut’s actions after the scam was reported Revolut’s obligations as a payment service provider don’t end once a payment has been made. There is an expectation on it to attempt to recover any lost funds once a scam has been reported. In this case, I can see that Mr H attempted to report the scam at 12:10 within around half an hour of the first payment leaving H’s account, and that he was still trying to request that payments be stopped before the last three payments had been sent. When Revolut received the fraud report from Mr H, I’d have expected Revolut to contact the receiving banks at the earliest available opportunity to see if any funds could be returned. In this case, I can see that Revolut reported the fraud within six hours of Mr H’s notification to each of the various receiving banks. I’ve thought about whether Revolut could have taken action sooner once it was aware of the scam. However, from the evidence available it appears that the funds which Revolut was unable to recover were moved from the receiving accounts within less than an hour. So even if Revolut had contacted the receiving banks immediately, it’s unlikely that any extra funds would have been returned to H. I also understand that it took a while for some of the funds to be returned by the receiving banks, however I’ve seen evidence that Revolut was proactively chasing these banks, so I’m satisfied Revolut took the actions I’d expect here after the scam was reported.

-- 6 of 8 --

Putting things right As I’ve mentioned above, I’m satisfied that the payments from H’s account were not authorised, nor do I think that Ms E on H’s behalf acted with gross negligence. Therefore, the starting position is that Revolut should refund the unauthorised transactions which I’ve detailed in the table below. Time Amount 11.45pm £60,000 11.48pm £60,000 11.49pm £60,000 11.51pm £60,000 11.52pm £50,000 11.54pm £50,000 11.55pm £25,000 11.56pm £50,000 11.59pm £25,000 12.00pm £50,000 12.02pm £50,000 12.03pm £24,000 12.05pm £4,900 12.10pm £1,700 13.17pm £533.50 13.18pm £33 TOTAL £571,166.50 From what I can see, Revolut was able to recover £150,904.70 from the receiving banks, which has been returned to H. So, H has a remaining loss of £420,261.80. Where I uphold a complaint, in line with the DISP rules, I can award fair compensation requiring a financial business to pay compensation of up to £415,000, plus any interest and/or costs that I consider appropriate. If I consider that fair compensation is more than £415,000, I may recommend that the business pays the balance. In this case I uphold the complaint, and I think it would be fair for Revolut to refund the full amount of H’s loss, along with annual interest at 8% simple from 20 July 2023 to the date of settlement and refund H for the interest that it has lost. I’ve seen evidence that H has tried to mitigate its losses where possible, but in order to continue trading it had to source alternative funds, for example credit cards and director loans. I think it would be fair for Revolut to refund H the costs/interest it has incurred/is liable for as a result of the unauthorised transactions, subject to evidence being provided to Revolut in a reasonable format and within thirty days of the acceptance of the decision. H has said that it has incurred consequential losses as a result of Revolut’s actions here. However, this was raised as a subsequent point with our service and therefore has not been considered as part of this decision as it would need to be raised with Revolut first. As our award limit has already been reached in this complaint, I have not considered this further. My final decision My final decision is that I uphold this complaint. I instruct Revolut Ltd to do the following:

-- 7 of 8 --

• refund H up to the maximum award limit of £415,000 and add annual interest at 8% simple from 20 July 2023 to the date of settlement. • Refund H any interest lost or incurred as a result of the unauthorised transactions. I recommend Revolut also refund H the remaining funds that exceed our limit totalling £5,261.80 plus annual interest at 8% simple from 20 July 2023 to the date of settlement. This recommendation is not part of my determination or award. Revolut Ltd doesn’t have to do what I recommend. It’s unlikely that H can accept my decision and go to court to ask for the balance. H may want to get independent legal advice before deciding whether to accept this decision. Under the rules of the Financial Ombudsman Service, I’m required to ask H to accept or reject my decision before 7 October 2025. Jenny Lomax Ombudsman

-- 8 of 8 --