Financial Ombudsman Service decision

DRN-6249054

Authorised Push Payment (APP) ScamComplaint upheld
Get your free defence insight →Email to a colleague
Get your free defence insight on the case against you →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Ms C is being represented by solicitors. She’s complaining about Kroo Bank Ltd because it declined to refund money she lost as a result of fraud. What happened Sadly, Ms C fell victim to a cruel investment scam after responding to an online advert that appeared to be endorsed by a well-known celebrity. She was then contacted by a scammer who told her to download remote access software that allowed them to set her up with an account on a fake investment platform that appeared to show trades being placed and profits generated on her behalf. Ms C initially used her account with another bank to make two payments totalling £520 on 18 and 20 November 2024. She was then advised to set up an account with Kroo, from which she transferred funds from her other bank before making the following transfers to the scam: No. Date Amount £ 1 27 Jan 2025 10 2 27 Jan 2025 5,000 3 27 Jan 2025 4,950 4 27 Jan 2025 4,800 5 28 Jan 2025 4,900 The payments were sent to a cryptocurrency account in Ms C’s own name, from where they were transferred to the scammer. Ms C says payments 1 and 2 were to boost her investment that she’d previously been told was already worth over £16,000. She was then told she needed to pay fees to access her money and this is why she sent the further amounts in payment 3, 4 and 5. After this, Ms C was told she needed to pay further amounts to access her money. But when she tried to transfer this from her other bank to Kroo, these payments were stopped and the bank spoke to her on the telephone. It was following this call that she realised the investment scheme was a scam and no further payments were made. Ms C did receive some returns from the scheme totalling £476.30, which is a common tactic used by scammers to make their schemes appear legitimate. But I understand the rest of her money was lost. Our investigator recommended the complaint be upheld. She felt Kroo should have identified payment 2 as suspicious and that a robust intervention at that point would have prevented further losses. Kroo didn’t accept the investigator’s assessment and made the following key points: • Money was sent to the scammers from Ms C’s own cryptocurrency account over which Kroo had no control. This also means the payments are out of scope for

-- 1 of 7 --

reimbursement under the industry scheme covering authorised push payment (APP) fraud. • The nature of the payments wasn’t unusual for this type of account. Further, this was a newly-opened account meaning there was no past activity against which these payments could have been judged as out of character. • The payments were authorised by Ms C and there was no indicators of unauthorised access to her account or that they were unlawful, meaning it had a responsibility to process them in line with her instructions. • Ms C invested without carrying out appropriate due diligence or receiving relevant documentation, and despite the suggested returns being too good to be true. • The conclusion that Ms C wouldn’t have continued if Kroo had intervened as suggested is speculative. It did show her scam warnings in connection with the payments. She was also shown warnings by the cryptocurrency exchange. The fact she went ahead with the payments suggests she wouldn’t have responded to further intervention. • Also, Kroo contacted Ms C on 29 January for further information, including copies of statements from her other bank account, but she didn’t respond. This also casts doubt on whether she’d have responded to any further intervention from Kroo. • The text conversation with the scammers where Ms C was told how to respond to questions from her bank may have taken place after these payments were made, but it’s likely she was also being coached before this. • The fact Ms C was willing to allow the scammers to access her device and share personal documents to verify her identity shows the level of trust she had in what she was being told. The complaint has now been referred to me for review. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’ve reached the same overall conclusions as the investigator. In deciding what’s fair and reasonable, I’m required to take into account relevant law and regulations, regulators’ rules, guidance and standards, and codes of practice, and, where appropriate, I must also take into account what I consider to have been good industry practice at the time. I haven’t necessarily commented on every single point raised but concentrated instead on the issues I believe are central to the outcome of the complaint. This is consistent with our established role as an informal alternative to the courts. There’s no dispute that Ms C authorised these payments. In broad terms, the starting position at law is that a bank is expected to process payments a customer authorises it to make, in accordance with the Payment Services Regulations and the terms and conditions of their account. In this context, ‘authorised’ essentially means the customer gave the business an instruction to make a payment from their account. In other words, they knew that money was leaving their account, irrespective of where that money actually went.

-- 2 of 7 --

But, taking into account relevant law, regulators’ rules and guidance, relevant codes of practice and what I consider to have been good industry practice at the time, I consider it fair and reasonable that Kroo should: • have been monitoring accounts and any payments made or received to counter various risks, including preventing fraud and scams; • have had systems in place to look out for unusual transactions or other signs that might indicate that its customers were at risk of fraud. This is particularly so given the increase in sophisticated fraud and scams in recent years, which firms are generally more familiar with than the average customer; • have acted to avoid causing foreseeable harm to customers, for example by maintaining adequate systems to detect and prevent scams and by ensuring all aspects of its products, including the contractual terms, enabled it to do so; • in some circumstances, irrespective of the payment channel used, have taken additional steps, or made additional checks, or provided additional warnings, before processing a payment; and • have been mindful of – among other things – common scam scenarios, how fraudulent practices are evolving (including for example the common use of multi- stage fraud by scammers, including the use of payments to cryptocurrency accounts as a step to defraud consumers) and the different risks these can present to consumers, when deciding whether to intervene. Taking these points into account, I need to decide whether Kroo acted fairly and reasonably in its dealings with Ms C. Should Kroo have recognised that Ms C was at risk of financial harm from fraud? Losses to cryptocurrency fraud reached record levels in 2022 and, by the end of that year, many high street banks had placed restrictions or additional friction on cryptocurrency purchases owing to the elevated fraud risk. So, by the time these payments were made, I think Kroo should have recognised that payments to cryptocurrency carried a higher risk of being associated with fraud. The bank appears to be suggesting it didn’t know these particular payments were going to cryptocurrency but I think it should have. A simple online search shows the sort code of the recipient account was for a processing bank but that the associated branch/office for the account was the cryptocurrency exchange. This information is freely available and was something Kroo should have been able to discover. This notwithstanding, I am aware of how Kroo accounts operate and are sometimes used by its customers and that many similar payment instructions it receives will be entirely legitimate. I’m also conscious this was a new account and there was no history of past activity against which these payments might have looked suspicious. Having considered what Kroo knew about payment 1 at the time, I’m not persuaded it ought to have been concerned about it. While the payment was going to cryptocurrency, the amount was very low. In the circumstances, I don’t think there were sufficient grounds for the bank to think Ms C was at risk of harm from fraud when she made this payment and I can’t reasonably say it was at fault for processing it in line with her instructions. Payment 2, however, was for a much larger amount. When Ms C opened her account earlier that month she said it would be used for day-to-say spending but a transfer of this size doesn’t appear consistent with that, particularly as it was going to cryptocurrency. This is the

-- 3 of 7 --

point at which I think Kroo should have identified she was at risk of harm from fraud and taken steps to intervene in the payment process. What did Kroo do to warn Ms C? Kroo has confirmed that it showed a warning to Ms C when she set up the new beneficiary. This warned that scammers might pretend to be from her bank or HMRC and ask her to move money to a safe account or offer online deals that are too good to be true. Kroo then says for each outbound payment Ms C would have been shown a further warning that she shouldn’t continue if she was making a purchase that sounded too good to be true, she was being pressured to make the payment, was suddenly asked for help on social media or being told to ignore warnings. What kind of warning should Kroo have provided? The warnings Kroo provided were generic and didn’t apply to Ms C’s situation, so I don’t find it surprising that they weren’t effective. Having thought carefully about the risks payment 2 presented, I think a proportionate response would have been a human intervention where Kroo contacted Ms C, most likely by telephone or through an online chat function, to find out more about the circumstances of the payment. And that this should then have been followed with relevant tailored warnings relating to the type of scam that was most likely taking place. If Kroo had intervened as I’ve described, would that have prevented the losses Ms C suffered from payment 2? Ms C needed to speak to her other bank about transfers to Kroo she tried to make after payment 5 and the record of her communications with the scammers shows she was advised on how she should answer the questions she was likely to be asked. But contrary to what Kroo has suggested, there’s no evidence to show she received similar coaching previously and this wouldn’t have been necessary earlier anyway as nobody had contacted her to question the payments she was making. Either way, the recordings of her conversations with the other bank show she didn’t follow the scammers’ advice on what to say and it appears to be the case that the call on 29 January was what led to her realising she’d ben scammed. If Kroo had asked Ms C relevant questions about payment 2, including for example its purpose, how she found out about the opportunity, whether anyone was assisting her, whether she’d given anyone access to her device, I’ve seen no reason to think she wouldn’t have provided honest answers that would have allowed Kroo to establish she may be falling victim to a cryptocurrency investment scam and provide relevant tailored warnings. Even if Ms C wouldn’t have been honest about the reason for the payment and the circumstances in which it was being made, I think the fact she was making a large payment to cryptocurrency should have allowed Kroo to identify that if a scam was taking place it was most likely to be one that involved a fake investment scheme. Either way, I would have expected Kroo to provide an appropriate tailored warning that set out some common features of investment scams. These could have included that fake investment schemes are often promoted online, have fake celebrity endorsements, operate professional-looking fake platforms, promise extremely high returns, and often require victims to pay fees to access their money. It’s impossible to know for sure what would have happened if Kroo had intervened in this way before payment 2 was allowed to leave her account. But, on balance, I think Ms C

-- 4 of 7 --

would have recognised many of these features in her own situation. While it’s clear she had trust in the scammers up to this point, I think it’s also likely that an appropriate warning would have opened her eyes to the scam and stopped her from wanting to go ahead with the payment. Her other bank was successful in stopping the scam when it spoke to her on 29 January and I’ve no reason to think a robust intervention from Kroo only two days earlier wouldn’t have had the same result. In reaching this conclusion, I’m conscious that Ms C was shown a generic warning with links to various articles by the cryptocurrency exchange. But as with the warnings she was shown by Kroo, these weren’t specific to her circumstances and I wouldn’t have expected them to resonate in the same way as a tailored warning following a human intervention. I also note that Kroo asked Ms C for information on 29 January but I don’t think it’s necessarily fair to say she didn’t respond and to see this as a reason not to uphold her complaint. This was also the day that she appears to have realised the scheme was a scam after speaking to her other bank and she contacted Kroo very shortly afterwards (on 3 February) to report this. I think it follows that if the scam had been uncovered at the point of payment 2, payments 3, 4 and 5 would also have been prevented. Is it fair and reasonable for Kroo to be held responsible for Ms C’s loss? I have taken into account that Ms C remained in control of her money after making the payments from Kroo and that it wasn’t lost until she took further steps. But I think Kroo should still have recognised she was at risk of harm from fraud, made further enquiries about payment 2 and ultimately prevented her loss from that point. I’m satisfied Kroo can fairly be held responsible for any loss in these circumstances. While I have considered all of the facts of the case, including the role of other financial institutions involved, Ms C has chosen not to pursue a complaint about any other firm and I can’t compel her to do so. And I don’t think it would be fair to reduce her compensation because she’s only complained about one firm, as I consider that Kroo should have prevented the loss. Should Ms C bear any responsibility for her losses? I’ve considered the evidence carefully to reach a conclusion on this point and, while I accept Ms C believed these payments were being made in connection with a legitimate investment opportunity, I’m not persuaded that belief was a reasonable one. I’m conscious that by the time she began making payments from her Kroo account, Ms C appears to have been being told she’d made extremely high returns on her initial investment and I think she should reasonably have questioned whether this was too good to be true. In addition, she was told payments 3 , 4 and 5 were costs she needed to pay to obtain those returns but there’s no indication she’d been told about costs to withdraw previously. In the circumstances, I think Ms C ought to have proceeded with great caution. If she’d carried out any further research, for example online searches, I think she’d have discovered her circumstances were similar to those commonly associated with investment fraud. Overall, I think it’s fair and reasonable for Kroo to make a 50% deduction from the redress payable. Recovery of funds Ms C isn’t due any refund under the industry’s reimbursement scheme for authorised push payment (APP) fraud as these payments were sent to another account in her own name.

-- 5 of 7 --

Further, she transferred funds to a legitimate cryptocurrency account from where the currency purchased was transferred to a wallet address of her choosing (albeit on the scammers’ instructions). Kroo could only try to recover funds from Ms C’s own account and it appears the money had already been moved on by the time it was told about the scam. If not, anything that was left would still have been available to her to access. In the circumstances, I don’t think anything that Kroo could have done differently would have led to these payments being successfully recovered. In conclusion For the reasons I’ve explained, I don’t think Kroo acted fairly and reasonably in its dealings with Ms C and I’m upholding this complaint in part. While I don’t think it acted incorrectly in processing payment 1 in line with her instructions, if it had carried out an appropriate intervention before payment 2 debited her account, I’m satisfied payments 2 to 5 would have been prevented. Putting things right The principal aim of any award I make must be to return Ms C to the position she’d now be in but for the errors or inappropriate actions of Kroo, while allowing for any responsibility she should reasonably bear. If Kroo had carried out an appropriate intervention as I’ve described, I’m satisfied the scam would have been stopped and Ms C would have retained the money that was lost from payment 2 onwards. As outlined above, I’ve applied a 50% deduction to the amounts to be refunded in recognition of her own contribution to the loss. I can also see that Ms C received money back that she understood to have been a profit or return from her investment. As she fell victim to a scam and her investment wasn’t genuine, I don’t think this money should be attributed to any specific payment. Instead, I think it should be deducted from the amount lost by apportioning it proportionately across all of the payments made to the scam. This ensures that these credits are fairly distributed. To put things right Kroo should pay Ms C compensation of E + F, where: • A = £20,180, representing the total of her payments to the scam from Kroo and her other bank; • B = £476.30, representing the amount returned to her; • C = £19,703.70, representing the total loss to the scam (A - B); • D = 97.64%, representing the proportion of A that was lost to the scam (C divided by A); • E = a refund of 48.82 % of each of payments 2 to 5, representing a 50% refund of the proportion of these payments that was lost to the scam; and • F = simple interest on each amount being refunded in E at 8% per year from the date of the corresponding payment to the date compensation is paid. Interest is intended to compensate Ms C for the period she]was unable to use this money. I’ve used the above rate as the complaint was referred to us before 1 January 2026. HM

-- 6 of 7 --

Revenue & Customs (HMRC) requires Kroo to deduct tax from any interest. It must provide Ms C with a certificate showing how much tax has been deducted if she asks for one. I’m satisfied this represents a fair and reasonable settlement of this complaint. My final decision My final decision is that I partly uphold this complaint. Subject to Ms C’s acceptance, Kroo Bank Ltd should now put things right as I’ve set out above. Under the rules of the Financial Ombudsman Service, I’m required to ask Ms C to accept or reject my decision before 20 May 2026. James Biles Ombudsman

-- 7 of 7 --