Financial Ombudsman Service decision

HSBC UK Bank · DRN-6236938

Unauthorised TransactionComplaint upheldRedress £100
Get your free defence insight →Email to a colleague
Get your free defence insight on the case against you →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr C complains that HSBC UK Bank Plc declined to refund him for unauthorised transfers on his account. He also complained about the service he had received from HSBC following the unauthorised transactions. What happened Mr C is represented throughout this complaint. For ease I’ll refer to all correspondence as coming from Mr C. Mr C has an account with HSBC. In August 2025, Mr C had his wallet stolen which contained his HSBC card. Within hours, he was alerted via a text from HSBC to potentially fraudulent activity on his account. Mr C says he checked his account and he didn’t recognise several transactions and immediately reported this to HSBC and the police. HSBC looked into the transactions and refunded Mr C for several card payments that had been made using his stolen card. However, HSBC said they wouldn’t refund Mr C for four faster payment transfers totalling £2,800. They said this because the payments were made using the same device as genuine transactions on the account and they couldn’t identify how a fraudster would have been able to make these transfers without Mr C’s knowledge. Mr C complained to HSBC about this decision but HSBC thought they’d acted fairly in declining the claim. So, Mr C brought his complaint to our service. One of our Investigators reviewed Mr C’s complaint. They thought HSBC were fair in declining the fraud claim. They said this because the transfers were made from Mr C’s mobile banking which was accessed via Face ID on the same device as many genuine transactions. Mr C confirms his mobile phone was with him throughout the relevant period. So, they didn’t think it was plausible for someone else to have completed the transactions without Mr C’s knowledge. Regarding the customer service, our Investigator thought HSBC had acted fairly in freezing Mr C’s online banking after the fraudulent activity. Although there were several calls and attempted call backs between Mr C and HSBC to sort out his access, our Investigator advised Mr C how to regain access and didn’t ask HSBC to do anything further. Similarly, although Mr C said he didn’t receive any of the letters HSBC sent in relation to these matters, HSBC could evidence they had sent them. However, our Investigator did think there was more HSBC could have done with regards to their general customer service. They noted that Mr C was given contradictory information on a number of occasions causing frustration and confusion. They said they thought HSBC should pay Mr C £100 as a fair way of resolving this part of the complaint. HSBC accepted our Investigator’s view. But, Mr C didn’t. In summary, he said: • The current evidence conflates authentication and authorisation and he maintains he didn’t “willingly or knowingly” consent to the transactions. • HSBC hasn’t met the burden of proof to prove consent because they haven’t established who made the payment. He feels the absence of explanation as to how

-- 1 of 3 --

Face ID was used isn’t evidence that third-party interference didn’t occur. • He promptly reported the fraud and HSBC’s own systems flagged the fraud to him. • £100 was too low to cover the “appalling customer service” which has severely impacted his mental health. He thinks £500 is more reasonable. As Mr C disagreed, the complaint has been passed to me to consider. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. I know this will disappoint Mr C, but I will only be asking HSBC to pay him £100 in relation to the customer service element of his complaint. I won’t be asking them to do anything further regarding the declined fraud claim, and I’ll explain why below. Disputed transactions Generally, a bank is entitled to hold a consumer liable for authorised transactions, and the bank is liable for unauthorised transactions. Those rules are set out in the PSRs 2017. The regulations say that HSBC must prove that the payment transactions were authenticated. I note Mr C’s comment that authentication and authorisation have been confused. But, I’m afraid I disagree. To be clear, under the relevant regulations, authentication is the procedure used to ensure the person making the payment is either the genuine customer or someone acting on their behalf. In this case, I’ve seen evidence of authentication in the online banking audit logs that show the device that was used to make the disputed transfers was used for genuine transactions before. For example, on 10 August 2025, Mr C paid two new payees £250 using the same device and user ID. So I’m satisfied the transactions were properly authenticated. However, this alone isn’t sufficient to say Mr C authorised these transfers. I need to also consider if he consented to them on the balance of probabilities. When considering whether Mr C consented to the transactions, I’ve thought about what a third party would need to do to complete the payments without Mr C’s knowledge or involvement. These transfers were completed using Mr C’s online banking. So a third party would have needed Mr C’s mobile banking credentials to log in or access to Mr C’s device. But, Mr C says he hasn’t shared his security credentials and his device was with him the entire evening. So I’ve considered whether the details could be guessed or intercepted and I’m afraid I don’t think that’s the most likely scenario. There are thousands of possible combinations making it impossible to guess. And, this same device has been able to access Mr C’s accounts since January 2025. So, it’s unlikely that an unknown third party has had access for eight months before making a fraudulent transaction. This is supported by the fact the same user made genuine transactions in that period. Moreover, the evidence shows that the new payees for the disputed transactions were added during a session where biometric data had been used to access the account. Given biometric data is generally accepted as being unique to an individual, I’m not persuaded this could have been completed without Mr C’s knowledge or involvement. Mr C has suggested that the compromise to his online banking may have happened when he used a public WiFi network on the evening his wallet was stolen. While I understand Mr C’s concerns, this still wouldn’t explain how Face ID was used to access the account before the transactions were made or that a registered device was used.

-- 2 of 3 --

I acknowledge Mr C’s comments regarding the burden of proof and establishing who exactly made the payments. But, that isn’t the test here. There can’t always be certainty about what took place, and when that occurs, I take my decision according to what’s most likely to have happened, taking into account all the circumstances of the case. Overall, I’m satisfied it was fair for HSBC to hold Mr C liable for the disputed transactions and I won’t be asking them to do anything further in respect of this part of the complaint. Customer service issues In summary, I’ve seen evidence that there were multiple calls following Mr C reporting the fraudulent activity on his account. Many of these ended in Mr C being transferred and cut off. I acknowledge this is incredibly frustrating as a customer, especially when you’re trying to access your own account facilities. However, the evidence also shows HSBC did attempt to call Mr C back, which is what I’d expect, but the calls were unsuccessful. HSBC gave the right advice about registering a device for online banking, but I understand Mr C continued to have issues with registering. Mr C says he didn’t receive postal correspondence from HSBC. But, I’ve seen evidence to show letters were sent to him. While I accept Mr C didn’t receive these, I’m satisfied HSBC did send them and can’t fairly be held accountable for the postal service. Finally, I’m satisfied HSBC agents did give Mr C incorrect or misleading information during some calls which led to him being unable to use his card to pay for shopping. I understand this is deeply frustrating and is not what I’d expect of HSBC’s customer service. Putting things right I’ve considered Mr C’s representation that £100 is insufficient to compensate him for the severe impact the customer service has had on his mental health. I’m very sorry to hear Mr C has experienced personal difficulties and I don’t wish to downplay how frustrating his contact with HSBC has been. But, having thought about what HSBC did (or didn’t do) here, and consulted our trouble and upset guidelines, I’m satisfied that £100 is fair compensation for the impact caused to him. My final decision My final decision is that I partially uphold this complaint. And I direct HSBC Bank UK Plc to: • Pay Mr C £100 in compensation. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr C to accept or reject my decision before 25 May 2026. Cheryl Dior Ombudsman

-- 3 of 3 --