Financial Ombudsman Service decision

Modulr FS Limited · DRN-6013914

Unauthorised Transaction · Complaint not upheld

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint

Miss H complains that Modulr FS Limited (‘Modulr’) declined to reimburse payments which were debited from her account which she says she did not make or otherwise authorise.

What happened

The circumstances of this complaint are well known to both parties, so I will not go into every detail of what happened here. But in summary, Miss H said she noticed a series of transactions on her account which she did not make or otherwise authorise. She reported this to Modulr, but it declined to reimburse her on the basis that it said the evidence suggested that there was no evidence of fraudulent activity on her account.

Miss H remained dissatisfied, so she escalated her concerns to our service where one of our investigators looked into what had happened. They did not recommend that her complaint should be upheld, because their review of the evidence led them to believe that it was most likely that the transactions were made or otherwise authorised by Miss H. Miss H did not agree, so the case has been passed to me to decide.

What I’ve decided – and why

I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I have reached the same overall conclusion as our investigator, and for broadly the same reasons. I will explain why.

I think it’s important to explain I’ve considered all of the information provided by both parties in reaching my decision. If I’ve not reflected or answered something that’s been said it’s not because I didn’t see it, it’s because I didn’t deem it relevant to the crux of the complaint. This isn’t intended as a discourtesy to either party, but merely to reflect my informal role in deciding what a fair and reasonable outcome is.

The regulations relevant to this case - the Payment Services Regulations 2017 (PSRs) – set out what is needed for a payment to be authorised and who has liability for disputed payments in different situations.
The starting point is that Miss H would be responsible for authorised payments, and Modulr would be responsible for unauthorised ones. The PSRs specify that authorisation depends on whether the payment transactions were authenticated correctly – and whether Miss H consented to them. So, the relevant finding for me to make here is whether I think it is more likely than not that Miss H made or otherwise consented to the payments in dispute.

I have carefully considered this matter, and based on the evidence available to me I think it is more likely than not that Miss H made or otherwise authorised the transactions. This is because, in summary:

• Miss H said that she only had one phone during the period of the disputed transactions. The technical evidence shows that there were two devices used to access her account – a Samsung and an iPhone. Miss H said she only used an iPhone, though the Samsung was the first device used to access Miss H’s account. Its description also includes her first name. It shares an IP address with the iPhone, which means they were most likely in the same location. Furthermore, to add a new device a text message with a code is sent to the registered phone number for the account, and Miss H has said no one had access to her phone to gain this code without her consent. So, it seems most likely that Miss H had access to both of the phones.
• Modulr have provided technical evidence which shows that the payments were a combination of card transactions and Apple Pay transactions. The former would require her long card number, card holder name and CVV. Miss H has not been able to provide any plausible explanation as to how these details could have been compromised, such that an unknown third party would have been able to make the payments without her permission.
• Miss H suggested that her card details were compromised because she ordered a sofa on an international website that never arrived. But this seems highly improbable, due to the fact the sofa was not ordered until after much of the disputed activity had already taken place. So, I think it is more likely than not that Miss H completed the card payments.
• The Apple Pay payments would require access to a registered device with an Apple token. Modulr have provided evidence that to set up the Apple Pay token, a one-time passcode (‘OTP’) was sent to Miss H’s registered number. The only number added to the account in the relevant period is the phone number Miss H gave to our service – so it does not appear an unknown third party added their phone number to her account. Miss H has been clear that no one had access to her device or knows the password for it. So, it is unclear how an unknown third party could have set up Apple Pay without her knowledge. It was added to one of the registered devices, so it seems most likely that the Apple Pay transactions took place on Miss H’s device, which as I outlined above she said no one else had access to. And so it follows that it is most likely that Miss H made the Apple Pay transactions.
• Modulr have shown that the disputed payments were further authenticated using 3D Secure (‘3DS’). In some cases this required someone to open the app to approve payments, and at another time it required the payer to enter an OTP which was sent to Miss H’s registered phone number. I do not see how an unknown third party could have completed these actions. So, it seems most likely that Miss H completed the 3DS authentication of the relevant payments.
• The technical evidence shows a pattern of actions around the time of disputed transactions. This involved someone using both of the registered devices to block the card after disputed transactions, and unblocking it again before disputed transactions were made. Miss H said she did not share her password with anyone, and has not suggested that her passwords were recorded anywhere that someone could access. So, I cannot see that someone other than Miss H could have been accessing her app. Furthermore, an unknown third party would have had to have access to both of the registered devices and be able to get into them – and Miss H said that no one had access to her phone or passcode. So, it seems most likely that it was Miss H logging into her app during the period of the disputed transactions.
• As I think it is most likely that Miss H was the one accessing her app, it would seem unusual that she did not keep the card blocked or report the disputed transactions earlier if she did not make them, or was otherwise aware of them.


• Miss H also suggested that she lent a friend an old phone at the time of the disputed transactions, but that she had completely wiped the device beforehand. This does not seem to be a likely point of compromise for Miss H’s Modulr account, as a wiped device would not give access to Miss H’s accounts or information. Further to this, the model of phone she says she gave the friend does not appear in the technical data as a device used to access her account.
• Along with the disputed payments out to gambling sites, there are corresponding credits from some of those gambling companies – and not for insubstantial amounts of money. It would seem highly unusual that an unknown third party with unfettered access to Miss H’s account would use it to gamble, given that the rewards for the successful bets were credited back to Miss H’s account. Miss H said that she does not gamble, but our service has seen evidence of gambling on another of Miss H’s accounts. It does not seem the most likely scenario that an unknown third party would have completed gambling transactions here.
• Further to this, gambling sites tend to require accounts to be set up in the same name as the payment method – and we have confirmed this is the case for gambling sites which disputed transactions went to from Miss H’s account. They require ID verification to set up these accounts. Miss H said she had a photo of her ID on her phone, but had lost the physical ID in a house move. It seems unlikely that someone was able to access her ID along with her devices, passwords and card details. So it would seem difficult for an unknown third party to have set up gambling accounts in her name to undertake the disputed transactions.
• Whilst there is no singular way fraud happens, the disputed activity on Miss H’s account does not line up with what I would expect an unknown third party with complete access to her account to undertake. I say this not just because of the gambling activity, but because the spend takes place over several months. This would unnecessarily increase the risk of Miss H discovering the disputed activity and blocking the card or the account.

So, considering all of this, I think it is most likely that the disputed transactions were made or otherwise authorised by Miss H – and so it follows that she is liable for these transactions, and Modulr do not need to refund them.

My final decision

I do not uphold this complaint and require Modulr FS Limited to do nothing further.

Under the rules of the Financial Ombudsman Service, I’m required to ask Miss H to accept or reject my decision before 22 May 2026.

Katherine Jones
Ombudsman
