Financial Ombudsman Service decision

Barclays Bank UK PLC · DRN-6256148

Authorised Push Payment (APP) Scam · Complaint upheld · Redress £16,200 · Decided 6 March 2026

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint

Mrs K complains that Barclays Bank UK PLC won’t refund the money she lost when she was the victim of a scam.

What happened

In October 2024, Mrs K was contacted by a company who told her it could recover money she had lost when she had previously invested in cryptocurrency. It said it could see there was a significant balance in her account which it could return to her if she paid an amount up front. And as she had seen the company advertised on social media and after checking their website, Mrs K agreed.

Mrs K then made a number of payments from her Barclays account to the recovery company, firstly to show liquidity and then for further fees and taxes the company said were necessary. The payments were sent to an account in her name with a cryptocurrency exchange the recovery company suggested she set up, before then being sent on to the company from there.

I’ve set out the payments made from Mrs K’s Barclays account below:

| Date | Amount |
| --- | --- |
| 20 November 2024 | £3,000 |
| 26 November 2024 | £5,200 |
| 27 November 2024 | £8,000 |

Unfortunately, we now know the recovery company was a scam. The scam was uncovered after the company kept asking Mrs K to pay larger amounts to receive the money it said it could recover. Mrs K then realised she had been the victim of a scam and reported the payments she had made to Barclays.

Barclays investigated but said the losses occurred outside of its control, as they were made to another account in Mrs K’s name before being sent to the recovery company. So it didn’t agree to refund any of the money she had lost. Mrs K wasn’t satisfied with Barclays’ response, so referred a complaint to our service.

I sent Mrs K and Barclays a provisional decision on 6 March 2026, setting out why I was intending to uphold the complaint in part. That provisional decision forms part of this final decision, and is set out below:

“Should Barclays have been on the look-out for the possibility of APP fraud?

In deciding what’s fair and reasonable, as set out at DISP 3.6.4R, I’m required to take into account relevant law and regulations; regulators’ rules, guidance and standards; codes of practice; and, where appropriate, what I consider to have been good industry practice at the time.

Barclays says that, if Mrs K brought this complaint in the courts, it would not be liable for the losses suffered. However, as outlined above, our service takes into account other relevant considerations in addition to relevant law. I’ve explained later what this means for my decision on this complaint.

The starting point under the relevant regulations (in this case, the Payment Services Regulations 2017) and the terms of Mrs K’s account is that customers are responsible for payments they authorised. And, as the Supreme Court has recently reiterated in the case of Philipp v Barclays Bank UK PLC, banks generally have a contractual duty to make payments in compliance with their customer’s instructions.

In that case, the Supreme Court considered the nature and extent of the contractual duties owed by banks when making payments. Among other things, it said, in summary:

• The starting position is that it is an implied term of any current account contract that, where a customer has authorised and instructed a bank to make a payment, the bank must carry out the instruction promptly. It is not for the bank to concern itself with the wisdom or risk of its customer’s payment decisions.
• The express terms of the current account contract may modify or alter that position. For example, in Philipp, the contract permitted Barclays not to follow its customer’s instructions where it reasonably believed the payment instruction was the result of APP fraud; but the court said having the right to decline to carry out an instruction was not the same as being under a duty to do so.

In this complaint, the terms of Barclays’ contract with Mrs K modified the starting position described in Philipp by expressly stating that Barclays was permitted to not follow a payment instruction in certain circumstances. In respect of this, the terms and conditions said:

“When we don’t have to follow your instructions

We’ll do all we can to carry out your instructions. However, we don’t have to follow an instruction for any of these reasons.

…

• We reasonably believe it might expose us (or another Barclays company) to legal action or censure from any government, regulator or law enforcement agency.
• We reasonably think that a payment into or out of an account is connected to a fraud, scam or any other criminal activity. This includes where we reasonably think the funds are being obtained through deception.

…

While we are checking that none of the reasons above apply, there may be a delay in getting the payment to its destination. This might happen even if everything turns out to be fine…

Unless the law prevents us, we’ll try to contact you as quickly as possible to tell you we haven’t followed an instruction and to explain why. You can also ask us why we haven’t followed your instruction. We’ll tell you what you can do to correct any errors in the instruction, or to satisfy us that the instruction came from you.”

So the starting position at law was that:

• Barclays was under an implied duty at law to make payments promptly.
• It had a contractual right not to make payments where it suspected fraud.
• It had a contractual right to delay payments to make enquiries where it suspected fraud.
• It could therefore refuse payments, or make enquiries, where it suspected fraud, but it was not under a contractual duty to do either of those things.

Whilst the current account terms did not oblige Barclays to make fraud checks, I do not consider any of these things (including the implied basic legal duty to make payments promptly) precluded Barclays from making fraud checks before making a payment.

As explained above, in addition to relevant law, I also take into account regulators' rules, guidance and standards, codes of practice, and what I consider to have been good industry practice at the relevant time.

Taking into account longstanding regulatory expectations and requirements and what I consider to have been good industry practice at the time, I am satisfied that Barclays should have been on the look-out for the possibility of APP fraud and have taken additional steps or made additional checks, before processing payments in some circumstances – as in practice all banks, including Barclays, do.

This is because of the following:

• FCA regulated banks are required to conduct their “business with due skill, care and diligence” (FCA Principle for Businesses 2) and to “pay due regard to the interests of its customers” (Principle 6).
• Banks have a longstanding regulatory duty “to take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime” (SYSC 3.2.6R of the Financial Conduct Authority Handbook, which has applied since 2001).
• Over the years, the FSA, and its successor the FCA, have published a series of publications setting out non-exhaustive examples of good and poor practice found when reviewing measures taken by banks to counter financial crime, including various iterations of the “Financial crime: a guide for firms”.[1]
• Regulated banks are required to comply with legal and regulatory anti-money laundering and countering the financing of terrorism requirements. Those requirements include maintaining proportionate and risk-sensitive policies and procedures to identify, assess and manage money laundering risk – for example through customer due-diligence measures and the ongoing monitoring of the business relationship (including through the scrutiny of transactions undertaken throughout the course of the relationship).
• The October 2017 BSI Code, which a number of banks and trade associations were involved in the development of, recommended firms look to identify and help prevent transactions – particularly unusual or out of character transactions – that could involve fraud or be the result of a scam. Not all firms signed the BSI Code, but in my view the standards and expectations it referred to represented a fair articulation of what was, in my opinion, already good industry practice in October 2017 particularly around fraud prevention, and it remains a starting point for what I consider to be the minimum standards of good industry practice now.
• Barclays is also a signatory of the CRM code. This sets out both standards for firms and situations where signatory firms will reimburse consumers. The CRM code does not cover all authorised push payments (APP) in every set of circumstances (and it does not apply to the circumstances of these payments), but I consider the standards for firms around the identification of transactions presenting additional scam risks and the provision of effective warnings to consumers when that is the case, represent a fair articulation of what I consider to be good industry practice generally for payment service providers carrying out any APP transactions.

[1] For example, both the FSA’s Financial Crime Guide at 4.2.5G and the FCA’s 2015 “Financial crime: a guide for firms” gave examples of good practice in relation to investment fraud saying: “A bank regularly assesses the risk to itself and its customers of losses from fraud, including investment fraud, in accordance with their established risk management framework. The risk assessment does not only cover situations where the bank could cover losses, but also where customers could lose and not be reimbursed by the bank. Resource allocation and mitigation measures are informed by this assessment. A bank contacts customers if it suspects a payment is being made to an investment fraudster. A bank has transaction monitoring rules designed to detect specific types of investment fraud. Investment fraud subject matter experts help set these rules.”

Overall, taking into account the law, regulators’ rules and guidance, relevant codes of practice and what I consider to have been good industry practice at the time, I consider Barclays should:

• Have been monitoring accounts and any payments made or received to counter various risks, including anti-money laundering, countering the financing of terrorism, and preventing fraud and scams.
• Have had systems in place to look out for unusual transactions or other signs that might indicate that its customers were at risk of fraud (among other things). This is particularly so given the increase in sophisticated fraud and scams in recent years, which banks are generally more familiar with than the average customer.
• In some circumstances, irrespective of the payment channel used, have taken additional steps, or made additional checks, or provided additional warnings, before processing a payment – as in practice all banks do.
• Have been mindful of – among other things – common scam scenarios, the evolving fraud landscape (including for example the use of multi-stage fraud by scammers and the use of payments to cryptocurrency accounts as a step to defraud customers) and the different risks these can present to consumers, when deciding whether to intervene.

Should Barclays have recognised Mrs K was at risk of financial harm from fraud?

As I have explained above, I think Barclays ought to have been on the look out for unusual and out of character transactions on Mrs K’s account, such that it could identify payments which may be at risk of fraud or financial harm.

I am mindful that Barclays did not have the same detailed information available to me now at the time they received Mrs K’s payment instructions. So, I have considered the steps Barclays ought to have taken with only the more limited information it had.

The first payment Mrs K made here, for £3,000 on 20 November 2024, was for what I consider to be a significant amount, and for an amount much larger than any other payments made out of her account in the months prior to the scam. It used up a significant proportion of the available balance in her account. And it was identifiably related to cryptocurrency which, around this time, I think Barclays ought to have recognised meant it carried an elevated risk of being related to a scam.

This payment was also made less than a week after Mrs K had tried to make another payment of the same amount to the same payee, which Barclays had identified as potentially relating to a scam. It had twice spoken to Mrs K over the phone about this attempted payment, suggested she use a regular bank account for her money instead as she wasn’t investing or purchasing cryptocurrency – which Mrs K appeared to accept – and then cancelled the payment. So, given the suspicions it had and the information it was given by Mrs K in these calls, I think Mrs K then attempting to make a payment for the same amount to the same payee should also have appeared suspicious to Barclays.

And so, taking all this information it had about the payment into account, I’m satisfied Barclays ought to have recognised that Mrs K was at heightened risk of financial harm from fraud when she tried to make the first payment here, of £3,000 on 20 November 2024.

I’m conscious Barclays would have been aware that the payments Mrs K was making here were to an account in her own name with the cryptocurrency exchange, and that this may have made the risk associated with them seem smaller. But I think Barclays should also have been mindful of the potential risk to Mrs K of ‘multi-stage’ fraud – whereby victims are instructed to move funds through one or more legitimate accounts held in the customer’s own name, before then being moved on to a fraudster. This is often done to make certain payments seem more legitimate and circumvent security measures banks have put in place. And the use of and risks to consumers of multi-stage fraud were well known to banks in November 2024.

Barclays has also highlighted several payments Mrs K made out of her account in August 2024 for larger amounts than the payments she made here, which it says shows the scam payments weren’t out of character or unusual for her. But these earlier payments were all made to the same payee Mrs K had made a number of payments to previously, rather than to a new payee she’d not made a payment to before as the scam payments were. And they were all made on the same day, and are the only time Mrs K has made payments for what I consider to be a similar amount to the amounts of the scam payments in the seven months before them.
So I think these payments Barclays has highlighted were a one-off and don’t represent typical behaviour on Mrs K’s account, to the point where the scam payments were no longer unusual.

So considering all of this, I’m still satisfied Barclays ought to have recognised Mrs K was at an enhanced scam risk here.

What did Barclays do to protect Mrs K?

Barclays didn’t intervene when Mrs K made the first payment here, of £3,000 on 20 November 2024.

Barclays says it did intervene when Mrs K tried to make the third payment here, for £8,000 on 27 November 2024, and spoke to her over the phone about the payment. But it hasn’t been able to send us a recording of this call. And its record of the call just notes that she was paying her own external account and the payment was released. So I can’t see that Barclays went far enough in this call to address the risk I think it should have identified.

I also don’t think the earlier phone calls Barclays carried out with Mrs K before the first payment here ought to have given it sufficient reassurance about what was happening that it wasn’t necessary for it to intervene again when she tried to make these later payments.

In these calls, Barclays asked Mrs K what the payment was for and she replied that she was moving money to another of her accounts as part of her property business. Barclays explained that the payment was going to a cryptocurrency exchange and suggested that, if Mrs K wasn’t investing or using cryptocurrency, she would be better off using a regular bank account for her business.

But I don’t think Barclays did enough to try to understand the circumstances surrounding the payments Mrs K was trying to make or the risk she was exposed to during these calls. And, as I explained above, if Barclays felt it had done enough to address the risk because Mrs K had said she wasn’t investing and suggested she would use a regular bank account instead, then I think it should have become concerned again when she tried to make a payment for the same amount to the same payee less than a week later.

So I don’t think any of the interventions Barclays carried out around the time of these payments were a proportionate response to the risk I think it should have identified here.

What should Barclays have done to protect Mrs K?

I’ve thought carefully about what a proportionate response in light of the risk presented would be in these circumstances. In doing so, I’ve taken into account that many payments that look very similar to this one will be entirely genuine. I’ve given due consideration to Barclays’ duty to make payments promptly, as well as what I consider to have been good industry practice at the time this payment was made.

Taking that into account, as well as what I consider to be fair and reasonable, when Mrs K tried to make the first payment here for £3,000 on 20 November 2024, I think Barclays ought to have made further enquiries to attempt to establish the circumstances surrounding the payment before allowing it to debit her account. And I think it should have done this by carrying out some kind of human intervention with her, either via a live chat or over the phone, to discuss the payment further and ask more probing questions about the circumstances surrounding it.

If Barclays had made further enquiries before the payment, would that have prevented the losses Mrs K incurred after that point?

I’ve thought carefully about whether an intervention to attempt to establish the circumstances surrounding this payment would have likely prevented any further loss in this case. And on the balance of probabilities, I think it would have.

I appreciate that in the intervention calls it had with her before this payment was made, Mrs K wasn’t honest with Barclays.
She said she’d opened the account she was sending the money to as part of a property business she was trying to run, and that she was receiving training to help her with this property business. And she said she had just opened the account as a personal account, it wasn’t connected to an investment, and no-one had helped her open it.

But she appears to have struggled when asked to provide any more detail than this. And when Barclays explained that the account the money was going to was held with a cryptocurrency exchange, Mrs K couldn’t explain why this was and suggested that she would send the money to a regular bank account instead.

So if Barclays had asked more probing questions about the circumstances surrounding the payment, I don’t think Mrs K would have been able to provide any further details on what she was doing and I don’t think the answers she gave would have been particularly convincing or should have satisfied Barclays that the risk it had identified wasn’t a concern. I also don’t think Mrs K would have been able to plausibly explain why she was again trying to send money to the same cryptocurrency exchange Barclays had previously highlighted to her, and that she had then suggested she wouldn’t use.

I also don’t think the explanations Barclays gave Mrs K in these calls about the reasons for its concerns and the questions it was asking were clear enough. Had it more clearly explained what a cryptocurrency or investment scam can look and feel like or that, if she was being told to mislead it in any way about what was happening, then she was likely the victim of a scam, I think it’s possible this could have broken the spell of the scam. And Mrs K may then have answered its questions more honestly.

And so, if Barclays had carried out a more proportionate intervention with Mrs K here, I think it would either have persuaded her to answer its questions more honestly, and so found out she was making the payments in an effort to recover money she had lost when she had previously invested in cryptocurrency. Or I think it would have had significant concerns about the information she was giving it, to the point where I don’t think it should have been satisfied with the information it was given and so should still have had significant concerns that she could be at risk of financial harm.

Barclays should then have explained its concerns to Mrs K and provided her with a warning about the features of common cryptocurrency investment scams, such as third-party companies controlling accounts, companies advertised on social media, high returns following an initial low investment and being asked to make payments to receive the profits you have supposedly made.

Mrs K appears to have taken at least some notice of the warnings Barclays gave her in the calls before this payment, as she allowed the payment to be cancelled and didn’t try to force Barclays to make it. I’m also conscious that she realised she had been the victim of a scam herself, when the recovery company later asked for further payments, so she was not irretrievably under the spell of the scammers or unwilling to consider that this might be a scam. And as several of the features I think Barclays should have warned her about were present in the circumstances of her payments, I think it’s likely a warning highlighting these features would have resonated with Mrs K and she would then have re-considered her circumstances and not made any further payments to the recovery company.
Therefore, on the balance of probabilities, had Barclays carried out a more probing intervention and provided Mrs K with an impactful warning that gave details about investment scams and how she could protect herself from the risk of fraud when she made the first payment here of £3,000 on 20 November 2024 – as I think it should have done – I don’t think Mrs K would have made any further payments or suffered any further losses from this point on.

Is it fair and reasonable for Barclays to be held responsible for some of Mrs K’s loss?

In reaching my decision about what is fair and reasonable, I have taken into account that Mrs K initially transferred money from her Barclays account to an account in her own name with the cryptocurrency exchange, rather than directly to the fraudster. So she remained in control of her money after the money left her Barclays account, and there were further steps before the money was lost to the scammer.

But as I’ve set out in detail above, I think that Barclays still should have recognised that Mrs K might have been at risk of financial harm from fraud when she made the payment of £3,000 on 20 November 2024, and in those circumstances it should have made further enquiries about the circumstances surrounding the payment. If it had taken those steps, I’m satisfied it would have prevented the losses Mrs K suffered. The fact that the money used to fund the scam wasn’t lost at the point it was transferred to Mrs K’s own account with the cryptocurrency exchange does not alter that fact and I think Barclays can fairly be held responsible for Mrs K’s loss in such circumstances.

Barclays has said that Mrs K would not be entitled to compensation under either the Lending Standards Board’s Contingent Reimbursement Model (the CRM code) or the Faster Payment Scheme (FPS) mandatory reimbursement rules. And I agree that neither of those sets of rules apply to Mrs K’s complaint. The CRM code was no longer in force when the payments were made. And the payments are not covered by the FPS mandatory reimbursement rules, as they went to an account in her own name.

But the Payment Systems Regulator, when it introduced the FPS mandatory reimbursement rules, reminded firms that fraud victims have a right to make complaints and refer them to the Financial Ombudsman Service separately from the new reimbursement rights and that APP scam victims will still be able to bring complaints where they believe that the conduct of a firm has caused their loss (in addition to any claim under the reimbursement rules). So it is not correct to suggest, as Barclays appears to do, that the PSR’s mandatory reimbursement scheme represents the only refund requirements so far as fraud and scam reimbursement is concerned.

I’ve also considered that Mrs K has only complained against Barclays here. I accept that it’s possible that other firms might also have missed the opportunity to intervene or failed to act fairly and reasonably in some other way, and Mrs K could instead, or in addition, have sought to complain against those firms. But Mrs K has not chosen to do that and ultimately, I cannot compel her to. In those circumstances, I can only make an award against Barclays.

I’m also not persuaded it would be fair to reduce a consumer’s compensation in circumstances where: the consumer has only complained about one respondent from which they are entitled to recover their losses in full; has not complained against the other firm (and so is unlikely to recover any amounts apportioned to that firm); and where it is appropriate to hold a business such as Barclays responsible (that could have prevented the loss and is responsible for failing to do so). That isn't, to my mind, wrong in law or irrational but reflects the facts of the case and my view of the fair and reasonable position.
Ultimately, I must consider the complaint that has been referred to me (not those which haven’t been or couldn’t be referred to me) and for the reasons I have set out above, I am satisfied that it would be fair to hold Barclays responsible for Mrs K’s loss from the payment of 20 November 2024 onwards (subject to a deduction for consumer’s own contribution which I will consider below).

Should Mrs K bear any responsibility for her loss?

Barclays has argued that Mrs K should have done more to protect herself here by doing a greater level of due diligence on the recovery company before making the payments. And I’ve considered whether it would be fair for Mrs K to bear some responsibility for her loss.

In considering this, I’ve taken into account what the law says about contributory negligence as well as what’s fair and reasonable in the circumstances of this complaint.

I appreciate that she has been the victim of a cruel scam, and was sent a number of documents by the recovery company as evidence of the funds she needed to pay. But I also think there were a number of things about what was happening and what Mrs K was told that should have caused her significant concern here.

Mrs K appears to have been contacted unexpectedly by the recovery company, without having reached out to it beforehand. But I wouldn’t expect a legitimate company to contact potential clients in this way, so I think being contacted in this way should have caused Mrs K concern.

She also says the company told her the previous investment she had made was now worth £35,000. But she’s also said she only invested £800 and was told the balance of her investment was £1,300 when it was lost. So I think being told her investment had increased so significantly, without any input from her, should have caused her significant concern that what she was being told was too good to be true.

Mrs K was also told she had to pay £3,000 before her investment could be returned to her. And, after she paid this, she was then told she had to make further payments of £5,200 and £8,000 which she hadn’t previously been told about. And I think being asked to pay such a large amount before she could receive her investment, and then asked to pay even larger amounts unexpectedly, should also have caused her significant concern about what she was being told.

I sympathise with the position Mrs K has found herself in and recognise that she has been the victim of a cruel scam. But I think there were a number of things here which should have caused her significant concern, particularly when taken all together. And I don’t think she did enough to satisfy those concerns or that the seemingly genuine parts of the scam should have been enough to overcome them. So I think it would be fair and reasonable for her to bear some responsibility for the loss she suffered.

Redress

For the reasons set out above, I think Barclays should have identified that Mrs K was at risk of financial harm from fraud as a result of the first payment she made here, of £3,000 on 20 November 2024. And I think the action I would have expected it to take in response to this risk would have prevented Mrs K making any further payments, and so losing the money she did from that point on.

I also think it would be fair for Mrs K to bear some responsibility for the money she lost. I think it would be fair for Mrs K and Barclays to bear equal responsibility for what happened, and so Barclays should now refund 50% of the money Mrs K lost as a result of this scam.”

I said I’d consider anything further Mrs K and Barclays sent in following the provisional decision, provided it was received by the deadline given.
What I’ve decided – and why

I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint.

Barclays responded to the provisional decision, agreeing to the recommendations set out in it.

Mrs K replied questioning why, if Barclays knew a scam was happening, it didn’t stop the payments completely. She said she wasn’t aware of fraud, and banks shouldn’t rely on customers to stop payments.

And I agree that Barclays should have prevented her loss here. I said in the provisional decision that I felt Barclays should have done more and that, if it had done what I would have expected, I think her losses would have been prevented.

But, in addition to considering whether Barclays did enough to protect her, I also think it is fair to consider whether Mrs K should bear any responsibility for her loss. And, for the reasons I set out in the provisional decision, I think it would be fair for her to do so. In the circumstances of this complaint, I don’t think it would be fair to hold Barclays fully responsible for her loss.

So I still think the conclusions I set out in the provisional decision are correct, and for the same reasons. I still think it would be fair for Mrs K and Barclays to bear equal responsibility for the loss she suffered as a result of this scam. And so I still think Barclays should refund her 50% of the money she lost.

My final decision

For the reasons set out above, I uphold this complaint and require Barclays Bank UK PLC to:

• Refund Mrs K 50% of the money she lost as a result of this scam – totalling £8,100
• Pay Mrs K simple interest at 8% per year on this refund, from the date the payments were made until the date of settlement

Under the rules of the Financial Ombudsman Service, I’m required to ask Mrs K to accept or reject my decision before 24 April 2026.

Alan Millward
Ombudsman
