Financial Ombudsman Service decision

Barclays Bank UK PLC · DRN-6258620

Authorised Push Payment (APP) ScamComplaint not upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr K complains that Barclays Bank UK PLC won’t refund to him the money he lost to a scam. What happened On 13 March 2026 I issued my provisional decision on this complaint. I wanted to give both parties a chance to provide any further evidence or arguments before I issued my final decision. That provisional decision forms part of this final decision and is copied below. What happened In June 2025 Mr K says he was contacted on a social media platform with the offer of making money on the foreign exchange market. He understood he’d make profits, less a deduction for commission. Sadly, this scheme turned out to be a scam. Mr K says a cryptocurrency wallet was opened in his name, with a well known cryptocurrency platform I’ll refer to as B. The scammers sent him a link to sign a ‘Know Your Customer’ (KYC) document and told him the crypto currency wouldn’t be released to him unless he signed the document. Mr K says he followed the scammers’ instructions to make two faster payment transfers of £1,100 and £2,200 on consecutive days from his account with Barclays to a company I’ll refer to as Y. He says the scammers told him ‘coins’ would be transferred to his crypto wallet but they then blocked him and deleted the social messaging account. Mr K realised he’d been scammed and contacted Barclays. He said he never had access to the crypto wallet and asked Barclays to refund him the £3,300 he’d paid to the scammers through the cryptocurrency account. Barclays refused to refund the money. It said he’d need to pursue his loss with Y. Barclays said Mr K had submitted KYC documents for the crypto account to be opened from an IP address/geo location which matched Mr K’s details. As such, Barclays said the account was in Mr K’s control and Barclays wasn’t liable to refund the money to him. Unhappy with the outcome, Mr K asked this Service to look into his complaint. Our Investigator didn’t uphold it. He didn’t think Mr K’s payments to Barclays were unusual based on his account history or for particularly high amounts as compared to other transactions, so he didn’t think Barclays should have intervened to warn Mr K about scams. He didn’t think Barclays could successfully have recovered Mr K’s money. Mr K didn’t agree for several reasons and requested an Ombudsman’s decision. In summary, he said: • Barclays had failed to give him any meaningful, specific or targeted fraud warnings as required under the Contingent Reimbursement Model (CRM) Code and Financial Conduct Authority (FCA) guidance including the FCA’s Consumer Duty, despite his sending money to a high risk cryptocurrency exchange. Even if the CRM doesn’t

-- 1 of 7 --

apply (because the payment went to an account under his own control) this Service should still consider the wider principles including under the Consumer Duty. If Barclays had given him an effective warning he’d not have made the payments. • The cryptocurrency account was opened and controlled by the scammers, not by him. The account was set up on his behalf, he did not have independent access or control over it and he could not freely log in or manage funds himself. He was instructed to send money in the belief cryptocurrency coins would appear in the wallet for him. • He didn’t agree the payments represented normal or usual activity, as while he’d made large payments before he’d not made crypto or investment related transfers. This Service has upheld cases where banks should intervene for first-time crypto transactions far below these amounts. He’d been manipulated by the scammers who had told him to send one smaller amount (£1,100) followed by a second larger amount (£2,200) the following day; this is a well-known pattern for scams. • Our Investigator had not taken into account Barclays’ duty to protect ‘vulnerable situations’. He’d trusted the scammers and acted in good faith, but Barclays failed to protect him. He’s suffered financial and emotional hardship and distress because of the scam. Our Investigator explained why he hadn’t changed his mind. As an agreement couldn’t be reached the complaint was passed to me. I reviewed it and asked Mr K for some further information. In response he has told me that: • The scammers told him that he needed to open a cryptocurrency account with B to participate in the commission scheme. He followed their instructions and understood the payments he made were to fund the crypto account with B. • He did not independently select Y as the beneficiary of his two payments. The payment details were provided to him as part of the process he was guided through and he believed this was connected to B’s payment processing. • The scammers sent a link to him on the social messaging platform so that he could provide his identification document. They told him an account would be opened in his name and that login details would be provided later. He was asked to give a photo of his driving licence for identification purposes. After this, he was sent a KYC link and guided through the verification process step by step. • He completed the verification because he was told it was necessary to activate the account and receive the (crypto) coins. He did not independently research the link or company, as he believed he was following legitimate account set up instructions. • He did not independently choose Y and has not had direct contact with Y regarding the account. • At the time he made the payments to Y, he did not have login details or independent access to the account. • After he made the final payment (of £2,200), communication with the scammers reduced. He was later sent login details. He attempted to log in and, after several attempts including resetting the password, he was able to access the account.

-- 2 of 7 --

• However, he only saw the transaction history. He didn’t see any cryptocurrency credited, did not receive any funds, and was not able to withdraw anything. He did not have independent access or meaningful control over the account. Barclays has recently contacted this Service to say: Mr K’s money was sent to a Payment Service Provider I’ll call B1. B1 received the money on behalf of its corporate customer Y. B1 is covered by the Payment Systems Regulator’s rules and Barclays understands that any losses suffered by Mr K should be paid by the bank from where the scam was funded. So Barclays says Mr K should approach B1 to recover his loss – as Barclays has no liability on this occasion. What I’ve provisionally decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. I’m sorry that Mr K was the victim of a scam. I don’t underestimate the impact of the scam on him financially and personally, and he has my sympathy. But having considered all the available evidence I’m not intending to make Barclays refund him with the money he lost to the scam. I’ll explain why. The relevant reimbursement rules Mr K has referred to the CRM Code. But in October 2024 the Payment Systems Regulator’s Authorised Push Payment mandatory reimbursement rules (Reimbursement Rules) came into effect which were also designed to protect customers who’ve lost money in a scam. The CRM doesn’t apply here, because Mr K’s disputed payments were made after the Reimbursement Rules came into effect for payments made on or after 7 October 2024. The Reimbursement Rules apply to faster payment and CHAPS payments between banks in the UK, but the rules also require that the beneficiary account isn’t one that is under the control of the consumer (here, Mr K). Was the cryptocurrency account a relevant account controlled by Mr K? Mr K says that the cryptocurrency account wasn’t under his control. I’ve considered his comments and why he considers he didn’t have any meaningful control over the account with Y at the time he sent the payments to it. He said it was only later that was he given the login details. The Payment Systems Regulator defines an account controlled by the consumer as ‘A relevant account that a consumer can access and make payments from. It is not sufficient for it to be in the consumer’s name’. A ‘relevant account’ is an account that is: • Held by a customer of a payment service provider (‘PSP’), not the PSP itself; and • Can send or receive faster payments (commonly known as ‘bank transfers’); and is • Held in the UK. The account Mr K sent money to was held by the business B1. B1’s Business account can’t be a relevant account for the purpose of the Reimbursement Rules because it is held by a PSP. I understand B1 enables customers of Y to receive money by faster payment. In

-- 3 of 7 --

practice that means that the payment was made to B1 and then allocated to Y’s customer. But as B1 is an Authorised Payment Institution it can’t offer accounts to customers which can send or receive faster payments, so it didn’t provide either Y (or Y’s customer) with an account like that. What this all means is that Mr K didn’t pay a relevant account. As I’ve provisionally concluded Mr K didn’t pay a ‘relevant account’ this means I do not need to decide whether or not the account was under his control. I say this because even if I were to decide the account was not under his control, the account would still have to be a relevant account for the Reimbursement Rules to apply – and I’ve concluded it is not a relevant account. But that’s not the end of the matter. Should Barclays fairly and reasonably have intervened? Mr K says that Barclays acted contrary to the FCA’s regulatory requirements. In considering what’s fair and reasonable, I need to have regard to the relevant law and regulations, regulators’ rules, guidance and standards, codes of practice and, where appropriate, what I consider to have been good industry practice at the relevant time. Mr K says he’s seen other cases which he considers are similar to his own circumstances and which my Ombudsman colleagues have upheld. But I am not bound by my colleagues’ decisions. I decide each complaint on its own individual facts and merits, as I’ve done here. In broad terms, the starting position at law is that a bank is expected to process payments and withdrawals that a customer authorises it to make, in accordance with the Payment Services Regulations (2017) and the terms and conditions of the customer’s account. It isn’t in dispute that Mr K authorised the two transfers in question. He is therefore presumed liable for the loss in the first instance. However, Barclays is aware, taking longstanding regulatory expectations and requirements into account, and what I consider to be good industry practice at the time, that it should have been on the look-out for the possibility of fraud and made additional checks before processing payments in some circumstances. Should Barclays have recognised that Mr K was at heightened risk of financial harm from fraud? Mr K made two faster payment transfers to Y: £1,100 on 19 June 2025 and £2,220 on 20 June 2025 – so £3,300 in total. Barclays’ records show that the reason for payment was ‘Paying your other account’. I’ve carefully considered all the evidence including Mr K’s comments about his account history. I’ve reviewed his statements and his usual payments and activity, and I note that he has not made payments to cryptocurrency exchanges before the disputed transfers. He had made payments from his account of a similar size to the disputed transfers. Barclays should have been on the lookout for payments which could be the result of fraud or scams. But a balance must be struck between identifying and responding to potentially fraudulent payments and ensuring there’s minimum disruption to legitimate payments. I’ve thought carefully about whether Barclays should have done more in Mr K’s case. However, I don’t think the payments involved were quite so unusual or out of character that Barclays needed to intervene. While the transfers went to a crypto exchange, they were not so large or rapid at the point of the second payment that I consider they needed to be of

-- 4 of 7 --

particular concern for Barclays. I’ve noted Mr K’s comments about patterns of payments, but at the point the second payment was made I don’t consider they formed a particularly suspicious pattern such that Barclays should have intervened. Even if I had reached a different provisional conclusion and said that Barclays should have intervened with a scam warning, I’d still have to be persuaded that Mr K lost his money to a scam. Mr K has not been able to give us any evidence to show the money was lost to a scam. He’s told us the messages with the scammers have been deleted and he hasn’t been able to send any evidence to show the scammers moved his money to their own crypto wallet. While I have taken into account Mr K’s own testimony, I would need more persuasive evidence than he has provided to require the bank to compensate him for his loss, either in full or in part. I think Barclays took reasonable steps to recover Mr K’s money. But the receiving bank B1 said the money was used to purchase cryptocurrency and was then moved to a wallet outside Y’s cryptocurrency platform. So I’m satisfied Barclays couldn’t successfully recover Mr K’s money. Mr K has said Barclays has a duty to protect ‘vulnerable situations’ although he’s not referred to any specific vulnerability. But in any event I don’t consider Barclays was on notice the fraud was occurring or that it missed signs of any vulnerability in the circumstances. Finally, Barclays has suggested Mr K should complain to B1, which received his money. It’s open to him to do so, and our Investigator can give him details of the bank that received his money if he’d like it. But I should be clear that I cannot comment on any such complaint in this decision about Barclays, including whether this Service could investigate such a complaint if it is later referred to us or on the merits of the complaint. I have sympathy for Mr K, who has been the victim of a cruel scam. But for the reasons I’ve explained I don’t consider I can fairly or reasonably require Barclays to refund him the money he sadly lost to the scam. Barclays responded to say it accepted my provisional decision. Mr K responded to say he did not accept my provisional decision and asked me to reconsider for reasons that I’ll briefly summarise below: • He has now sent me further evidence of the scam. • The account (with Y) was opened in his name but was not under his control at the time of the payments, for reasons he has previously outlined. • The scammers deleted their account on the social messaging site and blocked him shortly after receiving the payments. This meant he was unable to retain a full conversation history. This is a common feature of these scams and should not be taken as evidence the scam did not occur. • The payments followed a clear scam pattern, for reasons he’s previously given. • While he understands my provisional view, his transactions indicated a higher risk of fraud and Barclays had an opportunity to intervene because this was his first time making payments to cryptocurrency, and a new beneficiary, where he was being guided by a third party (the scammers).

-- 5 of 7 --

Mr K said the evidence clearly shows he was a victim of a scam, that he didn’t have meaningful control over the cryptocurrency account at the time of the payments and he was manipulated into making the transactions. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. I’ve carefully considered all Mr K’s further submissions but they don’t persuade me to depart from the findings I reached in my provisional decision. I don’t uphold this complaint for the reasons I gave in my provisional decision and below. I’ve taken into account all that Mr K has said about the cryptocurrency account with Y not being under his control at the time he made his payments. He has not directly commented on my finding that the account with B1 to which he sent his money was not a ‘relevant account’ as defined by the Payment Systems Regulator. I do appreciate that my finding about the ‘relevant account’ is technical in nature. In summary, the account to which Mr K sent his money went to business B1. Only then was the money allocated to the account with Y. B1’s Business account can’t be a relevant account for the purpose of the Reimbursement Rules because it is held by a PSP. This all means that Mr K didn’t send his money to a ‘relevant account’. So while I appreciate Mr K has made several arguments to support his point that his account with Y wasn’t under his control, this is not an issue I need to decide. This is because he didn’t send the money to a relevant account for the purpose of the Reimbursement Rules. So the Reimbursement Rules don’t apply in Mr K’s circumstances, whether or not the account was under his control. I will turn now to the issue about whether Barclays should reasonably have realised Mr K was at a heightened risk of harm from fraud and whether it should have intervened. Mr K has restated his points about why he considers Barclays should have intervened. But his comments don’t change my mind for the reasons I’ve already given in my provisional decision. I did acknowledge in my provisional decision Mr K’s comments that he was making first time payments to a cryptocurrency exchange. But for the reasons I’ve given I remain of the view that the payments involved were not quite so unusual or out of character that Barclays had to intervene or that they formed a sufficiently suspicious pattern for intervention. I don’t consider Barclays should reasonably have been aware at the time he made the payments that he was being guided by the scammers in making the payments. Mr K has now been able to send us some further evidence of the scam, including the guidance he was given to set up his account with Y. I’ve reviewed this evidence. I didn’t mean to suggest in my previous decision that Mr K hadn’t been the victim of a scam. Rather I said he hadn’t sent us persuasive evidence that his money was lost to a scam - and that was the case even though I take his point that the scammers deleted his conversations with them. Mr K’s evidence shows that he was being guided by the scammers at every step and sent money to Y in line with their instructions. But this doesn’t change my decision. I have reached the finding that Barclays did not reasonably need to intervene in the payments that Mr K made to Y, because I don’t consider in all the circumstances that it should have been

-- 6 of 7 --

aware Mr K was at a heightened risk of financial harm from fraud. This means I don’t need to make a finding on whether Mr K lost his money to the scam. I would need to do so only if I’d found that Barclays should have intervened in the disputed payments, and here I don’t consider it should have done for the reasons I’ve explained. Despite my natural sympathy for Mr K, I’ve found that Barclays did not have to intervene when Mr K made his payments to Y. It follows that I don’t require Barclays to refund Mr K the money he sadly lost to the scam. My final decision For the reasons I’ve given in my provisional decision and in this final decision, I don’t uphold this complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr K to accept or reject my decision before 27 April 2026. Amanda Maycock Ombudsman

-- 7 of 7 --