Bank fails to demonstrate negligence

Common scams targeting bank customers, Account information,
Boyd’s partner’s son impersonated him twice during phone calls to his bank on one day. He appeared to have Boyd’s account statements and passport and was able to answer Boyd’s security questions and pass the identity checks. In the first call, the son changed Boyd’s email address for his accounts and reset his internet banking password. In the second call, he was able to arrange for Boyd’s term deposit to be broken and $25,000 was transferred to his transactional account.
November 2020

With access to Boyd’s internet banking, the son withdrew a total of $67,500. Some of these withdrawals were payments to four individuals, three of whom had accounts at Boyd’s bank. The fourth had an account at another bank. All four were apparently associates of the son and were being used as “money mules”.

Boyd disputed the internet banking transactions as well as some that occurred before the son gained access to his internet banking and some that occurred after he reported the fraud to the bank. The son subsequently wrote to Boyd confessing to stealing money from his accounts.

Boyd’s bank said Boyd had breached its terms and conditions and failed to take reasonable steps to protect his banking. The bank said Boyd must have given the son the answers to his security questions, as well as his passport and account statement. It declined to reimburse him.

Our investigation

The bank agreed that Boyd did not authorise the internet banking payments. We found Boyd did make the other withdrawals, totalling $14,000.

The bank was required to reimburse Boyd for the unauthorised internet banking payments, unless it could show it was Boyd’s failure to take reasonable care that had enabled the son to get hold of the passport, the account statement and the answers to the security questions.

The son could undoubtedly answer Boyd’s security questions, but this did not mean Boyd had given him the answers. We noted that close friends and family members can often know the answers to a customer’s security questions. The bank also did not have any evidence of Boyd failing to take reasonable care with his passport and account statements.

In summary, there was nothing to show Boyd had failed to take reasonable steps to protect his banking details or that he had breached the terms and conditions. The disputed internet banking transactions were made without his consent after the bank granted the son access to his account and were unauthorised. Under the Code of Banking Practice, the bank had to reimburse him. 

We also had concerns about the son’s call to the bank. The son’s answers were somewhat vague. We had some concerns the staff member did not take further steps to confirm the caller’s identity. This could have prevented the son from being able to access Boyd’s accounts in the first place. 


We concluded the bank should reimburse Boyd for the full amount of the internet banking transactions, less any funds already received. Equally, Boyd should reimburse the bank if he received any reparation payments in future.

Print this page