Bank failed to prove lack of reasonable care when entering PIN

Marcel visited several bars while overseas on a business trip. He was carrying a wallet containing two credit cards, one of which had been issued through his bank. At the last bar he visited, he paid for his drinks with his non-bank card. It seems someone in the bar watched him enter his PIN and then pickpocketed his wallet. The thief correctly guessed that Marcel used the same PIN for both cards and spent $30,000 on the bank card. The bank told him it would not compensate him because it believed he had disclosed his PIN and therefore contributed to the loss.
December 2020

Our investigation

Under the Code of Banking Practice, banks must compensate customers for fraudulent and unauthorised transactions on their card unless customers have breached the terms and conditions of their card or failed to take reasonable steps to protect their banking details, such as their PIN.

The card’s terms and conditions did not prohibit the use of the same PIN for different cards (something many banks do, in fact, prohibit). We concluded Marcel did not breach the card’s terms and conditions on that score.

We did not agree with the bank that Marcel had breached the card’s terms and conditions by “disclosing” his PIN. Marcel was observed entering his PIN without his knowledge. This did not amount to disclosure. Instead, the bank should have considered whether Marcel had taken reasonable care to prevent anyone observing him when he was entering his PIN.

In our view, the available information indicated he had taken reasonable care when entering his PIN.


The bank offered to reimburse Marcel for all unauthorised transactions, plus all interest that had accrued on the debt. He accepted the offer.
