Bank responsible for $95,000 loss despite customer’s lack of device passwords

Common scams targeting bank customers
August 2022

In 2020, a fraudster gained access to Scott's computer or mobile phone, or possibly both, in an attempt to log in to his internet banking. Unable to do this, the fraudster used Scott’s devices to reset his internet banking password, and set up access to his account on the fraudster’s own device via the bank's app. The fraudster then transferred $95,000 out of Scott's accounts.

Scott alerted the bank and police, but they were unable to recover the funds. Scott asked the bank to reimburse him for the payments made from his account without his permission, but his bank declined. It said he had not taken reasonable steps to protect his banking details – as evidenced by the fact someone had been able to gain access to his accounts. It pointed out that he had previously breached the terms and conditions of his accounts by sharing his banking details with others.

Our investigation

Banks are liable for unauthorised payments unless a customer has contributed to the loss by breaching the terms and conditions of an account or by failing to take reasonable steps to protect banking details. The bank said Scott had told it that his cousin and accountant had helped him access his banking, but we found nothing to suggest either had anything to do with the loss. Scott had limited technical capability: he said he used his phone mainly to store the contact details of friends and family members and did not know it was linked to his banking. He did not realise someone could gain access to his bank accounts through his devices without his internet banking password.

The bank said Scott had failed to take reasonable steps to protect his banking by not password-protecting his devices. However, the terms and conditions of Scott’s accounts did not contain any clause requiring customers to protect their devices with passwords, and the bank's security information did not make it clear enough that such passwords were necessary to ensure the integrity of its authentication processes. In these circumstances, we considered Scott had not failed to take reasonable care by having no password protection on his devices.

We also considered the bank’s processes for resetting passwords and setting up new ways to access funds were vulnerable to unauthorised resets, and that the bank should take steps to minimise this risk.


We recommended the bank reimburse Scott the $95,000, plus lost interest. Not having access to his funds for over 18 months significantly impacted his lifestyle and financial planning, as the unauthorised transactions had drained his account and put it into overdraft. We therefore recommended the bank pay him $3,000 to compensate for the stress and disruption caused by failing to properly consider his claim and complaint.
