Arthur asked the bank to reimburse him for the loss, but the bank declined, saying the payments were authorised using two-factor authentication codes on a token to which only Arthur should have had access. The bank said there had been no bank error or system breach, so it wasn't responsible for his loss.

Our investigation

Banks are liable for unauthorised transactions provided customers have taken reasonable care to protect their banking details and have complied with other terms and conditions of their account or card. The question for us was whether Arthur had taken reasonable care of the token and how someone could have got hold of it.

Arthur told us that a few days beforehand, he had held a social gathering at his home with some friends and acquaintances. As it turned out, the person who had made the payments was one of those present. Arthur thought this person had probably gone through his things and found his customer number and token, using them to set up access to Arthur's banking on his own device.

We couldn’t understand why the bank considered Arthur had shown a lack of reasonable care: it is fair to assume visitors in your home won't abuse your trust, and the fact someone had gained access to Arthur’s account didn't, in itself, mean he had failed to take reasonable steps to protect his customer number and token. We also found it disturbing that someone had been able to set up access to Arthur’s account with such ease.

Outcome

The bank agreed to reimburse Arthur in full.