The next day, the bank noticed unusual payments from the account linked to her card and contacted Joyce. A scammer had set up the bank's mobile app on another device and accessed her account through the app to make transactions totalling $28,505. The bank tried to recover the funds but managed to retrieve only $4,490. Joyce asked the bank to reimburse her the difference but the bank declined her request, saying she had breached the terms and conditions of her account by entering her username and password into the fake log-in page and also by entering the codes to allow the scammer to set up the mobile app.

Our investigation

The Code of Banking Practice requires banks to reimburse unauthorised online transactions unless customers have acted dishonestly or negligently, breached the terms and conditions of their accounts or cards, or failed to take reasonable steps to protect their banking details. The bank accepted the transactions were unauthorised, but said Joyce was not entitled to reimbursement under the online guarantee because she entered her username, password and authentication codes into a fake bank website, in breach of the terms and conditions of her account.

 However, Joyce did not know she had disclosed her username and password to the scammer, and nor did she intend to disclose them to anyone other than the bank. As for the authorisation codes, she genuinely believed she was giving them to the bank. She did not know the scammer had access to her banking details and therefore was able to set up the bank's mobile app on another device. The text messages accompanying the codes were not sufficiently clear about what the codes were being used to authorise. We did not consider Joyce had acted negligently or breached the terms and conditions of her account when she entered her details and the codes into what she thought was the bank’s website.

Outcome

The bank agreed to pay the remaining $24,015.