Our investigation
We found the bank had failed to keep Randolph's banking methods secure. Changing the biometrics on his phone required only knowledge of the device's passcode, and once a new biometric had been enrolled there were no further steps to take or details to be provided to access the bank's app. Other banks disable biometric log-in to their banking app when the biometrics on a device have been changed and require further credentials (such as the banking app PIN) before the app can be used again. We found this lack of any further security or authentication step amounted to a breach of the bank's obligation to keep the way Randolph banked with it secure.

We also agreed with the second part of his complaint, that he had taken all reasonable steps to protect his banking credentials and had not therefore breached the bank's terms and conditions. Randolph said his passcode was relatively simple and could easily be guessed or obtained by "shoulder surfing" – that is, looking over the shoulder of the user while he or she was entering the passcode. However, the bank's terms and conditions said nothing about the strength or complexity of a device's passcode, and Randolph did not disclose his phone's passcode or allow his son to change the biometrics on his phone. At no point had Randolph handed over his PIN or passcode or allowed them to be compromised. The requirement for customers to take reasonable steps to protect their banking does not extend to the protection of a customer's device passcode. We therefore found Randolph had taken all reasonable steps to protect his banking and had complied with all relevant terms and conditions.
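The control the case note describes at other banks (biometric log-in stops working when the device's biometric enrolment changes, and the app PIN is required again) can be implemented on Android by tying the app's biometric log-in to a Keystore key that the platform destroys on enrolment change. The following is an added example written for this page, not the code of any bank or of the app in the case; the key alias and the `BiometricLoginState` type are hypothetical names chosen for illustration, and the IV is assumed to have been stored when the key was first used.

```kotlin
// Added example (not from the case note): bind biometric log-in to the device's
// current biometric enrolment so that enrolling a new fingerprint or face
// invalidates it and forces the user back to the app PIN.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "bank_biometric_login_key" // hypothetical alias
private const val KEYSTORE = "AndroidKeyStore"

/** Called once, only after the user has just proved possession of the app PIN. */
fun enrolBiometricLogin(): SecretKey {
    val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
    kg.init(
        KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            // The key can only be used after a successful user authentication
            // (the Cipher below must be handed to BiometricPrompt as a CryptoObject) ...
            .setUserAuthenticationRequired(true)
            // ... and Keystore permanently invalidates it when a new biometric is
            // enrolled. Knowing the device passcode is enough to enrol a new
            // biometric, so this is what stops that from unlocking the app.
            .setInvalidatedByBiometricEnrollment(true)
            .build()
    )
    return kg.generateKey()
}

sealed class BiometricLoginState {
    /** Biometric log-in is still trustworthy; show BiometricPrompt with this cipher. */
    data class Ready(val cipher: Cipher) : BiometricLoginState()
    /** Enrolment changed since set-up: require the app PIN and re-enrol. */
    object EnrolmentChanged : BiometricLoginState()
    /** Biometric log-in was never set up on this device. */
    object NotEnrolled : BiometricLoginState()
}

/**
 * Decide, before any biometric prompt is shown, whether biometric log-in may
 * still be offered. `iv` is the GCM nonce stored alongside the wrapped session
 * secret when the key was last used (assumed to exist in app storage).
 */
fun prepareBiometricLogin(iv: ByteArray): BiometricLoginState {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    val key = ks.getKey(KEY_ALIAS, null) as? SecretKey
        ?: return BiometricLoginState.NotEnrolled
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv))
        BiometricLoginState.Ready(cipher)
    } catch (e: KeyPermanentlyInvalidatedException) {
        // Keystore reports the enrolment changed. Delete the dead key so the
        // biometric path cannot be retried; the caller must fall back to the PIN.
        ks.deleteEntry(KEY_ALIAS)
        BiometricLoginState.EnrolmentChanged
    }
}
```

On the `Ready` path the cipher is passed to `BiometricPrompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))`, so the session secret can only be unwrapped after a successful biometric check against the same enrolment set that existed at set-up. The equivalent binding on iOS is a Keychain item protected with the `biometryCurrentSet` access-control flag, which likewise becomes unreadable once the enrolled biometrics change. In both cases the check must happen before the prompt is offered, and the fallback must be the app's own credential (the app PIN), not the device passcode, since possession of the device passcode is exactly what the attacker in this case had.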
Outcome
We upheld Randolph's complaint.