Customer entitled to reimbursement of only part of his scam loss

Categories:
Fraud & scams, Cards,
Summary:
In March 2024, Roscoe received a text from NZ Transport Agency Waka Kotahi about an overdue road toll. He clicked on a link in the text, entered his card details and paid the toll. Several hours later, he received a call from someone claiming to be from his bank who said there had been suspicious transactions on his account from clicking on a link and that his card and device were compromised. The caller said Roscoe would need to share codes to stop or reverse the transactions and then transfer some funds to prevent any further unauthorised transactions.
Published:
June 2025

Roscoe disclosed two codes that allowed two card transactions totalling $2,000 to go through, and he also transferred $5,626 to a so-called “secure” account. Roscoe complained about the bank’s decision not to reimburse his $7,626 loss, but the bank said it was not required to reimburse him because he had authorised the payments.

Our investigation

We considered the $5,626 transfer to be an authorised transaction given Roscoe knowingly transferred the funds to the recipient account. We considered there was nothing about the transaction that gave the bank any reason to suspect it might be a scam. The transaction was made via online banking and did not trigger the bank's fraud system. By the time the bank learned of the scam, the money had gone.

On the other hand, we considered the card transactions to be unauthorised because Roscoe did not consent to them. Disclosure of a code does not mean a transaction was authorised if the customer did not know about the transaction’s true purpose and agree to it. Banks are required to reimburse fraud losses for unauthorised transactions unless the customer has acted negligently.

Roscoe had not, in our view, acted negligently for four reasons. Firstly, the bank had a practice of asking customers to disclose codes over the phone. Secondly, the bank's terms and conditions did not prohibit customers from disclosing codes – and in fact they said the bank might require customers to disclose codes to process certain changes. Thirdly, the texts containing the codes said nothing about the acceptable use of the codes and contained no warning about scams or not sharing the codes with staff. Fourthly, Roscoe was reasonably convinced that he was talking to someone from the bank because the caller knew about a third transaction made by the scammer for $224 that had been processed without an authorisation code.

Outcome

The bank agreed to reimburse $2,224 of Roscoe’s loss. Roscoe accepted the bank’s offer.

Print this page