Roscoe disclosed two codes that allowed two card transactions totalling $2,000 to go through, and he also transferred $5,626 to a so-called “secure” account. Roscoe complained about the bank’s decision not to reimburse his $7,626 loss, but the bank said it was not required to reimburse him because he had authorised the payments.

Our investigation

We considered the $5,626 transfer to be an authorised transaction given Roscoe knowingly transferred the funds to the recipient account. We considered there was nothing about the transaction that gave the bank any reason to suspect it might be a scam. The transaction was made via online banking and did not trigger the bank's fraud system. By the time the bank learned of the scam, the money had gone.

On the other hand, we considered the card transactions to be unauthorised because Roscoe did not consent to them. Disclosure of a code does not mean a transaction was authorised if the customer did not know about the transaction’s true purpose and agree to it. Banks are required to reimburse fraud losses for unauthorised transactions unless the customer has acted negligently.

Roscoe had not, in our view, acted negligently for four reasons. Firstly, the bank had a practice of asking customers to disclose codes over the phone. Secondly, the bank's terms and conditions did not prohibit customers from disclosing codes – and in fact they said the bank might require customers to disclose codes to process certain changes. Thirdly, the texts containing the codes said nothing about the acceptable use of the codes and contained no warning about scams or not sharing the codes with staff. Fourthly, Roscoe was reasonably convinced that he was talking to someone from the bank because the caller knew about a third transaction made by the scammer for $224 that had been processed without an authorisation code.

Outcome

The bank agreed to reimburse $2,224 of Roscoe’s loss. Roscoe accepted the bank’s offer.