2016 - 2017
Mr D, a bitcoin trader, entered into a trade to sell a quantity of bitcoins for $5,000, which the buyer was to transfer by online banking into Mr D’s account. When the payment showed in Mr D’s account, he released the bitcoins to the buyer. Ten days later, the bank reversed the $5,000 credit and froze the account. By then, Mr D had no funds in his account, so the reversal caused his account to be overdrawn.
The bank called Mr D to explain that the transaction was fraudulent. The $5,000 had been taken from another customer’s account without authority. The bank said it would investigate. Six weeks passed before the investigation began. During that time, the bank’s debt recovery department called Mr D several times requiring payment of the overdrawn amount. Each time, Mr D explained that the matter was under investigation. To help the bank with its investigation, he sent it screenshots of bitcoin trades with the buyer. The bank eventually put the debt collection process on hold while its fraud department investigated.
The bank later told Mr D a malware infection had compromised the computer of the other customer, who had phoned the bank to say funds had been transferred out of his account without his authority. The bank traced the stolen funds to Mr D’s account and reversed the transaction. It told Mr D he would need to repay the overdrawn amount.
Mr D disputed the bank’s decision. He said it was not possible to reverse a completed bank transfer. He also said the account holder whose computer had been compromised should be liable for the loss.
The bank replied that the terms and conditions of Mr D’s account allowed it to reverse payments. However, it offered $500 in recognition of the delay in investigating the matter. Mr D continued to argue the bank could not reverse the transaction, whereupon the bank, as a goodwill gesture, offered to require him to repay only half of the transaction amount – $2,500. Mr D refused the offer, and the bank referred the debt to a debt collection agency.
Mr D complained to us. Our task in such cases is to establish which of the three innocent parties – the person whose account was hacked, the person into whose account the money was deposited, or the bank – must bear the loss.
The terms and conditions of Mr D’s account allowed the bank to reverse fraudulent transactions. Even so, we considered the bank could have communicated this more clearly to Mr D – and, indeed, to all customers. The terms and conditions did not explicitly state that the bank could reverse a payment even when a customer was an innocent recipient of fraudulently transferred money. This vital information should be clearly and prominently displayed in account terms and conditions.
Mr D argued the other bank customer must have been careless with the security of his computer and should bear some responsibility. However, malware can be highly sophisticated, eluding even protective software. Also, the fact that a fraudster has been able to access a customer’s computer does not necessarily mean the customer has failed to take reasonable steps to safeguard his or her computer.
We considered Mr D had justifiably felt stressed and frustrated at the way the bank had dealt with the matter. It had delayed investigating the transaction and simultaneously referred the matter to its debt recovery team. In addition, the tone of some of the bank’s communications made Mr D feel he was being accused of doing something wrong. Banks dealing with such situations should be mindful that a recipient of these types of payments may well be innocent, and is in the unfortunate position of having to bear liability for a loss for which they were not responsible. The bank also failed to explain its legal basis for reversing the payment in a timely way.
We found Mr D was liable for the debt caused by the reversed transaction because the bank had the contractual right to reverse the transaction. However, we considered Mr D should not pay any interest, fees or collection costs given:
The bank accepted our views, but Mr D did not.