HSBC UK Bank Plc · DRN-6214551

Complaint Mr P is unhappy that HSBC UK Bank Plc didn’t reimburse him after he reported falling victim to a scam. Background The background to this case is familiar to the parties, so I will not repeat it in full here. What follows is a brief summary of the key points. Mr P had been exploring potential investment opportunities. During this process, he came across a company advertising online that appeared to offer an investment he was interested in pursuing. He didn’t know it at the time, but the company wasn’t a genuine investment firm. In reality, he had been communicating with fraudsters. Relying on what he believed were genuine instructions from a legitimate firm, Mr P made the following payments from his HSBC account: 1 7 March 2024 £42,700 2 29 April 2024 £95,000 3 7 May 2024 £30,000 4 8 May 2024 £64,088 HSBC intervened in relation to three of the payments and spoke with Mr P before agreeing to process them. Unfortunately, by this point the fraudsters had instructed Mr P to provide misleading answers to any questions asked by the bank. As a result, HSBC’s attempts to protect him from the risk of fraud were ultimately unsuccessful. When Mr P later realised the investment was a scam, he reported the matter to HSBC. The bank declined to refund the payments. Mr P wasn’t happy with that response and referred his complaint to this service. An Investigator reviewed the case and upheld it in part. She concluded that HSBC couldn’t reasonably have prevented the scam itself. However, she also found that payment #2 fell within the scope of the Lending Standards Board’s Contingent Reimbursement Model (CRM) Code and that, under the Code, HSBC should reimburse that payment. Mr P accepted the Investigator’s findings. HSBC did not. As the parties were unable to reach agreement, the case has now been passed to me to review and issue a final decision. Findings I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. As a starting point, the legal position is that a firm is generally required to process payments and withdrawals that have been authorised by its customer, in accordance with the Payment Services Regulations 2017 and the applicable account terms and conditions. It’s accepted that the disputed payments were authorised, so Mr P is, in principle, liable for them.

-- 1 of 3 --

However, that isn’t the end of the matter. At the relevant time, HSBC was a signatory to the Lending Standards Board’s Contingent Reimbursement Model (CRM) Code. The Code requires firms to reimburse customers who fall victim to authorised push payment (APP) scams in certain circumstances. Separately, good industry practice required HSBC to monitor account activity for transactions that appeared unusual or out of character and which might indicate a risk of fraud. Where such concerns arose, I would expect the firm to take proportionate steps to protect its customer. This may include issuing a clear warning during the payment process or contacting the customer to understand the circumstances behind the transaction. The CRM Code doesn’t apply to all payments. To be covered, a payment must fall within the Code’s definition of an APP scam, being: a transfer of funds executed across Faster Payments, CHAPS, or an internal book transfer, authorised by a customer in line with regulation 67 of the PSRs, where: (i) the customer intended to transfer funds to another person, but was deceived into sending the funds to someone different; or (ii) the customer transferred funds to another person for what they believed were legitimate purposes but which were, in fact, fraudulent. Payments 1, 3 and 4 These three payments are not covered by the CRM Code. Mr P transferred the funds into accounts held with another firm but registered in his own name. He then moved the money onwards from those accounts into the control of the fraudsters. Under the definition above, he cannot be said to have transferred funds to “another person” at the point of the initial payments, as he was in effect transferring the money to himself. Nonetheless, HSBC still had a duty to monitor his account for indications of potential fraud. It did so, and several conversations took place between Mr P and HSBC staff. However, Mr P was not entirely candid. He denied using remote access software, even though he was doing so, and he did not disclose the true purpose of the transfers. HSBC also provided general warnings about common scam types. Several aspects of those warnings reasonably should have caused Mr P concern. Despite this, he continued to insist on making the payments. In the circumstances, I am satisfied that HSBC’s response was proportionate. Mr P’s determination to proceed and his willingness to give misleading information meant there was little more HSBC could realistically have done to prevent these losses. Payment 2 Payment 2 was made to a different payee from the other three transfers. Mr P believed he was transferring money to an account in his own name and therefore considered the funds to be safe. In reality, the receiving account was controlled by the fraudsters. Mr P recalls that he was not asked to set up a new account for this purpose, and the messages between him and the fraudsters do not suggest that he did. However, by this time he had already provided the fraudsters with several key pieces of personal information. These would have enabled them to open an account in his name without his knowledge. In 2023, the Lending Standards Board wrote to CRM Code signatories and clarified that, in such circumstances, a customer “may have unknowingly shared sufficient details with the scammer to allow them to access the account. In such cases, the customer has, in effect, made a payment to another person for what they believed to be a legitimate purpose, and they have lost control of the funds at the point at which they are transferred to the crypto exchange.” In other words, even if the account was technically in Mr P’s name, it’s more likely than not that he had no practical control over it. For that reason, I am satisfied that Payment 2 falls within the scope of the CRM Code.

-- 2 of 3 --

Under the CRM Code, a firm must reimburse a customer who has been the victim of an APP scam unless an exception applies. However, a firm cannot rely on any exception if the customer meets the Code’s definition of vulnerability – i.e. where it would not have been reasonable to expect the customer to protect themselves against the particular scam. I am satisfied that Mr P meets this definition. His age placed him in a demographic statistically more susceptible to such scams. In addition, around the time these events took place, he had recently experienced a significant bereavement and an episode of mania. In those circumstances, it would not be surprising for him to have been suffering impaired judgement and critical thinking. For these reasons, I do not consider HSBC can reasonably rely on an exception to reimbursement for Payment 2. I recognise HSBC made several attempts to protect Mr P and that its efforts were ultimately defeated by factors beyond its control. I also accept that it could not reasonably have prevented the scam. However, under the CRM Code, the obligation to reimburse does not depend on any failing by the firm. Final decision For the reasons I’ve explained above, I uphold this complaint in part. If Mr P accepts my final decision, HSBC UK Bank Plc needs to refund payment 2 in the table above. It also needs to add 8% simple interest per annum to that payment calculated to run from the date it declined his claim under the CRM until the date any settlement is paid. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr P to accept or reject my decision before 23 April 2026. James Kimmitt Ombudsman

-- 3 of 3 --