Financial Ombudsman Service decision
New Wave Capital Limited · DRN-6243613
The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.
Full decision
The complaint

D, a limited company, complains that New Wave Capital Limited (trading as Capital on Tap) won’t reimburse them for payments they say they didn’t make or agree to.

What happened

In July 2024 an employee of D was contacted by an individual claiming to work for Capital on Tap and was told they would need to take certain steps to protect D’s account. During the call they were persuaded to provide two one-time passcodes sent by SMS, and approve a notification they would receive within the app.

It later transpired that the caller was a fraudster, and two payments of £16,768.45 and £29,899.07 had been made from D’s account with Capital on Tap to an online marketplace. These were taken as 12 smaller transactions, and there was a later partial refund of £10,750 from the marketplace. But this still left D £35,917.52 out of pocket.

D reported this to Capital on Tap. However, Capital on Tap declined to issue a refund, saying that by sharing the OTPs and authorising a payment within app the employee had bypassed their security processes. So, they did not feel they should be liable for refunding D.

Dissatisfied with this D referred their complaint to our service. One of our investigators looked into what happened and thought the complaint should succeed. She reasoned that while the employee had shared the OTPs, they didn’t think the payments could be considered authorised, or that Capital on Tap could otherwise hold D liable for the transactions. She recommended they be refunded, and the account reworked as if the payments had never been made.

This was accepted by D. But Capital on Tap disagreed and asked for the complaint to be reviewed by an ombudsman. Upon review I reached a different conclusion to the investigator and issued a provisional decision.

My provisional decision

Were the payments authorised?
In this case there were two payment requests made from D’s account, that the online marketplace broke down into separate transactions, which while not the usual way of taking payments isn’t unheard of. The total amounts taken match those from the two payment instructions. So, it’s important for me to consider how these payment instructions happened.

There are several key considerations relevant to this case. First and foremost is what’s set out in the Payment Service Regulations 2017 (PSRs). Broadly speaking, they state:

• A customer is responsible for any payments made from the account which are properly authorised.
• A payment is to be treated as authorised if a customer has given consent for a transaction. That consent must be given in the form, and in accordance with the procedure, agreed between the customer and the firm.
• A firm will be responsible for any unauthorised payments, unless it can be shown the customer has failed with intent or gross negligence to keep their personalised security credentials safe.

The terms of D’s account with Capital on Tap are broadly consistent with the PSRs.

It’s accepted that the employee didn’t set up the payments themselves, and this was likely done by the fraudster. And it’s accepted that the employee shared OTPs that allowed the payments to be made. But I don’t see that the use of the OTP by the fraudster is enough to show that D gave consent for each transaction – ultimately the form and procedure is still being completed by the fraudster rather than the payer. So, on face value they are both unauthorised.

Capital on Tap have said that initially the £16,768.45 transaction was declined, and the employee was asked to review the transaction in-app. And that in this interaction the employee confirmed they recognised the transaction. This meant when it was attempted again, it was put through. And D have accepted they agreed to this within the app. I see that by taking this step to confirm they recognised the transaction the employee was making a representation to Capital on Tap that this was a genuinely authorised payment. And I see that it’s reasonable for Capital on Tap to rely on this to process this payment. I’m minded it’s reasonable for the £16,768.45 transaction to be treated as authorised.

However, I’ve seen no evidence an in-app check was carried out for the £29,899.07 transaction. There doesn’t seem to have been any interaction or representations made to Capital on Tap by the employee about this transaction. And as mentioned above, I’m satisfied that it’s appropriate to treat this transaction as unauthorised.

Has there been a failure with intent or gross negligence to keep security credentials safe?
There’s been no suggestion the employee deliberately gave over the OTPs intending for payments to leave D’s account. Capital on Tap have instead argued that the employee was grossly negligent when sharing the OTPs – as well as having been asked to review the payment in-app. And they’ve also highlighted that D will have received scam education in the past.

When considering if the employee has failed in their obligations with gross negligence, the test isn’t simply whether they were careless. For someone to fail with gross negligence they would need to have seriously disregarded an obvious risk, falling significantly below the standards expected of a reasonable person.

Here, I’m not persuaded that the employee’s actions meet the threshold of gross negligence. The employee has said that the fraudster already had details about D’s Capital on Tap account, and them personally. In the circumstances I can see how they were led to believe they were genuinely dealing with Capital on Tap. While the message on the OTP is clear that it should not be shared, I can see how a person could be taken in and persuaded to share the code with someone they genuinely believed was from their account provider. I’m also not minded that someone would necessarily recall education they’d received on scams in the moment.

I accept that the employee has been careless, but I don’t see that their actions fall so considerably short of what I’d expect of a reasonable individual. So, in this case I’m not minded that Capital on Tap can fairly hold D liable for the unauthorised transaction.
Are there any other considerations to take into account?

I’ve considered whether Capital on Tap ought to have done more to prevent the transaction of £16,768.45, based on their obligations to monitor accounts for signs of fraud and financial harm. If a transaction looks particularly out of place, then I may expect them to ask further questions of the payment, although any intervention would need to be proportionate to any risk. Here though as the payment was confirmed within the app, I’m satisfied that no further intervention would have reasonably been expected. This was proportionate to the risk involved.

D has also questioned why Capital on Tap didn’t raise a chargeback for any of the transactions. But having reviewed the relevant chargeback scheme rules, I’m not persuaded that there would have been a valid chargeback reason that likely would have succeeded. So, I don’t see that it’s unreasonable that Capital on Tap declined to pursue this.

What is fair redress?

I’m satisfied that Capital on Tap can treat the £16,768.45 transaction as authorised – and I don’t see that they need to refund D for this transaction.

For the £29,899.07 transaction, I’m satisfied that Capital on Tap should not hold D liable for this. But I also note that the partial refund of £10,750 is from this transaction – so the outstanding loss here is £19,149.07. I’m minded that it would be reasonable for Capital on Tap to refund this to D and rework their account as if this amount had never been taken.

If this means that D has paid more towards their account than they would have otherwise done so, then Capital on Tap should refund any overpayments directly to D. They should also add 8% simple interest per annum to any refunded overpayments, from the date of payment to the date of settlement.

Responses to the provisional decision

Capital on Tap accepted the outcome of the provisional decision.

D submitted several further points for consideration.
They asked why a payment couldn’t be cancelled when it is still pending. They also made reference to rules within the PSRs in relation to payments where the cardholder is not present with the merchant. They said they were unclear why the in-app approval wasn’t covered by the Authorised Push Payment (APP) scam reimbursement rules.

As such it now falls on me to consider the evidence afresh.

What I’ve decided – and why

I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint.

Having done so I remain satisfied with the conclusions reached in the provisional decision – I appreciate this will be disappointing to D, and I will respond to the points they’ve raised.

Here the technical evidence shows there were two payment requests – one was approved in-app, and the other didn’t have any further intervention. As mentioned, these were broken down into small payments by the online marketplace, but the total amounts remain the same. This isn’t the most common way of payments being taken, but it isn’t unheard of, and there is provision for payments being structured this way in the card schemes’ operating guides. So, I’m not persuaded this makes any significant difference to the outcome of this complaint.

I’m satisfied that by approving the payment in-app, the employee of D gave Capital on Tap the authority to debit the account – and I’m satisfied that this is in line with the terms of the account. So, it’s reasonable for this payment to be treated as authorised, and I don’t see there’s an obligation to reimburse D.

The payment with no further intervention, I’m satisfied that the full form and procedure of the payment was completed by the fraudster, albeit with the code shared by the employee. It’s reasonable to treat this transaction as unauthorised. Capital on Tap have not added any additional points about whether this should be treated as grossly negligent, so I remain of the opinion that it wasn’t. Under the PSRs I’m satisfied it would be right for this payment to be refunded, and the account reworked as if it hadn’t been taken.

D has raised a point about the PSRs having provisions for cardholder not present transactions – this is correct in the sense that section 77 of the PSRs says a payer isn’t liable for unauthorised payments in relation to a distance contract. But the definition of a distance contract comes from the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. These regulations cover contracts between merchants and consumers. A consumer is defined as an individual acting wholly or mainly for purposes outside their trade, business, craft or profession. But here the payer is D – a limited company, and a business. The regulations on distance contracts wouldn’t apply to D. And in any case, I’ve recommended that the unauthorised payment be refunded – so it wouldn’t make a material difference to the outcome of this complaint.

Likewise, D has asked about the APP scam reimbursement rules.
But I’m satisfied these do not apply here – the payments all took place before these rules came into effect, and they are not retrospective. And the reimbursement rules only cover “push” payments, which is where a payer pushes the funds from their account – typically bank transfers, where the money leaves more or less immediately.

Card payments are termed “pull payments” – essentially when you verify a payment using the card you agree for the merchant to take the payment later, and typically after a few days they will then pull the payment from the account. This is also why a payment that is showing as “pending” on an account can’t be stopped at that point – the payment authorisation has already been given, and the account provider has ringfenced the money for the merchant to collect. It’s not unreasonable for Capital on Tap to then pay the merchant when requested.

Lastly, I’m not minded that Capital on Tap ought reasonably to have done more to question the transactions before processing them. There are no specific rules around what represents a high-risk transaction, and generally a business such as Capital on Tap are free to set their automated systems according to their own risk appetite. What I have to consider is whether the transaction is so unusual that it was obviously unreasonable to process it without further challenge, and what reasonably that challenge would have looked like.

Clearly these transactions were different from the previous usage of D’s account. But when the £16,768.45 payment was challenged in-app, Capital on Tap received a positive response. So, here I’m not persuaded Capital on Tap needed to do more to challenge these transactions before completing the authorisation process.
Putting things right

I’m satisfied that it is reasonable for Capital on Tap to refund £19,149.07 to D and rework their account as if this amount had never been taken – including the refund of any interest or charges this amount has incurred.

If this means that D has paid more towards their account than they would have otherwise done so, then Capital on Tap should refund any overpayments directly to D. They should also add 8% simple interest per annum to any refunded overpayments, from the date of payment to the date of settlement.

My final decision

My final decision is that I uphold this complaint and direct New Wave Capital Limited (trading as Capital on Tap) to settle it as outlined above.

Under the rules of the Financial Ombudsman Service, I’m required to ask D to accept or reject my decision before 20 April 2026.

Thom Bennett
Ombudsman