Financial Ombudsman Service decision
Paynetics UK Limited · DRN-6060262
The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.
Full decision
The complaint

Mr F complains that Paynetics UK Limited is holding him liable for two debit card payments which he says he didn’t authorise.

What happened

Mr F says that on 5 June 2025 at 01.00, his iPhone and wallet (which was attached to the back of his phone, and which contained his Trading 212 debit card) were stolen from out of his hand while he was on a night out. He reported the theft to Trading 212 the following day and was subsequently notified that the debit card had been used at 11.37 and 11.53 for two transactions for £5,706.97 and £2,215.

When Mr F disputed the transactions, Paynetics refused to refund them. It said the iPhone had been accessed biometrically and the card transactions were authenticated either through 3DS, or at a point-of-sale terminal.

Mr F wasn’t satisfied and so he complained to this service about the transactions. He said the thief was able to log into his Trading 212 app and remove the spending pot limit, and he’d contacted Paynetics as soon as he could. He believes the thief had watched him throughout the night and made a note of his mobile passcode, and then registered their own biometrics to the phone, before accessing the PIN for his debit card in the Trading 212 app.

Our investigator has recommended that the complaint should be upheld. She noted the genuine card and PIN were used to make the transactions and that Paynetics had submitted evidence that the device used to log in before the theft was the same device used to log in on 25 June 2025. None of this is in dispute.

She commented that Paynetics had confirmed that when the phone is unlocked, no further security information is needed to log into the app and that it couldn’t confirm whether the biometrics were changed on the physical device before the disputed activity happened via the app. But there was evidence that the debit card information screen was accessed using biometrics, and the PIN was changed.

She further explained that the card spending limit was changed using the password, which isn’t displayed anywhere in the app, but Mr F had confirmed that he can log into the Google app to view saved passwords, and where Face ID isn’t passed, the passcode can be entered to override this feature. So, it was possible the password was accessed this way.

Our investigator felt it was plausible that a thief could’ve observed Mr F enter his passcode earlier in the evening, and then used it to add their own biometrics to the iPhone, or access the Google app where his passwords were saved. And as the phone was unlocked while it was stolen, the thief would have had access to Mr F’s apps.
She concluded on balance that Mr F hadn’t authorised the transactions and she recommended that Paynetics should reverse them and pay him £150 compensation to acknowledge the distress and inconvenience caused by its failings.

Paynetics has asked for the complaint to be reviewed by the Ombudsman. It has argued that an unauthorised third party would have needed to use either biometrics or the device passcode to access apps, even if the iPhone was unlocked when it was stolen. And the idea that they observed the passcode or added their own biometrics wasn’t supported by evidence. They’ve also argued that the claim that the device was unlocked from 01:00 to 08:30 is implausible, which significantly undermines Mr F’s account of how access occurred.

What I’ve decided – and why

I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’ve reached the same conclusion as our investigator. And for largely the same reasons.

Authorisation

Authorisation has two limbs – authentication and consent. So, Paynetics needs to show the transactions were authenticated as well as showing Mr F consented to them.

Authentication

Paynetics has been able to show the transactions were authorised using Mr F’s debit card and PIN, so I’m satisfied they were authenticated.

Consent

Mr F has said from the outset that his phone and debit card were stolen in the early hours of 25 June 2025 while he was on a night out. He says the phone, which he opened either with Face ID or with a passcode, was unlocked when it was stolen. I think this explanation is plausible and I’m satisfied Mr F has produced insurance documentation reflecting the theft claim has been settled, as well as confirmation of a new phone purchase. So, I think, on balance, it’s more likely than not that Mr F’s phone was stolen in the circumstances he’s described.

Mr F has suggested that the thief could have obtained the passcode for his phone at some point earlier in the evening and used it to access his apps. He has also suggested that the thief could have used the passcode to re-set the biometrics on the phone, and/or accessed his passwords in the Google app.

Paynetics has argued the fact the iPhone was unlocked doesn’t mean a thief would have had access to the apps. But it has been unable to confirm whether the biometrics were changed on the physical device before all the disputed activity happened, and it accepts the card information screen was accessed using biometrics and that the PIN was changed.

It is possible Mr F was observed or filmed by the thief when entering his passcode to open the phone previously. But I also need to take account of the fact that I can’t be 100% certain of what methods criminal gangs might be able to employ to bypass security, potentially through physical interference with a device or through malware once they are in possession of it.
I’ve also considered the account activity including the movement of funds before the disputed transactions and the fact the PIN and daily card spend limit were changed, and I’m satisfied this is consistent with fraud.

In addition, Paynetics has suggested that there was a delay in the reporting of the theft to it, but Mr F has explained that he was unable to do anything sooner as he wasn’t with anyone he knew, and he didn’t have a phone. He says he woke up at 8am and borrowed a phone to call the Police, Apple and his other banks, but he couldn’t find a number for Paynetics, so he couldn’t call until he got home.

Having carefully considered all of the circumstances, I’m satisfied, on balance, that the disputed transactions were most likely carried out by an unauthorised third party who had gained access to Mr F’s app via the stolen phone before using his debit card to make the transactions without his consent.

I don’t think any of Mr F’s actions amount to him failing with gross negligence (the bar for which is high) or intent in such a way that he shouldn’t be reimbursed under the PSRs. He believed his phone was secure with both biometrics and a secure password, he took steps to block his phone, and I don’t think him not also contacting Paynetics until the following morning amounts to gross negligence. So overall, I think Paynetics needs to reimburse Mr F for the unauthorised transactions under the PSRs.

Compensation

Finally, our investigator has recommended that Paynetics should pay Mr F £150 compensation for the impact of its failings and I’m satisfied that’s fair.

For completeness, I’m also aware Mr F has raised some points about whether the transactions ought to have triggered Paynetics’ security systems. This involves both the types of transactions and the cumulative pattern of spending. But as I’m intending to direct that he is fully reimbursed under the PSRs, there is no merit in further discussing this.

Putting things right

My final decision is that I uphold this complaint and direct Paynetics UK Limited to:

• refund the disputed transactions.
• pay 8% simple interest*, per year, from the respective dates of loss to the date of settlement.

*If Paynetics UK Limited deducts tax in relation to the interest element of this award it should provide Mr F with the appropriate tax deduction certificate.

Under the rules of the Financial Ombudsman Service, I’m required to ask Mr F to accept or reject my decision before 24 April 2026.

Carolyn Bonnell
Ombudsman