Currensea Limited · DRN-5771664

The complaint Mr W complains Currensea Limited won’t refund transactions made on his account which he says he didn’t make or authorise. What happened The facts of this case are well known to both sides so I will only briefly summarise them here. Mr W was the victim of a scam. He has explained that the scammers impersonated Currensea, knew personal information about him (name, email address, last four digits of his card and that he had recently been in Germany) and persuaded him that there had been unauthorised transactions on his account which only they could see. They told him that he would receive a One Time Passcode (OTP) which he would need to share with them in order for them to secure his account. While the scam was occurring, Currensea froze his account numerous times after detecting suspicious activity. However, on instructions from the scammers, Mr W repeatedly unfroze his card in the app. Mr W had a total of three calls with the scammer over a period of roughly two hours. Each of these calls were relatively short with the longest (the first call) lasting ten minutes. Using the OTP the scammers were able to add his card to a digitised wallet on a new device and complete three transactions successfully. Roughly one hour after his last call with the scammer, Mr W left a voice message with Currensea saying he thought he had been the victim of a scam. This voice message was before the last disputed transaction occurred. As such, as a gesture of goodwill Currensea refunded the last transaction. Mr W has expressed his frustration at not being able to contact Currensea by phone (or locate a phone number for them easily). And feels that if a number for Currensea had been easily available his loss could have been prevented. Currensea accepts that Mr W was the victim of a scam but is persuaded it took sufficient steps to inform Mr W about the suspicious activity on his account. It points to the numerous messages it sent him and the fact that it repeatedly froze his account – yet Mr W unfroze it. It therefore doesn’t think it would be fair to offer a refund for the remaining two transactions. Our investigator upheld this complaint concluding that the payments were unauthorised and there was no other reason why Mr W should be liable for the payments. She asked Currensea to refund the payments. As Currensea didn’t respond this complaint has passed to me for a decision. I issued my provisional decision on 13 March 2026. Mr W accepted the provisional decision as Currensea did not I am issuing a final decision.

-- 1 of 5 --

I’ve carefully considered the points Currensea provided following the provisional decision. Having done so I’m not departing from my provisional decision. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’m intending to reach the same conclusion as our investigator and as I set out in my provisional decision I’ll explain why. When looking at these sorts of complaints, the starting point is that Currensea is required to refund any unauthorised payments made from Mr W’s account, and Mr W should be responsible for transactions made on the account that he has authorised. Those rules are set out in The Payment Services Regulations 2017 (PSRs). But the PSRs also set out situations in which Currensea can hold Mr W liable for unauthorised transactions. This includes if Mr W failed with intent or gross negligence to take reasonable steps to keep his secure information safe. Can Currensea fairly treat the disputed payments as authorised? It isn’t disputed that Mr W was the victim of a scam. It also appears to be accepted that he didn’t make the disputed payment himself or give anyone else permission to make the payment, so on that basis the payment is unauthorised. The scammers carried out the transactions with a digitised wallet. To set up the wallet, the scammers needed Mr W’s card details and an OTP, a specific code that Currensea sent Mr W by text. Mr W says that he shared the OTP because he was persuaded that doing so would prevent unauthorised transactions on his account. Mr W also unfroze his account, but this appears to be on the advice of the scammers and not in order to allow payments. It is not clear how the scammers got Mr W’s card details, Mr W doesn’t recall sharing them over the phone – and it is possible that they were able to obtain the details some other way. When describing the circumstances of the scam, Mr W has mentioned that scammers knew the last four digits of his card, which is part of the reason he trusted them. So it is possible that the scammers had access to his full card details. Regardless of whether or not Mr W shared his card details in the call, considering the premise of the scam, that he was told there were unauthorised transactions on his account and he was following the scammer’s guidance in order to secure the account. I do not think Mr W gave his card details to the scammer with the intention of allowing transactions on his account. It isn’t however disputed that Mr W shared the OTP with the scammer. I appreciate that this is sensitive information. But from what I’ve seen, I’m satisfied Mr W was a victim of a scam, was under the spell of the scammers, and hadn’t understood that sharing his OTP, and unfreezing his account, would enable a third party to process payments on his account. Mr W has explained that he thought he was sharing the code with Currensea in order to allow them to access his account and prevent fraudulent transactions that were taking place on a cloned card. And that he thought he had to check this was working by freezing and unfreezing his card in in the app. Put simply, I’m persuaded Mr W divulged this information to help prevent, not authorise, transactions on his account. So while I accept that, by taking these steps, Mr W has allowed the payments, given the circumstances, I don’t find that Mr W authorised the payments. Are there other reasons why under the PSRs Currensea shouldn’t provide a refund?

-- 2 of 5 --

The PSRs set out situations in which Currensea can hold Mr W liable for unauthorised transactions. Of particular relevance here is where it says the payer (Mr W) is liable for losses for an unauthorised payment transaction where they have “with intent or gross negligence failed to comply with regulation 72 (obligations of the payment service user in relation to payment instruments and personalised security credentials).” For ease I’ve quoted the relevant part of regulation 72 of the PSRs below. “(1) A payment service user to whom a payment instrument has been issued must— “(3) The payment service user must take all reasonable steps to keep safe personalised security credentials relating to a payment instrument or an account information service.” I’ve gone on to consider this in more detail below I’m satisfied that the “personalised security credentials” means personalised features provided by a payment service provider (Currensea) to a payment service user (Mr W) for the purposes of authentication. Which would include the OTP in this case. I’m not satisfied that freezing and unfreezing the account alone is directly relevant to this obligation as it isn’t in relation to keeping personalised security credentials safe. Mr W has confirmed that he froze and unfroze his account after he shared the OTP with the scammer and so these actions aren’t part of the context in which Mr W shared the OTP. And the internal notes show that this occurred after Currensea sent Mr W the OTP. I’ve considered if Mr W has with intent failed to comply with the above obligation. As the premise of the scam was that Mr W believed he was speaking to Currensea – I’m not persuaded that Mr W intentionally disregarded his obligations as he didn’t know he wasn’t supposed to share the code with Currensea or that he wasn’t keeping his secure credentials safe. Under the PSR's if Mr W shared the OTP with gross negligence, then he'd be responsible for the payments. So whilst I'm satisfied Mr W did fail to keep the OTP safe because he shared it with the third party - the scammer, I'm not satisfied his actions amounted to gross negligence. I’ve explained why below. To determine whether Mr W was grossly negligent in sharing the OTP I’ve gone on to consider the wider context of the scam. Mr W received a missed call from the scammer at roughly 5.51pm. He didn’t pick up as it was from an unknown caller. However, he did pick up a second call from the unknown caller at 5.53pm as he thought somebody might need to speak with him urgently. He said he was persuaded that the scammer was legitimate as they knew personal details about him, such as his name, the last four digits of his card and that he had been to Germany recently. The scammer also explained that Mr W would be unable to see the transactions at his end. Mr W was tricked into thinking he needed to take steps to protect the account. I think the premise of the scam is credible as often financial institutions will contact consumers when it has concerns about transactions, and normally some sort of verification process is required to ensure they are speaking to the correct person. Given the amount of personal information the scammer knew about Mr W and the premise of the scam I think it was reasonable for Mr W to find the caller credible. Mr W has said that he shared the OTP during the second call he had with the scammer, but I’m persuaded that he in fact shared this during the first ten-minute call he had with the scammers. I say this based on the series of text messages he received and Currensea’s

-- 3 of 5 --

internal notes which show that the new payment token was set up at around 6pm. To do this the scammer would have needed the OTP. I’m also persuaded by Mr W testimony that he unfroze the card after he shared the OTP. While on the phone with the scammer, Mr W received five text messages at roughly the same time (at 6.02pm). One was sent after Mr W’s card was frozen and said there was a “suspicious attempt to add your card to your phone if this was you, you can unfreeze your card via your app”. Another message started with the phrase “FRAUD WARNING” and went on to say a code will arrive shortly and that if someone had been calling and asking for the code to end the call and that Currensea’s employees will never ask for this code. The message containing the code made it clear that it was to activate the card in the digitised wallet. And the code was contained at the end of this message. Another message told Mr W to be aware of fraud and that the card had been activated in the digitized wallet and that he should freeze the card in the app immediately if this was not him. And a final one saying the card has been frozen due to suspicious activity. Currensea’s internal notes show that Mr W unfroze his card roughly one minute after these messages. All of these messages appear to have been sent in quick succession. Mr W has said that he had his phone to his ear and was unable to read the messages and that he kept his phone on silent. He said that he read the messages only after he was off the phone with the scammer. He was however able to convey the OTP to the scammers which was contained towards the end of one of the messages he received. He said that this number just flashed up. Mr W has explained to our service that the scammer told him he would receive an OTP so he just read out the code thinking that he was doing the right thing. The fact Mr W received the message with the OTP suggests he likely received the others that were sent at roughly the same time. But I’m persuaded by what Mr W said – that as he was on the phone to the scammer, he didn’t pay attention to the messages. His phone log shows that he was on the phone to the scammer at the time the messages were sent by Currensea. Mr W has told us that the scammers told him to expect the code and that he needed to share codes with other businesses before so that they could access his account. So it appears he thought this was why he was sharing the code and that it was necessary to do so to allow Currensea access to his account to cancel fraudulent payments. Given the persuasive nature of the scam call, that the scammer knew personal information about Mr W, and the fact that Mr W thought his account was compromised – I can understand the reasons why Mr W shared the OTP with the scammer and didn’t read over the text messages. Doing so, does not in my opinion reach the standard of “gross negligence”. Scammers are often experts at social engineering and at creating a sense of panic and cause consumers to take steps that on the face of it seem illogical. That appears to be what has happened here, I say this because, Mr W has mentioned that he was kept talking and concerned during the call with the scammer. While Mr W sharing the OTP and not reading the text messages sent from Currensea – is arguably careless – at the time he thought he was speaking to Currensea and taking steps to secure his account. Given the circumstances of the scam, I’m not persuaded that he has met the bar for gross negligence. Currensea has also raised concerns around Mr W freezing and unfreezing his card , and I’ve also noted that Mr W said that he froze and unfroze his account after he shared his OTP. Mr W explained that he did this following the advice of the scammer and to ensure that everything was working. As this happened after Mr W shared “personalised security credentials relating to a payment instrument” (here the OTP) – I don’t think this is relevant to my finding of gross negligence as detailed in the PSRs. The PSRs make it clear that the payer (here Mr W) is liable for losses involving unauthorised payment transactions where the

-- 4 of 5 --

payer has acted fraudulently (which I’m not persuaded Mr W has here) or has with intent or gross negligence “failed to comply with regulation 72 (obligations of the payment service user in relation to payment instruments and personalised security credentials”). Given the timeline of events and the facts of this specific case – I’ve focused on whether Mr W was grossly negligent up to when he shared his OTP. His subsequent actions to unfreeze the account are not in my opinion relevant to my finding on whether he was grossly negligent as set out in the PSRs. And for the reasons explained I’m not persuaded that Mr W was grossly negligent when he shared the OTP with the scammers Conclusion For the reasons explained, I do not think Currensea has fairly declined Mr W’s request for a refund. Compensation I appreciate that this situation has been distressing for Mr W. The primary cause of this being the scammer who tricked him and took his funds. Mr W has also expressed concerns about the way Currensea treated him and how this experience may have affected other customers. However, within the scope of this complaint, I am limited to considered Currensea’s actions in relation to Mr W’s specific concerns. Having carefully reviewed all of the information provided, I agree with the investigator’s conclusions and as Mr W appears to accept this I’m not going into detail. I do not find that the level of service provided by Currensea was unreasonable and had such a significant impact on Mr W as to warrant an award of compensation. My final decision My final decision is that I uphold this complaint and requiring Currensea Limited to: 1. Write off the £162.99 from Mr W’s Currensea Ltd account. 2. Remove any associated fees or charges applied. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr W to accept or reject my decision before 27 April 2026. Sureeni Weerasinghe Ombudsman

-- 5 of 5 --