Financial Ombudsman Service decision
Wise Payments Limited · DRN-6191560
The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.
Full decision
The complaint A company I shall refer to as S complains to us that Wise Payments Limited have declined to reimburse them for transactions, they say they didn’t make or agree to. They’d like the funds reimbursed, plus interest and compensation. S has appointed representatives for this complaint, but for ease of reading I’ll refer solely to S in this decision. What happened The background and facts of the case are largely not in dispute, so I will cover this only briefly here. In January 2025 an employee of S was contacted by someone claiming to be from Wise. They were told that there were pending transactions on the business account and were told they would need to follow certain steps to prevent them. The employee was persuaded to give over two one-time passcodes (OTPs) during the call. But they then became suspicious and called Wise on a landline. They discovered two transactions on the account that they didn’t recognise, for £6,540 and £7,412. S reported these as fraudulently to Wise. Wise declined to refund S, citing the use of the OTPs to authorise the payments. They also didn’t feel the transactions were significantly out of character, such that they should have prevented them. But they did agree to pay S £150 for delays in the fraud investigation. Dissatisfied with this, S referred their complaint to our service. One of our investigators looked into what happened but didn’t think Wise had done anything wrong. He thought by sharing the OTPs it was likely the employee had authorised the transactions. S disagreed and asked for the complaint to be considered by an ombudsman. As such, the complaint was passed onto me to decide. I reviewed the file and reached a different conclusion to our investigator, and as such I issued a provisional decision that said: Firstly, both parties seem to agree that the employee of S was tricked into sharing the OTPs that allowed both these payments to go through. The employee also seems to have interacted with the Wise app, as there were push notifications to authorise the payments as well. One payment was declined in-app, the other approved. But Wise have confirmed that the OTPs are the method of authentication that allowed the payments to go through – and it’s likely that these were entered into the merchant’s websites by the fraudster. The relevant regulations to payments in the UK are the Payment Services Regulations 2017 (PSRs). These say that broadly an account holder is responsible for any payment that has been correctly authorised – and the financial firm should generally refund transactions that haven’t been authorised by the account holder, subject to certain caveats. These include where an account holder has intentionally or with gross negligence failed in their obligations to keep their security credentials safe.
-- 1 of 4 --
The PSRs allow some variation of these requirements if a business is larger than a “micro- enterprise”. This is a firm with assets or turnover less than €2million and fewer than 10 employees. From the figures given to us, this would include S who have more employees than this. The terms of S’ Wise account term this the “corporate opt-out” and say certain provisions of the PSRs will not apply – including those relating to refunds for unauthorised transactions, and the liabilities of each party. But the Wise terms go on to say about their own responsibility for losses: 29.6 Our liability to you for unauthorised payments. In case of an unauthorised payment, we shall at your request refund the payment amount including all fees deducted by us. We may require proof that such payments were unauthorised. This shall not apply where we believe: (a) Your Wise Account, or other personalised security features, are lost, stolen, or misappropriated. You will be liable for the first GBP 35 of any unauthorised payments if we believe you should have been aware of the loss, theft, or unauthorised use. We will not hold you liable for the first GBP 35 if the unauthorised payment was caused either by our acts or omissions, or those of a third party expressly carrying out activities on our behalf. Your liability for the first GBP 35 also does not apply to any unauthorised transactions made after you have notified us that your Wise Account or profile may have been compromised (using the details we’ve given you). … (d) The payment transaction was unauthorised, but you have with intent or gross negligence compromised the security of your Wise Account or profile or failed to comply with your obligations to use your Wise Account or profile in the manner set out in this Agreement. In such a case you shall be solely liable for all losses; This broadly mirrors the provisions within the PSRs around the obligations on the account holder in relation to their security credentials. The Wise terms also say about authorisations: 19.1 You authorise every transaction. You agree that any use by you of your Card, card number or PIN constitutes your authorisation and consent to the transaction. Here though it’s accepted that the employee at S didn’t make the transactions – Wise have confirmed they believe the entering in of the details, and the OTPs into the merchants’ websites, were carried out by the fraudster. Nor does there seem to have been any intent from the employee to allow the fraudster to make payments on their behalf. So, I’m not persuaded that the payments can be considered authorised. So, in line with the terms I’ve gone on to consider whether the employee was grossly negligent in sharing the OTP with the fraudster. I’m satisfied that the OTP constitutes one of the range of security features of the Wise account. The concept of gross negligence goes beyond mere negligence, or carelessness. To my mind it must be a very significant degree of negligence beyond that of what you’d expect of a reasonable person – an appreciation of the risk involved, and a serious disregard to that risk. Here, I can agree that the sharing of both OTPs may well be negligent, but I’m not minded that this reaches the level of gross negligence. The OTPs themselves were clear that they were to be used to authenticate a payment and certainly could have given the employee pause before sharing them. But in the circumstances, they thought they were genuinely speaking to Wise on the phone and taking steps to secure S’ account. They’ve commented that the caller already had knowledge about them and the Wise account. I’ve been given no
-- 2 of 4 --
reason to doubt the employee’s recollection on this point. So, I can see how this would have helped mitigate some concerns. Considering how the scam unfolded, I accept there is more they likely could have done to prevent the losses to the scam. But overall, I’m not persuaded that it would be fair to say the employee has been grossly negligent. On that basis I don’t see that it’s reasonable for Wise to have declined to reimburse S. It would be reasonable for Wise to reimburse S for the losses. They should reimburse the £13,952. If Wise wishes to deduct the £35 as specified in the terms, they should make S aware in advance. I also see that as S has not had the use of these funds for a considerable time, then Wise should also pay 8% simple interest per annum on this amount, from the date of payment to the date of settlement. I’ve also considered the customer service, and I can see that S initially had difficulty in communicating about their claim, and it took longer than I would say is reasonable. But I also see that Wise have already offered £150 in compensation for this. And most of the inconvenience will have been caused by the actions of the fraudster. So, I see that the offer of £150 is reasonable to reflect any disruption to S’ business caused by Wise. This was accepted by S. Wise did not agree, and presented evidence of what the employee of S would have seen when using the Wise app during the payment process. They said that the second transaction had also been agreed by the employee within the Wise app, which they felt shows it was authorised. They also provided a call recording which the felt demonstrated that the employee told them they were aware of payments being made to a “jar”. It now falls on me to consider the evidence afresh. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I remain satisfied with the conclusions reached in the provisional decision. I’ve considered Wise’s additional points around the authorisation, and I’m not persuaded by their argument that the payments should be considered authorised. The technical evidence submitted by Wise shows that the SMS OTP was the token used to authorise both payments from S’ account. So, I’m satisfied that the form and procedure for authorising these payments was completed by the fraudster. Wise have argued that the employee also agreed to the second payment within app – although if this happened it would be after the payment was already authorised. I’m not persuaded that Wise can reasonably rely on this, as it was made after the payment was already authorised. If the employee had declined the transaction in-app then I’m not persuaded it would have prevented it, as the authorisation had already been given. I’ve considered whether this suggests the employee was aware that payments being made – and I’ve also considered the phone call Wise have provided. The discussion about the payments to a “jar” is very brief, and only in passing. It wasn’t explored at the time, which is understandable considering it wasn’t the primary focus of the call. But I’m not persuaded that this indicates the employee was expecting or agreeing to payments being made – they’ve denied this, and their story of believing the codes were being used to decline transactions is more consistent with the activity we can see on the account. I’ve not seen any compelling
-- 3 of 4 --
evidence that the employee more likely than not agreed to the transactions on the account. Wise have acknowledged but not commented specifically on my findings around gross negligence – and I remain satisfied that the employee’s actions don’t meet that standard. There certainly were opportunities for them to have done more to prevent the losses, but overall, I don’t see that their actions fell so far below the standard of a reasonable person that it would be fair for Wise to hold S liable for the transactions. Neither party commented on the findings in relation to customer service. I remain happy that the £150 is a reasonable reflection of the inconvenience caused to S by Wise. Putting things right To resolve this complaint, Wise should reimburse S the £13,952 – although if they wish to claim the £35 specified in the terms, they can but must let S know in advance. Wise should also add 8% simple interest per annum to this amount, to reflect the period in which S was without these funds. Lastly Wise should pay S the £150 offered, if they have not already done so. My final decision My final decision is that I uphold this complaint and direct Wise Payments Limited to settle it as outlined above Under the rules of the Financial Ombudsman Service, I’m required to ask S to accept or reject my decision before 30 March 2026. Thom Bennett Ombudsman
-- 4 of 4 --