Our investigation

The fact that one-time passcodes had been used to confirm the payments meant the bank could not seek a chargeback on the basis of fraud. It did ask the merchant to return any remaining funds, but the merchant did not respond. We found the bank fairly considered Yvonne’s request and applied the available chargeback rules correctly. 

We next looked at whether the bank still had to reimburse Yvonne under the online fraud guarantee. The bank’s records showed the two transactions were initiated from the same IP address Yvonne generally used to log in to the bank’s mobile app. The records also showed one-time passcodes were sent to Yvonne’s registered mobile phone and were successfully entered to confirm the transactions. The text messages told her not to share the code, even with bank staff. Yvonne said she did not authorise the transactions, did not remember receiving or entering the codes, and had obtained a report that found no evidence her phone had been compromised. 

There was no evidence to suggest Yvonne’s phone had been compromised or that another person had obtained the codes. We also did not accept that someone had guessed two successive four-digit codes. The evidence instead suggested the only plausible explanation was that Yvonne received and entered the codes herself, or had disclosed the codes to someone else. On that basis, the transactions were either authorised, or Yvonne did not take reasonable steps to protect her banking when the codes were entered or disclosed. In either case, the bank was not liable to reimburse the remaining $5,350. 

Outcome

We did not uphold Yvonne’s complaint.