Account security complaints - guidance for communications providers

Introduction

Account security is a broad area and has evolved as the communications sector itself has changed. This guidance note is designed to give our member companies useful information on our approach to complaints relating to this issue.

Overview

Today, most fraud and account security issues we encounter in our role as an ombudsman concern the theft of mobile handsets. Our remit allows us to investigate not the “fraud” itself, but rather the initial part of this process: access to the account. It also allows us to review whether the provider made “reasonable endeavours” – as required by Section C8.5 of the General Conditions – to ensure that the person to whom it provided access to the account had authorisation to perform the contract renewal or order.

If we feel a provider did not meet this standard, then we may take action – up to and including the cancellation of the order/contract.

Unlike mobile, where there is high-value equipment involved, account security issues in the landline sector generally relate to generating money via use of the lines themselves. Again, when investigating such complaints, we would assess the process the provider used to ensure the person was authorised to order or renew.

Decision-making principles

Here are the high-level principles we follow when investigating account security complaints:

  • Communications providers have a duty to check that the person taking out a contract is authorised to do so. We expect communications providers to evidence that they completed appropriate security checks.
  • Our remit is not limited to assessing whether a member company has followed its security procedures – we can also consider whether the company’s security procedures are, in themselves, robust.
  • Providers may have different levels of security depending on the risk associated with the products and services ordered. For example, the risk of accepting an order for a fixed telephone line could be seen as lower than accepting an order for a high-end mobile handset, as a fraudster may have less to gain by ordering the telephone line.
  • Providers may have different ways to establish the identity of the account holder. We don’t expect all providers to do this in the same way, but each provider will need to demonstrate that its procedures are robust.
  • If a provider only asks for information that is commonly collected or is widely known – such as someone’s date of birth and address – then we may decide that the measures in place are not enough in the event that an unauthorised person is able to access an account. This is particularly the case when a handset is delivered to an address other than the registered account address.
  • If the customer alleges that their account was accessed by someone they know – or if the complainant does not know who ordered a handset but it was delivered to the account holder’s home address – it may be reasonable for the provider to expect them to report the issue to the police, to demonstrate that the customer genuinely has not authorised the account access.
  • If a company has failed to complete security checks or make reasonable endeavours to ensure the person taking the contract was authorised and has allowed an unauthorised third party to order and obtain a piece of equipment, we are likely to uphold the complaint and remove the disputed contract.
  • If a customer has allowed another individual access to their account by, for example, passing on their password, allowing them to obtain ID such as a bank card or driving licence or by giving them access to their handset, then we would normally conclude that the customer has effectively allowed the third party to access their account and would not uphold their complaint.
  • If the account holder has informed their provider that they are concerned an unauthorised third party may be trying to access their account, we would expect the provider to take steps to ensure the account is not accessed inappropriately - for example, by increasing the protection of the account.
  • If there is a dispute over whether third-party authorisation has been granted by the account holder, we will assess whether the account holder genuinely intended the third party to have authority to make changes to the account.
  • Similarly, if there have been multiple failed attempts to access an account in a short period of time – where the person attempting to access the account could not pass data protection checks – it may be reasonable to expect the provider to increase security protections on the account.
  • While a company may not disclose the precise details of its investigation, we expect a communications provider to give a clear and valid reason as to whether it considers an account security lapse has occurred. If a company failed to investigate or failed to give a clear reason for its decision, it’s likely that we would uphold the complaint.
  • We expect a communications provider to be able to demonstrate that it has acted responsibly and made robust attempts to identify any individual attempting to access an account.
  • In account security cases, we will consider the reason provided by the communications provider and whether the available evidence supports this conclusion.

Case studies

Case study 1: Mobile ‘scam’

The complaint: The customer stated he was a victim of a scam where he was tricked into taking out a mobile contract inclusive of a high-end mobile device. Upon giving the handset to the fraudster, he immediately realised what had happened and contacted the communications provider to ask that it cancel the contract. The communications provider refused and subsequently closed the account for non-payment, applying an early termination fee. The customer felt this was unfair as he had been a victim of fraud and insisted that the company remove the debt and repair his credit file.

The company’s position: The company’s security team had completed an investigation and determined this was not a case of fraud. The company maintained that it had completed appropriate security checks and provided the customer with all the necessary paperwork, which he had signed. As the customer had not paid his bills, the account was closed in accordance with the company’s terms and conditions.

Our decision: The focus of our investigation was whether the communications provider had acted incorrectly when selling the contract to the customer. We considered that the company had provided evidence it completed thorough security checks, and that the customer had signed the contract and provided their bank details. We were therefore satisfied that the company had verified the identity of the customer and taken reasonable steps to confirm the customer wished to take out the contract.

While we empathised with the customer, who had clearly been deceived by a scam artist, we found no evidence of wrongdoing on the company’s part. We recommended that the customer pursue the matter with the police and required no remedy or award.

Case study 2: Identity theft

The complaint: Upon receiving unusual letters in the post, the customer discovered he had been a victim of identity theft and that various accounts and financial agreements had been taken out in his name. One of these agreements was for a mobile phone contract. The customer reported the identity theft to the police and contacted the communications provider. After a short investigation, the communications provider contacted the customer to say it had found no evidence of fraud. The customer continued to dispute the outcome of the fraud investigation and maintained that the account should be closed, and the outstanding balance removed.

The company’s position: The company stated that its fraud team had investigated the account and determined no fraud. This was on the grounds that the suspected fraudster was the customer’s ex-partner and the contract had been sold in-store. This meant that photo ID would have been required to open the account. The company considered it was likely the customer had taken out the contract for their ex-partner only for their relationship to subsequently break down. The company was satisfied it had completed appropriate security checks at the point of sale and that the matter was a third-party dispute between the customer and their former partner.

Our decision: Upon review of the company’s case file, we noted that details concerning the sale of the disputed contract were very vague. After questioning the communications provider on this point, it transpired that the contract had been purchased in a third-party retail store, not from the communications provider directly. Consequently, the company had very limited information about the sale – it could not even confirm if the contract included a handset. While the company had stated that the retailer had completed security checks, this was an assumption and not based on any solid evidence.

During the process of our investigation, we informed the customer that the contract had in fact been sold through a retailer. The customer then contacted the retailer to request further information. He received a letter from the retailer’s head office that stated the communications provider must be mistaken to say the contract was sold in one of its stores, as it had ended its relationship with the communications provider concerned two years ago. Considering this evidence, we were satisfied that the contract could not have been sold in the manner the communications provider stated. We therefore required the company to close the account, remove the outstanding balance and correct the customer’s credit file. We also required a financial award of £100 for clear shortfalls in the company’s fraud investigation.

Case study 3: Dial-through fraud

The complaint: The customer became aware that they had been a victim of dial-through fraud when their communications provider alerted them to high spend on their account. The customer took steps to secure their PBX (Private Branch Exchange – a private telephone network typically used within a company or organisation) but disputed their responsibility for the outstanding balance. At the time the communications provider alerted the customer, the outstanding bill was approximately £1,200, but it had risen to more than £3,000 once the unbilled usage had reached the communications provider’s billing system. The customer argued the communications provider should have noticed the fraud sooner and wanted the entire balance removed.

The company’s position: The communications provider explained that it was not responsible for the security of the customer’s PBX and that it had alerted the customer to the high spend as soon as its wholesale provider had made the company aware of it. The company had applied a credit of £1,000 as a gesture of goodwill but considered no further remedy was appropriate.

Our decision: On review of the contract, we agreed that the communications provider was not responsible for the security of the customer’s PBX. The question to consider was therefore whether the communications provider could have noticed the fraud earlier.

While we empathised with the customer’s situation, there was no contractual obligation upon the company to monitor for potentially fraudulent activity. We also recognised that the communications provider’s system (leased from Openreach) was limited in its ability to allow the provider to monitor an individual user’s account in real time. We were therefore satisfied that the company had acted to alert the customer as quickly as it could.

Ultimately, the customer was responsible for the security of his equipment and the root cause of the issue was that the customer failed to take appropriate security measures. We therefore recommended no remedy or award.

Case study 4: Credit file confusion

The complaint: The customer explained that she had closed an account with the communications provider several years ago. Upon recently checking her credit history, she discovered a default from the communications provider. This default related to an account the customer had no knowledge of, which had been opened approximately two months after she had closed her genuine account. The customer disputed ever purchasing this contract and stated she had been a victim of fraud. She requested that the default be removed from her credit file.

The company’s position: The company’s fraud team had investigated the account and found no evidence of fraud. This was because the disputed account had been opened using the same bank card that had been used to make several payments on the customer’s original account. The company stated it had completed security checks against the customer’s bank card and address and it was satisfied that the account had been opened by the customer.

Our decision: Given that the sale of the disputed contract had occurred several years ago, information related to the sale was limited. However, we considered the security checks that the company stated it had completed.

The company explained that for a customer to be verified, the bank card used at the point of sale must be registered at the account address. We identified that the two accounts in the customer’s name had different registered addresses. The customer still lived at the address registered against the genuine account and claimed to have no knowledge of the address linked to the disputed account.

The customer provided copies of her bank statements from the time that the disputed account was opened. The statements showed a £2 payment to the communications provider, but clearly showed the address of the bank card did not match with the mobile account. Considering the company’s explanation of its verification process, this should have caused the sale to be blocked.

We put this to the communications provider, but it could not provide an explanation. It therefore changed its position and agreed that the complaint should be upheld. We required the company to remove the outstanding debt and to correct the customer’s credit file. We also required a letter of apology and a financial award of £100 for failures in the company’s fraud investigation.