Account security is a broad area and has evolved as the communications sector itself has changed. This guidance note is designed to give our member companies useful information on our approach to complaints relating to this issue.
Today, most fraud and account security issues we encounter in our role as an ombudsman concern the theft of mobile handsets. Our remit allows us to investigate not the “fraud” itself, but rather the initial part of this process: access to the account. It also allows us to review whether the provider made “reasonable endeavours” – as required by Section C8.5 of the General Conditions – to ensure that the person they provided access to the account, had authorisation to perform the contract renewal or order.
If we feel a provider did not meet this standard, then we may take action – up to and including the cancellation of the order/contract.
Unlike mobile, where there is high-value equipment involved, account security issues in the landline sector generally relate to generating money via use of the lines themselves. Again, when investigating such complaints, we would assess the process the provider used to ensure the person was authorised to order or renew.
Here are the high-level principles we follow when investigating account security complaints:
The complaint: The customer stated he was a victim of a scam where he was tricked into taking out a mobile contract inclusive of a high-end mobile device. Upon giving the handset to the fraudster, he immediately realised what had happened and contacted the communications provider to ask that it cancel the contract. The communications provider refused and subsequently closed the account for non-payment, applying an early termination fee. The customer felt this was unfair as he had been a victim of fraud and insisted that the company remove the debt and repair his credit file.
The company’s position: The company’s security team had completed an investigation and determined this was not a case of fraud. The company maintained that it had completed appropriate security checks and provided the customer with all the necessary paperwork, which he had signed. As the customer had not paid his bills, the account was closed in accordance with the company’s terms and conditions.
Our decision: The focus of our investigation was whether the communications provider had acted incorrectly when selling the contract to the customer. We considered that the company had provided evidence it completed thorough security checks, and that the customer had signed the contract and provided their bank details. We were therefore satisfied that the company had verified the identity of the customer and taken reasonable steps to confirm the customer wished to take out the contract.
While we empathised with the customer, who had clearly been deceived by a scam artist, we found no evidence of wrongdoing on the company’s part. We recommended that the customer pursue the matter with the police and required no remedy or award.
The complaint: Upon receiving unusual letters in the post, the customer discovered he had been a victim of identity theft and that various accounts and financial agreements had been taken out in his name. One of these agreements was for a mobile phone contract. The customer reported the identity theft to the police and contacted the communications provider. After a short investigation, the communications provider contacted the customer to say it had found no evidence of fraud. The customer continued to dispute the outcome of the fraud investigation and maintained that the account should be closed, and the outstanding balance removed.
The company’s position: The company stated that its fraud team had investigated the account and determined no fraud. This was on the grounds that the suspected fraudster was the customer’s ex-partner and the contract had been sold in-store. This meant that photo ID would have been required to open the account. The company considered it was likely the customer had taken out the contract for their ex-partner only for their relationship to subsequently breakdown. The company was satisfied it had completed appropriate security checks at the point of sale and that the matter was a third-party dispute between the customer and their former partner.
Our decision: Upon review of the company’s case file, we noted that details concerning the sale of the disputed contract were very vague. After questioning the communications provider on this point, it transpired that the contract had been purchased in a third party retail store, not from the communications provider directly. Consequently, the company had very limited information about the sale – it could not even confirm if the contract included a handset. While the company had stated that the retailer had completed security checks, this was an assumption and not based on any solid evidence.
During the process of our investigation, we informed the customer that the contract had in fact been sold through a retailer. The customer then contacted the retailer to request further information. He received a letter from the retailer’s head office that stated the communications provider must be mistaken to say the contract was sold in one of its stores, as it had ended its relationship with the communications provider concerned two years ago. Considering this evidence, we were satisfied that the contract could not have been sold in the manner the communications provider stated. We therefore required the company to close the account, remove the outstanding balance and correct the customer’s credit file. We also required a financial award of £100 for clear shortfalls in the company’s fraud investigation.
The complaint: The customer became aware that they had been a victim of dial-through fraud when their communications provider alerted them to high spend on their account. The customer took steps to secure their PBX (Private Branch Exchange – a private telephone network typically used within a company or organisation) but disputed their responsibility for the outstanding balance. At the time the communications provider alerted the customer, the outstanding bill was approximately £1,200, but it had risen to more than £3,000 once the unbilled usage had reached the communications provider’s billing system. The customer argued the communications provider should have noticed the fraud sooner and wanted the entire balance removed.
The company’s position: The communications provider explained that it was not responsible for the security of the customer’s PBX and that it had alerted the customer to the high spend as soon as its wholesale provider had made the company aware of it. The company had applied a credit of £1,000 as a gesture of goodwill but considered no further remedy was appropriate.
Our decision: On review of the contract, we agreed that the communications provider was not responsible for the security of the customer’s PBX. The question to consider was therefore whether the communications provider could have noticed the fraud earlier.
While we empathised with the customer’s situation, there was no contractual obligation upon the company to monitor for potentially fraudulent activity. We also recognised that the communications provider’s system (leased from Openreach) was limited in its ability to allow the provider to monitor an individual user’s account in real time. We were therefore satisfied that the company had acted to alert the customer as quickly as it could.
Ultimately, the customer was responsible for the security of his equipment and the root cause of the issue was that the customer failed to take appropriate security measures. We therefore recommended no remedy or award.
The complaint: The customer explained that she had closed an account with the communications provider several years ago. Upon recently checking her credit history, she discovered a default from the communications provider. This default related to an account the customer had no knowledge of, which had been opened approximately two months after she had closed her genuine account. The customer disputed ever purchasing this contract and stated she had been a victim of fraud. She requested that the default be removed from her credit file.
The company’s position: The company’s fraud team had investigated the account and found no evidence of fraud. This was because the disputed account had been opened using the same bank card that had been used to make several payments on the customer’s original account. The company stated it had completed security checks against the customer’s bank card and address and it was satisfied that the account had been opened by the customer.
Our decision: Given that the sale of the disputed contract had occurred several years ago, information related to the sale was limited. However, we considered the security checks that the company stated it had completed.
The company explained that for a customer to be verified, the bank card used at the point of sale must be registered at the account address. We identified that the two accounts in the customer’s name had different registered addresses. The customer still lived at the address registered against the genuine account and claimed to have no knowledge of the address linked to the disputed account.
The customer provided copies of her bank statements from the time that the disputed account was opened. The statements showed a £2 payment to the communications provider, but clearly showed the address of the bank card did not match with the mobile account. Considering the company’s explanation of its verification process, this should have caused the sale to be blocked.
We put this to the communications provider, but it could not provide an explanation. It therefore changed its position and agreed that the complaint should be upheld. We required the company to remove the outstanding debt and to correct the customer’s credit file. We also required a letter of apology and a financial award of £100 for failures in the company’s fraud investigation.