Money taken from your account without permission? Your refund rights

Claire | 5 July 2026 | 6 min read

If money left your account through a payment you never made or approved, UK rules put the starting position firmly on your side: the bank should refund an unauthorised transaction as soon as practicable, and no later than the end of the next business day after you report it, unless it has reasonable grounds to suspect fraud by you. A refusal is challengeable.

This guide covers what counts as "unauthorised", the exact refund rules, the narrow exceptions banks can rely on, and how to rebuild your complaint if the bank has already said no.

Key takeaways

  • An unauthorised transaction is one you did not make and did not permit - a stolen card, a compromised account, a payment you never agreed to.
  • The Payment Services Regulations 2017 require a refund no later than the end of the following business day after you report it, in most cases.
  • Your maximum liability for a lost or stolen card used before you reported it is normally £35, and often nothing.
  • Full liability requires the bank to show you acted fraudulently or with gross negligence - a deliberately high bar.
  • Report within 13 months of the payment leaving your account, and as quickly as you can in practice.
  • If the bank refuses, the Financial Ombudsman Service is free and independent.

Authorised or unauthorised - why the difference matters

This is the single most important distinction in payment disputes, and it decides which rules apply:

Situation | Type | Main route
Someone used your card or account without your knowledge | Unauthorised | Refund under the Payment Services Regulations 2017
You were tricked into sending a bank transfer yourself | Authorised (APP scam) | The 2024 APP reimbursement rules - see what to do if your bank refuses to refund a scam
You paid a merchant by card and something went wrong | Authorised | Chargeback or Section 75

If you made the payment yourself - even under pressure or deception - it is legally "authorised" and different rules apply. This guide is about payments you did not make or approve at all.

What the refund rules actually say

Under the Payment Services Regulations 2017, where a payment was not authorised by you, the bank must refund the amount and restore your account to the state it would have been in had the payment not happened. It must do this as soon as practicable, and in any event no later than the end of the business day following the day it becomes aware of the unauthorised payment.

The bank can only hold back if it has reasonable grounds to suspect you acted fraudulently and it notifies the appropriate authorities. Suspicion is not enough on its own - the grounds have to be reasonable, and the Financial Ombudsman Service can test them.

Your liability is tightly limited:

  • If a lost or stolen card or device was used before you reported it, you can normally be liable for a maximum of £35 - and not even that if you could not reasonably have known the card was compromised.
  • You are not liable at all for payments made after you reported the loss or theft.
  • You can only be made to bear the full loss if you acted fraudulently, or deliberately or with gross negligence failed to protect your security details. Gross negligence means something far worse than ordinary carelessness.

Sources: Payment Services Regulations 2017, regulation 76 (bank's refund obligation) and regulation 77 (your liability limits), plus Financial Ombudsman Service guidance on fraud and disputed transactions. Last checked: 04.07.2026.

Why banks refuse unauthorised-transaction claims

Refusals tend to use a small set of arguments. Each can be tested.

"Your card and PIN were used, so you authorised it"

How a payment was authenticated is not the same as who authorised it. PINs are shoulder-surfed, cards are cloned or intercepted, phones are unlocked and stolen. If the bank's whole case is "the correct credentials were used", ask it to explain how it ruled out compromise - and point to anything showing the payments do not fit your pattern: location, timing, merchant type, rapid succession.

"You must have shared your details - that's gross negligence"

Gross negligence is a high bar: a very significant departure from how a reasonable person would behave. Falling for a convincing phishing message, or writing a PIN in a disguised form, is not automatically gross negligence. The bank has to consider what you actually did, what you knew at the time and how sophisticated the deception was.

"You reported it too late"

The outer legal limit is 13 months from the debit date. Inside that window, delay may complicate the evidence but does not extinguish the claim. Explain why you did not spot the payments sooner - small amounts, an account you rarely use, no notifications.

"A family member must have done it"

The bank needs evidence, not assumption. If someone did use your card without your permission, that can still be unauthorised - though the facts matter, especially if you shared your PIN voluntarily.

What evidence helps most

  • statements highlighting every disputed transaction, with dates and amounts
  • where you and your card or phone were at the time, if you can show it - receipts, travel records, work rosters
  • when and how you reported the problem, with any reference numbers
  • a police or Action Fraud reference if the card or device was stolen
  • any phishing texts, emails or suspicious calls received around that time
  • your normal account pattern, so the disputed payments stand out
  • the bank's rejection letter or final response

How to structure the complaint

  1. List the disputed transactions - date, amount, merchant, and state plainly that you did not make or authorise them.
  2. Tell the story around them - where you were, when you noticed, when you reported.
  3. Answer the bank's stated reason - authentication is not authorisation; gross negligence is a high bar; ask what evidence the bank relies on.
  4. List your evidence.
  5. State the outcome - refund of the transactions, restoration of interest or charges caused, and correction of any credit-file impact.

When and how to escalate

If the bank rejects the complaint or eight weeks pass without a final response, you can take it to the Financial Ombudsman Service. The Financial Ombudsman Service is free and independent, and you keep any compensation it awards. You generally have six months from the final response to refer the complaint - check the current time limits before waiting.

How HeyRefund can help

Unauthorised-transaction complaints are usually won on pattern and precision: which payments, when, how you reported, and why the bank's "you must have done it" reasoning does not hold. HeyRefund helps you organise the transaction list, timeline and evidence into a clear complaint you can send yourself.

You can complain and escalate for free. HeyRefund just helps you present the case so the decision-maker can follow it.

Frequently asked questions

How quickly should the bank refund an unauthorised transaction?

Under the Payment Services Regulations 2017, once you tell the bank about an unauthorised payment it should refund it as soon as practicable, and no later than the end of the following business day, unless it has reasonable grounds to suspect you acted fraudulently.

Can I be held liable for any of the loss?

Sometimes, but the limits are strict. If a lost or stolen card was used before you reported it, your liability is normally capped at £35, and it can be nothing at all. You are not liable for payments made after you reported the card. Full liability usually requires fraud or gross negligence, which is a high bar.

My bank says my card and PIN were used, so it must have been me. Is that right?

Not on its own. Card and PIN use shows how a payment was authenticated, not who authorised it. Details can be compromised. The bank should consider how your details could have been obtained and what the pattern of transactions shows.

Is there a deadline for reporting unauthorised payments?

Yes. You should tell the bank without undue delay, and in any case within 13 months of the debit date. Report as soon as you spot the problem - delay makes everything harder.

Is the Financial Ombudsman Service free?

Yes. The Financial Ombudsman Service is free and independent, and you keep any compensation it awards. You do not need a claims company.

Written by Claire. Claire writes HeyRefund’s consumer guides on refunds, complaints, and how to escalate to the Financial Ombudsman.

This guide is general information, not legal or financial advice, and does not guarantee any outcome. Rules and time limits change. Complaining to a financial firm and escalating to the Financial Ombudsman Service is free, and you keep any compensation. HeyRefund is not a law firm and does not provide legal advice or claims-management services; it offers document-preparation tools based on real complaints data and Financial Ombudsman decision patterns. For advice on your circumstances, consider a free service such as Citizens Advice.
