Barclays Fraud / GDPR breach

HiggiHiggins

Good Afternoon all, I’ll try and keep this simple and down to the GDPR issue. If anyone can help suggest how to proceed I’d really appreciate it. 

So over a 3 month period across 2 of my current accounts I had nearly £6k debited from each over approx 180 txn. These aren’t my main current accounts so rarely used and didn’t internet bank at the time.

Approx 25 merchants over same period across both accounts

Bank 1 - reported txns - refunded immediately and nothing heard from there on in from them.

Bank 2 Barclays - reported at same time - no refund given. The txn were split by them into 3 separate cases. 

Disclaimer forms were sent out, signed and returned via email. Shortly after this one of these cases was refunded in full and a letter supporting this too. 

Case 2 & 3 no information was given, daily calls emails and online chats got me nowhere, no reason could be given why the cases couldn’t progress and no one took ownership and it was just a vicious circle. 

Two months passed and a complaint raised, reason given for cases not being completed was no disclaimer forms received and after 10 days they auto close as without the authority the case cannot be investigated. £50 compensation was given but no resolution to these cases was put forward and the complaint handler “ghosted” my emails and calls for a week without any explanation.

This was then escalated to the ceo and exec complaints took the case. Again confirmed missing disclaimers prevented the progress but couldn’t explain why it had taken 3 months to raise this and deal. 

It was confirmed that one disclaimer form was received by them (CASE A)but this was then applied to the wrong case by them (CASE C). CASE C was then investigated, deemed fraud and refunded. However they did not have the signed authority to investigate CASE C and so disclosed personal and financial information without consent to third parties overseas. 

Advised that the two cases needed to be re raised and documentation was supplied for one of the original case ref numbers (CASE B - a carbon copy) and a new case ref number (CASE D). This was printed and signed by me and returned to exec handler by email. 

In my email I state that I have received forms for CASE D and existing CASE B. On each disclaimer I have signed and dated I have also handwritten the case ref number and transaction count for which it relates. I have also included a list of missing transactions quoting that these weren’t picked up on the refunded case, the case which has been re raised or the new case ref which was raised. 

I’m also then sent a refund payment which equates to the CASE D total amount in £. I raise the payment with the exec team who advise any refund has been picked up by the fraud team already and anything not refunded is still being dealt with. 

Some day or so later I went to print a copy of paperwork and noticed that the existing CASE B that had been raised was now replaced by a different new case ref (CASE E). This includes all the transactions I listed missing when the two signed forms were returned. 

I very quickly then receive letters advising customer liable for all transactions and the temporary refund, that I was never made aware of, was to be reclaimed. In fact the letter states that a decision has been reached on the two cases, but the letter fails to state what the decision actually is but is obvious given the reasons and reclaim. This left the account significantly overdrawn. I’m told that fraud don’t always make aware that refunds are temporary or being made. I make it clear that I was advised by the exec team that the payment was a refund from fraud and again no mention of temporary. The refund reference number doesn’t mention temporary and is the same reference in the refunds previously that were permanent. The account is still overdrawn by this amount that was confirmed a refund payment.

I make them aware that I have never returned any signed forms for the second new case raised CASE E and so haven’t given authority to investigate this claim. On the returned forms and email all references are to CASE B which I had been sent and I had never made any ref to the newest ref CASE E as it had not been seen at that point. 

I’m offered £250 in compensation for what they call “poor service and some delay in dealing”. A “very sorry” apology that paperwork was applied by mistake to the wrong case and no comment on the payment advised as a refund which has been reclaimed. 

No explanation as to why CASE C is deemed fraud and refunded and two cases being customer liable. The fact they split the cases into 3 and the entirety of one are fraud and the entirety of the other two not must be a grave coincidence. I’ve been given no reason for why transactions to the same merchants are deemed liable now, there are even payments on the same day to the same merchant which some are fraud and others liable. I’ve had no information on the merchants and any proof of products or services I have used, nothing. A generic statement that the decision is based on the information available to them yet cannot confirm why the decision on the closed case is the complete opposite. 

I believe their incompetence has led to data being unlawfully disclosed to third parties overseas. I am not sure what personal and financial information has been disclosed and what actions have been taken to ensure safety. 

I’m currently over £2000 out of pocket and £500 overdrawn as a result of all this and in a bad place. Can anyone help suggest a course of action please  

eskbanker

HiggiHiggins said:

I believe their incompetence has led to data being unlawfully disclosed to third parties overseas. I am not sure what personal and financial information has been disclosed and what actions have been taken to ensure safety. 

Hard work ploughing through all that but are you suggesting that Barclays investigating transactions that you've reported as fraudulent is in some way unlawful because you only signed a form with a different reference number on it?  In any case, investigation of such transactions is highly unlikely to entail disclosure of personal data as such, so I can't see any sort of data protection issue here.

In terms of the fraud claim, it is of course possible for some transactions to a merchant to be authorised by the account holder while others aren't, so in itself that aspect isn't inherently flawed.  No idea why Barclays subdivided the transactions into three groups but there must be some reason behind that (they won't be doing it for the hell of it), perhaps different authentication methods?  However, if you're confident that you didn't make any of the transactions and they assert that you (or someone with your security details) did then you'd need to escalate your complaint to the ombudsman if you've reached deadlock with the bank....

HiggiHiggins

Thanks for taking the time to reply appreciate it’s a lot.

So they wouldn’t investigate 2 cases as they hadn’t received the signed forms and without these they didn’t have authority to progress with the claim so the signed waiver carries significant relevance it seemed. I returned one signed form which they applied to the incorrect case (one I’d not given authority on) and investigated this. In the later instance again I’d signed no form giving authority to investigate one of the two cases having signed a form they supplied for another case. The case they investigated id not seen as the paperwork for as it wasn’t supplied or signed.

Interesting point tho, I’d assume to query the transaction the merchant would need a level of data to confirm if it is on their system.

It was sun divided due to the number of transactions able to recorded by a single case and so spread over 3. I appreciate some transactions can be deemed fraud and others not. I just find it too hard to believe that the case for which they admit had been investigated with the incorrect disclaimer being applied, contains every fraudulent transaction and the two cases that dragged out two months, then had to be re raised contain all liable transactions. All debit card payments.

I think the fact that the only information I’ve had is that we deem customer liable is the frustration here at the lack of justification and consistency. Had they given information on each transaction and what the difference between two transactions on the same day to the same company were that made one fraud and the other not I could better understand their position. When the companies appear non existent and don’t list any goods or services, given their locations it’s not anything I would ever utilise.

Their outcome letter doesn’t provide any details on transactions or reasons for decisions, just the fact that they are reclaiming a £500 temp refund that wasn’t communicated and when I queried it I was advised by email that any refund payments that have been given have been picked up already by the investigation team and any outstanding payments need further consideration. This was from the person directly liaising with the fraud team. Following this confirmation the letter advising it was temporary was sent.

I’m looking at the Ombudsman now once I have a bit more info 

thanks 

fwor

Before you go any further with your "Breach of GDPR" line, please be sure that you understand how GDPR relates to a situation of this type.

Specifically, be aware that because you notified the bank that these transactions were fraudulent, it follows that they were the result of criminal activity.

Here is what the GDPR regulation itself has to say about the investigation of criminal activities:

This Regulation does not apply to the processing of personal data:

1. in the course of an activity which falls outside the scope of Union law;
2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
3. by a natural person in the course of a purely personal or household activity;
4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

You can see from item 4. that as soon as you declare that fraud was involved, you immediately exempt the bank from the GDPR regulations (of course, specifically only in relation to investigating the situation).

born_again

HiggiHiggins said:

Interesting point tho, I’d assume to query the transaction the merchant would need a level of data to confirm if it is on their system.

thanks 

So when bank goes back to the retailer on fraudulent transactions. It is a chargeback, simply stating this transaction is fraud & giving the basic transaction details (all done by picking up the transaction on the banks system) NON OF YOUR PERSONAL DETAILS ARE GIVEN.
Retailer then can come back & provide any details they have. So that may/will include name & address of online purchases etc.

To claim this money back the bank nee you to sign a form confirming it was not you making the transactions. without out that they can not claim the money back from retailer & will re-debit you.
Each current account will require it's own form, due to different card numbers.

Problem with cases such as this is errors are easily compounded. Various transactions over more than one account, over a extended period. It is easy for both the person reporting & the rep dealing to get some transactions mixed up.

phillw

HiggiHiggins said: 

I believe their incompetence has led to data being unlawfully disclosed to third parties overseas. I am not sure what personal and financial information has been disclosed and what actions have been taken to ensure safety. 

I’m currently over £2000 out of pocket and £500 overdrawn as a result of all this and in a bad place. Can anyone help suggest a course of action please  

What information do you think has been unlawfully disclosed? Unless you have evidence of a serious breach, then I'd forget that. When you report a transaction as fraudulent they can't just take your word for it, or banks would be bankrupt in a day. If you don't give them permission to investigate, which will require some kind of information being exchanged about you, then what do you expect them to do? Charge backs can be reversed, mistakes may have been made but getting upset won't help you at all.

I wouldn't ever say people were incompetent either. You think it will make them more likely to sort your issue out, but it won't. Their eyes will glaze over and you'll just get angrier and unable to make your point.

Have you made a formal complaint? You have to specifically say "I want to make a complaint" they then have 8 weeks to solve your complaint, or you can take your complaint to the ombudsman.

Your complaint is "I didn't make any of these payments, I am confused why it's taking so long and why some refunds have been reversed, you can understand that this is quite stressful but I believe that I have given you everything you have asked for".

I wouldn't explain anything else as it will just give them a headache. If you're still in contact with the exec complaints team then I'd make the complaint to them.

HiggiHiggins

FWOR - I’ve really only asked for advice and not insisted it’s a breach.

when reporting the transactions are you actually stating they are fraudulent or just disputing them and seeking clarity on what they are. I know that may come across flippant but I never actually said I dispute these transactions and so the are fraudulent. surely it’s not a criminal offence until it’s investigated and proven so. I can dispute a transaction as I don’t recognise it and if given more information on it by the bank realise that it just an under a different merchant name to the shop I used for eg?

The disclaimer point below is off the disclaimer. This form is explicitly needed before they will proceed to look into the claim. Am I wrong in thinking that if you don’t sign to agree with the list of transactions and they then investigate, you’ve not actually given authority to let them do the below.

1. I/We authorise you to contact and disclose if necessary, information about me and transaction(s) carried out on my accounts to third party organisations including, Banks/Financial Institutions, Merchants and Service Providers, Police, and any other law enforcement agency, in order for you to fully investigate my claim

If the transaction list provided was wrong I wouldn’t sign for transactions that were listed that I recognise as if I allow them to investigate these I’d be making a false claim. This is why I’d guessed they send you a list of transactions for you to check and then sign to agree. If I don’t sign the form they auto close this in 10 days.

Born Again - yes errors are easily caused. There was one txn reported that they have just acknowledged was missing and not picked up and offered as a goodwill gesture  a refund on this txn. Trouble is with no transaction info from them I don’t know what’s been investigated really. I’ve got 98 txn, 32 all one one case refunded, a case they shouldn’t have been working on as they applied the wrong form. The case they should have been working of was worth significantly more in £ so had they worked on the right case that could and should have been refunded. I’ve got 65 txn that very quickly they deemed liable and 1 txn they missed and they just refunded. All a bloody mess.

if they feel customer is liable and so a fraudulent claim would they not report this as offence? 

phillw

HiggiHiggins said:

I know that may come across flippant but I never actually said I dispute these transactions and so the are fraudulent. 

If you aren't saying the transactions are fraudulent, then how are you out of pocket?

I’m currently over £2000 out of pocket

You made it sounds like there was no way these were transactions you made.

So over a 3 month period across 2 of my current accounts I had nearly £6k debited from each over approx 180 txn. These aren’t my main current accounts so rarely used and didn’t internet bank at the time.

So I'm a bit confused how these might be transactions you did make but just didn't recognize.

HiggiHiggins

Apologises, yes I don’t recognise the txns and as per the case they have already settled the outstanding ton are the same.

It was in relation to a GDPR comment when someone said that as soon as you declare fraud you have no right under GDPR as they can investigate criminal activity. My point was that the txn are reported as disputes and logged. The disclaimer you need to sign gives the authority to contact third parties and also confirms you did not make the payments, allow anyone else to make them, havent lost your card and finally advises it’s a criminal offence to make a false claim on any txn.

once I’ve signed that form I’m agreeing to the disclaimer details for the txn list related to it. My basis being that if it’s not signed there’s something you don’t agree with and so they have no authority to proceed and it auto closes in 10 days. 

If this form is so important that fraud cannot proceed without it and if it’s not received it’s automated to close the case. It must carry a significant level of legality otherwise surely it wouldn’t be required. If this is the case then a mistake causing a case to be processed without the form has to against process in some way. Also to then just proceed with another case without receiving a form is again against process?

phillw

HiggiHiggins said:

once I’ve signed that form I’m agreeing to the disclaimer details for the txn list related to it. My basis being that if it’s not signed there’s something you don’t agree with and so they have no authority to proceed and it auto closes in 10 days. 

So what you're saying is you want them to refund all the transactions as they are fraudulent but you also want them to pay you compensation because they had to split the transactions over multiple cases & for some reason the forms you filled in and sent back to them were not attached to the correct cases?

Disclaimer forms were sent out, signed and returned via email. 

Meanwhile, you seem to think arguing over this with them is more important than trying to get refunds for the £2000 that they have not refunded?

HiggiHiggins

I only ever wanted the transactions refunding, in a timely manner as was case one with no issue. 

No I didn’t want any compensation for it at that point. It was the fact that the two cases say idle not progressing from early Sept till early October when I raised the complaint. 

The whole delay was then blamed on the missing forms, had this been made clear very early id have supplied these and maybe the cases would have been resolved in the same manner as case one. Or if they didn’t need splitting and could have been done on a single case (as the other bank managed) then the whole case may have been refunded within 2 weeks.

when they’ve attached the wrong forms to wrong cases and investigated things incorrectly is doesn’t inspire me with any confidence that everything has been done correctly and following process. On top of a 2 month delay to advice it’s down to missing paperwork, a further 6 weeks after that that the cases are actually started to be looked at and then to refund one of those cases, tell me it’s a refund from the fraud team only to then send me a decision letter which doesn’t state what the decision is and that they are reclaiming a payment that I was told was a refund from fraud, I’m less than satisfied. 

I don’t want to argue anything. They have said that the decision made on the two cases is unable to be changed so getting the £2000 back from them isn’t an option I believe.