skip tocontent

ombudsman news

issue 46

May/June 2005

using plastic cards as credit-tokens

We deal with a number of complaints from consumers about disputed card transactions – particularly cash machine withdrawals, where the consumer denies either making the transaction or authorising someone else to do so.

In some cases, the consumer may have made the transaction and then simply forgotten about it. But sometimes we conclude that the consumer failed to look after their card or PIN properly, thereby enabling a third party to make the transaction.

In many of the complaints we see involving disputed card transactions, the card was used to obtain credit – in other words, it was used as what the Consumer Credit Act calls a "credit-token". Many firms appear uncertain about how to deal with disputes of this type, so this article explains our approach.

what is a credit-token-

The meaning of "credit-token" is set out in the Consumer Credit Act 1974. The definition is broad and open-ended, but it includes the use of a credit card or a debit card on an account which is overdrawn (up to the extent of its agreed limit) or which is taken overdrawn (up to the extent of its agreed credit limit) by the disputed transaction.

types of transaction

The principles discussed here apply to all disputed credit-token transactions, including:

  • cash machine withdrawals;
  • face-to-face transactions – whether retail purchases or counter withdrawals; and
  • telephone and on-line transactions.

The person carrying out the transaction will usually have been asked to provide something in addition to the card or card details. In the case of a cash machine transaction, that will routinely be a PIN. For other transactions it could be one or more of:

  • a signature;
  • a password;
  • the answers to security questions.

What is requested will depend on the nature of the transaction and – with the introduction of Chip-and-PIN cards – on the type of card and equipment used to process the transaction.

So where a consumer insists that they did not carry out the transaction in question and that an unauthorised third party must have been involved, we will consider both how a third party might have obtained the card (or card details) and how they might have had access to any additional security information that was used in making the transaction.

cardholder "negligence"-

The banking code says that if the consumer acts "without reasonable care" and this causes losses, the consumer may be responsible for those losses. Acting "without reasonable care" may mean not following the code’s provisions about what to do to prevent fraud. The code says that consumers should (among other things):

  • take care of cards, PINs and other security information;
  • learn PINs, passwords and other security information and not keep a written record of them; and
  • tell the card issuer as soon as a card is missing or stolen or if someone else knows the PIN, password or other security information.

Many firms’ terms and conditions broadly reflect the provisions of the banking code, by saying that a cardholder will be liable for the misuse of the card if that misuse is caused by the cardholder’s failure to take reasonable care. Previous editions of the Code used the term "‘gross negligence" instead of "without reasonable care". But the guidance notes issued with the code say that the standard has not changed.

Some firms think that if cardholders were grossly negligent in their care of a card and/or PIN, then they can always be held liable for the full amount of any transactions made with that card by a fraudster. But that is not the case. There must be an appropriate provision in the card’s terms. The lack of care must have been the cause of the loss. And even then, the consumer’s liability may be limited if the card was used as a credit-token. If it was, the effect of the Consumer Credit Act 1974 is that:

  • Cardholders are liable for withdrawals that they have made (or that somebody acting as their agent has made).
  • Cardholders can be made liable to a maximum of £50 for losses arising from the use of the card when it was not in the possession of someone authorised to have it (the act does not say in what circumstances, but we will look to the card terms in each case.)
  • Cardholders can be made liable for losses arising from the use of the card by someone who has possession of it with the cardholder’s consent (again, the Act does not say in what circumstances.)
  • Cardholders are not liable at all after they have told the card issuer that the card has been lost or stolen.
  • These provisions cannot be excluded by the account terms.


Where the Consumer Credit Act, the banking code and the account terms do not say the same thing:

  • the act takes precedence over the code and the account terms; and
  • the code takes precedence over the account terms.

So because the act says that liability for unauthorised use of a credit-token is limited to £50, a firm cannot use the cardholder’s negligence in caring for the card and security information as its grounds for seeking to make the cardholder liable for more than £50.

Cardholders are only liable for losses of more than £50 if they:

  • made the transaction; or
  • authorised someone else to make it.

But they can be made liable for:

  • losses arising from the use of a credit-token by someone who obtained possession of it with the cardholder’s consent; and
  • the first £50 of any losses caused by the cardholder’s gross negligence in the care of their card or security details.

In the last two instances, however, the relevant part of the act does not impose liability – it simply allows the card issuer to do so. Whether or not a cardholder is liable in any particular case is likely to depend on the account terms.


If a firm believes that a cardholder is seeking to disown transactions that they did – in fact – make or authorise, or that were made by someone who acquired the card with the cardholder’s consent, it will not usually be enough to say simply that the cardholder was (or must have been) grossly negligent.

If the losses were caused just by the cardholder’s negligence, then we would generally expect the card issuer to refund them (possibly with the exception of the first £50). But if the card issuer believes that the cardholder carried out the transactions, or authorised someone else to do so, then we would expect the firm to provide us with the reasons for that belief, and any supporting evidence.

Firms will not always be able to provide evidence to support their suspicions about disputed transactions. Particular difficulties can arise, for example, when family members are suspected of involvement. They might have legitimate access to security information, and might also be in a position to use cards without the holder knowing immediately.We are, however, familiar with the security systems which firms have in place – and the difficulties that these present to the opportunistic third-party fraudster.

case studies

using plastic cards as credit-tokens

disputed cash machine withdrawal – plastic card used as credit-token

Mr B came to us after the firm rejected his complaint about what he said was an unauthorised cash withdrawal made with his credit card.

He said he had given his credit card and PIN to his mother, so that she would have an emergency source of cash while she was on holiday in Spain for three weeks. She used the card to make several cash machine withdrawals during the first two weeks of her holiday. However, Mr B's credit card statement showed a further withdrawal of £500 that was made during the third week of her holiday.

Mr B said that his mother told him she had not made this £500 withdrawal. However, she recalled being distracted by a man who was standing behind her on one of the occasions when she had withdrawn money during her holiday. Mr B suggested that this man must somehow have been responsible for the £500 withdrawal.

complaint rejected
Mr B’s mother had only used the card at cash machines. There was no evidence that any of the machines she used had been tampered with – so there did not appear to have been any opportunity for the card to be "cloned".

The card had remained in her possession throughout the holiday. So even if the man had deliberately distracted her in order to observe her entering her PIN, he had not been able to obtain her card, so could not have withdrawn any money.

The disputed withdrawal of £500 was followed just one minute later by the withdrawal of a much smaller amount (which was not disputed) from the same cash machine. Even if the card had been cloned, the chances of a cloned card being used at the same cash machine at the same time as the genuine card were remote in the extreme.

Initially, Mr B had not mentioned that he had given the card to his mother. When he first complained to the firm about an unauthorised cash withdrawal, he had said that the card had been in his possession at the relevant time. He later said that it had been lost – and it was only some months later that he said that he had lent it to his mother.

We did not consider Mr B’s version of events to be either consistent or reliable. In any event, he had given his mother the card and PIN voluntarily. If she had then used them for purposes which he had not intended, that was a matter between them. We did not uphold his complaint.

plastic cash machine withdrawal – plastic card used as credit-token

Mrs A was very unpleasantly surprised when her statement showed that – over a 2-week period – withdrawals totalling £5,000 had been made from local cash machines. She knew that she had not made the withdrawals herself. She rarely used her credit card, which she kept in a desk drawer at home – together with the details of her PIN that the firm had sent her.

Mrs A contacted the firm to say that she had not made the withdrawals. She also reported the matter to the police – adding that she thought her teenage son might have been responsible.

The police later charged Mrs A’s son, and he was convicted of offences under the Theft Act. He did not suggest in his defence that his mother had allowed him to use the card.

The firm told Mrs A that she was liable for the withdrawals because she had been grossly negligent in the care of her card and PIN. It cited the card terms to support its view. Unhappy with the firm’s stance, Mrs A came to us.

complaint upheld
We were satisfied that the withdrawals had been made without Mrs A’s authority. We thought that if she had authorised the withdrawals:

  • it was unlikely that she would have told the police that she suspected her son; and
  • it was likely that her son would have mentioned it in his defence.

The card had been used as a credit-token, so it did not matter that the card terms said that Mrs A would be liable if she failed to take reasonable care of her card and PIN. This was because the provisions of the Consumer Credit Act take precedence.

We agreed with the firm that Mrs A had been grossly negligent in the care of her card and PIN. So she was made liable for the first £50 of the losses. We required the firm to refund the rest.

plastic card used as a credit-token – cardholder lends card to a colleague for a specific transaction – cardholder denies liability when the colleague then uses the card for a further transaction

Shortly before he was due to take some clients out to lunch, Mr D remembered that his credit card was very close to its limit. He persuaded his colleague, Mrs G, to give him her credit card and PIN, on the understanding that he would only use the card to withdraw sufficient cash to cover the cost of the meal. He said he would pay the money back to her at the end of the month.

A few weeks later, when Mrs G’s card statement came through, she found that – on the same date that she had lent her card to Mr D – the card had been used to pay for a number of very expensive drinks at a club. Mr D strenuously denied making this second transaction and refused to reimburse Mrs G, so she contacted the firm.

The firm agreed with Mrs G’s view that Mr D had made the additional transaction and it accepted that she had not specifically authorised it – in that her authority to Mr D had extended only to his withdrawing a certain amount from a cash machine. However, it said that she was still responsible for the transaction. Mrs G then came to us.

complaint rejected
The card terms said that the firm could hold Mrs G liable for all losses that arose from the misuse of her card by a third party who had possession of it with her permission. This provision was not inconsistent with the Consumer Credit Act, and we did not think it was unfair to allow the firm to enforce it.

It was, of course, arguable that Mrs G had been grossly negligent. But that, of itself, would not have been enough to make her liable for the unauthorised transaction – because the act would have limited her liability to £50. The reason Mrs G was liable was because Mr D had the card with her permission; the card terms said that she would be liable for all losses arising in such circumstances.

Walter Merricks, chief ombudsman

ombudsman news issue 46 [PDF format]

ombudsman news gives general information on the position at the date of publication. It is not a definitive statement of the law, our approach or our procedure.

The illustrative case studies are based broadly on real-life cases, but are not precedents. Individual cases are decided on their own facts.