Can a Bank Return Money Transferred by Fraudsters?

Can a Bank Return Money Transferred to Fraudsters?

Yes, in certain circumstances, and subject to strict conditions and time limits. Whether a bank can and must return money depends on how the transfer was made, which legal framework governs the account, whether the transfer was authorised or unauthorised in legal terms, and how quickly the victim reported the fraud. In the EU and UK, specific legislation creates enforceable obligations on banks in fraud cases — but these obligations are not automatic, and banks routinely challenge, delay, or reject legitimate claims without proper escalation.

The Legal Distinction That Determines Everything: Authorised vs. Unauthorised Transactions

The most important concept in any bank fraud recovery claim is the distinction between an authorised and an unauthorised transaction. This distinction — not the fact of fraud itself — determines which legal protections apply and what the bank is required to do.

Unauthorised Transactions

An unauthorised transaction is one the account holder did not consent to. This includes: funds stolen through account hacking, SIM-swap attacks, phishing that results in a criminal accessing and operating the account, or any transfer made without the account holder’s knowledge. Under the EU’s Payment Services Directive 2 (PSD2) and the UK’s Payment Services Regulations 2017 (PSR 2017), banks are legally required to refund unauthorised transactions promptly — in most cases by the end of the next business day — unless they can demonstrate the customer acted fraudulently or with gross negligence.

The burden of proof in unauthorised transaction cases sits with the bank, not the customer. A bank that refuses to refund an unauthorised transaction must demonstrate why the refusal is legally justified.

Authorised Push Payment (APP) Fraud

APP fraud is the most prevalent and legally complex category: the account holder authorised the transfer themselves, but did so because they were deceived — by a fake investment platform, an impersonated bank, a romance scammer, or a fraudulent business. Because the payment instruction came from the account holder, it falls outside the automatic PSD2 unauthorised transaction protections.

This distinction has historically allowed banks to decline fraud refund claims on the basis that “you authorised the payment.” EU and UK regulatory frameworks have progressively challenged this position, with significant developments in recent years that shift more responsibility onto banks — covered in detail below.

Recovery by Transfer Type

Bank Wire Transfers and SWIFT Payments

Bank wire transfers are among the hardest fraud losses to recover through the bank directly. Once a wire transfer is confirmed and the receiving bank has credited the funds, reversing it requires the cooperation of the receiving bank — which may be in a different country operating under different rules.

Recall requests: Your bank can submit a SWIFT recall request (using the gpi STOP and Recall mechanism for SWIFT transfers) asking the receiving bank to return the funds. The success of this depends on whether the funds are still in the receiving account (they frequently are not — fraudsters move funds rapidly), whether the receiving bank cooperates, and how quickly the recall is initiated. Speed is critical: recalls submitted within hours of the transfer have significantly higher success rates than those submitted days later.

UK – Mandatory Reimbursement under the PSR 2024: From October 2024, the UK’s Payment Systems Regulator (PSR) implemented mandatory APP fraud reimbursement rules for Faster Payments transactions. UK banks and payment firms are now required to reimburse APP fraud victims up to £85,000 per claim, split equally between the sending and receiving bank. This is a landmark shift — for the first time, both the bank that sent the fraudulent payment and the bank that received it share liability. Exceptions apply where the customer acted with gross negligence or ignored specific bank warnings.

EU – PSD2 and Evolving Standards: PSD2 does not currently mandate reimbursement of authorised push payments in the same way the UK’s PSR 2024 does. However, the European Banking Authority (EBA) has strengthened guidance on banks’ duty of care in fraud cases, and PSD3 — currently progressing through the EU legislative process — is expected to introduce stronger APP fraud protections aligned more closely with the UK model. In the meantime, EU victims of APP fraud have recourse through national financial ombudsman schemes, national consumer protection frameworks, and regulatory complaints.

Credit and Debit Card Payments

Card payments offer the strongest consumer recovery mechanisms of any payment method — and are the most clearly governed by established law.

Section 75 (UK credit cards): Under Section 75 of the Consumer Credit Act 1974, UK credit card issuers are jointly liable with the merchant for misrepresentation or breach of contract on purchases between £100 and £30,000. If a fraudulent platform accepted a credit card payment and failed to deliver what was promised — or was fraudulent from the outset — the card issuer shares legal liability. Section 75 claims are not discretionary; they are a statutory right.

Chargeback (all card payments): The Visa and Mastercard chargeback schemes provide a contractual dispute mechanism for card payments where goods or services were not delivered as described, or where fraud occurred. Chargeback is not a legal right in the same way Section 75 is, but it is a widely available and frequently successful route — particularly for card-not-present (CNP) transactions to fraudulent online platforms.

Time limits are strict: Visa and Mastercard chargeback rules generally allow 120 days from the transaction date or the expected delivery date to raise a dispute. Section 75 claims have a longer limitation period but should still be initiated promptly. Contact your card issuer immediately — do not wait.

Strong Customer Authentication (SCA): Under PSD2’s Strong Customer Authentication requirements, card issuers that processed a payment without proper SCA verification bear greater liability if that payment is subsequently identified as fraudulent. If your card issuer approved a transaction without requesting two-factor authentication, this strengthens your chargeback or refund claim.

Cryptocurrency Transfers

As covered in detail in our article on cryptocurrency recovery, crypto transactions are technically irreversible — the blockchain cannot be unwound, and banks have no mechanism to recall crypto transfers once confirmed. Banks that facilitated the purchase of cryptocurrency subsequently sent to a fraudulent platform are not directly liable for the crypto transaction itself.

However, if you purchased cryptocurrency using a credit card or bank transfer and can demonstrate the purchase was made as a direct result of fraud or misrepresentation, the card payment or wire transfer component may still be subject to chargeback or recall. The crypto element requires separate legal and forensic pursuit.

Some UK and EU banks have also introduced voluntary fraud prevention measures that flag or block payments to crypto exchanges in certain circumstances — if your bank failed to apply such measures despite clear fraud indicators, this may form the basis of a regulatory complaint.

Online Banking and Payment Apps

Payment apps operating within the EU and UK — including those running on the Faster Payments network (UK), SEPA Instant Credit Transfer (EU), and regulated e-money platforms — are governed by PSD2 and PSR 2017 and are subject to the same unauthorised transaction protections as traditional bank accounts.

For APP fraud through payment apps, the UK’s mandatory reimbursement rules apply where the app is a participating Faster Payments member. In the EU, the applicable protection depends on the e-money institution’s licence jurisdiction and the national transposition of PSD2 in that country.

For payments made through unregulated peer-to-peer payment tools or informal transfer methods, the legal protection framework is significantly thinner.

How to Make a Fraud Recovery Claim with Your Bank: Step by Step

Step 1 – Report Immediately

Contact your bank the moment you identify the fraud. Every hour of delay reduces recovery prospects for wire recall requests and weakens the position that you took reasonable steps to mitigate loss. Use the bank’s dedicated fraud line — not general customer service — and confirm the report in writing.

Step 2 – Request an Immediate Payment Recall or Freeze

For wire transfers, explicitly ask the bank to initiate a recall request to the receiving bank under SWIFT gpi or the applicable domestic payment scheme. For Faster Payments (UK), ask the bank to contact the receiving institution directly under the banking industry’s fraud recall procedures. Request confirmation in writing that this action has been initiated and the timeline for a response.

Step 3 – Submit a Formal Written Complaint

If the bank declines to refund, submit a formal written complaint referencing the applicable legal framework: PSD2 Article 73 for unauthorised transactions, the PSR 2024 mandatory reimbursement rules for UK APP fraud cases, or Section 75 of the Consumer Credit Act for UK credit card claims. A formal complaint triggers the bank’s regulated complaints handling process and creates the paper trail required for escalation.

Step 4 – Gather and Preserve All Evidence

Compile: bank statements showing the fraudulent transactions, all communications with the fraudulent party, any documentation the fraudster provided, records of how you were contacted and recruited, and all correspondence with the bank including complaint reference numbers. This evidence supports both the bank complaint and any subsequent legal or regulatory proceedings.

Step 5 – Escalate to the Financial Ombudsman

If the bank rejects your complaint or fails to respond within the regulated timeframe (8 weeks in the UK; varies by EU member state), escalate to the relevant financial ombudsman or dispute resolution body.

When Banks Refuse to Refund: Understanding the Legal Grounds

Banks commonly refuse fraud refund claims on the following grounds — and each refusal ground has a counter-argument:

“You authorised the payment.” For UK APP fraud cases post-October 2024, this argument no longer prevents mandatory reimbursement under PSR 2024 rules — the sending bank shares liability regardless of authorisation. For EU cases, the bank’s duty of care obligations under PSD2 and EBA guidelines still require it to assess whether adequate fraud prevention measures were in place.

“You acted with gross negligence.” Gross negligence is a high legal bar. Being deceived by a sophisticated fraud operation does not typically meet this standard. Banks that invoke gross negligence without specific evidence of the customer ignoring explicit fraud warnings are making a legal claim they must be able to substantiate.

“The transaction was processed correctly.” Technical correctness of payment processing is irrelevant to whether the bank met its obligations to prevent or detect fraud. Banks in the EU and UK have regulatory obligations around transaction monitoring, fraud detection, and customer alerts — failure to meet these obligations may give rise to liability independent of the payment instruction itself.

“It was a crypto transaction.” Banks that processed a payment to a crypto exchange as part of a fraudulent scheme — particularly where fraud indicators were present — may bear partial liability for the fiat currency component even where the subsequent crypto transaction is irreversible.

When Bank Recovery Channels Are Exhausted

Bank-level recovery mechanisms — recalls, chargebacks, ombudsman complaints — are the first line of response. They are accessible, relatively fast, and cost-free. But they have defined limits:

• They operate within the bank’s jurisdiction and cannot reach offshore fraudsters directly
• They do not recover funds that have already been moved, converted, or dissipated
• They address the symptom (the payment) rather than the underlying fraud
• They provide no recourse against the individuals who perpetrated the fraud