O Hell! What Have We Here?
All that glisters is not gold’
Merchant of Venice Act III Scene 7
Bilocation is a miraculous ability for you to be in two different locations at the same time. Many[1] believe that there is no scientific evidence that bilocation is a real phenomenon. It would appear that Revolut do! In this Blog essay, the interpretation by Revolut of the geolocation mapping data from a smartphone, in a card skimming complaint, is presented as anecdotal evidence. The Emperor would appear to have no clothes behind the new promises of all-inclusive analytics. Customers beware, read the Terms and Conditions, T&Cs, behind your online banking App. Do it now in real time. Check the definition of ‘fraudulent activity’ in your T&Cs.
Act I: The Dispute
The Revolut customer only had a physical personal Revolut card. No virtual Revolut card in Google Wallet. At 12.08 the Oyster card was used at Tottenham Court Road to travel to concert using the Elizabeth Line. Mobile phone is the entry ticket for a concert at location A in East London. Physical card used to buy merch at 12.48 location A. However, simultaneously in a different location B in West London, a ‘skimmed’ copy[2] of the physical card was used in a fraudulent ATM transaction at 12.10.
My complaint has been rejected by Revolut because customer indicated card remained in customer’s possession and as the disputed transaction was made by the same card, customer is responsible. No card skimming occurred. The customer bilocated. Geolocation data from customer’s smartphone at A was presented to Revolut but dismissed as compelling evidence to prove fraudulent activity at B on customer’s Revolut account. No fraudulent activity has occurred in the use of a skimmed Revolut card. Customer was careless. Therein lies a lesson for all customers as Revolut prepare a new direct-to-customer (my italics) product blitz in 2025 via their App.
Act II: Revolut Pings
A critical timeline is embedded in the Revolut App in your smartphone. It’s their USP – pings for each transaction. Legacy banks are slow to adopt this so far. The pings show 12.08 Oyster card entry point, customer travels to concert venue, buying merch at 12.48 at location A. Proof of entry with the mobile phone ticket entry in Google Wallet. Simultaneously, in location B, a skimmed copy of the card was used at an ATM in a fraudulent transaction pinged on the customer’s smartphone at 12.10. All monies withdrawn in cash at ATM, but no SCA by Revolut, only a ping.
Is there a Shakespearean tragedy unfolding in the world of virtual fintechs? Are we bilocating? When is a bank not a bank? Iago or Angelo[3]? Iago conceals his real identity behind a veil of honesty; he is manipulative, Angelo is deceitful. Macbeth, indeed, takes Duncan into his home as a friend while planning to murder him[4] ‘false face must hide what the false heart does know’. Maybe the pings endow Al.Gorithm with cognitive skills. We have been cyborgs all along. We are virtually immortal[5].
Act III: Geocoding
There is a conception of online banking reality, and our relation to it that is quite different from the reality of everyday legacy banking. Geolocation data and geocoding intelligence from your smartphone can now be dismissed as non-compelling evidence of fraudulent activity on your online banking App transposing a surreal confusion between what is real and what is not. You are bilocating, a modern-day saintly user of the Apps.
Double check with your virtual bank whether geolocation data mapped from your smartphone could be used as evidence in the case of fraudulent activity. Also check if digital skimming is regarded as fraudulent activity. In my case Revolut dismissed both: dismissed geolocation data as non-compelling evidence of fraudulent activity and assumed bilocation. Remember too that in the analogue world of T&Cs ‘fraudulent’ falls under the umbrella as activity performed without authorisation. But authorisation by whom or what? A thief or card skimming machine in the fraudulent possession of your PIN is able to transact with your authorisation. Ping. Customers beware! Do they really presume that you are bilocating?
Act IV: Analogue Law in a Digital World
Let’s see. You have agreed to Revolut’s Purchase Agreement when opening an account with Revolut. Thus, under Revolut’s Clause 8 of T&Cs it would appear that a skimmed copy of your personal card is an inference of [sic] ‘a sharing of security details’ and under Clause 21 a skimmed card or loss of smartphone elevates the customer to a person [sic] ‘acting fraudulently… if you carelessly failed to keep your security details or Revolut card safe’ [my italics]. It would appear that I dd not qualify as an eligible customer under the Deposit Guarantee Scheme, no chargeback, no refund. But a valuable case study to share.
The burden of proof falls on you. You may be really located at a moment in time at point A and, identity verification process from your smartphone can prove it. Simultaneously, you are also virtually at B, the point of location of fraudulent activity on your App. The written scroll behind the T&Cs mandate that you are virtually peripatetic. It would appear that having your Revolut card on your person at a time when, unknowingly, a skimmed card fraudulent transaction occurs at that time in a different geolocation data point is careless, and not grounds for fraudulent activity.
There is a weird presumption at Revolut that you the real customer, if a victim of digital skimming, are strictly liable (that is, the burden of proof falls exclusively on you the customer) should your physical card be skimmed on or inside ATMs, or any other POS terminal. A further presumption follows in the case of a virtual card should your smartphone be lost or stolen. It is irrelevant as to whether or not your smartphone is in your possession at the time of a fraudulent transaction. But I still had possession of the card. I still had possession of my smartphone. Surely it must be a mistake. At that moment an online banking hyper-reality hits you: the presence of a thief or scammer ‘O most pernicious villain’ who has[6] descended into the virtual reality of digital banking, an alter ego ‘one may smile, and smile and be a villain’.
Act V: Compelling Evidence
Although Revolut has collaborated with Visa in the rollout of their physical cards, it would appear that as a putative fintech bank they do not adhere to Visa’s zero liability policy[7], providing a guarantee that a customer won’t be held responsible for any unauthorised payments with their card or card details if there is compelling evidence. Under Visa rules when Revolut signed up a cardholder, they have to ensure that their T&Cs accommodate the standard requirements of Visa. This appears not to be the case. Once the monies and funds have left your Revolut account, that’s it, the issue of refund or chargeback lies wholly with Revolut apparently and not with the recipient banks or merchants who unwittingly processed the fraudulent transaction.
You’d think that mobile phone geolocation data mapping data would be compelling evidence in a case of fraud for a fintech offering all-inclusive analytics. Alas, Revolut apparently do not accept the analytics of geolocation data from a mobile phone as compelling evidence of fraudulent activity. Rather their dismissal of fraudulent activity relied on the analogue black letter law of their T&Cs. The T&Cs are required under Visa rules. Is it just a box-ticking exercise on the road to a banking licence? But you are drawn into the closed ecosystem. Your mind is transferred by the Apps to a truly conservative reality of non-existence, imprisoned by the virtual irreality of skimming and hacking. The hedonic[8] orbitofrontal thrill of splitting bills and receiving pings to your smartphone at each transaction is the opening carrot. But don’t forget as a real human customer, you could be deemed careless in (unknowingly) sharing your security details with the surreal scammer and the thief. It’s a virtual Shakespearean tragedy to avoid.
Purgatory
Revolut is moving forward as a progressive fintech, preparing new direct-to-customer products via the App, taking deposits, savings, offering mortgages and acquiring salary details from new customers every day. Check if you are strictly liable. There are banking regulations across the EU but[9] ‘we must not make a scarecrow of the law, setting it up to fear the birds of prey and let it keep one shape, till custom make it their perch and not their terror’. No customer should be held responsible for unauthorised transactions if they used reasonable care. Isn’t keeping your card in your possession acting responsibly? Maybe not. Ask RITA, the Revolut bot.
As fintech platforms engage with new encryption Al. Gorithms aimed to keep secrets safe and funds secure, surely, they ought to know that humans cannot bilocate. Could there be a hacker’s charter or a thief’s golden egg in the magpie nest of Clauses embedded in Revolut’s T&Cs? You might think your funds are safe and secure, your savings and deposits in multiple FX, your salary or your mortgage. Maybe they are for now. But it would be worth the effort to check in again with RITA, the Revolut bot, because nobody can ever be sure how secure Al. Gorithm really is: there is always a risk somebody somewhere, a saint of the Apps, might hack it. In the interim, keep your funds in Revolut to a minimum, check your ATM limit and remember that ‘a bird in the hand is worth two in the (virtual) bush’.
[1] In particular the sceptic Joe Nickell: https://en.wikipedia.org/wiki/Joe_Nickell
[2] Skimming occurs by inserting a device into a POS or ATM terminal which will copy the magnetic strip and PIN of the card
[3] In Measure for Measure, Angelo apparently incorruptible, is in reality deceitful.
[4] Act I Scene 7 Macbeth as Macbeth speaks to Lady Macbeth to ingratiate Duncan.
[5] Digital immortality or virtual immortality is the hypothetical concept of cloning a person’s personality in a robot or cyberspace.
[6] From Hamlet Act 1 Scene 5.
[7] Gleaned from a reading of Section 11.7.2.5, October 2024 draft.
[8] In the human brain the orbitofrontal cortex is an important hub for pleasure coding.
[9] – Measure for Measure, Shakespeare, Act II, Scene I Angelo’s speech.