Understanding the new Authorised Push Payment fraud rules, liability split changes, and how payment firms should prepare for mandatory reimbursement.
Introduction: The Scale of APP Fraud in the UK
Authorised Push Payment (APP) fraud has emerged as one of the most significant financial crime threats facing UK consumers and businesses. In 2023 alone, APP fraud losses exceeded £459 million, affecting hundreds of thousands of victims across the country. Unlike traditional card fraud, where transactions can often be reversed, APP fraud sees victims willingly transferring money to criminals—making recovery exceptionally difficult.
The Payment Systems Regulator (PSR) has responded to this growing crisis with sweeping new rules that fundamentally change how payment service providers (PSPs) must handle APP fraud cases. These requirements, which came into force in October 2024, introduce mandatory reimbursement obligations and a new liability framework that every payment firm must understand and implement.
This article examines the new PSR fraud rules in detail, explaining what APP fraud prevention measures firms must adopt and how to ensure compliance with the mandatory reimbursement regime.
What is APP Fraud?
Authorised Push Payment fraud occurs when a criminal deceives a victim into voluntarily making a bank transfer to an account controlled by the fraudster. The key distinction from other fraud types is that the victim themselves authorises the payment—they are not hacked, and their credentials are not stolen. Instead, they are manipulated through social engineering techniques.
Common APP Fraud Scenarios
Purchase Scams
The most prevalent form of APP fraud involves fake goods or services. Victims pay for items advertised on social media, online marketplaces, or fraudulent websites that never arrive. In 2023, purchase scams accounted for approximately 56% of all APP fraud cases.
Impersonation Scams
Criminals pose as trusted organisations—banks, HMRC, the police, or utility companies—and convince victims to transfer money to "safe accounts" or pay fictitious fines and tax bills. These scams often involve sophisticated spoofing of phone numbers and email addresses.
Romance Scams
Fraudsters build emotional relationships with victims over weeks or months before requesting money for fabricated emergencies, travel costs, or investment opportunities. The average loss per victim in romance scams significantly exceeds other categories.
Investment Scams
Victims are lured into fake investment schemes promising unrealistic returns. Criminals create professional-looking websites, provide fake documentation, and may even allow small "withdrawals" initially to build trust before stealing larger sums.
Invoice and Mandate Fraud
Targeting businesses, these scams involve criminals intercepting legitimate invoices or posing as suppliers to redirect payments to fraudulent accounts. A single successful attack can result in losses of tens or hundreds of thousands of pounds.
The New PSR Reimbursement Rules
The PSR's new framework represents the most significant change to consumer protection in payments since the introduction of the Payment Services Regulations. Published through a series of policy statements and consultations, these rules create a mandatory reimbursement scheme for APP fraud victims.
Mandatory Reimbursement Requirement
Under the new regime, payment firms must reimburse eligible APP fraud victims within five business days of a claim being made. This is a dramatic shift from the previous voluntary Contingent Reimbursement Model (CRM) Code, which only covered certain banks and building societies and left significant discretion in decision-making.
The mandatory requirement applies to all payment service providers participating in the Faster Payments System (FPS), bringing consistency and certainty for consumers who were previously subject to varying levels of protection depending on their bank.
The 50/50 Liability Split
One of the most consequential aspects of the new framework is the introduction of shared liability between sending and receiving PSPs. When a reimbursement is made:
- The sending PSP (the victim's bank) bears 50% of the cost
- The receiving PSP (where the fraudster's account is held) bears 50% of the cost
This liability split creates powerful incentives for both sides of the transaction. Sending firms must invest in APP fraud prevention measures to protect their customers, while receiving firms must enhance their account opening procedures and monitoring to prevent criminals from using their services.
The receiving PSP liability is particularly significant. Historically, the focus has been almost entirely on preventing victims from sending money. Now, firms must equally prioritise preventing accounts being used to receive fraudulent funds—a fundamental shift in approach.
Maximum Reimbursement Limit
The PSR has set a maximum reimbursement limit of £85,000 per claim. This figure aligns with the Financial Services Compensation Scheme (FSCS) deposit protection limit and covers the vast majority of APP fraud cases.
Claims exceeding £85,000 may still be reimbursed at the firm's discretion, and victims retain the right to pursue additional recovery through other means, including the Financial Ombudsman Service.
There is no minimum claim threshold—all eligible claims, regardless of value, must be considered for reimbursement.
Exceptions to Mandatory Reimbursement
The rules recognise that not every claim should result in automatic reimbursement. Two primary exceptions exist:
Gross Negligence
Where a customer has been grossly negligent, firms may decline reimbursement. However, the bar for gross negligence is deliberately high. The PSR has made clear that simply falling for a convincing scam does not constitute gross negligence. Rather, this exception applies to cases where customers have ignored clear, specific warnings or acted with extreme carelessness.
First-Party Fraud
Claims will be rejected where the customer themselves has acted fraudulently—for example, making a legitimate payment and then falsely claiming to have been scammed.
The Consumer Standard of Caution
The PSR has introduced the concept of a "consumer standard of caution" to provide guidance on when customers may share responsibility for their losses. This standard sets out reasonable expectations for consumer behaviour, including:
- Heeding warnings provided by their payment firm
- Responding appropriately to Confirmation of Payee (CoP) mismatches
- Reporting fraud promptly once discovered
- Cooperating with the firm's investigation
Firms may apply an excess of up to £100 where a customer has not met the consumer standard of caution—but only if the customer's failure to meet the standard contributed to the fraud occurring.
Importantly, vulnerable customers are protected from any excess, recognising that exploitation of vulnerability is central to how many scams operate.
Timeline and Implementation
October 2024 Implementation
The mandatory reimbursement rules came into force on 7 October 2024. From this date, all PSPs within the Faster Payments System scope became subject to the new requirements, and all eligible claims must be assessed under the new framework.
Transition Arrangements
The PSR implemented transitional provisions to allow firms time to establish the necessary bilateral agreements and operational processes. The receiving PSP liability component required coordination between hundreds of firms to ensure the 50/50 split could be operationalised effectively.
Pay.UK, the operator of Faster Payments, developed industry infrastructure to support the liability-sharing arrangements, including mechanisms for identifying receiving PSPs and processing reimbursement contributions.
Ongoing Evolution
The PSR has committed to reviewing the effectiveness of the scheme and may adjust parameters—including the reimbursement cap and liability split—based on observed outcomes. Firms should expect continued regulatory attention in this area as the regulator assesses whether the rules are achieving their fraud-reduction objectives.
What Payment Firms Must Do
Compliance with the new framework requires action across multiple areas of the business. Below, we outline the key requirements for effective APP fraud prevention.
Enhanced Fraud Detection Systems
Firms must implement robust transaction monitoring capable of identifying potentially fraudulent payments in real time. This includes:
- Behavioural analytics to detect unusual payment patterns
- Device and session monitoring to identify compromised access
- Beneficiary risk scoring based on account age, history, and patterns
- Integration of industry intelligence on known fraud typologies
Investment in technology is essential, but systems must balance fraud prevention with customer experience. Excessive false positives create friction and may push customers toward less protected payment methods.
Customer Warnings and Confirmations
Effective warnings are a cornerstone of APP fraud prevention. Firms must provide clear, specific alerts that:
- Are tailored to the apparent risk level of the transaction
- Explain the specific fraud type the customer may be experiencing
- Require positive confirmation that the customer has read and understood the warning
- Are delivered at the point of maximum impact in the payment journey
Generic warnings that customers routinely click through provide little protection. The PSR expects warnings to be behaviourally informed and regularly reviewed for effectiveness.
Confirmation of Payee (CoP)
Confirmation of Payee is now mandatory for most payment firms and plays a critical role in APP fraud prevention. CoP checks verify that the name provided by the payer matches the name on the receiving account.
Firms must:
- Implement CoP for all applicable payment channels
- Provide clear responses explaining match, partial match, or no match results
- Ensure customers understand the significance of CoP warnings
- Not allow payments to proceed without acknowledgment of CoP mismatches
CoP is not a silver bullet—criminals adapt by using "money mule" accounts in the correct name—but it remains an important layer of protection.
Faster Payment Blocking
Where firms identify a payment as potentially fraudulent, they must have the capability to:
- Delay the payment to allow additional verification
- Block the payment entirely where fraud is strongly suspected
- Notify the customer clearly about any intervention
- Provide a straightforward process for legitimate payments to proceed
The ability to intervene in real time before funds leave the account is far more effective than attempting recovery after the fact.
Staff Training
Frontline staff remain a critical line of defence. Training programmes must ensure employees:
- Understand common APP fraud typologies and red flags
- Know how to handle customers who may be under the control of fraudsters
- Can apply appropriate scepticism without alienating genuine customers
- Are empowered to escalate concerns and delay suspicious transactions
The "banking protocol"—where branch staff contact police when fraud is suspected—has proven highly effective and should be supported through comprehensive training.
Compliance Checklist for PSPs
Payment firms should assess their readiness against the following requirements:
Governance and Policy
- [ ] Board-approved APP fraud strategy and risk appetite
- [ ] Clear policies on reimbursement decision-making
- [ ] Defined roles and responsibilities for fraud management
- [ ] Regular reporting to senior management on fraud metrics
Operational Readiness
- [ ] Five-business-day reimbursement capability
- [ ] Processes for receiving PSP liability contributions
- [ ] Vulnerable customer identification and protection
- [ ] Gross negligence assessment framework
Technology and Detection
- [ ] Real-time transaction monitoring
- [ ] Confirmation of Payee implementation
- [ ] Dynamic warning systems
- [ ] Payment blocking capabilities
Customer Journey
- [ ] Effective scam warnings at appropriate points
- [ ] Clear CoP mismatch messaging
- [ ] Straightforward fraud reporting process
- [ ] Customer communication templates for decisions
Complaints and Escalation
- [ ] FOS-ready complaint handling process
- [ ] Root cause analysis for fraud cases
- [ ] Feedback loop to improve prevention
Common Questions and Concerns
Does this apply to CHAPS and other payment systems?
Currently, the mandatory reimbursement rules apply to Faster Payments only. However, the PSR has indicated that expansion to CHAPS may be considered in future. Firms should monitor regulatory developments closely.
What about payments to overseas accounts?
The rules apply to domestic Faster Payments within the UK. International payments fall outside the scope of the current framework, though firms may still choose to reimburse at their discretion.
How should firms handle borderline cases?
Where gross negligence is uncertain, the PSR has indicated that firms should err on the side of the customer. The burden of proof for denying reimbursement rests with the firm, and the threshold for gross negligence is deliberately high.
Can firms recover costs from other parties?
Firms may pursue recovery from fraudsters, money mules, or other responsible parties, but this does not affect the obligation to reimburse victims within five business days.
How will disputes between sending and receiving PSPs be resolved?
Pay.UK has established dispute resolution mechanisms for cases where the liability allocation is contested. Firms should familiarise themselves with these processes.
How MEMA Can Help
Navigating the new APP fraud prevention requirements demands specialist expertise in payments regulation, operational implementation, and fraud risk management. MEMA Consultants provides comprehensive support to payment service providers seeking to achieve and maintain compliance.
Our services include:
Regulatory Gap Analysis
We assess your current fraud prevention framework against PSR requirements, identifying gaps and prioritising remediation activities.
Policy and Procedure Development
Our team develops tailored policies, procedures, and decision frameworks that meet regulatory expectations while remaining operationally practical.
Technology Assessment
We evaluate your fraud detection capabilities and provide recommendations for enhancement, drawing on deep industry knowledge of available solutions.
Training and Awareness
We design and deliver training programmes for frontline staff, fraud teams, and senior management to ensure your organisation responds effectively to APP fraud.
Ongoing Compliance Support
As regulatory expectations evolve, we provide continuing guidance to ensure your firm remains compliant and competitive.
APP fraud prevention is no longer optional—it is a regulatory imperative with significant financial and reputational consequences for firms that fall short. The PSR has made clear that it will monitor compliance closely and will not hesitate to take enforcement action where necessary.
Ready to strengthen your APP fraud defences? Contact MEMA Consultants today to discuss how we can support your compliance journey. Visit our contact page to arrange an initial consultation with our regulatory specialists.
This article is intended for general information purposes only and does not constitute legal or regulatory advice. Payment firms should seek professional guidance tailored to their specific circumstances.
MEMA Regulatory Team
The MEMA Regulatory Team includes ex-FCA supervisors and Big 4 consultants with deep expertise across all aspects of UK financial services regulation and compliance.


