The UK Payment Systems Regulator’s new APP reimbursement policy, which introduces mandatory reimbursement for victims of authorised push payment (APP) fraud, is in force as of today.
First published by the PSR in 2023, the new policy prescribes mandatory reimbursement for victims of APP fraud. The cost of losses is split 50:50 between sending and receiving PSPs.
In its role as payment systems operator, Pay.UK has worked extensively and collaboratively with the industry to support in-scope PSPs in complying with the policy and meeting their legal obligations as part of the PSR’s Specific Direction 20 (SD20).
Pay.UK says that it has successfully delivered on this mandate and is satisfied that the industry is suitably prepared for the legislation, and any associated, resulting action.
Specifically, Pay.UK has gone beyond its mandatory requirements and developed a single, sophisticated, whole-of-market solution to facilitate the management of claims under the policy. Its Reimbursement Claims Management System (RCMS) will streamline the management of APP claims and support in-scope PSPs in meeting their legal obligations.
Industry reaction
Kate Frankish, Pay.UK
Pay.UK Chief Business Development Officer, Kate Frankish, said: “The launch of our RCMS is the culmination of months of dedicated work at Pay.UK and within the payments industry as a whole. Together, we have prepared the market for new legislation and worked to support compliance from 7 October 2024. While a significant achievement in its own right, I am immensely proud that we have gone beyond this mandate and delivered the RCMS. Designed to further support existing and new customers in meeting their regulatory obligations, it will also help to ensure that victims of APP fraud are reimbursed in a consistent manner, regardless of who they bank with.”
Marca Wosoba, COO, ZBD
There is a need for more measures to ensure that consumers can make transactions securely, without the risk of fraud or falling victim to scammers. The UK’s regulation on authorised push payment (APP) fraud is a positive step in this direction. It ensures that consumers who have been affected by APP fraud are redressed in a timely manner.
However, regulators and the sector should do more, including:
- Continuing to educate consumers about the risks of fraud and scams. However, an unintended consequence of this regulation is that it might encourage scammers, as they know they are unlikely to be caught but consumers are likely to be reimbursed.
- Coordinating to ensure that the latest scam tactics are widely known to the sector, consumers and financial crime investigators across the EU and globally to help mitigate future fraud and catch and prosecute fraudsters.
- Establishing a broader fund to support consumer education and fraud reduction through advanced procedures and information sharing.
- Coordinating with social media sites, which are often the source of financial scams, but have far less incentive to reduce or address fraud compared to the fintech industry, which bears the regulatory and financial responsibility to prevent and rectify such incidents.
Anil Nanda, Partner, UK and Europe Payments Lead, Capco
Today marks the official launch of the APP fraud rules in the UK, a significant milestone in enhancing consumer protection and reducing financial fraud. The new regulations mandate reimbursement for APP fraud victims, with liability now shared between sending and receiving Payment Service Providers (PSPs).
With annual APP fraud losses nearing £500m, these measures will be crucial in providing a more robust safety net for consumers while enhancing accountability across the financial services ecosystem.
While firms have made considerable progress in preparing for these requirements, some are taking a “wait and see approach” before conducting major upgrades of operational and technical infrastructure. With the rules now in force, the pressure will be on these firms to step up. There are several key areas we would suggest firms focus on as they look to comply. Retail banks, for example, must focus on optimising operational workflows to efficiently manage increased fraud claims within the five-business-day reimbursement timeline.
This includes streamlining processes and ensuring dedicated resources are in place to balance operational efficiency with maintaining a high standard of customer service. For PSP aggregators, the priority must be to enhance auditing of PSPs to ensure they have proper systems and controls in place as well as sufficient capital reserves to cope with fines. Finally, PSPs themselves must focus on implementing rapid and efficient dispute resolution processes to effectively differentiate between fraudulent claims and purchase disputes.
Across the board, all financial institutions must ensure that fraud teams are ready and adequately resourced to handle the anticipated increase in claims and investigations brought about by the new rules.
Scaling fraud teams as necessary, and investing in appropriate training and technology, will be fundamental to supporting swift and compliant fraud detection and resolution. These capabilities will be essential to maintain consumer trust and achieve the intended outcomes of the APP regulations—ensuring a more resilient and trusted payments environment.
Liz Edwards, money expert, Finder
Our research reveals the refund lottery that fraud victims are now facing.
Victims’ protection has been squeezed at both ends. When the upper refund limit was cut to just £85,000, many in the industry, including the PSR, justified this by saying it would still cover over 99% of claims. But because so many banks are now saying they won’t cover – or may not cover – the first £100, that 99% must surely be lower.
Based on 2023 fraud figures, more than 58,000 cases would have resulted in no refund if all companies had applied the excess, and now only 4 of the major providers have confirmed they won’t. £100 is a lot of money to many people. It doesn’t help that 12 banks said they might apply it – customers don’t know where they stand.
Dan McLoughlin, fraud and security expert, Lynx Tech
The PSR was wrong to lower the reimbursement cap to £85,000. The logic behind the high-value cap on reimbursement – £415,000 – was clear. By setting a substantial reimbursement limit, regulators clearly said to banks: “prevent fraud or be prepared to pay.”
Dropping the value of reimbursement so dramatically takes away a big part of banks’ financial motivation to prevent fraud. While most APP fraud cases will still be covered by the regulation, the reduction shows an unwillingness from banks to accept responsibility and make tough decisions. It takes away their drive to invest in robust fraud detection and prevention systems, which ultimately safeguard consumers.
The Financial Ombudsman Service (FOS) reports that fraud and scams have hit their highest level for at least six years, with 8,700 cases reported in a three-month period. This clearly illustrates that more needs to be done by banks to protect consumers and combat fraudulent activity.
The constant bank lobbying to reduce the liability and pause the legislation shows organisations are seeing this as purely a punitive solution rather than a positive step in reducing fraud. Bold moves are often required to drive change and the reduction in the payout limit takes some of that boldness away.
Jake Moore, Global Cybersecurity Advisor, ESET
Fraud now makes up a huge portion of crime in the UK, and police forces have long been left in the wake of these evolving crimes. Authorised Push Payment (APP) fraud is where a victim is tricked into making a large bank transfer to an account posing as a legitimate organisation, and new regulations are forcing banks to reimburse customers who fall victim to these scams. However, not only could the new rules force banking costs to rise, but we could also see an increase in scam attempts, as fraudsters will know the money is available, creating a vicious cycle whereby these new regulations are fuelling this criminal activity. It’s also possible that we may see an uptick in first-party fraud, where the actual account holder uses their own credentials for fraudulent means.
There’s no doubt these new rules will offer comfort to those who may still be a bit wary of online payments and the security on offer with digital banking. Criminal gangs are continually improving their techniques from better skills to more advanced technology, so it is vital that people do not feel foolish if they become a victim of these sophisticated crimes. However, the powers that be may well need to consider ways, not only to protect consumers, but cut these criminal activities off at the source.
Riccardo Tordera, director of policy and government relations, The Payments Association
We will be monitoring the impact of the new APP fraud rules closely. We remain focused on pushing for effective data sharing that can tackle the fraud at source and for a mandatory involvement of social media platforms in the reimbursement scheme.
The launch of the Fraud Intelligence Reciprocal Exchange (FIRE) between some banks and Meta is a small step in the right direction, but other issues remain including the alignment of the definition of consumer standard of care to the interpretation that British courts give of gross negligence. We call for the regulator to review the rules in six months’ time, rather than 12 as currently planned.
Ignatius Adjei, UK financial services head of anti-fraud services, KPMG UK
While broadly positive, the new rules aren’t without drawbacks; there are concerns that it could see some people exploit reimbursement for personal gain. For example, making false claims in the knowledge that their bank will reimburse them. While the maximum compensation payable was reduced from £415,000 to £85,000 in September to minimise this issue, it may not be enough to curb fraudulent behaviour.
As such, banks are continuing to ramp up their controls in the prevention of fraud to determine whether a claim is in fact real.
On a positive note, where there have previously been inconsistencies in outcomes for customers who report APP fraud, the new rules should make reimbursement more straightforward and reliable. Also, the legislation encourages extra support for vulnerable customers, particularly when determining if gross negligence played a role in the loss. This reflects an ongoing effort to safeguard these customers, necessitating that financial institutions be more mindful of consumers’ personal situations.
Marcel Wendt, CTO & Founder, Digidentity
While the proposed reduction in payouts to victims of bank fraud announced by the Payment Services Regulator (PSR) could be seen as good news for banks, they should not get complacent about protecting their customers online.
While the responsibility to keep safe the sensitive information shared online ultimately lies with the end user, banks and other financial services businesses should play an active role too. By equipping themselves with the most up-to-date digital security tools available, banks can protect their customers’ identities from the outset and meet ever-tightening compliance obligations in the process.
Cifas, the UK’s largest cross-sector fraud sharing database, recently launched its 2024 Fraud Pledges, which includes guidance on the role of business in the fight against fraud. Taking onboard this guidance, Digidentity has partnered with Cifas to build a digital identity verification smartphone app to protect customers from identity theft and fraud. The app offers an extra layer of protection against account opening and will make it harder for these scams to succeed.
The fight against fraud is a collective effort. If it is left to the individual to fend for themselves against increasingly prevalent and mature online threats the trend will only worsen. Banks and financial services businesses can take the front foot on this by deploying the right digital checks and balances to safeguard their and their customers’ interests, whilst building their credibility and brand reputation where others continue to fall short.
Chris Oakley, Head of Fraud, Form3
PSPs need to have 3 elements in place for dealing with the new rules:
- Risk intelligence to identify potential frauds
- Adequate operational capacity to process alerts and handle customer complaints and queries
- End-to-end processing for managing reimbursement and capturing the required data to provide intelligence on volumes and values of reimbursements, as stipulated by the PSR Regulations
Is customer behaviour already changing?
In the period April to June 2024, there were over 8,700 complaints made to the financial ombudsman about how banks were handling fraud and scam complaints – a 43% increase from the same period in 2023. Customers have already shifted their expectations regarding how banks should handle their complaints and those higher expectations are not being met. Banks should be aware this may map to customer churn, and potentially impact on brand performance, as handling APP fraud becomes a key differentiator in personal accounts.
Have PSPs done enough to be ready for the new rules?
Only time will tell as October will see the industry react to these new changes, but there is evidence that some PSPs believed that the PSR would delay the implementation of these new regulations and have campaigned for significant changes to the new regulations to better protect them – such as the proposed reduction of the maximum liability of £415,000 to £85,000. PSPs still have relatively immature controls in place but until we see the results of the impact of the new regulations, we won’t know if these controls are sufficient.
Who will be the winners and losers?
Winners: Consumers will be better supported for losses up to £85,000 (subject to PSR consultation). Large mature financial institutions that already refund their customers as they now get to share 50% of the refund burden with the receiving institution. Criminals will feel like this is a win as it makes banks responsible for the losses and may give them opportunities to exploit first party fraud.
Losers: Small financial institutions where controls are not mature and which potentially have large scale money mule accounts which could result in high volumes of claims that provide a very real threat to their revenues. Business accounts which are not in scope of the new regulations (which specify consumers as individuals or micro-enterprises).
Does Form3 expect the new regulations to drive down losses in APP Fraud?
In the short term, no. I expect the volumes and values to not drop significantly in the first 6 months, but in the long term, the opportunity exists for financial institutions to improve their controls.