The fight against fraud – APP fraud reimbursement regime and the path to reform

UK regulators have been engaged in a long-standing struggle against fraud.  According to the 2024 Annual Fraud Report published by UK Finance (the “Report”), UK consumers lost £1.17 billion to fraud in 2023 alone.  A significant proportion of that value was attributed to authorised push payment (“APP”) fraud.

APP fraud occurs when an individual willingly makes a bank transfer to a third party who they assume is a legitimate payee but is in reality a criminal.  This category of fraud has become the latest focus of the Payment Systems Regulator (“PSR”), who introduced a new reimbursement regime for victims in October 2024.

While the Financial Conduct Authority (“FCA”), amongst others, hail the reimbursement of victims as a “priority” and “have committed to enhancing [their] focus” on APP fraud, others such as Cifas, the not-for-profit fraud prevention service, consider the new regime to be “the most polarising policy initiative in the history of the UK counter-fraud industry”.  They caution against the impact of yet more regulation and red tape on payment service providers (“PSPs”).  While the UK government recognised this issue of “regulatory congestion” in their National Payments Vision, the new APP fraud policy undoubtedly compounds the financial and regulatory burdens imposed on PSPs and the fintech industry as a whole.

Background

In the Report, UK Finance stated that there has been a 12% increase in APP fraud cases in the UK since last year.  A key driver of this escalation is the increased sophistication of APP fraud schemes, often relying on comprehensive cover stories, advanced technology and artificial intelligence to mislead consumers.

Prior to 7 October 2024, no formal regulation existed that mandated PSPs to reimburse APP fraud victims.  Instead, only the banks signed up to the Contingent Reimbursement Model Code (“CRM Code”) would employ a reimbursement scheme.  CRM Code subscribers include Barclays, HSBC, NatWest and Santander, amongst others.  However, customers of PSPs not subscribed to the Code were not afforded this protection.  Further, PSPs subscribed to the CRM Code were entitled to refuse reimbursement under select circumstances (for example if the customer ignored official warnings, was aware that the transaction was not legitimate or was grossly negligent).  As such, victims of APP fraud were often left without recourse to recover their funds.

New APP fraud reimbursement regime

 The new policy mandates that any PSP must compensate their customers if they have fallen victim to APP fraud.  This marks a significant shift in the regulatory position, converting the previously voluntary system under the CRM Code into a mandatory legal requirement applicable to all PSPs.

While the new regulation offers significant protections for victims of APP fraud, it is crucial to note the reimbursement regime remains conditional.  These conditions were helpfully set out in the PSR’s guidance and are summarised below.

• The payment made to the criminal must have been transferred on or after 7 October 2024.
• The victim of APP fraud must bring their claim for reimbursement to the PSP within 13 months of the payment.
• The reimbursement regime only applies to payments made under the Faster Payments Scheme (being electronic payments you can make online, over the phone or in a branch) or CHAPS (payments to UK accounts that are guaranteed to arrive on the same day if made before a specified cut-off time). Payments made by an alternative method (e.g. BACS payments) would not qualify.
• The payment must have been made from a UK bank account to another UK bank account. Further, the UK bank account that made the payment must belong to an individual, microenterprise or charity.  This means that fraudulent payments will not be reimbursed if they are made: (i) from a company bank account; (ii) to or from a government savings account; or (iii) to or from an international bank account.
• For obvious reasons, the reimbursement regime will not apply to payments made for unlawful purposes.
• Any reimbursement claims that arise from a civil dispute cannot be reimbursed by a PSP under this policy. For example, if the consumer wishes to be reimbursed because they received goods or services from a genuine business that they became subsequently dissatisfied with, they would not be able to rely on this policy for reimbursement (as this would not constitute criminal fraud or dishonesty).
• The consumer must have exercised sufficient caution before making the payment. This is arguably the most critical and yet subjective condition.  As such, the PSR determined that if a consumer meets the Consumer Standard of Caution (“CSC”), this condition will be deemed satisfied.  To demonstrate compliance with the CSC, the victim must: (i) abide by any warnings given to them by their PSP; (ii) promptly report any suspected or actual APP fraud they have experienced to their PSP; and (iii) respond to all reasonable and proportionate requests made by their PSP so that the PSP can further understand the context of the claim.  This condition does not apply to vulnerable persons.

While the above conditions must be met in order for a claim to be successful, the PSR emphasised that PSPs must consider each claim on its own merits and in a timely manner.

If the APP fraud claim satisfies all of the above criteria, the victim’s PSP is obligated to reimburse them within five days. However, even the reimbursement remains subject to the following caveats.

• The policy states that PSPs are only obliged to compensate victims of APP fraud up to £85,000 per victim. While this limit was previously set to be £415,000, fierce backlash from prominent PSPs, including 30 members of the Payments Association, led the PSR to lower this limit.
• PSPs will be permitted to charge an excess of up to £100 per claim to the victim at the PSP’s discretion.

Positive impacts of the APP fraud reimbursement regime

The introduction of specific APP fraud regulation in the UK is undoubtedly a positive outcome for consumers, as the new reimbursement scheme provides consumers with a definitive safety net if they fall victim to APP fraud.  As noted by Ignatius Adjei, head of anti-fraud services at KPMG, “the legislation encourages extra support for vulnerable customers” as it forces financial institutions to reimburse vulnerable victims regardless of their qualification under the CSC.  This caveat within the regime effectively “necessitate[es] that financial institutions be more mindful of consumers’ personal situations” and increases the remit for protection for the consumer.

Further, the PSR hypothesised that the burden of mandatory reimbursements would encourage PSPs to “innovate and develop effective, data-driven interventions to change customer behaviour” further mitigate against their susceptibility to APP fraud.  For example, following the announcement of the regime back in July 2023, Monzo introduced new security controls to mitigate against fraudulent activity affecting their accounts and Revolut, Chase and Modulr recently announced their collaboration with the UK’s new emergency fraud helpline.

Critique

However, the new regulation is not without its flaws.  Critics have been quick to point out that providing compensation for victims of APP fraud only deals with the aftermath of the problem rather than fixing the problem itself – the frequency or probability of APP fraud is not decreased at all.  Ben Donaldson, Managing Director for Economic Crime at UK Finance asserted that while “reimbursement is important”, it “does nothing to prevent or reduce the psychological harms” associated with the fraudulent activity itself.  Instead, as asserted by the director general of The Payments Association, Tony Craddock, “scrapping fraud at its source is the most powerful way to ensure consumers don’t fall victim to a scam”.

In fact, the regulation is likely to encourage more victims to report instances of fraud due to their newly instituted entitlement to receive compensation.  Given that the National Crime Agency estimates that 86% of fraud is unreported, a significant surge in reported cases of APP fraud should be anticipated in 2025.

The reimbursement scheme is likely to be cause for concern for smaller challenger banks and emerging PSPs in particular, as they may not have sufficient funding or resources to be able to comply with the new requirements.  For example, the prospect of payouts worth thousands of pounds and new personnel appointed to investigate these claims poses a substantial financial burden to smaller-scale PSPs.  This reality is likely to dissuade new entrants to the UK fintech market, directly contradicting the UK’s current efforts to establish itself as the premier jurisdiction for innovation and growth in the fintech industry.

This only further supports the overall criticism of the regime; that PSPs are the ones who bear the burden of the new regulation rather than the criminals themselves.  As noted by CEO of Salv, Taavi Tamkivi, “fraudsters don’t care about regulations, and they certainly aren’t reading the legislation.”  Instead, it is the banks that “are caught between a rock and a hard place”, as they are placed under increased financial, regulatory and time pressure to comply.

Concluding thoughts

While the new reimbursement regime represents a significant step forward in the fight against fraud, it ultimately fails to prevent APP fraud itself.  This shortcoming is felt by not just the victims who are unjustly defrauded, but also the PSPs who face the financial burden of compensating said victims.  It is therefore hoped that the PSR’s focus on APP fraud inspires and instigates further action and policy reform to combat fraud in the near future, so that the interests of both PSPs and victims of APP fraud are better protected.

This piece was written by Alina Merchant-Mohamed with input from Henry Humphreys.  If you would like advice on the new reimbursement regime or would like to further understand how it could impact your business, please don’t hesitate to contact a member of the HLaw team.

All the thoughts and commentary that HLaw publishes on this website, including those set out above, are subject to the terms and conditions of use of this website.  None of the above constitutes legal advice and is not to be relied upon.  Much of the above will no doubt fall out of date and conflict with future law and practice one day.  None of the above should be relied upon.  Always seek your own independent professional advice.

Humphreys Law