What you need to know about APP reimbursement


Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

The Authorised Push Payment (APP) victim reimbursement scheme comes into effect today under rules from the Payment Systems Regulator (PSR). Payment service providers (PSPs) are now required to reimburse victims of APP fraud, up to £85,000, split evenly between the sending and receiving PSP.

Reimbursement is likely great news for many consumers. For banks and financial institutions, however, it will only increase the pressure to ensure they are taking as many steps as possible to prevent scams reaching the finish line.

With this in mind, we’re going to take a look at why these rules needed to come into play, what the rules include, and what fintechs are thinking about them.

Why are mandatory APP fraud reimbursements needed?

According to UK Finance, APP scams accounted for £459.7 million in losses to the UK economy in 2023 alone. £376.4 million of that was personal losses and £83.3 million business.

Concerns about APP fraud started to grow around 2016, until in 2018 the PSR announced the Contingent Reimbursement Model (CRM) code. Signatories of this voluntary code committed to:

  • protecting their customers with procedures to detect, prevent, and respond to APP scams, providing a greater level of protection for customers considered to be vulnerable to this type of fraud;
  • greater prevention of accounts being used to launder the proceeds of APP scams, including procedures to prevent, detect, and respond to the receipt of funds from this type of fraud; and
  • reimbursing customers who are not to blame for the success of a scam.

The Lending Standards Board (LSB), which oversaw the CRM, has confirmed the code is winding down as the PSR requirements come into place. The CRM had 10 PSPs sign up (including major banks like HSBC, Lloyds, and Metro Bank); for customers of those PSPs, reimbursement rates went from 23% in 2018 to 73% in 2023.

Yet, despite the implementation of the code in 2019, APP fraud really seemed to take off during the pandemic, with losses to the crime overtaking card crime for the first time in the first half of 2021.

The voluntary nature of the code also proved to be an issue, with the Financial Ombudsman Service (FOS) finding that around half of the complaints they received about APP fraud in the first half of this year were not covered by CRM signees, making it less likely the customer would get their money back.

Emma Lovell, chief executive of the LSB, said: “The CRM Code has been a milestone improvement in customer protections – vastly increasing the chances of customer reimbursement after an APP scam and having a significant impact on the financial services sector’s efforts to prevent their customers from falling victim to an APP scam in the first place.”

It became clear that although many PSPs did sign up to the CRM, it was not proving to be the way forward. The losses placed on just the sending PSP were an issue for many, and the code being only voluntary meant there were still some consumers left out of this pledge.

What do the new APP reimbursements include?

The PSR’s rules include payments made from one UK bank account to another on Faster Payments and CHAPS.

The original ceiling for reimbursement was placed at £415,000, to include some of the highest volume cases the PSR had seen. Some concerns were raised over the impact that high ceiling would have on smaller PSPs.

However, prior to coming into effect, the PSR confirmed that it was lowering this bar to £85,000. This came after their analysis that of the 250,000 cases they saw in 2023, only 429 were above £85,000. However, cases over this limit can be taken to the FOS.

The reimbursement is split 50:50 between the sending and receiving bank, the first time this requirement has been made of a receiving PSP.

Within the PSR rules PSPs have the ability to levy an excess of up to £100 per claim, but this cannot be placed on vulnerable customers.

Unlike the CRM, the new rules do not require PSPs to invest in more prevention and detection; however, it seems to be hoped these requirements will encourage this as a deterrent. Lovell commented: “PSPs that will now be required to reimburse customers for the first time should look to the Code to catch-up on the lessons already learned by signatory firms.”

Only in cases of “gross negligence” or where consumers are found to be complicit in the fraud can payouts be avoided. However, there is a high bar for this negligence. It cannot apply to vulnerable customers, and the onus is on PSPs to prove gross negligence by, for example, ignoring specific warnings or not responding when given reasonable requests for information.

What are fintechs thinking about reimbursement?

Overall, there are many positive interpretations of these new rules. However, many emphasise that this only increases the pressure for banks to protect their customers from criminals.

David Geale, managing director of the PSR, said: “Our new requirements will see all payment firms involved facing strong incentives to introduce more robust ways of identifying and preventing these scams from happening in the first place. Firms have already made a good start in making changes and we expect to continue seeing new and innovative systems being rolled out to drive fraud out of our payment systems.”

Marcel Wendt, CTO and founder of Digidentity, commented that banks “should not get complacent about protecting their customers online. While the responsibility to keep safe the sensitive information shared online ultimately lies with the end user, banks and other financial services businesses should play an active role too. By equipping themselves with the most up-to-date digital security tools available, banks can protect their customers’ identities from the outset and meet ever-tightening compliance obligations in the process.” 

Bernadine Reese, managing director, risk and compliance at Protiviti UK, shared this sentiment. She stated that “PSPs need to implement an effective APP fraud strategy that demonstrates a commitment to achieving the consumer outcomes mandated by the Consumer Duty.”

Reese further elaborated that PSPs will be required to maintain their prevention systems because, “in cases where notification is delayed due to the PSP's own reporting systems, consumers cannot be held accountable for the delayed reporting. To ensure a seamless investigation and reimbursement process, as well as to enhance the customer experience, it is essential that PSPs engage in effective cross-industry collaboration. It is also crucial to understand that the rules and their implementation are not one and done – they are expected to evolve in the coming months, so staying across regulatory development is vital.”

However, the concerns around the new regulations are not limited to financial institutions potentially taking a lax approach to anti-fraud. Caroline Greenwell, partner at Charles Russell Speechlys, flagged that there should be some concerns raised over new types of crime developing.

Greenwell noted that mandatory compensation could “pave the way for more fraudulent schemes, potentially of a more sophisticated nature, with fake victims of fraud colluding with the fraudster who receives the money in the ‘scam’. Payment providers must therefore focus on their prevention and detection mechanisms, as well as on their obligations to customers under the regime.”

However, Greenwell also pointed to another issue with the regulations: even with the cap lowered to £85,000, this is likely to affect smaller banks and companies disproportionately. She stated: “Smaller institutions will not necessarily be able to afford to pay compensation where customers have been careless and will probably apply greater scrutiny to the customer’s conduct. It is therefore possible that the gap will widen between large and small banks in how they handle APP fraud, and we may even see smaller outfits allowing claims to be brought in front of the courts where they maintain that the customer’s conduct does not meet the standard required. The new regime could, despite its objective to the contrary, lead to more civil claims.”

Joey Glazer, director of AP automation at Quadient, placed further emphasis on the impact on small businesses specifically: “With limited ability to absorb unexpected losses like fraud or bounce back from financial setbacks, small businesses need more than just recovery support. It’s like an insurance payout after a house fire: very welcome, but you’re still homeless. A two-pronged approach to tackling APP fraud is essential – pairing reimbursement with proactive prevention measures to create a truly comprehensive fraud protection strategy. 

“For instance, tax breaks and other incentives for small businesses who adopt preventative fraud measures will help stop fraud at the source. Integrating AI and automation into finance systems can help businesses analyse invoice patterns and detect and prevent suspicious activity before any harm is done. But this can be out of many businesses’ reach.”

What is the future of APP fraud?

The whole world will be looking at the effectiveness of these regulations, as nowhere else has taken this mandatory step towards APP fraud.

While the effectiveness of these regulations can only be seen over time, their existence may be a comfort to those customers who were not previously protected.

However, the emphasis should always be on prevention. Banks, PSPs, and any other financial institutions should continuously be doing everything they can to prevent their customers falling victim to scams.


Níamh Curran Senior Reporter at Finextra
