In October 2024, the Authorised Push Payment (APP) victim reimbursement
scheme came into effect, under rules from the Payment Systems Regulator (PSR). The scheme means that Payment service providers (PSPs) are obliged to reimburse victims of APP fraud, up to £85,000 – and PSR asks that the value of reimbursement be
split 50/50 between the sending and receiving PSP. The introduction of this scheme spells great news for consumers but ratchets up the pressure on financial institutions to bolster their fraud defenses.
This short read explores why the
APP fraud reimbursement scheme is necessary, what the rules entail, and how the industry is responding to them.
The fraud landscape
In some ways, APP fraud can be considered the frontline of financial cybercrime – it is often bad actors’ initial attempt to siphon cash from unwitting victims. The APP attempt is executed by socially engineering personal information from a victim, with
the aim of encouraging the victim to make the payment themselves. If this is not successful, then the criminal tries to impersonate the victim, with a view to taking control of the existing account.
According to UK Finance, over
£570 million was stolen by fraudsters in the first half of 2024. Of this amount, £214 million was lost to APP fraud – comprising £167 million in personal losses and £47 million in business losses. The vast majority, 72%, of all APP frauds began online,
while 16% started via telecommunications networks. £127 million of the APP losses were returned to the victims.
Most importantly, the majority of victims were satisfied with their bank’s response: “53% of victims in the last five years were reimbursed to some extent, and 41% were reimbursed in full after losing money to an APP scam,” notes a Finextra
article. This data was released by PSR in November 2024, to mark International Fraud Awareness Week. Part of a wider study, which surveyed over 1,500 UK adults, PSR’s research underlined that falling victim to APP scams impacts not only on a consumer’s
financial life, but their economic activity and social wellbeing.
According to the study, the most common incidents of APP fraud were purchase scams under £200. The emotional impact, however, was far more pronounced, with one in five victims noting that the experience made them feel anxious and depressed – and 50% saying
it reduced their trust in others.
The scope of APP reimbursements
The PSR’s rules include payments made from one UK bank account to another on faster payments and CHAPS.
In a Finextra article, ‘What you need to know about APP reimbursement,’ it is noted that “the original ceiling for reimbursement was placed at £415,000, to include some
of the highest volume cases the PSR had seen. Some concerns were raised over the impact that high ceiling would have on smaller PSPs.” Before to coming into effect, the PSR confirmed that it was lowering this bar to £85,000 – following analysis that
of the 250,000 cases they saw in 2023, 429 were above £85,000.
Only in cases of ‘gross negligence’ can pay-outs be avoided. In these scenarios it is incumbent on PSPs to prove the end-user has, for example, ignored specific warnings or not responded when given reasonable requests for information.
While the value of the reimbursement is split 50/50 between the sending and receiving bank, PSPs can levy an excess of up to £100 per claim.
The industry response
It is important to note that the APP fraud reimbursement scheme does not mandate PSPs to invest in more prevention and detection, though the PSR has seen this to be the indirect outcome, in many cases.
In the fintech sphere, reactions have been nuanced – reflecting both the need to protect consumers, as well as the technology investments that must happen internally. Broadly speaking, firms have acknowledged that PSR’s scheme is a strong incentive to introduce
up-to-date digital security tools to prevent APP scams from happening in the first place. Some have pointed to the need for effective cross-industry collaboration, to ensure a seamless investigation and reimbursement process, as well as to enhance customer
experience.
Other firms expressed concerns that the scheme could herald new types of payments fraud, of a more sophisticated nature, with fake victims of fraud colluding with the fraudster who receives the money in the scam.
Regarding the cap itself, fintechs have argued that this could disproportionately affect smaller banks and companies, since they may not be able to afford to pay the compensation. This could widen the gap between large and small banks in how they handle
APP fraud.
A consensus was that fundamentally, firms must appreciate that the rules and their implementation are not one and done; they will continue to evolve – so remaining abreast of regulatory development is critical.
For a more detailed picture of fintechs’ reactions to APP fraud reimbursement scheme, read Finextra’s long read on the subject
here.
Looking ahead: The utility of victim reimbursement
In the UK, PSR’s scheme is a first-of-its-kind reimbursement scheme, protecting consumers from the pervasive threat of financial crime, and encouraging banks and PSPs to up their game in the face of cybercrime.
While there is little debate around the scheme’s necessity, it has yielded a colorful response from the industry, with some commentators airing concerns that it could encourage even more complex forms of cybercrime.
The planet of payments regulation is by nature a slow-moving beast – and only with time will it be clear how successfully this iteration delivered on its aims.