What is APP fraud?
APP fraud happens when a fraudster tricks someone into sending money to the fraudster’s account. According to the U.K.’s Payment Systems Regulator (PSR), there are more incidents of fraud than any other crime type in the U.K., with APP fraud accounting for 40% of fraud losses in 2022. The U.K. is the first country in the world to introduce a mandatory reimbursement requirement.
Summary of the new Reimbursement Scheme
Entry into force: October 7, 2024.
Allocation of reimbursement: Cost to be shared 50/50 between sending and receiving PSPs.
Consumer standard of caution exception: The standard encompasses four threshold levels of caution which, if not met by a customer, are grounds for a PSP to deny reimbursement. This exception does not apply to vulnerable customers.
Excess: Sending PSPs are allowed to apply an excess of up to GBP100 to an APP fraud claim, except for claims made by vulnerable customers.
Level of mandatory reimbursement: The maximum level of mandatory reimbursement is GBP85,000, which applies to all customers (there is no exception for vulnerable customers). There is no minimum claim.
Which PSPs and payments are within scope of the new requirements?
An in-scope payment is one which:
- Is authorised by a victim who holds a U.K. payment account as a consumer, micro-enterprise, or small charity; and
- Is settled through FPS or CHAPS to a receiving payment account located in the U.K. which is not controlled by the victim, and which was identified in the victim’s payment order as a result of dishonesty or a fraud perpetrated on the victim.
Sending and receiving PSPs which are indirect FPS or CHAPS participants, as well as direct participants, are within scope of the new requirements.
Which payments and claims are not within scope of the requirements?
The new reimbursement requirements do not apply to:
- Payments which take place across payment systems other than FPS and CHAPS;
- International payments;
- Payments made for unlawful purposes; or
- Payments which are the subject of a civil dispute, such as where a customer has paid a legitimate supplier but is dissatisfied with the goods sold.
The sending PSP is required to assess each APP fraud claim and determine whether it is valid and in-scope. A claim is not reimbursable if the sending PSP determines that:
- The customer claiming to be a victim is in fact party to the fraud (i.e. “first-party fraud”); and
- The victim (1) is not a “vulnerable customer”; and (2) through gross negligence, fails to satisfy the “consumer standard of caution”. Please see further details below as to the concepts of vulnerable customer and the consumer standard of caution.
How does the reimbursement requirement operate between the sending and receiving PSPs?
If a customer becomes aware that they are a victim of APP fraud, they must notify their sending PSP without delay, and in any event within 13 months of making their relevant payment.
The sending PSP must reimburse the victim within five business days. The sending PSP can ‘stop the clock’ if they need to investigate further (including to gather evidence from the receiving PSP), but the sending PSP must arrive at an outcome within 35 business days, regardless of how many times and for how long they ‘stop the clock’.
Having reimbursed the customer, the sending PSP is entitled to compensation from the receiving PSP for 50% of the amount paid to the customer.
However, the receiving PSP does not have to contribute to the reimbursement to the extent that the sending PSP chooses:
- Not to apply the claim excess, or to pay more than the maximum level (see further details below);
- To reimburse a claim submitted after the 13-month limit; or
- To reimburse a claim that is a first-party fraud or where a non-vulnerable customer acting with gross negligence failed to satisfy the consumer standard of caution.
What is the consumer standard of caution?
The consumer standard of caution is a set of requirements which all customers are expected to meet, and if any component is not met due to the customer's gross negligence, their PSP is entitled to reject their reimbursement claim.
‘Gross negligence’ is a higher threshold than that of negligence under common law – the PSR says that a customer needs to have shown a ‘significant degree of carelessness’ in failing to meet an element of the consumer standard of caution. The onus will fall on the PSP to prove that a customer has failed to meet any element of the consumer standard of caution due to their gross negligence.
A PSP cannot, however, reject a claim due to gross negligence if the victim is a vulnerable customer.
The PSR’s December 2023 Policy Statement sets out the four elements of the consumer standard of caution as follows:
- A requirement to have regard to interventions: customers should have regard to specific, directed interventions, such as warnings, made by their sending PSP or a competent national authority such as the police. The intervention must offer a clear assessment of the probability that an intended payment is an APP scam payment.
- Prompt notification: upon learning/suspecting that they have fallen victim to an APP scam, customers should report the matter to their PSP promptly and, in any event, within 13 months after the last relevant payment was authorised. Any delays due to the customer reporting directly to the police will not be considered to be evidence of grossly negligent behaviour.
- Information sharing: a customer should respond to any reasonable and proportionate requests for information from their PSP to help it assess a reimbursement claim, including requests under ‘stop the clock’ rules. If a customer, through gross negligence, fails to respond to such requests, they are ineligible for reimbursement.
- Police reporting: customers should, after making a reimbursement claim, and upon their PSP’s request, consent to one of two options for reporting the APP scam to the police. The PSP can either request that a customer agrees to have the details of their claim shared with the police, or request that the customer reports the details of the APP scam directly to the police. Where a customer, acting with gross negligence, rejects either option, the PSP will be able to refuse a reimbursement claim.
If a customer is vulnerable, their failure to adhere to any element of the consumer standard of caution cannot be used by the PSP to deny reimbursement:
- A vulnerable customer is a natural person “who, due to their personal circumstances, is especially susceptible to harm – particularly when a firm is not acting with appropriate levels of care”, according to FCA guidance.
- The PSR expects PSPs to evaluate each customer’s circumstances on a case-by-case basis to help determine the extent to which their characteristics of vulnerability led them to be defrauded, and therefore whether they meet the definition of vulnerability for the purposes of the particular APP scam payment.
Alongside its December 2023 Policy Statement, the PSR also published a ‘Consumer standard of caution exception notice’ and associated ‘Consumer standard of caution exception guidance’ which should be read together.
What is the claim excess?
The sending PSP can apply a claim excess of up to GBP100. The PSR confirmed in its December 2023 Policy Statement that ‘a maximum claim excess of GBP100 is an effective way of encouraging customer caution. A fixed excess, communicated well, will encourage customers to remain vigilant when making a payment and therefore mitigate the risk of moral hazard.’
The sending PSP can decide whether to apply the excess at the maximum value, a lower excess, or not at all. If a sending PSP chooses not to apply an excess, or to apply an excess below the maximum of GBP100, it cannot, as part of the 50:50 liability split between sending and receiving PSPs, claim from the receiving PSP any part of the amount not levied.
Vulnerable customers cannot be charged any excess.
What is the maximum reimbursement level?
The PSR originally proposed a maximum level of reimbursement of GBP415,000, in line with the maximum value (at the time) of a claim to the Financial Ombudsman Service (FOS). However, this has been reduced to GBP85,000, in line with the Financial Services Compensation Scheme (FSCS) limit, following feedback the PSR received from stakeholders, in particular prudential concerns for some smaller firms in the market.
According to the PSR, under the new limit 99.8% of all APP scam cases will still fall below the maximum reimbursement level, and around 90% of total APP scam value is likely to be reimbursed. However, the PSR notes that reducing the maximum claim value is likely to increase the number of complaints to the FOS if consumers seek to recover the full extent of their losses above the new GBP85,000 limit.
Going forward, the limit will change to track any revisions to the FSCS limit. The PSR will also review the effectiveness and impact of the FSCS limit being the maximum level of reimbursement after the requirement has been in force for 12 months.
When did the Reimbursement Scheme come into effect?
Any in-scope payments that take place on or after October 7, 2024 are covered by the reimbursement requirement. Where the claim relates to a series of payments, any payments made prior to October 7, 2024 are not in-scope.
Legal instruments
The legal instruments which give effect to the reimbursement policy, and place legal obligations on PSPs to comply with it, are:
Compliance and monitoring
In July 2024, the PSR published its final rules on compliance and monitoring in relation to the FPS APP Fraud Reimbursement Requirement. As the operator of Faster Payments, Pay.UK is responsible for monitoring all directed PSPs’ compliance with the FPS reimbursement rules. Although Pay.UK is responsible for monitoring compliance with the FPS reimbursement rules, enforcement remains the responsibility of the PSR.
Pay.UK’s FPS Reimbursement Rules: Compliance Monitoring Regime sets out how Pay.UK will monitor and manage directed PSPs’ compliance and applies to both direct and indirect participants. This covers compliance monitoring, managing the consequences of non-compliance by directed PSPs, and how Pay.UK will work with directed PSPs and the PSR to report on compliance.
Pay.UK is also providing the reimbursement claim management system (RCMS) and will be requiring all members of Faster Payments (those who are direct participants) to use it by May 1, 2025. This should allow PSPs to effectively manage FPS APP scam claims, communicate in respect of claims and more easily comply with data reporting requirements.
There is no central system for PSPs using CHAPS. Instead, reporting will be via email to the Bank of England. In addition, the CHAPS APP Scams Compliance Data Reporting Standard (CCDRS) contains the CHAPS APP scams data and information that directed PSPs are required to collate and retain, for the Bank of England to effectively monitor compliance with the CHAPS reimbursement rules.
Ability to delay payment following suspicion of fraud or dishonesty
Payment Services (Amendment) Regulations 2024
The Payment Services (Amendment) Regulations 2024 amend the Payment Services Regulations 2017 (PSRs) by allowing PSPs to delay the sending of an in-scope payment where they suspect that the payment order is subject to fraud or dishonesty.
Typically, when a payer orders its PSP to execute a payment order, the PSRs require the payee’s account to be credited by the end of the business day following receipt of the payment order (D+1). The Payment Services (Amendment) Regulations 2024 allow a PSP to delay crediting the payee’s PSP’s account for certain in-scope payments by up to a further 72 hours (D+4). This is only permitted when the payer’s PSP has established that there are reasonable grounds to suspect that the payment order has been placed following fraud or dishonesty perpetrated by someone other than the payer. These grounds must have been established by the end of D+1, and the PSP must establish that more time is needed for it to contact the payer or a relevant third party to make further enquiries as to whether it should execute the payment order.
PSPs must inform the payment service user of the fact of the delay, the reason for it, and what information or actions are needed to help the PSP decide whether to execute or refuse the payment order (unless providing any of that information would be unlawful). The PSP will be liable for any interest or charges that the payment service user incurs as a result of the PSP’s decision to delay a payment order, regardless of whether the payment order is ultimately executed.
The amendments apply only with respect to outbound authorised push payments wholly executed in the UK in GBP. The Regulations entered into force on October 30, 2024.
FCA’s Payment Services and Electronic Money Approach Document (Approach Document)
Following the publication of the Payment Services (Amendment) Regulations 2024, the FCA has published finalised guidance for firms that enables a risk-based approach to payments when deciding whether to delay a payment. The finalised guidance sets out:
- The requirements for delaying outbound payments and determining whether the threshold for "reasonable grounds to suspect" has been met;
- How PSPs should use the payment delay window;
- Obligations on PSPs if they delay an outbound transaction; and
- The treatment of suspicious inbound payments.
The FCA has updated its Approach Document to include the new finalised guidance. The guidance can be found in chapter 8 and came into effect on November 22, 2024.
FCA Dear CEO letters
On October 7, 2024, the FCA sent two Dear CEO letters—the first to banks and building societies, the second to payments and e-money firms—outlining its expectations of them as PSPs which may be captured by the PSR’s APP fraud reimbursement requirements. The FCA expects firms to:
- Enhance anti-fraud systems and controls to prevent APP fraud;
- Avoid causing foreseeable harm to consumers in line with the Consumer Duty, including by ensuring that their systems are adequate to detect and prevent scams and that customers are supported throughout the lifecycle of a product or service, particularly when making complaints;
- Provide information about the availability of alternative dispute resolution procedures for payment service users and how to access them as part of their pre-contractual information; and
- Ensure that approaches to intra-firm payments (where both sending and receiving payment accounts are held with the same firm) meet Consumer Duty obligations and, if a lower level of protection is provided for these payments than those subject to the reimbursement requirements, explain to the FCA the steps taken to satisfy these requirements with respect to intra-firm payments.
In addition, the FCA expects payments and e-money institutions to recognise and manage their potential liability and the impact this may have on their capital and liquidity. These firms should review and adjust their business models and transactions to mitigate against any risk of prudential impact that may result from potential APP fraud reimbursement liabilities.
Guidance on supporting the identification of APP frauds and civil disputes
Claims which relate to a civil dispute are not reimbursable under the new APP Fraud Reimbursement Scheme. The PSR has published a policy statement and guidance to support PSPs in assessing whether an APP scam claim raised by a consumer solely relates to a civil dispute and therefore does not fall within the requirement to reimburse. By private civil dispute, the rules mean a dispute between a consumer and payee which is a private matter between them for resolution in the civil courts, rather than involving criminal fraud or dishonesty. The guidance sets out five high-level factors that PSPs should consider when determining whether a claim is a reimbursable APP scam or a civil dispute. PSPs should consider all high-level factors and the information provided by the consumer or third party when assessing a claim.
National Payments Vision
HM Treasury published its National Payments Vision (NPV) on November 14, 2024, setting out the UK Government's priorities for the payments sector, including the importance of reducing fraud. The NPV has been published in response to the 2023 Future of Payments Review (also known as the Garner Review).
In relation to APP fraud, the NPV notes that further action is needed, particularly in relation to cross-sector sharing of information. The Government highlights that fraudsters are exploiting online platforms and telecommunications networks to access and coerce APP fraud victims. As such, in addition to payments firms, the technology and telecommunication industries must also play a role in tackling APP fraud. This has begun to be reflected in regulation, with the Online Safety Act 2023, which imposes obligations on large technology platforms to prevent fraudulent content on their services or face substantial fines if they fail to do so. The Government has therefore written to the technology and telecommunications sectors to call for demonstrable action to reduce the scale of incidents and losses from fraud taking place on their platforms and networks. The Government will request updates on progress and action taken at the next Joint Fraud Taskforce in March 2025 and will continue to monitor the issue.
Next steps
- The maximum reimbursement level will be reviewed in Q4 2025.
- The UK Government will release an expanded fraud strategy in 2025.
- The PSR has committed to publish a post-implementation review after 12 months of the APP fraud reimbursement policy being in force.