APP fraud: The UK’s mandatory reimbursement requirement - Joseph Sullivan


This article first appeared on Thomson Reuters Regulatory Intelligence on 25 March 2024.

Starting Oct. 7, UK payment service providers must reimburse victims of APP fraud following new regulations by the government's payment regulator.

In the United Kingdom, the mandatory reimbursement requirement for authorized push payment (APP) fraud comes into force on Oct. 7. Announced by the Payment Services Regulator (PSR) on June 7, 2023, the new rules will require UK payment service providers to reimburse all in-scope customers who fall victim to APP fraud, save for limited exceptions.

The new rules — brought into force through directions made by the PSR and changes to the Faster Payments rules effected through Section 54 and Section 55 of the Financial Services (Banking Reform) Act of 2013 — replace the voluntary code introduced in May 2019, of which 10 payment service providers were members.

APP fraud

APP fraud involves authorized payments made because of deception by fraudsters. It has been a growing problem in the payment services industry for years, and according to UK Finance’s 2023 fraud report, APP fraud losses surpassed card fraud losses in 2021.

In 2022, there were 207,372 incidents of reported APP fraud in the UK. Most cases involved online fraud (78%), but these were responsible for only 36% of reported losses, whereas telecommunications fraud, which accounted for 18% of cases, was responsible for 44% of losses.

Contingent Repayment Model (the voluntary code)

In 2019, seven payment service providers established a voluntary code for reimbursement of losses caused to customers by APP fraud. There are now 10 members of the code representing 19 consumer brands, which are responsible for more than 90% of APP transactions in the UK.

The code implemented the Contingent Repayment Model, which had been proposed by the PSR and applied to all personal customers, charities with an annual income of less than £1 million ($1.2 million), and micro-enterprises. The code applies standards of conduct to payment service providers in connection with detection, prevention, and response to APP fraud, imposing requirements to take reasonable steps to detect APP scams, to send warnings to potential victims, and to offer advice as to how potential victims should seek to protect themselves.

The code also imposed an obligation to reimburse customers’ losses caused by APP fraud, subject to certain conditions, including:

  • Payments must be made within the jurisdiction, so international payments are not included.
  • The payment service providers have the discretion to refuse reimbursement if the victim: i) ignored a warning given under the code; ii) ignored a clear negative confirmation of the payee result; iii) made the payment without a reasonable basis for believing the transaction to be genuine; iv) did not follow its own procedures; or v) itself was guilty of gross negligence in connection with the payment.

As between the paying payment service provider and the recipient, if both are at fault, each is liable to cover 50% of the reimbursement. If only one is at fault, that payment service provider must pay the whole reimbursement. If both are at fault and the customer is at fault, each party bears 33% of the responsibility (meaning the customer receives reimbursement of only 66% of the loss). If neither payment service provider is at fault, the compensation is paid from a pooling fund to which all members contribute.

Changes under new requirements

The requirements under the new rules apply to the same types of customers as those falling within the scope of the voluntary code and, like that code, apply only to payments made within the jurisdiction. However, the new requirements differ from the voluntary code most notably in the following ways:

  • The rules are mandatory for all payment service providers using the Faster Payments system, rather than an opt-in, voluntary code.
  • They apply only to the Faster Payments system and no other payment systems (in practice this will cover most APP frauds: in 2021, 97% of such frauds used the Faster Payments system).
  • Decisions as to reimbursement are taken exclusively by the sending payment service provider; ordinarily, however, that provider can claim back 50% of any reimbursement from the recipient payment service provider.
  • There is a 13-month deadline for claims (although payment service providers can voluntarily choose to give reimbursements for later claims).
  • A payment service provider must give reimbursement within five business days, although it can “stop the clock” to allow for investigations (to a maximum of 35 days).
  • Sending payment service providers will have the option of imposing a claims excess of a maximum of £100, and there will be a maximum level of reimbursement of £415,000 ($525,028) for each single APP fraud case.
  • The new requirements introduce the “consumer standard of caution” (detailed in a December 2023 policy statement issued by the PSR).
  • Reimbursement can only be refused if the customer has failed to meet the consumer standard of caution through gross negligence, and then only if the customer is not vulnerable (so long as the vulnerability had a material impact on the customer’s ability to protect themselves from the scam).

What payment providers should do now

The precise wording of the new Faster Payments rules is yet to be published by Pay.UK (the PSR’s direction set a deadline of June 7 for implementation of the new rules), although draft rules have been published. Payment service providers will need to review the details of their obligations once the new rules are published on Oct. 7.

Before then, however, payment service providers should actively engage in developing their systems and processes, to be ready for the implementation date of the new requirements in the following three ways.

First, the new requirements create further incentives for (and obligations on) payment service providers to strengthen their APP fraud detection systems, both at the know-your-client (KYC) stage and in the processing of payment instructions.

Second, payment service providers need to design appropriate systems to provide warnings to customers and to set interventions by which a customer’s compliance with the consumer standard of caution can be assessed. To comply with the requirements, these warnings and interventions will need to be developed flexibly, especially in the context of vulnerable customers.

Third, payment service providers will need to develop systems to deal with reimbursement claims under the requirements. This will require clear policies and procedures for assessing a claiming customer’s compliance with the consumer standard of caution, identifying vulnerable customers, and analyzing whether any vulnerabilities were the cause of a failure to comply with the standard.

While payment service providers will be able to create computer systems to assist in this process, the assessment is ultimately an evaluative one and accordingly, appropriate training programs will need to be put in place for staff involved in dealing with claims, even if the payment service provider decides to use artificial intelligence-backed assistance.