Skip to main content
Fraud HubArticles

An App-raisal of the new APP rules

On 7 October 2024 the Payment Systems Regulator’s (“PSR”) proposal for new reimbursement rules relating to Authorised Push Payment (“APP”) fraud (often referred to as “scams”) comes into force.

This article explores the background as to why these changes were needed, an overview of what they are and how they seek to improve detection and prevention of fraud and increase protection for customers of banks and other Payment Service Providers (“PSPs”).

Why?

The 2024 annual fraud report released by UK Finance[1] found that APP fraud has seen a significant rise in the UK in recent years. In 2023, APP fraud losses totalled around £459.7 million, with the number of cases rising by 12% to 232,429.  There are more incidents of fraud than any other crime in the UK and APP fraud is one of the most significant types of payment fraud globally.

Given the above, APP fraud is a growing area of concern in the UK and the PSR was tasked with overhauling the reimbursement rules relating to APP fraud in order to ensure consistency of reimbursement practices, enhanced consumer protection, and detection and prevention of fraudulently induced customer transactions.

Prior to 7 October 2024, consumers were protected by a voluntary code that the majority of large high street banks were signatory to.  The code is widely known as the ‘Contingent Reimbursement Model’ or “CRM” for short and it provides for reimbursement in specific circumstances. The PSR’s new reimbursement requirement takes that voluntary aspect and requires all PSPs to automatically reimburse consumers who have fallen victim to an APP fraud where Faster Payments or Clearing House Automated Payment System (“CHAPS”)[2] has been used.

In the past, reimbursement after an APP fraud was very inconsistent depending on which PSP firm the consumer banked with. One PSP firm (a bank) might refund one customer whilst another bank would not refund for a very similar type of APP fraud. The new requirement seeks to ensure that all consumers are treated equally and with clarity as well as incentivise PSPs to invest in prevention to avoid fraud in the first instance.

What?

The new APP fraud reimbursement rules come into effect on 7 October 2024 and represent a significant overhaul in the way APP fraud victims are compensated.

Here are the key aspects of the upcoming rules:

  1. Automatic Reimbursement for APP Fraud Victims:
    • From 7 October 2024, victims of APP fraud will be entitled to automatic reimbursement when using the Faster Payments and CHAPS.  This applies to individuals, microenterprises and charities. In order to be in scope a microenterprise has to have fewer than 10 people and an annual turnover and/or balance sheet that does not exceed £2 million.  In addition, charities have to have an annual income of less than £1 million.  As a reminder, international payment transactions are not covered by these rule changes.
    • The upper limit for claims will be £85,000, which aligns with the maximum level of reimbursement to the Financial Services Compensation Scheme limit.
    • The reimbursement will be split 50/50 between the sending and receiving PSP. This will be managed through the Reimbursement Claims Management System which will be operated by Pay.UK.
  2. Consumer Responsibilities:
    • Where a consumer as a result of gross negligence (meaning acting significantly carelessly), has not met one of the four requirements of the consumer standard of caution, a PSP may refuse the reimbursement request.
    • The four requirements making up the consumer standard of caution that a consumer needs to have met are:
      1. The requirement to have regard to interventions – Consumers should heed and note any interventions (such as warnings in a payment journey) from their PSP.
      2. The prompt reporting requirement – Consumers should report an APP scam promptly to their PSP and not more than 13 months from the scam.
      3. Information sharing requirement– Consumers should respond to any reasonable and proportionate request for information from their PSP.
      4. Police reporting requirement – Consumers should consent to the PSP reporting the APP scam to the police on the consumer’s behalf or report it themselves if so requested.
    • PSPs can deny reimbursement only if they can demonstrate gross negligence on the part of the customer. However, this is a high bar, and exceptions are expected to be rare​.
    • If a consumer is considered vulnerable, then the consumer standard of caution will not apply, and reimbursement will be made.
    • If a consumer is otherwise found to be involved in the fraud they complain of (i.e., are making a dishonest claim for reimbursement) their claim will naturally be rejected. This is commonly referred to as “first party fraud”.
  3. Reimbursement Excess:
    • PSPs are allowed to apply an excess fee of up to £100 on claims. However, vulnerable consumers will be exempt from this excess, ensuring they receive full reimbursement​.
  4. Stop the clock
    • PSPs are under an obligation to reimburse victims of APP fraud within 5 business days of reporting.  However, there is provision to ‘Stop the Clock’ to allow further time to investigate.
    • The Stop the Clock provisions can only be used in specific circumstances, namely:
      1. To gather information from the victim or receiving PSP to assess whether the claim falls within the reimbursement requirement.
      2. To verify that a claims management company is submitting a legitimate claim.
      3. To establish if the victim is a vulnerable person.
      4. Where there is evidence of fraud to gather additional information from the receiving PSP, law enforcement or other relevant parties.
      5. Where there is a multi-step scam to gather additional information from the PSP’s involved.
    • The Stop the Clock provisions can be used as many times as necessary, however, the PSP must close the claim before the end of the 35th day following the reporting of the APP fraud to them.
    • In addition, HM Treasury has announced new powers allowing PSPs to delay a suspicious payment for up to 4 business days[3] (up from the existing time frame of 24 hours) which will allow PSPs opportunity to check the validity of the payment with the consumer before the APP fraud occurs.

Who?

Originally there were 10 signatories to the voluntary CRM which made up approximately 85% of Faster Payments. The PSR’s new reimbursement requirement takes away the voluntary aspect and requires all PSPs who use Faster Payments (either directly or indirectly) and CHAPS to adhere to the new reimbursement requirement.

In July 2024 a list of all PSPs that needed to comply with the new reimbursement requirement was published by the PSR.  It totals over 35 pages[4] and consists of a wide range of PSPs.

The new reimbursement requirement is a substantial shift and for the smaller PSPs this will prove not only onerous to implement but may well cause challenges for funding improved fraud detection software, inward investment or worse, prudential risk.  This will lead to them having to make difficult decisions regarding their approach to business.  A range of the concerns by PSPs were summarised in the PSR’s final policy statement[4].

In addition to the changes outline in this article, all PSPs are now obliged to provide data to the PSR relating to how well they are tackling APP fraud.  The data covers many aspects including how much money is reimbursed, to how much money is received or sent as a result of APP scams.

Conclusion

These changes aim to enhance consumer protection while encouraging banks and payment firms to strengthen their fraud prevention strategies. Ultimately, the aim is to reduce the amount of fraud caused by APP scams with that money otherwise in the hands of criminals and likely leading to increased funding for other criminal activity.

Our experience of working in this area for fintech PSPs is that the reimbursement requirement is expected to hit smaller fintechs hardest in terms of speed of response and identification of transactions of concern. Moreover, data on APP fraud has shown that smaller banks and fintechs are disproportionately impacted by the flow of fraudulent funds, making compliance with these new regulations even more challenging.

While the ultimate goal of the reimbursement requirement is to reduce APP fraud rather than merely increase reimbursement, its success will depend on the implementation of robust processes and procedures by PSPs.  That said, tackling the root cause of fraud will require a collaborative effort involving public agencies, financial institutions, and social media platforms to intercept and prevent fraud before it occurs.

Tenet advises PSPs on all issues arising out of instances of consumer banking fraud from assisting on analysing whether a transaction was first party fraud or grossly negligent, through to dealing with disputes in Court or with the FOS arising out of fraud on a customer’s account.

If you would like to discuss your current arrangements for dealing with disputes arising from APP or are concerned about the implementation of the new reimbursement rules and how they will affect your business, then please do not hesitate to get in touch by contacting one of the authors on the details below.

Our team would be happy to arrange an initial meeting to better understand your business and explore how we can offer support moving forward.

For more information about this article please contact:

Esther Phillips, Rebecca Craig, Arun Chauhan

Published on October 4, 2024

Fraud Hub

View More
Read Case Study
Case Study

The one with the son stealing from his elderly mother…

Read Article
Article
January 10, 2025

Crossing the line – when does a misrepresentation become fraudulent?