Skip to content

Authorised push payment fraud and mandatory reimbursement

Insight

Data Protection

The Payment Systems Regulator (PSR) and the Bank of England are introducing a mandatory reimbursement scheme for victims of authorised push payment fraud (APP fraud). APP fraud is when a consumer is persuaded or tricked into authorising a payment to a fraudster, whether through being deceived as to the recipient of the payment, or as to the purpose for which they are transferring the funds.

The new reimbursement scheme is intended to come into force on 7 October 2024, and will apply to payments made after that date. Firms may decide to reimburse consumers earlier than this date, on a voluntary basis.

The scheme will be implemented through the PSR giving directions to Pay.UK, the independent operator of the Faster Payments scheme.

The Bank of England is also developing similar rules for UK retail Clearing House Automated Payments System (CHAPS) payments.

The PSR will also increase transparency by publishing APP fraud data and tasking industry with developing a data and intelligence sharing tool.

It is hoped that the new scheme will further encourage and incentivise payment service providers (PSPs) to develop better systems for identifying fraud and effective interventions to change consumer behaviour.

Summary of new scheme:

  • Mandatory reimbursement within five working days.
  • Cost to be split 50/50 between sending and receiving PSPs.
  • Coming into force on 7 October 2024.
  • No minimum, maximum £415,000.
  • Voluntary excess of £100.
  • Faster Payments and retail CHAPS payments are within scope.
  • Special requirements for vulnerable consumers.

Background

UK Finance stated in its 2023 annual fraud report that in 2022 there were over 200,000 reported APP fraud cases on personal accounts, and losses totalled over £485m.

Previous efforts to address the problem of APP fraud, which can result in consumers losing significant amounts of money with little prospect of redress, have included strong customer authentication requirements and the Lending Standards Board’s Contingent Reimbursement Code.

In 2022 the PSR expanded Confirmation of Payee to 400 new PSPs, some of which had to comply by 31 October 2023 (Group 1) and the rest by 31 October 2024.

However, the UK Government’s concern is that these measures do not go far enough, and as part of its wider fraud strategy has legislated to allow a requirement for mandatory reimbursement (via the Financial Services and Markets Act 2023).

Among other things, the Government amended the Payment Services Regulations (PSRs 2017) to clarify that regulation 90, under which a PSP is not liable for the defective execution of a payment which is executed in accordance with a unique identifier, does not affect the liability of a PSP where the PSR has exercised its regulatory powers in relation to APP scams.

In June 2023, the PSR published a policy statement on enhancing consumer protection from APP fraud in Faster Payments. This followed previous consultations and a call for input in 2021 and 2022.

The Bank of England separately confirmed that similar rules will apply to retail CHAPS. These changes will be implemented via directions from the PSR to CHAPS participants (due for consultation in Q1 2024) and changes to the CHAPS scheme rule book.

The reimbursement requirement

The reimbursement requirement is underpinned by 10 key policies, as follows:

  • Sending PSPs must reimburse all customers who fall victim to APP fraud,
  • The receiving PSP must pay the sending PSP 50 per cent of the reimbursement, within a time period to be set by Pay.UK,
  • There will be two exceptions:
    • Where the customer has acted fraudulently, or
    • Where the customer has acted with gross negligence, that is, outside the consumer standard of caution: see below for more details.
  • Customers must be reimbursed within five business days,
  • There will be a claim excess, which was finalised at £100 (see below for more details),
  • There is no minimum threshold for claims,
  • There will be a maximum level of reimbursement of £415,000 (see below for more details),
  • There will be a time limit for making claims of 13 months after the last payment,
  • The customer standard of caution and claim excess will not apply to vulnerable consumers, and
  • "Multi-step" fraud cases that involve more than one payment will also be covered. The reimbursement requirement will apply to an account controlled by a person other than the customer, where the customer has been deceived into granting that authorisation as part of an APP fraud case.


Who is in scope?

The reimbursement requirement applies to payments made by consumers, microenterprises and charities.

PSPs that operate the sending or receiving payment account for a qualifying transaction are in scope, including direct and indirect Faster Payments participants. It is expected that this will be similar for CHAPS participants, taking into account its unique characteristics.

The PSR is unable to mandate reimbursement for a payment made to a recipient hosted by the same PSP, as it is not made via a payment system. However, it expects PSPs to reimburse such victims of APP fraud anyway.

The consumer standard of caution

The PSR has proposed two exceptions to the reimbursement requirement: the first being if the consumer has acted fraudulently, and the second being if the consumer has acted with gross negligence. We refer to the latter as "the consumer standard of caution".

The PSR has proposed that customers should be subject to an express standard of care in relation to authorised push payments and has published guidance on this.

The guidance notes that the standard of care includes four elements:

  • The requirement to have regard to specific, directed interventions made either by the sending PSP or by a competent national authority. The guidance notes that any intervention for the purpose of this exception should be bespoke. They must be consumer, scam and transaction specific and should not consist of "boilerplate" written warnings. Where a consumer chooses to proceed with a transaction after an intervention by the PSP, they should not automatically be deemed to be grossly negligent. Rather, the PSP should conduct an assessment of the degree of negligence including, for example, the complexity of the scam to which the consumer has become victim.
  • The prompt notification requirement (as soon as possible, and no later than 13 months after the last payment was authorised).
  • The information sharing requirement. Consumers will be required to respond to any reasonable and proportionate requests for information made by their PSP, which should allow providers to assess reimbursement claims and whether the consumer is vulnerable. Firms will need to consider carefully what is reasonable and proportionate, and appropriate action if a consumer does not respond.
  • The police reporting requirement: consumers should, after making a reimbursement claim, consent to the PSP sharing their details with a competent national authority.


The burden of proof will fall on the PSP to show that the consumer has acted with gross negligence. This is a higher standard than the general standard of negligence under common law and the consumer needs to have shown a very significant degree of carelessness to fall within the exception. PSPs should not place additional standards on consumers. For example, the guidance notes that PSPs cannot impose any terms and conditions on their consumers that shift the burden of proof to the customer or require consumers to disprove that they were grossly negligent.

Vulnerable consumers are excepted from this standard. Firms should note that when considering whether a consumer is vulnerable, they should take into account the consumer’s circumstances when making the transaction, in addition to personal characteristics of vulnerability. They should have regard to the FCA’s guidance on vulnerable customers and be mindful of their obligations under the Consumer Duty.

Claim excess and maximum reimbursement level for Faster Payments and CHAPS

The claim excess: £100

In Policy Statement 23/4  the PSR set the claim excess at £100.

The claim excess amount is designed to balance encouraging consumer caution while maintaining appropriate incentives on firms to prevent APP fraud. Consumers will be encouraged to report lower-level frauds to PSPs, which should still investigate and attempt to repatriate funds. PSPs will be free to levy the full excess, a partial excess, or no excess at all. If PSPs reimburse in full and do not levy an excess, they will not be able to claim back any of the excess from the receiving PSP.

The cap

The cap has been set at £415,000, which matches the cap for compensation from the Financial Ombudsman Service and under which the vast majority of APP frauds fall. The PSR has decided not to raise the cap every year in line with inflation. The maximum reimbursement level is intended to allow firms to understand and manage their potential liability to APP fraud.

The PSR encourages PSPs to take steps to mitigate the risks of reimbursement liabilities and to do this prior to its policy coming into effect. These include considering appropriate transaction limits, improving "know your customer" controls, strengthening transaction-monitoring systems and stopping or freezing payments that PSPs consider to be suspicious for further investigation.

Vulnerable consumers

Vulnerable consumers will not be subject to the excess, but they will be subject to the cap.

Data and intelligence sharing

The PSR has tasked industry to develop a data and intelligence sharing tool to facilitate improved risk detection and fraud prevention, for example by stopping or delaying high-risk payments. Pay.UK has consulted on the first iteration of data standards to support this information sharing and is working towards building an application programming interface (API) solution through which standardised customer data will be sent. The PSR expect PSPs to start implementing aspects of the system at the earliest opportunity.

The rules

The PSR will direct Pay.UK, as the payments system operator, to amend its rules to implement the reimbursement policy, as this will allow the rules to be amended more quickly than regulatory instruments.

The reimbursement requirement is being implemented via the following legal instruments:

  • Specific Requirement 1 to Pay.UK to insert the reimbursement policies into the Faster Payment Scheme rules (including separate instruments mandating the value of the maximum level of reimbursement, the maximum excess and the Consumer Standard of Caution).
  • Specific Direction 19 which imposes responsibilities on Pay.UK to monitor compliance with the reimbursement rules, to take steps to improve PSPs’ compliance and to gather data and report to the PSR.
  • Specific Direction 20 which directs PSPs to reimburse APP scam payments and comply with the Faster Payments Rules.
  • The PSR will give a similar direction to direct and indirect CHAPS participants.
  • Amended Faster Payments Scheme rules (only published in draft).
  • Amended CHAPS scheme rules (not yet published).


Next steps

Pay.UK will publish the final Faster Payments Scheme rules, further to its October consultation. The PSR will consult on a direction on CHAPS participants in Q1 2024, when we can assume we will also see draft amendments to the CHAPS scheme rules. (see Annex 1)

As part of its review and call for evidence on the Payment Services Regulations 2017,  published in January 2023, HM Treasury invited views on legislating to amend the requirement that PSPs ensure payments to a receiving account by the end of the next working day. This would allow firms to take a more risk-based approach and delay payments to engage with the customer where firms suspect that a customer may be at risk of fraud. This would be in addition to firms’ current ability to refuse to process payments.

HM Treasury also sought views on whether there were benefits in allowing receiving banks to delay crediting an account, if it suspected a payment was fraudulent, before following procedures under the Proceeds of Crime Act.

The PSR has committed to publish a post-implementation review in 2026.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, January 2024

Want to know more?

Contact us

About the authors

Grania Baird banking lawyer

Grania Baird

Partner

Grania leads the financial services regulatory and funds practice at Farrer & Co. She has over 20 years of experience acting for clients across the sector, including private banks, wealth managers, asset managers and, more recently, payment services firms and Fintech businesses.

Grania leads the financial services regulatory and funds practice at Farrer & Co. She has over 20 years of experience acting for clients across the sector, including private banks, wealth managers, asset managers and, more recently, payment services firms and Fintech businesses.

Email Grania +44 (0)20 3375 7443
Nandini Sur lawyer photo

Nandini Sur

Senior Associate

Nandini advises private banks, payment service providers, asset managers and wealth managers on implementing and complying with financial services law and regulation. 

Nandini advises private banks, payment service providers, asset managers and wealth managers on implementing and complying with financial services law and regulation. 

Email Nandini +44 (0)20 3375 7990
Nina_Caplin_RGB

Nina Caplin

Knowledge Lawyer

Nina is a knowledge lawyer in the Banking and Financial Services team. She supports the Financial Services team, keeping them up to speed with the latest regulatory developments and providing them with the resources required to undertake client work efficiently and accurately. She trains the lawyers in new law and practice, answers legal queries, and assists with knowledge sharing and resources across the firm’s practice group.

Nina is a knowledge lawyer in the Banking and Financial Services team. She supports the Financial Services team, keeping them up to speed with the latest regulatory developments and providing them with the resources required to undertake client work efficiently and accurately. She trains the lawyers in new law and practice, answers legal queries, and assists with knowledge sharing and resources across the firm’s practice group.

Email Nina
Back to top