Authorised Push Payment (APP) Fraud - where a customer is tricked into sending money to a fraudster posing as someone legitimate - is a growing issue. APP Fraud presents a particular risk to payments companies or PSPs who could be penalised for not properly looking after their customers.
According to UK Finance, in the first half of 2024, £570 million was lost due to payment fraud and scams and of that overall figure, £213.7 million was due to APP Fraud.
Regulations continue to change to protect the consumer, so it’s important to understand what is required. We explore the changes here, how they might affect you and the appropriate steps to take.
Why should PSPs take note?
On 7 October 2024, a mandatory reimbursement requirement for victims of APP Fraud was implemented by the Payment Systems Regulator (PSR) in the UK (the APP Fraud Reimbursement Regulations).
These regulations require all UK payment service providers (PSPs) that use the Faster Payments System (FPS) or the Clearing House Automated Payment System (CHAPS) to reimburse in-scope customers with eligible APP Fraud claims.
The regulation is in place to avoid monetary loss and reputational damage. Below is a summary of the new APP Fraud Reimbursement Regulations. This summary is not intended to replace the legislation, and all PSPs should refer to the existing PSR guidelines to assess their risk exposure.
Overview of APP Fraud Reimbursement Regulations
Sending PSPs need to reimburse victims with eligible APP Fraud claims. Customers that are eligible for reimbursement of eligible APP Fraud claims are consumers, micro-enterprises and charities. More information about our reimbursement rules can be found here.
Here are the key facts you need to know about the APP Fraud Reimbursement Regulations:
- In-scope payments are:
  - payments that have been sent in GBP using FPS or CHAPS;
  - payments that have been authorised by a customer of a PSP to a third party in the UK from 7 October 2024;
  - payments that have been received in a relevant account in the UK that is not controlled by the customer and which account is identified in the customer’s payment order as a result of dishonesty or a fraud perpetrated on the customer; and
  - the payment was authorised by the customer within 13 months of the date they are making a reimbursement claim.
- Time limit to reimbursement: Unless the PSP requires additional information from the customer regarding the reimbursement claim, they must reimburse the customer within 5 business days of receiving the claim. If additional information is needed, PSPs can “stop the clock” but a final decision is still required within 35 working days.
- Time limit to claim: Customers need to make claims no later than 13 months from the date the payment was authorised.
- Maximum level of reimbursement: £85,000. This applies to all customers, including vulnerable customers.
- Liability: The sending PSP must reimburse customers when required, but can recover 50% from the receiving PSP, who must reimburse this amount to the sending PSP within 5 working days of notification.
- Exceptions: Reimbursements don’t need to be made in cases of consumer fraud, gross negligence, breach of caution standards, or legitimate disputes with merchants over goods and services.
- Treatment of vulnerable customers: The consumer standard of caution and claim excess do not apply to vulnerable customers.
- Claim excess (maximum): Sending PSPs can apply a claim excess of up to £100 per claim. Sending PSPs can’t apply claim excess to vulnerable customers.
- Reporting: Under reporting standard A, on 6 January 2025 PSPs were required to send the first report to Pay.UK (the Payment System Operator of Faster Payments) for claims closed in the previous month and from 31 January 2025 PSPs must submit these reports to Pay.UK on a monthly basis. It was announced in April 2025 that further consulting on reporting requirements will take place.
- Contractual terms: PSPs were required to amend their contractual terms by 9 April 2025.
- Record-keeping requirements: PSPs must collect and keep all relevant data and records for at least 5 years.
Common types of APP Fraud
Not only is it important to be clued up on the mandatory reimbursement requirements, it's also essential for PSPs to have a better understanding of the common types of scams - creating a culture of readiness and responsiveness across the business:
- Purchase scams: Requesting an individual to send money in advance for goods or services that do not exist. For example, a car, a puppy, a holiday or event tickets.
- Romance scams: When a criminal uses a fake profile to form a relationship with the victim and uses emotional pressure and/or blackmail to obtain money from the victim.
- Investment scams: There are multiple types of investment scams, including crypto investments and other asset investments, property, pyramid and ponzi schemes.
- Tech support: Fraudsters pose as tech support to infiltrate systems.
- Social Engineering: These scams attempt to prey on people’s good nature and often include some of the methods above with individuals posing as the police, banks, HMRC or card issuers such as VISA.
How to proactively guard against APP fraud
The cost of not assessing the risk of APP Fraud could be highly detrimental to a PSP, both financially and reputationally. The best way for PSPs to protect themselves against APP Fraud is to ensure they have established a Fraud Target Operating Model, along with conducting appropriate customer due diligence via a Fraud Control Checklist.
Fraud Target Operating Model
An effective Fraud Operating Model begins with a vision to align the strategic direction of the company and compliance function, including its financial crime appetite. Cascading down from this vision are three main pillars: processes, people and technology.
The Processes pillar includes all actions taken in financial crime prevention; documented in policy, procedures and desktop manuals. The People pillar includes how the PSP’s resources are structured across all financial crime functions. The Technology pillar is all about the systems, applications, and data that support the compliance function.
Of course, it’s important when selecting a technology vendor to do extensive due diligence. Financial crime and compliance is an increasingly crowded marketplace of providers and not all will deliver what you’re after. It’s important to ask the question, will this technology really solve this problem or just add another process to the tech stack?
Underlying the three pillars is the foundation of governance and management information (MI). Ongoing quality assurance and tailoring is needed to make sure it’s achieving its aims. For a target operating model to be successful it needs to be measured and monitored effectively. This can only happen if clear MI flows from each area of the target operating model to ensure good governance and reporting.
To enable PSPs to test the robustness of their Fraud Target Operating Model, a Fraud Control Checklist can be implemented. Here are the key elements for PSPs to have in place:
1. Establishing a risk owner
As part of the fraud control checklist, assigning a risk owner will create accountability for decision making for PSPs to mitigate and manage the risk of fraud.
2. Gauging your risk appetite
To gauge the company’s risk appetite for fraud, i.e. the type and amount of fraud risk that the PSP is willing to accept in achieving its objective, the risk owner should work with senior management to set an appropriate risk appetite and key risk indicators for fraud.
3. Conducting a risk assessment
A risk assessment will help the PSP to understand the inherent fraud risks to the business.
4. Control mapping
During the risk assessment, the PSP should examine the controls it has mapped to its risks. Taking a layered approach to adopting tools, while exploring the latest technologies available such as biometrics, will deliver the most effective outcome.
5. Monitoring and measuring
Appropriate Governance and MI is key to monitoring fraud risk indicators. For example, does the PSP produce sufficient MI to fulfil its regulatory reporting obligations related to fraud reporting, and can the PSP produce MI on refunds issued and total costs?
6. Assurance and Audit
Conducting regular reviews, testing and audits of the PSP’s fraud controls will help to ensure they are effective.
7. Customer Communication & Education
By adopting a clear, transparent communication approach the PSP can provide support to protect both itself and its users against fraud.
8. Horizon Scanning
Identifying and staying ahead of the latest fraud tactics will enable PSPs to keep informed and tailor their approach to the evolving threat landscape. As part of horizon scanning, the PSP should consider whether a new failure-to-prevent-fraud offence will apply to it.
Delay payments following suspicion of fraud
Another defence mechanism PSPs can use is the ability to delay payments they suspect may be subject to fraud or dishonesty. According to the Payment Services Regulation 2024, if a PSP has reasonable grounds to believe a payment is fraudulent, it can delay payments for up to four business days.
Importance of Sharing Fraud Intelligence
To help PSPs combat fraud, collaboration is key.
Stop Scams UK encourages collaboration between banking, telecoms, and technology to support the creation of anti-fraud solutions and helps prevent payment scams at the source. IFX has recently become a member of Stop Scams UK, being the first specialist Payment Services Provider to join its membership. IFX is also a member of CIFAS, an anti-fraud organisation working to combat the threat.
The evolving fraud regulatory landscape: 2025 and beyond
On 11 March 2025, it was announced that the PSR will be abolished and will become a part of the Financial Conduct Authority (FCA). However, no immediate changes will be made to the PSR’s remit or statutory powers until legislation is passed by Parliament to enact these changes. With the ease and speed of payment transactions, it’s essential that PSPs stay vigilant in relation to the evolving regulatory landscape. As the PSR is consolidated into the FCA, PSPs should keep a close eye on how this will affect payments regulations, including the APP Fraud Reimbursement Regulations.
By focusing on prevention, protection and transparency, while also harnessing the latest technology, PSPs can protect themselves and their customers from the impact of APP Fraud.
Check out this list of further reading and resources to help PSPs stay on top of the evolving threats of APP fraud:
- UK Finance annual fraud report 2024
- FATF report on Illicit Financial Flows from Cyber-enabled Fraud
- EBA and ECB joint report on payment fraud
- Fintrail Fraud Controls Checklist
- Online Safety Act
- APP Fraud legislation
- Stop Scams UK