The Scale of the Problem
Authorised push payment (APP) fraud is the UK's largest category of payment fraud by value. In 2023, UK consumers and businesses lost over £450 million to APP scams — where victims are tricked into authorising payments to accounts controlled by criminals. Unlike unauthorised fraud (where the payment is made without the customer's consent), APP fraud involves the customer voluntarily making the payment, albeit under false pretences.
Common APP scam types include:
- Purchase scams — paying for goods or services that do not exist
- Romance scams — sending money to a fictional romantic interest
- Investment scams — investing in fraudulent schemes promising high returns
- Impersonation scams — making payments after being contacted by someone impersonating a bank, HMRC, the police or a utility company
- Invoice and mandate scams — paying legitimate-looking invoices where the payment details have been altered by fraudsters
The Mandatory Reimbursement Regime
The Payment Systems Regulator (PSR) introduced mandatory APP scam reimbursement on 7 October 2024. The regime applies to payments made through the Faster Payments system and requires:
Reimbursement obligation:
- The sending payment service provider (PSP) must reimburse eligible victims within five business days of the claim
- The maximum reimbursement is £85,000 per claim
- There is no minimum claim threshold — all eligible claims must be reimbursed regardless of value
- Reimbursement must include both the principal amount and any consequential losses up to the cap
Cost sharing:
- The receiving PSP must reimburse 50% of the claim value to the sending PSP
- This cost-sharing mechanism creates incentives for both sending and receiving firms to prevent fraud
Eligibility:
- The victim must be a consumer, micro-enterprise or charity
- The payment must have been made through the Faster Payments system
- The victim must have been deceived into making the payment — genuinely authorised payments for legitimate purposes are not covered
- The claim must be made within 13 months of the final payment
Exceptions: Firms can refuse reimbursement in limited circumstances:
- First-party fraud — where the claimant is complicit in the fraud
- Gross negligence — where the customer has failed to meet the "consumer standard of caution". This includes ignoring specific warnings from the firm about the transaction being a potential scam, failing to report the fraud promptly, or ignoring advice from law enforcement. The threshold for gross negligence is deliberately high — firms cannot use it to routinely deny claims
- Claims outside scope — international payments, payments not through Faster Payments, and payments made before the regime's effective date
FCA Expectations for Fraud Prevention
Beyond the PSR's reimbursement regime, the FCA expects all payment firms to implement robust fraud prevention controls as part of their overall systems and controls obligations. Key expectations include:
Transaction monitoring for fraud indicators:
- Real-time monitoring of outgoing payments for indicators of APP fraud — such as new payee payments, payments significantly larger than the customer's normal pattern, rapid successive payments or payments to accounts flagged for fraud
- Monitoring incoming payments for mule account indicators — such as accounts receiving and rapidly dispersing funds, accounts with a high volume of payments from diverse sources or accounts where the pattern of activity is inconsistent with the account holder's profile
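The following is an added example, not code from the original page or from any firm's monitoring system. It turns the outgoing and incoming indicators listed above into a small rule set run over constructed sample transactions. The thresholds (`LARGE_MULTIPLIER`, `RAPID_WINDOW`, `DISPERSAL_RATIO`, `DIVERSE_SOURCES`) and the counterparty names are assumptions chosen for illustration, not FCA or PSR values; a production system would calibrate them against the firm's own fraud and false-positive data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Illustrative thresholds: assumptions for this example, not FCA or PSR values.
LARGE_MULTIPLIER = 3.0                # "significantly larger than the customer's normal pattern"
RAPID_WINDOW = timedelta(minutes=30)
RAPID_COUNT = 3                       # payments within RAPID_WINDOW, counting the current one
DISPERSAL_WINDOW = timedelta(hours=24)
DISPERSAL_RATIO = 0.9                 # share of an inbound credit that leaves again within the window
DISTINCT_SOURCES = 5                  # distinct payers needed to flag "diverse sources"

@dataclass
class Payment:
    ts: datetime
    counterparty: str                 # placeholder for the other party's account
    amount: float
    direction: str                    # "out" (customer pays) or "in" (customer receives)

def outgoing_indicators(history, payment, flagged_accounts):
    """Return the APP fraud indicators tripped by one outgoing payment.
    history: the customer's earlier payments, oldest first.
    flagged_accounts: counterparties already flagged for fraud (e.g. via industry intelligence)."""
    indicators = []
    prior_out = [p for p in history if p.direction == "out" and p.ts < payment.ts]
    if payment.counterparty not in {p.counterparty for p in prior_out}:
        indicators.append("new_payee")
    if len(prior_out) >= 3:  # need a minimal baseline before judging the "normal pattern"
        amounts = [p.amount for p in prior_out]
        if payment.amount > LARGE_MULTIPLIER * (mean(amounts) + pstdev(amounts)):
            indicators.append("amount_outside_pattern")
    recent = [p for p in prior_out if payment.ts - p.ts <= RAPID_WINDOW]
    if len(recent) + 1 >= RAPID_COUNT:
        indicators.append("rapid_successive")
    if payment.counterparty in flagged_accounts:
        indicators.append("payee_flagged")
    return indicators

def mule_indicators(ledger):
    """Return mule-account indicators for a receiving account's ledger (oldest first)."""
    indicators = []
    inbound = [p for p in ledger if p.direction == "in"]
    outbound = [p for p in ledger if p.direction == "out"]
    if len({p.counterparty for p in inbound}) >= DISTINCT_SOURCES:
        indicators.append("diverse_sources")
    for credit in inbound:  # funds received and then rapidly dispersed again
        dispersed = sum(p.amount for p in outbound
                        if credit.ts <= p.ts <= credit.ts + DISPERSAL_WINDOW)
        if dispersed >= DISPERSAL_RATIO * credit.amount:
            indicators.append("rapid_dispersal")
            break
    return indicators

# Constructed sample data (not real transactions).
T0 = datetime(2024, 11, 1, 9, 0)
HISTORY = [
    Payment(T0, "LANDLORD", 800.0, "out"),
    Payment(T0 + timedelta(days=2), "GROCER", 62.0, "out"),
    Payment(T0 + timedelta(days=5), "GROCER", 48.0, "out"),
    Payment(T0 + timedelta(days=9), "UTILITY", 120.0, "out"),
]
FLAGGED = {"FLAGGED-ACCT-PLACEHOLDER"}

def demo_outgoing():
    """A large first-time payment to a flagged payee, and a burst of small payments."""
    scam_like = Payment(T0 + timedelta(days=10), "FLAGGED-ACCT-PLACEHOLDER", 4900.0, "out")
    t1 = T0 + timedelta(days=12)
    burst_history = HISTORY + [Payment(t1, "GROCER", 40.0, "out"),
                               Payment(t1 + timedelta(minutes=5), "UTILITY", 45.0, "out")]
    burst = Payment(t1 + timedelta(minutes=10), "GROCER", 50.0, "out")
    return {"scam_like": outgoing_indicators(HISTORY, scam_like, FLAGGED),
            "burst": outgoing_indicators(burst_history, burst, FLAGGED)}

def demo_mule():
    """A mule-like ledger (five payers, funds out within hours) beside an ordinary salary account."""
    mule_ledger = [Payment(T0 + timedelta(minutes=30 * i), f"PAYER-{i}", 1000.0, "in") for i in range(5)]
    mule_ledger.append(Payment(T0 + timedelta(hours=4), "ONWARD-ACCT-PLACEHOLDER", 4800.0, "out"))
    salary_ledger = [Payment(T0, "EMPLOYER", 2000.0, "in"),
                     Payment(T0 + timedelta(days=2), "LANDLORD", 800.0, "out")]
    return {"mule": mule_indicators(mule_ledger), "salary": mule_indicators(salary_ledger)}

if __name__ == "__main__":
    print(demo_outgoing())   # scam_like trips new_payee, amount_outside_pattern, payee_flagged
    print(demo_mule())       # mule ledger trips diverse_sources and rapid_dispersal; salary trips nothing
```

The outgoing rules are evaluated per payment in real time, so each indicator can feed a specific customer warning or an "effective friction" step; the mule rules run over an account's recent ledger and would feed the receiving firm's review queue. Each hit is named rather than summed into an opaque score so that the reason for an intervention can be recorded alongside the decision.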
Customer warnings and interventions:
- Providing specific, contextual warnings to customers at the point of making a payment that matches fraud risk indicators — generic warnings are insufficient
- Implementing "effective friction" — deliberate pauses or additional verification steps for higher-risk payments that give customers time to reconsider without unduly disrupting legitimate transactions
- Offering confirmation of payee (CoP) — verifying that the name provided by the customer matches the name on the receiving account
Intelligence sharing:
- Participating in industry intelligence-sharing initiatives (e.g., the Banking Protocol, UK Finance fraud data sharing)
- Reporting fraud trends and patterns to the FCA, PSR and law enforcement
- Sharing information with other PSPs where legally permitted to prevent fraud
Mule account management:
- Implementing controls to detect and prevent accounts being used as mule accounts (accounts used to receive and launder the proceeds of fraud)
- Taking prompt action when mule activity is identified — including freezing the account, recovering funds where possible and reporting to law enforcement
- Conducting enhanced due diligence on accounts displaying mule indicators
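As an added example (not code from the original page, and not the Pay.UK CoP scheme's own matching rules), the block below shows the name-comparison step behind confirmation of payee and how its outcome maps to the friction applied before a payment is released. The honorific list, the `close_match` similarity threshold and the three decision labels are assumptions for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumptions for this example, not the CoP scheme's actual rules.
TITLES = {"mr", "mrs", "ms", "miss", "dr", "prof", "sir"}
CLOSE_MATCH_RATIO = 0.8

def normalise(name):
    """Strip accents, punctuation and honorifics; return lower-case name tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z ]", " ", ascii_name.lower()).split()
    return [t for t in tokens if t not in TITLES]

def cop_outcome(entered, on_account):
    """Classify a Confirmation of Payee check as 'match', 'close_match' or 'no_match'.
    entered: the payee name typed by the customer; on_account: the name held by the receiving PSP."""
    a, b = normalise(entered), normalise(on_account)
    if a == b:
        return "match"
    # An initial ("J") standing in for a forename ("John") is a close match, not a mismatch.
    if len(a) == len(b) and all(
        x == y or (len(x) == 1 and y.startswith(x)) or (len(y) == 1 and x.startswith(y))
        for x, y in zip(a, b)
    ):
        return "close_match"
    ratio = SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    return "close_match" if ratio >= CLOSE_MATCH_RATIO else "no_match"

def payment_decision(outcome):
    """Map the CoP outcome to the friction applied before the payment proceeds."""
    return {
        "match": "proceed",
        "close_match": "show_account_name_and_confirm",
        "no_match": "specific_warning_and_explicit_confirmation",
    }[outcome]

if __name__ == "__main__":
    # Constructed sample names, not real account holders.
    for entered, held in [("DR. Émilie Durand", "Emilie Durand"),
                          ("Mr J Smith", "John Smith"),
                          ("Jon Smith", "John Smith"),
                          ("Jane Doe", "ABC Motors Ltd")]:
        outcome = cop_outcome(entered, held)
        print(f"{entered!r} vs {held!r}: {outcome} -> {payment_decision(outcome)}")
```

The point of the three-way outcome is that a `no_match` is where the specific, contextual warning belongs: the customer should see that the account name differs and be required to confirm explicitly, whereas a `close_match` only needs the held name shown back for confirmation. Logging the outcome with the payment gives the firm the record it needs later to show which warning the customer received.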
Practical Prevention Measures
1. Behavioural analytics: Invest in transaction monitoring systems that use behavioural analytics to identify anomalous payment patterns. Traditional rule-based systems generate excessive false positives; machine learning models can more effectively distinguish between legitimate unusual payments and potential fraud.
2. Confirmation of Payee (CoP): Implement CoP to allow customers to verify the name of the recipient before making a payment. Where the name does not match, provide a clear warning and require the customer to confirm they wish to proceed. CoP is not a silver bullet but significantly reduces impersonation and invoice redirection fraud.
3. Customer education: Proactively educate customers about common scam types and how to protect themselves. Use targeted messaging based on customer demographics and transaction patterns — for example, warning older customers about romance scams or warning business customers about invoice fraud.
4. Staff training: Train front-line staff to recognise the signs of APP fraud when customers are making payments — such as reluctance to explain the purpose of the payment, being coached by a third party during the transaction or displaying signs of distress or confusion.
5. Recovery and response: Establish rapid response procedures for reported APP fraud:
- Contact the receiving PSP immediately to attempt to freeze the funds
- Use the CRM (Contingent Reimbursement Model) processes to coordinate recovery
- Provide the customer with a clear explanation of the investigation process and timeline
- Report to Action Fraud and the NCA where appropriate
The Receiving Firm's Obligations
The mandatory reimbursement regime places significant obligations on receiving PSPs. As a receiving firm, you must:
- Implement controls to detect mule accounts and prevent your accounts being used to receive the proceeds of fraud
- Respond promptly to repatriation requests from sending PSPs when fraud is reported
- Pay your 50% share of reimbursement claims within the prescribed timeline
- Maintain records of fraud-related communications and decisions
Receiving firms that fail to implement adequate mule detection controls face significant financial exposure through the 50% cost-sharing mechanism — and potential FCA enforcement action for inadequate systems and controls.
Governance and Oversight
Board-level accountability: Fraud prevention should be a standing agenda item for the board or risk committee. Senior management should receive regular reports on:
- Fraud volumes and values (both outgoing APP fraud and incoming mule activity)
- Reimbursement claim volumes and outcomes
- The effectiveness of prevention controls (detection rates, intervention rates, recovery rates)
- Emerging fraud trends and threats
SM&CR responsibility: Under SM&CR, a designated SMF holder should be accountable for the firm's fraud prevention framework. This is typically the SMF24 (Chief Operations) or a specifically designated SMF holder, working alongside the SMF17 (MLRO) for financial crime aspects.
Regulatory Outlook
The PSR has indicated it will review the £85,000 reimbursement cap and the broader effectiveness of the regime after its first year of operation. Potential developments include:
- Adjustment of the reimbursement cap based on fraud trends and consumer impact data
- Extension of the regime to other payment systems (currently limited to Faster Payments)
- Enhanced data-sharing frameworks to improve fraud detection across the payment ecosystem
- Greater regulatory focus on receiving firms' mule detection obligations
Firms should prepare for a regulatory environment in which fraud prevention obligations continue to increase and where both sending and receiving firms face growing accountability for fraud outcomes.
Frequently Asked Questions
The maximum reimbursement under the PSR's mandatory regime is £85,000 per claim. This covers both the principal amount lost and any consequential losses up to the cap. Claims above £85,000 may be partially reimbursed up to the cap. There is no minimum claim threshold — all eligible claims must be considered regardless of value.
Yes, but only in limited circumstances: where the claimant is complicit in the fraud (first-party fraud), where the customer has been grossly negligent (failed to meet the consumer standard of caution — such as ignoring specific scam warnings from the firm), or where the claim falls outside the scope of the regime. The gross negligence threshold is deliberately high and cannot be used to routinely deny claims.
Yes. Receiving PSPs must pay 50% of the reimbursement claim to the sending PSP. They must also implement controls to detect and prevent mule accounts, respond promptly to fund recovery requests and maintain adequate records. This cost-sharing mechanism creates direct financial incentives for receiving firms to prevent their accounts being used for fraud.