Authorised Push Payment (APP) Fraud is an industry term used when a customer authorises a payment to a fraudster, either online or via mobile. Typically, the fraudster has targeted the customer by posing either as a vendor, service provider or a member of payments firm staff, tricking them into misdirecting a payment to the fraudster’s account.

Fraudsters use psychological manipulation or deception to cause confusion or build trust quickly, convincing the customer to make a payment before they recognise that they are being misled. The impact is significant both in terms of the psychological toll on customers and also financially. UK Finance statistics from 14 of the UK’s largest banking groups show they lost nearly half a billion pounds in 2022 from APP Fraud, accounting for roughly 40% of total fraud losses.

The PSR has set out a number of new requirements, clarifying the liability for customer reimbursement and how it should be handled. From 7th October 2024, the new requirements include:

• Mandatory reimbursement of APP fraud losses to customers within five working days
• Cost of reimbursement to be split 50:50 between sending and receiving firms
• Scope includes both Faster Payments and retail CHAPS payments
• No minimum value for reimbursement, whilst the maximum is set at £415,000
• Additional protections for vulnerable customers
  

The maximum value applied will cover 98% of APP cases, and while there are scenarios in which reimbursement would not be required, the PSR guidance makes it clear that these will be rare. This means payments firms will need to plan on the basis that the vast majority of APP Fraud losses will be reimbursed, with sending and receiving firms sharing liability. Firms will need to set aside funds for reimbursement based on their historic APP fraud losses and market trends.

In terms of a process, the sending firm is obliged to reimburse the customer in full, but they can claim 50% back from the receiving firm.

The five working day time limit for reimbursement will present a challenge when it comes to processing claims, with potential impacts across the operating model. The sending firm will need to identify the payment in question, confirm it meets the scope set out by the PSR, match it with the receiving firm, confirm funds and send payment in a relatively short timescale. Most banks already have teams who are doing elements of this, but rarely all of it. New technology may need to be introduced, as well as new processes, procedures, governance and sign-off points, which potentially represent an even larger challenge than a technology change.

For receiving firms, the problem is that inbound payment information is normally sparse and not set up as a key control point, because most fraud prevention and detection efforts have concentrated on outbound payments. Going forward, firms will need to increase their focus on payments received, creating a challenge around how to analyse, detect and prevent inbound fraud. Software vendors are already addressing this challenge, with multiple offerings available. However, where payments firms choose this route, full consideration should be given to the resource, integration and governance efforts needed to introduce the new technology. Given the long-term capacity planning of payments firm technology teams, and the short-term nature of the PSR deadline, this could present a significant capacity challenge.

It should also be noted that any change programme performed in a regulatory context brings additional considerations of transparency and communication with the regulator. Firms can expect that the PSR will need some sort of validation that they have implemented the changes correctly before the October deadline.

The longer term expectation is that detection and preventative technology solutions will continue to mature, with fraud modelling through machine learning becoming increasingly effective. However, given the growing sophistication of fraudsters and their use of democratised generative-AI to support attacks, it is difficult to predict the short to medium term result of this arms race. Finance and business teams will need to stay engaged and educated about the threats and PSR requirements to ensure that their organisation is able to keep up with new developments.

The PSR’s new APP Fraud requirements are a positive move to protect customers from a dangerous and rising fraud trend. However, implementing these changes will present significant challenges for most sending and receiving firms. Technology solutions will undoubtedly form part of the response, particularly for inbound payments, but the challenge of integrating a solution must not be underestimated or forgotten during a vendor selection process. Integrating any new solution may prove ineffective or even counterproductive without careful analysis of the impact on the wider operating model, and a realistic plan for delivery within the regulatory timeframe. Both sending and receiving firms should be working now to rapidly identify their goals, their approach, and who is best placed to help them deliver effective, lasting change.