
Six Months of the UK’s APP Scam Reimbursement: Lessons for Banks

June 16, 2025

It’s been six months since the UK’s new reimbursement rules came into effect.

The move was a bold one, and it has drawn attention from financial institutions and regulators around the world. So, what has the APP fraud liability shift meant for banks and consumers so far? Let’s take a closer look at the good, the bad, and everything in between.

The UK’s new reimbursement rules came into force on 7 October 2024. Introduced by the Payment Systems Regulator (PSR), the aim was clear: to provide stronger protections for victims of APP scams, offering a level of consumer safeguarding that, in the PSR’s words, “no other country had done before.” 

What does this mean in practice? In short: victims of APP fraud are now entitled to reimbursement of up to £85,000. Once a scam is reported, the customer’s payment service provider (PSP) must issue the refund within five business days, or within 35 days if more time is needed for investigation. PSPs may also deduct a £100 excess, though this cannot be imposed on vulnerable customers. 

The cost of reimbursement is shared equally between the sending and receiving firms, and the rules apply to all payments made via Faster Payments or CHAPS between UK bank accounts, ensuring broad coverage across the most commonly used rails.


Early Signals from the PSR 

The PSR recently published an early assessment based on data from the first three months of the policy, covering the period up to the end of 2024. According to the regulator, the new rules are already making a difference: “the policy is having an impact and we’re seeing positive results. A high proportion of APP scam victims are being reimbursed consistently across a larger number of PSPs.” 

In practical terms, the PSR has shared the following data: 

  • High reimbursement rate in early months: During the first three months of the policy, 86% of money lost to APP scams was returned to victims—amounting to approximately £27 million. 
  • More firms are reimbursing victims than ever before: Under the previous voluntary Contingent Reimbursement Model Code, only 10 payment firms and banks had committed to reimburse scam victims. Now, the rules apply to all PSPs, giving every customer the same right to reimbursement—regardless of who they bank with. 
  • Most claims are resolved quickly: 84% were closed within five business days, showing strong collaboration between sending and receiving firms. 
  • Stronger collaboration between firms: In 86% of cases, the sending firm reports the claim to the receiving firm within two business hours of the customer raising it—showing that the new rules are encouraging faster, more effective communication around fraud. 
  • No surge in claims so far: Despite concerns that generous reimbursement rules might trigger a spike in (potentially illegitimate) claims, early data shows the opposite—consumer claim volumes were actually lower than during the same period in 2023.
  • No sharp drop in consumer vigilance: While some feared the new rules would make consumers less cautious, only 2% of claims have been rejected for failing to meet the required standard of caution. 

Liability Alone Won’t Solve Fraud 

From the PSR’s perspective, the early rollout of the policy has been largely successful—many of the initial concerns haven’t materialized, and several intended benefits are already visible. But the UK’s fraud liability landscape is still far from perfect. 

The first issue lies in how the rules shift liability from consumers to banks, and banks alone. While this approach is certainly preferable to placing the burden solely on victims, it oversimplifies the reality of today’s fraud landscape, which often involves multiple actors and complex social engineering tactics. 

The reality is that APP scams don’t originate within the banking system. Banks are often the last line of defense, not the first. According to 2024 data from UK Finance, 72% of scams begin online, primarily on social media platforms and search engines, while 16% originate via telecom channels. 

Some industry voices have called on the UK government to broaden its approach to tackling APP fraud, arguing that telecom providers and social media platforms should also be held accountable, not just banks. 

Mark Garnier, the UK’s Shadow Economic Secretary to the Treasury, has argued that new legislation is needed to make social media and tech companies more accountable in terms of responsibility and financial contribution to fraud prevention efforts. 

Many Scams Remain Outside the Scope 

While the PSR’s reimbursement rules are unmatched globally and have been welcomed by consumer organizations, they are far from a complete solution to victim protection. 

First, around one third of APP fraud cases involve losses of £100 or less, meaning many victims could still lose money due to the optional £100 excess fee applied when settling claims. 

Second, many types of scams still fall outside the scope of the reimbursement rules, leaving some victims unprotected. 

The PSR’s APP fraud reimbursement rules are designed to cover authorized transfers between UK bank accounts via Faster Payments or CHAPS. This means that many common scam tactics, such as those involving transfers through cryptocurrency wallets, fall outside the scope of these protections. According to the Financial Times, such cases are not even counted in UK Finance’s APP fraud data.  

Additionally, when funds are sent to foreign accounts (a scenario common in romance scams and other fraud types) victims may not be eligible for reimbursement under the current framework. 

The Financial Times also reports that, in some investment scam cases, banks have argued the situation amounts to a civil dispute, framing it as a poor investment choice rather than APP fraud.

Slow Start for the Reimbursement Platform 

There have also been setbacks in fully implementing the policy—most notably, the slow adoption of the Fraud Reimbursement Platform. Launched in October 2024 and operated by Pay.UK on behalf of the PSR, the platform had onboarded just 558 firms by February, well below its target of 1,500. According to Bloomberg, only 10 claims had been processed through the system during that period. 

The PSR had planned to launch a consultation in April 2025 on making the use of the Reimbursement Claims Management System (RCMS) mandatory, aiming to improve how banks manage and report APP scam claims. However, the consultation has been delayed by three to six months. This pause allows the PSR to align its efforts with the government’s National Payments Vision (NPV)—a broader initiative involving regulators and Pay.UK to modernize the UK’s payment infrastructure—and to take stakeholder feedback into account. 

Gaps in Protection for Businesses 

The recent Santander v. CCP Graduate School case highlights a critical blind spot in the UK’s APP fraud reimbursement regime: businesses remain vulnerable. While the Payment Systems Regulator’s rules now guarantee reimbursement for individuals, charities, and microbusinesses, larger businesses are not protected. In this case, the court ruled that the receiving bank owed no duty to the victim who was not its customer—a stark reminder that beyond the regulatory safety net, legal options are limited. As scams targeting businesses continue to rise, this gap exposes them to significant financial risk. 

What’s Next for the PSR? 

In March, the UK government announced that the PSR will be abolished, with its responsibilities transferred to the Financial Conduct Authority (FCA). The stated rationale is to simplify the regulatory landscape by providing firms with a single point of contact. While the full impact of this decision remains to be seen, there’s hope that a more streamlined approach to regulation could benefit the industry. 

Liability Matters, But It’s Not Enough 

The UK’s experience highlights an important truth: regulation around liability plays a vital role in protecting people’s life savings and motivating financial institutions to prioritize prevention. But in today’s complex fraud landscape, regulation alone isn’t enough. Fighting fraud effectively requires a collective effort across the entire ecosystem. 

That’s why banks can’t afford to be passive or wait for regulators to address other parts of the ecosystem. They need to take a proactive stance in protecting their customers and safeguarding their own assets. After all, shifting liability doesn’t stop fraud from happening. Only smarter, more advanced detection does. 

A siloed approach, whether in legislation or within individual banks, simply won’t work. Fraud is a complex, interconnected problem that demands a coordinated, holistic response. Because at the end of the day, the real adversaries aren’t regulators or competitors. They’re the fraudsters.  

Building a Fraud Disruption Ecosystem 

To fight fraud effectively, banks need to keep their focus on the fraudsters and invest in solutions that address fraud holistically, across every stage of the attack. That’s exactly what ThreatMark’s Fraud Disruption Ecosystem offers: a strategic, end-to-end framework that goes beyond simple detection to actively disrupt the fraud lifecycle from start to finish. 

1. Active Threat Detection 

ThreatMark’s Cyber Fraud Fusion Center actively identifies and dismantles phishing and smishing infrastructure that impersonates banks—before customers ever interact with it. This proactive approach protects not only end users, but also the bank’s brand, reputation, and trust. 

2. Empowering Customers 

Today’s fraud often targets the customer directly, so banks must keep users informed, alert, and involved. ThreatMark’s ScamFlag empowers consumers with real-time, omnichannel scam detection directly within the banking app. It analyzes images, such as photos and screenshots, from SMS, WhatsApp, email, or web to instantly flag phishing attempts, fake payment requests, and other deceptive content before the damage is done.

3. Detecting Fraud Before It Happens 

When even vigilant customers fall for increasingly sophisticated scams and APP fraud, banks need technology that spots fraud before money leaves the account. ThreatMark’s Behavioral Intelligence Platform is the world’s first full-stack fraud prevention solution built entirely on behavioral intelligence, and it monitors how users interact with digital banking in real time. It confirms identity and detects subtle anomalies that signal fraud, enabling instant intervention with unmatched accuracy and speed.

Fraud has long been underestimated and under-resourced. As the Financial Times points out, fraud now accounts for over 40% of all recorded crime in England and Wales, yet receives just 1% of police resources. It’s no wonder some argue that fraud has been tolerated for too long on too many fronts.  

But the tide is turning. With smarter regulation, more accountability across the ecosystem, and powerful, real-time tools like those offered by ThreatMark, banks can take back control. ThreatMark brings value not only by reducing the costs associated with reimbursement, but also by helping institutions disrupt fraud at every stage and protect their customers more effectively. Because stopping fraud isn’t just about shifting liability; it’s about outsmarting the threat before it strikes. 
