Facing into the UK's APP Fraud Reimbursement Requirement

The Payment Systems Regulator (PSR) has hailed the UK's APP Fraud Reimbursement scheme 'groundbreaking' and a 'world-first'.  Many others, however, would choose rather different adjectives to describe the scheme, which came into effect this week.

Aimed at incentivising payment service providers (PSPs) to 'up their fraud detection and prevention game', unless those PSPs are waiting until the new measures are in place to start that work (which seems unlikely), the stats aren't telling a winning story – FOS data released in early September showed that fraud and scam complaints were at their highest ever quarterly level, and over half related to APP fraud.

But, with the PSR having committed to a review of the reimbursement requirement in 12 months' time, it seems we are where we are for the next year at least.

Setting the cynicism aside for a moment - as well as bedding in the new scheme, how can stakeholders make best use of the run-up to October 2025?

Firms

In its September consultation, the PSR acknowledged that some PSPs (including some smaller firms who have not been operating under the voluntary CRM code which the scheme replaces) may have further to go in terms of investing in and operationalising systems and controls for managing fraud risk. There is helpful good practice guidance for those (and all) PSPs on mitigating the risks of APP scams in the FCA's reviews on 'Reducing and preventing financial crime' published in February and (more specifically) 'Anti-fraud controls and complaint handling in firms (with a focus on APP Fraud)' published last November. 

In a 'Dear CEO' letter[1] sent to PSPs on the day the reimbursement scheme came into effect, the FCA made clear that anti-fraud systems and controls remains an area of focus and that it continues to work with PSPs on this.   Be aware: against the backdrop of continued FCA Supervisory and Enforcement focus on financial crime generally, we might expect more Skilled Persons reviews and even enforcement action in this area. 

Government

A bit later than hoped, the secondary legislation permitting PSPs to delay processing a payment transaction by up to 4 business days where they have reasonable grounds to suspect fraud or dishonesty has now been made.  It will come into effect on 30 October 2024.  This statutory instrument is critical to the fight against fraud in the payments ecosystem; the FCA's related finalised guidance is awaited.   

Consumer education and awareness are key.  More effort must be made to share real life examples of fraud – in particular given the ever-increasing sophistication of fraud and fraudsters.

And the Government simply must be open minded to assessing whether other models, including those being introduced elsewhere in the world and which include greater shared liability.  These may prove to be more successful in reducing both the overall prevalence of APP fraud and the damage this pernicious type of fraud does consumers – this is, after all, the ultimate aim.

As the PSR has said: We also consider that the wider ecosystem has an important role to play. To curb the devastating impact of APP scams and make better inroads to prevent them happening in the first place, more action from a broader set of private sector industries could support the ecosystem response to tackle APP scams.

FOS

We strongly encourage FOS engagement with firms and industry bodies – the stakes are high with the PSR saying that a customer could potentially be awarded £945k redress following a successful FOS complaint (comprising an award of £85k against the sending PSP for failure to reimburse under the scheme, plus the FOS award limit of  up to £430k for any unrecovered loss if the sending PSP is found to be at fault, plus up to £430k from the receiving PSP if it is at fault). 

FOS recently reported (not for the first time) that its uphold rates for the last quarter were higher in respect of scams that fall under the current voluntary CRM code, than those to which the voluntary code is not applicable.  All PSPs of course are now subject to same regime – but what is the expected standard in practice?  FOS's fair and reasonable assessment must surely incorporate a degree of customer responsibility? Not least when taking into account that, since the Supreme Court decision in Philipp v Barclay, a court would not ordinarily entertain this sort of claim at all. 

PSR and FCA

The regulators must monitor and analyse the data coming out of the scheme and from the FOS and other relevant sources carefully.  Clearly that includes the volume and value of APP fraud in the next 12 months, but other key aspects of the scheme must also be tested, including:

• the appropriateness of the current maximum and excess levels;
• the feasibility of the short time limits afforded to PSPs to assess claims; and, more generally
• any indication of a decrease in customer caution/increase in moral hazard.

In short, it feels rather too early to be congratulating ourselves on having a 'groundbreaking' scheme – only time will tell whether it's a successful one and, meantime, it is incumbent on all stakeholders to do their bit to reduce the levels of APP fraud, within and out with the parameters of the reimbursement scheme.