An Authorised Push Payment (APP) scam happens when you unwittingly transfer funds from your bank account to that of a fraudster. You believe that the transaction, individual and or the company is genuine. However, it is not what it seems – and a fraudster is sitting behind it. Such scams usually start through seeing something online, via an email or via a text. Fraudsters are very sophisticated and draw in their victims using “social engineering” using both psychological and emotional manipulation.

Usually this happens via the Faster Payments System (FPS), i.e. online banking. However, large payments made under the Bank of England’s CHAPS system are also within the scope of the protections, for example when buying a house. Conversely, card payment transactions are outside the scope and have their own in-built protections (though at a cost).

APP Scams are a significant and growing problem – one that can cause both significant financial losses, as well as serious emotional harm to the victim. According to the UK Finance Annual Fraud report 2024 (see Section 6, page 42), APP Scams losses in 2023 amounted to £460m (down 5% since 2022) and reached 232,000 cases (up 12%). Although some types of fraud have shown a decrease, there have been increases in purchase, romance and investment scams.

Purchase scams are high volume, low value scams – typically arising from online purchases of goods on sites such as eBay. Bargain prices may seem “too good to be true” but the goods don’t materialise after purchase. They account for more than 50% of scams by number.

Romance scams happen when you meet someone online and develop a relationship with them. Having gained your trust, they then find a pretext to persuade you to transfer money to them.

Investment scams are high value, low volume (the opposite of purchase scams). They have grown in importance and sophistication, in recent years – in particular, involving cryptocurrencies. Investors find (or are approached with) opportunities online, offering attractive returns. However, in reality, they are simply transferring their funds to a fraudster.

Clearly, fraud on this scale represents an organised business (even if carried out by criminals). As payment firms seek to detect and prevent frauds, fraudsters are very quick to adapt their ‘business models’. Fraudsters are becoming increasingly sophisticated and are exploiting customers’ weaknesses. They develop elaborate methods, sometimes involving a chain of multiple steps/ transfers of funds and taking control of a customer’s account (with their approval), to side-step protections.

Fraudsters may also increase the pressure upon victims – by introducing a time-critical factor. Such urgency is a key factor relevant to the plan to slow payments (see more below).

A key feature is gaining the trust of the victim (often via social engineering) – the so-called ‘falling under the spell’ of the fraudster. This is done by finding an emotional/psychological vulnerability of the consumer. However, we are all potentially vulnerable to this – even the “smartest” amongst us – because we all have a weakness somewhere. And such vulnerability may only be temporary – for example during periods of stress during our lives – such as during grief, relationship break-ups and loss of employment.

Clearly, those who are vulnerable in the traditional sense – including the elderly, are particularly susceptible to such manipulation

This is why we all need protection.

Reimbursement and the limits 

• The Payment Systems Regulator (PSR) went live with this protection for consumers on 7th October.
• Victims will be reimbursed for the value of the scam, up to £85k. And within 5 days.
• Only applies to consumers (and small businesses/ charities).
• Does not apply where the claimant is part of the fraud. Nor in cases of gross negligence (this is deliberately narrow – for example, where a customer has exercised no caution and handed over their passwords).
• The loss is shared 50:50 between the sending bank (the customers’ bank) and the receiving bank (where the fraudster holds an account).
• Operationally, this has resulted in significantly enhanced co-ordination being introduced between the sending and receiving payment firms. To support the reimbursement happening and improved reporting of fraud.

Aligning incentives:

Regulation is about aligning the incentives for firms, with the interests of consumers (where that is not already the case).

In an era of free current account banking, banks operate payments as a service to customers but receive no income from them directly. Their incentive is to process the payment at minimum cost. By introducing a reimbursement requirement, banks bear the cost of ‘failure’ through fraud – and should be incentivised to invest more in innovating new forms of fraud prevention.
Why are receiving firms being asked to contribute

“It takes two to tango”.

Any payment involves two parties – a sender and a receiver. Fraudsters need to find a “home”, to receive their funds (even if only temporarily – for a matter of minutes or days, before transferring them abroad, through a series of foreign accounts – so that they are almost untraceable/ unrecoverable).

To do this, fraudsters can masquerade as legitimate customers, to open accounts with receiving firms and hide within their customer base.
By bearing 50% of the cost, receiving firms will be incentivised to improve their account take-on procedures, so as to identify and reject such suspicious parties.

Why has the limit been reduced from £415k to £85k?

Initially, the PSR proposed a higher, upper limit of £415k. This was because of the existence of a few, very high value scams. For example, victims have been persuaded, unknowingly, to part with their life savings – perhaps through re-mortgaging their house or handing over their pension pot.

Though small in number, these scams can have a devastating impact upon the individual/ families involved – both financially and emotionally. The ability of larger retail banks to withstand such shocks is much greater than that of the individual concerned.

However, following consultation in September 2024, the PSR has subsequently reduced the limit to £85k . This means that although the vast majority of transactions will be covered, a few very high-value ones will be unprotected.

The limit was reduced from £415k to £85k, following prudential concerns raised by smaller payment firms. Receiving payment firms must share 50% of the loss with the sending bank. Therefore, this could expose a small payment firm to reimbursing £208k for an individual claim, which could impact on solvency.
The lower limit is consistent with the limit on bank deposit protection for consumers, under the Financial Services Compensation Scheme (FSCS). The PSR has committed to review its effectiveness after 12 months.

A lower limit may, however, have an advantage – in that it could encourage customers to take more care, when engaging in transactions – particularly high-value ones.

What are the pros and cons of this measure?

The advantages of this requirement are:

• individuals will be compensated for their loss, and promptly
• payment firms will be incentivised to stop fraud
• better co-ordination, communication and reporting between payment firms.

The disadvantages are:

• a risk that consumers take less care, when entering into such transactions
• the cost of such frauds increases the costs of retail banking and may effectively be shared with all other customers (through higher account charges)
• organised crime becomes effectively financed by banks.

Is this enough? What wider action could be taken to combat such frauds?

Banks are in the “front-line” regarding the execution of the payments related to these transactions/ frauds. However, many of these frauds originate on online platforms and via mobile phones or broadband providers. There is an argument that Big Tech and communication providers are in a much better position to spot and prevent such frauds from happening, in the first place. Indeed, with AI and multiple data points about the consumer, they may be able to develop sophisticated tools to combat such frauds. (See for example, Section 7, page 43 of the UK Finance report UK Finance report above).

A positive sign of such developments has recently come from Meta (owners of Facebook, WhatsApp and other social media). On 2nd. October 2024, they announced the expansion of their Fraud Intelligence Reciprocal Exchange (FIRE) pilot (which involved two UK banks - NatWest and Metro). This allows banks to share intelligence with Meta, to help in identifying and closing down fraudsters’ profiles with Meta.

Co-ordination is key to combatting fraud. The criminals are agile and adaptable, swiftly switching their attacks from one platform or method to another, as loopholes are closed. Frauds often span multiple organisations. Firms, law enforcement and the government need to be able to co-ordinate activities and share intelligence, in real-time, to combat this crime effectively.
The PSR’s reimbursement regime has generated an additional benefit of greater co-ordination and communication between the payment firms involved in a transaction. This is supported by the work of organisations such as Pay.UK, who are responsible for operating the Faster Payments System and the reimbursement scheme above.