Authorised Push Payment (APP) fraud has long been a concern in financial services, but how firms must respond to it has now changed significantly.
APP fraud occurs when a customer is tricked into sending money to a scammer. With new mandatory rules now in force, Payment Service Providers (PSPs) – including banks, fintechs, and other payment institutions – must change how they handle fraud losses.
Under the latest requirements from the Payment Systems Regulator (PSR), any firm sending or receiving payments via Faster Payments (FPS) or CHAPS is now legally required to reimburse customers who fall victim to APP fraud, unless the customer has acted with gross negligence.
Our specialist financial services solicitors can help you interpret the new rules, assess your current processes, and implement practical, compliant solutions to ensure your firm is prepared. Get in touch to ensure your business is protected—and ready to meet the new regulatory standards with confidence.
What are the new APP fraud rules?
Previously, reimbursement was governed by the Contingent Reimbursement Model (CRM) Code, a voluntary industry initiative that only some banks and PSPs chose to adopt. Even among those who did, outcomes were inconsistent. Some customers were reimbursed, others weren’t, and there was no legal obligation to ensure fairness across outcomes. Notably, the receiving firms (the banks holding the fraudster’s account) weren’t expected to share any responsibility for the loss.
That’s now changed. Under the Payment Systems Regulator’s Specific Directions 19, 20, and 21, reimbursement is no longer optional. If you are a PSP, you are legally required to reimburse victims, unless the customer has acted with gross negligence – a high bar to meet. The liability is shared 50/50 between the sending and receiving PSPs for the first time.
These new rules apply to all payments made via Faster Payments (FPS) and CHAPS, covering the majority of real-time bank transfers in the UK. The CRM Code has been replaced with a binding and enforceable framework you cannot opt out of.
This marks a major shift in the UK payments landscape. Customers now benefit from much stronger protection, and as a financial institution, you are under clear, enforceable obligations to step up your fraud response efforts or face serious regulatory and financial consequences.
The Consumer Duty and APP fraud
The Financial Conduct Authority’s (FCA) Consumer Duty requires you to act in your customers' best interests and deliver fair outcomes. This now directly applies to how you handle APP fraud cases.
If a customer falls victim to a scam, you must provide clear communication, fair treatment, and a straightforward reimbursement process. Unjustified refusals, poor explanations, or delays could mean you risk breaching the Duty, which could result in the FCA launching an investigation into your firm, imposing fines, requiring redress, or taking public enforcement action.
The FCA will monitor how firms apply the new rules in practice. Your fraud response must comply with both the PSR's requirements and the Duty.
What you need to do now
With the rules now in force, you should review your systems and processes to ensure they are fit for purpose and ready to withstand regulatory scrutiny.
First and foremost, your fraud detection tools must be robust enough to flag suspicious payments before they leave the customer’s account. Real-time monitoring, risk scoring, and behavioural analytics will play a bigger role here, especially for high-value or unusual transactions.
You must also have systems in place to collaborate with other PSPs. Since liability is now shared, whether you are the sending or receiving firm, you will both have a stake in detecting and preventing fraud. That means you may need to work together with others to identify common fraud patterns.
Your frontline staff need to understand the rules and be able to guide customers through the reimbursement process. Staff training should cover the regulatory framework and how to manage these customer conversations with empathy and clarity.
Finally, you should review and update your internal policies and customer communications. Customers need to understand what to expect from you if they report a scam, and you need to have clear and consistent decision-making processes in place to respond quickly and fairly.
The financial implications of the APP fraud reimbursement rules
The financial stakes under the new rules are significantly higher, as your firm is now exposed to reimbursement costs for any eligible APP fraud claim. With liability split 50/50 between sending and receiving PSPs, even if you are a receiving bank, you are on the hook for scams involving fraudulent accounts.
This shift means that preventing fraud before it happens is now the most reliable way to manage your financial risk. The more scams slip through, the more claims your firm may be liable for. And the more inconsistent your firm’s approach is, the higher the risk of customer complaints and regulatory attention.
Beyond direct reimbursement costs, there are also indirect impacts, from the cost of upgrading your systems and training your staff to potential damage to your brand, customer trust, and relationships if you are seen to mishandle fraud cases.
Internal transfers vs external transfers
Not all payments fall under the new rules, as the mandatory reimbursement scheme only applies to payments made to a third party through Faster Payments or CHAPS. These are the typical scenarios where a scammer tricks a customer into transferring money to a fraudulent account.
Internal transfers, such as moving money between a customer’s own accounts within the same bank, aren’t covered.
FCA monitoring and enforcement
The PSR introduced the new rules, but as announced in March 2025, it will be abolished, and its responsibilities are expected to move to the FCA.
In practice, this means the FCA will take full responsibility for APP fraud reimbursement, alongside its existing role of overseeing Consumer Duty compliance. Your firm must be ready to show that it treats customers fairly, handles claims correctly, and prevents fraud where possible.
In short, enforcement is very much on the table, and implementing the new APP fraud reimbursement rules isn’t a one-off compliance task.
Need support?
With enforcement on the rise and financial exposure firmly on your shoulders, compliance is no longer a box-ticking exercise – it’s business-critical.
Our financial services solicitors are here to help firms like yours navigate complex regulatory change confidently and clearly. Whether you need to overhaul internal policies, strengthen fraud detection, or ensure your approach aligns with FCA expectations, contact our experts to discuss how we can help.