What has changed?
The Authorised Push Payment (APP) fraud reimbursement rules took effect on 7 October 2024 and introduced significant changes to how victims of APP fraud are protected and reimbursed in the UK.
As noted by the UK specialist payments law firm Osborne Clarke:
“In 2023, APP fraud losses in the UK alone amounted to £459.7 million across almost a quarter of a million cases. Just over 60% of this amount was reimbursed to the victim under the current voluntary Contingent Reimbursement Model Code, to which 10 financial institutions have signed up.”
These new regulations and rules, mandated by the Payment Systems Regulator (PSR), aim to enhance consumer protection and incentivise payment service providers (PSPs) to improve fraud prevention measures.
What is APP fraud / an APP scam?
APP fraud occurs when a fraudster tricks a victim into authorising a payment from their own payment account to the fraudster’s account. This is usually done by social engineering tactics, such as where the fraudster impersonates a trusted entity like a bank, a government agency, or a family member, and convinces the victim to make the payment. The emergence of sophisticated AI only increases the risk of such fraud.
The PSR provides the following examples:
“There are various types of APP scams which are either:
- ‘malicious payee’, for example, tricking someone into purchasing goods which don’t exist or are never received.
- ‘malicious redirection’, for example a fraudster impersonating bank staff to get someone to transfer funds out of their bank account and into that of a fraudster.”
Note: The PSR sometimes reference ‘APP fraud’ and sometimes ‘APP scams’. They are synonymous terms.
How are the new rules implemented?
The new rules are implemented primarily through various regulatory instruments, including PSR Directions to Pay.UK (as the operator of Faster Payments and the standards body for the UK’s retail interbank payment systems) and to PSPs, although there is also a range of statutory instruments that require consequential amendments to be made. The PSR’s powers to make rules are derived from the Financial Services (Banking Reform) Act 2013, and it was required to bring in mandatory reimbursement rules by the Financial Services and Markets Act 2023.
Specific Direction 20 contains the overriding Faster Payments APP reimbursement requirement and directs in-scope PSPs to comply with the reimbursement rules.
The PSR also issues a range of guidance on the rules. In addition, the FCA has issued a “Dear CEO” letter explaining the changes and their expectations pending forthcoming changes to the Payment Services and Electronic Money Approach Document following the recent FCA consultation on the same.
What are the Key Aspects of the APP Fraud Reimbursement Rules?
Territoriality
The rules apply to ‘Affected PSPs’, being PSPs that provide UK payment accounts, i.e. operate from the UK. See more about this issue below. Interestingly, it has been suggested that much of the serious APP fraud is international, so these attempts to protect UK consumers may have limited success.
Mandatory Reimbursement
Under the new rules, the Policy Statement by the PSR makes clear that PSPs will be required to reimburse victims of APP fraud for eligible payments made through the Faster Payments Scheme and also the higher value CHAPS system. Reimbursement must occur within five business days of any claim, subject to certain exceptions.
Consumers have up to 13 months from a fraud-related payment to make a claim, but making a claim promptly is advisable.
Reimbursement Limits and Exceptions
- Maximum reimbursement: £85,000 per single APP fraud case (originally it was intended to be £415,000)
- Claim excess: Sending PSPs may choose to apply an excess of up to £100 other than for “vulnerable customers”.
- Exceptions: Reimbursement may be denied if the customer acted fraudulently or with gross negligence
What is the situation for a consumer that acts with gross negligence?
The PSR has issued early guidance on what they call the Consumer Standard of Caution Exception Guidance.
Note that the gross negligence exception to PSP liability does not necessarily apply to vulnerable consumers who are exempted from the Standard of Caution requirement.
The PSR has described gross negligence as a “very high bar which will critically depend on the individual circumstances of each case”.
The threshold for establishing gross negligence is higher than that for negligence under common law. It requires the consumer to have shown a ‘significant degree of carelessness’ in relation to the four key requirements outlined in the Guidance. The burden of proof to demonstrate this level of negligence falls exclusively on the PSPs.
Summary of the Standard of Caution Exception Guidance:
- PSPs must demonstrate that a consumer has not met one or more of the four requirements (having regard to interventions, prompt reporting, information sharing, police reporting) due to gross negligence.
- PSPs cannot shift the burden of proof onto the consumer or introduce terms that alter the requirements.
- Each claim will be assessed individually, considering factors like the nature of the intervention, the complexity of the fraud, and the consumer’s claims history.
- Repeated APP frauds may indicate vulnerability, which should not be mistaken for gross negligence.
- PSPs should not use information requests to deter claims or make speculative requests.
- The following does not automatically constitute gross negligence:
  - Reluctance to respond to information requests due to emotional or psychological complexities
  - Refusal to consent to police reporting
What is the meaning of a ‘vulnerable customer’?
The term ‘vulnerable’ is used across a range of regulatory obligations, including the wider new Consumer Duty obligations:
“A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.”
Under the Consumer Duty, firms also have a wider obligation to act to deliver good outcomes for all customers, including those with characteristics of vulnerability.
There is potentially some confusion as to how the vulnerable consumer exception to the Consumer Standard of Caution will be interpreted and applied.
For example, the current Contingent Reimbursement Model (CRM) voluntary Code links the vulnerability to the specific fraud committed against them (and to the extent of the same):
“A Customer is vulnerable to APP scams if it would not be reasonable to expect that Customer to have protected themselves, at the time of becoming victim of an APP scam, against that particular APP scam, to the extent of the impact they suffered.”
Under Specific Requirement 1 (July 2024) to Pay.UK (as the Faster Payments rules operator), the requirement for a link between the fraud and a vulnerability to that particular type of fraud is, perhaps, less clear or direct:
“This exception [the Consumer Standard of Caution exception] does not apply if the victim was a vulnerable consumer when they made a FPS APP scam payment and this had a material impact on their ability to protect themselves from the scam.”
Shared Liability
A key feature of the new rules is the shared liability between sending and receiving PSPs:
- The costs of reimbursement will be split 50:50 between the sending PSP (victim’s account provider) and the receiving PSP (fraudster’s account provider)
- If claimed by the sending PSP, a receiving PSP must send 50% of the cost of a reimbursement claim to the sending PSP, within a deadline to be set by Pay.UK.
- Subject to the claim excess and maximum level of reimbursement, 50% of any retrieved funds that are stolen in an APP fraud but then recovered must be returned to the sending PSP by the receiving PSP.
Ombudsman Awards
Interestingly, it appears that consumers who are subject to APP fraud will still be able to complain to the Financial Ombudsman Scheme (FOS) and receive awards of up to £430,000 from it, and it is likely that the full cost will fall on the sending firm.
Reporting Issues
- Affected PSPs had to register with Pay.UK in August 2024 to use the PSP reimbursement scheme.
- Sending PSPs must submit the first report under reporting standard A by 6 January 2025.
- Subsequent reports must be submitted monthly and cover claims closed in the previous calendar month.
- In-scope PSPs must amend the terms and conditions of their relevant contracts to provide for reimbursement as required by the Faster Payments requirement at the earliest practicable opportunity, and in any event no later than 09 April 2025.
Territorial Scope – Impact on Non-UK PSPs
While the rules primarily target UK-based PSPs, non-UK PSPs involved in Faster Payments or CHAPS transactions may also be affected.
One of the biggest issues we have seen is the level of confusion as to the applicability of the rules to non-UK PSPs. This has also led some UK PSPs to request that non-UK PSPs register and comply with the rules.
As detailed below, only non-UK PSPs operating within the UK (e.g. through a regulated local branch) currently need to comply with the new APP scam reimbursement rules (Affected PSPs).
The rules require that a non-UK PSP must be undertaking operational activities within the UK (i.e. holding funds in UK-based payment accounts that are offered to consumers and executing authorised transactions from the UK), and not merely that it offers accounts that have UK sort codes (as, for example, Gibraltar PSPs do) or uses a UK virtual IBAN (which is currently often provided by UK PSPs to non-UK PSPs and not always directly from the UK-based PSP to UK consumers).
The advice received by the Gibraltar E-Money Association (and various other bodies in Gibraltar) is that it is clear Gibraltar PSPs and accounts provided by them from Gibraltar are currently out of scope. The same logic applies to PSPs in the US, Isle of Man and elsewhere which are overseas (not least due to the definition of “UK”) irrespective of whether transactions route through the UK or via accounts with UK sort codes or identifiers.
The PSR has stated:
“The Policy applies to PSPs which participate in the Faster Payments Scheme (FPS) and which provide an account in the UK to their payment service users that can send or receive Faster Payments, (which we refer to in SD20 as ‘Relevant account’).”
A more detailed review of the latest Policy statement, as well as of Specific Directions 19 and 20 and Specific Requirement 1, is most relevant here. For example:
- The latest draft of Specific Direction 19 defines an “FPS APP scam payment” as follows:
“means an APP, authorised by a victim as part of an APP scam, that has all the following features:
- It is executed through the Faster Payments Scheme.
- It is authorised by a PSP’s consumer.
- It is executed by that PSP in the UK.
- The payment is received in a relevant account in the UK that is not controlled by the consumer.
- The payment is not to the recipient the consumer intended or is not for the purpose the consumer intended.”
- Specific Direction 20 provides:
“Directed PSP means a PSP participating in the Faster Payments Scheme to which this specific direction applies.
…This specific direction applies to all PSPs participating in the Faster Payments Scheme that provide relevant accounts.
…For the purposes of this specific direction, a directed PSP is capable of being a sending PSP if it:
- Provides a relevant account for a consumer
- From which it is or will be possible for an FPS APP scam payment to be made
…Relevant account means an account that is provided to a service user, is held in the UK and can send or receive payments using the Faster Payments Scheme, but excludes accounts provided by credit unions, municipal banks and national savings banks.”
However, we expect that the PSR may change the rules and guidance at some point to bring into scope those situations where UK consumers are sending or receiving payments to a UK payment account address (including virtual IBAN and UK sort code) irrespective of the location of the underlying PSP which is responsible for providing the relevant sending or receiving payment accounts to the consumer.
Conclusion
In conclusion, these new rules represent a significant shift in the UK’s approach to APP fraud, placing greater responsibility on PSPs to protect consumers and share the financial burden of fraud. This is already leading to wider industry collaboration to reduce fraud (e.g., see the Meta partnership with UK banks under the Fraud Intelligence Reciprocal Exchange (Fire) initiative).
Non-UK PSPs involved in the relevant UK payment systems should carefully review these regulations and consider whether they are Affected PSPs due to having a UK presence and offering accounts from the UK.
The impact of international APP scams/fraud will need to be carefully monitored to ensure that this does not inadvertently increase incidents of international fraud for UK consumers.