
Merchant survey 2025: Navigating the payment innovation divide
A 2025 survey of UK retailers reveals how payment challenges and innovation priorities are shaping merchant strategies across the sector.
16 June 2025
by Payments Intelligence
What is this article about?
The early impact of the UK’s mandatory reimbursement policy for authorised push payment (APP) scam victims, implemented in October 2024.
Why is it important?
It assesses whether the new policy is effectively protecting consumers and reducing fraud, while also highlighting ongoing challenges and debates about a broader, cross-sector approach to tackling APP fraud.
What’s next?
An independent review of the policy’s effectiveness is scheduled for October 2025, which will critically assess its impact, including the liability cap, success in reducing fraud, impact on competition, and operational shortcomings.
Authorised push payment (APP) scams remain one of the most devastating forms of financial fraud affecting UK consumers. These scams, where victims are deceived into sending money to accounts controlled by fraudsters, resulted in losses of £450.7 million in 2024, representing a two per cent decrease from the previous year. After years of inconsistent protections across the financial sector, the Payment Systems Regulator (PSR) implemented a mandatory reimbursement requirement for APP scam victims on 7 October 2024.
The PSR describes the policy as providing “world-leading protections” for consumers, but industry voices question whether reimbursement alone tackles the root causes of these sophisticated scams. At the six-month mark, the industry is closely monitoring emerging outcomes and debating whether implementation requires a more comprehensive, ecosystem-wide strategy. It also looks ahead to the independent review scheduled for October 2025, which will provide a crucial assessment of the policy’s effectiveness in both protecting consumers and actually reducing fraud.
Prior to October 2024, consumer protection against Authorised Push Payment (APP) fraud was highly inconsistent across UK financial institutions. Under the voluntary Contingent Reimbursement Model (CRM) Code, only a limited number of firms committed to reimbursing victims, and the rates varied sharply—TSB reimbursed 91% of APP fraud losses in 2022, while AIB Group reimbursed just 10%, according to PSR data. This disparity created a postcode lottery for victims, depending largely on where they banked.
The PSR’s mandatory reimbursement requirement was introduced to rectify this inconsistency, mandating a standardised framework for compensation across all payment service providers (PSPs). However, critics argue that merely redistributing liability within the financial sector fails to address the wider fraud ecosystem, particularly as scams often originate on platforms beyond the reach of PSPs—such as social media networks, online marketplaces, and telecom channels.
While the PSR frames the policy as engaging “the entire payment ecosystem,” the practical burden of reimbursement continues to fall disproportionately on banks and PSPs. This has sparked growing frustration among financial institutions, especially in the absence of enforceable obligations for upstream platforms that facilitate fraud initiation.
Compounding this is the uncertainty surrounding the application of the consumer standard of care, one of the few grounds on which reimbursement can be denied. Despite only 2% of claims being rejected on these grounds during the first quarter of implementation, 23% of firms invoked this exception at least once—highlighting inconsistencies in interpretation, a lack of regulatory clarity, and potential unfairness for consumers. These ambiguities are particularly concerning as instances of first-party fraud—where consumers knowingly authorise payments but later claim deception—are believed to be on the rise.
Meanwhile, fraud techniques have continued to evolve at pace. In the past five years, the UK has seen a sharp increase in the sophistication of APP fraud, driven by innovations such as deepfake technology, real-time payment abuse, and social engineering. Criminals are adapting quickly, often outpacing defensive responses. Although regulators have issued updated guidance, they have not promoted the data-sharing initiatives that industry experts argue are essential for effective fraud prevention. The consensus across the sector remains that a cross-sector, prevention-focused strategy—encompassing telcos, tech platforms, law enforcement, and government—is urgently needed to prevent fraudulent transactions before money moves, rather than attempting recovery after the fact.
The PSR mandatory reimbursement framework, which came into effect in October 2024, outlines key provisions for firms to follow to maintain consistency in reimbursement practices.
The PSR published its first assessment of the policy in May 2025, covering the first three months of implementation (October to December 2024). The results show an 86% reimbursement rate for in-scope APP scams—amounting to approximately £27 million returned to victims—a substantial improvement on the 68% rate recorded in 2023. This expansion of redress reached across 60 firms, a significant jump from the handful of CRM Code signatories under the prior regime.
However, UK Finance’s ‘Annual Fraud Report 2025’ paints a more complex picture. While APP fraud losses (value) declined modestly by 2%, the number of APP cases (volume) fell by 20%. Conversely, overall fraud volumes increased by 12%, reaching a record 3.31 million cases, whilst total fraud losses remained broadly unchanged at £1.17 billion. These findings suggest that the new policy is not deterring criminals, who are instead shifting their tactics—conducting more numerous, lower-value attacks rather than fewer high-value scams, and moving particularly toward unauthorised fraud and remote purchase scams.
As a result, some industry observers question the true impact of the reimbursement policy. The UK Finance report warns that while more victims are receiving their money back, there is no evidence of reduced criminal activity, and the reimbursement itself offers no remedy for psychological harm or systemic prevention. Some experts have also raised concerns that easy access to compensation could dull consumer vigilance, especially in the absence of clear, consistently applied standards for what constitutes gross negligence.
The operational data show a mixed picture: 86% of claims were passed from the sending to the receiving firm within two business hours, and 84% were closed within the five-day deadline. But implementation challenges remain, particularly around data standardisation and inconsistent application of exceptions like the consumer standard of care. These factors are likely to come under scrutiny during the October 2025 independent review, where early optimism will need to be balanced against shifting fraud patterns and unintended consequences.
A key concern raised before the October 2024 policy launch was the risk that guaranteed reimbursement might prompt an increase in fraudulent claims by consumers themselves—commonly known as first-party fraud. In the first three months, the PSR recorded approximately 46,000 consumer claims under the new regime. However, these figures are not directly comparable to previous periods, as they exclude transactions made before 7 October 2024 and focus only on cases eligible under the new framework. Claim volumes have reportedly grown month-on-month, likely driven by rising public awareness and broader eligibility.
Industry sources report that cases indicating first-party fraud are beginning to emerge with increasing frequency. As further data accumulates, industry voices are calling for a clearer, more enforceable definition to balance consumer protection with responsible behaviour, ensuring the reimbursement system protects victims while deterring abuse.
Among these, 14% of claims came from consumers flagged as vulnerable, resulting in £7 million in reimbursed losses—a figure highlighting the policy’s value for at-risk individuals, but also one that raises questions about adequate controls and documentation standards in assessing such claims.
The most contentious issue to emerge so far is the application of the consumer standard of caution—the only discretionary exception that allows PSPs to refuse reimbursement if a customer is deemed to have acted with gross negligence. While the PSR reports that just 2% of claims were rejected on this basis in the first quarter, 23% of firms applied this exception at least once, pointing to a troubling lack of consistency in interpretation. This inconsistency introduces both legal uncertainty and reputational risk for firms and undermines consumer confidence in the fairness of the reimbursement regime.
Industry voices are increasingly concerned that the current definition of gross negligence creates a paradox within the UK’s legal framework. Whilst courts characterise gross negligence as ‘jaw-dropping’ or ‘truly exceptionally bad’ conduct, the PSR applies a more consumer-friendly standard as a ‘very high bar’ for only a ‘small minority’ of cases. This divergence is compounded by the FOS overturning more than 75% of bank decisions on APP fraud, emphasising criminals’ ‘sophisticated use of technology and manipulative social engineering’. The result is a multi-tiered system where identical consumer conduct faces different standards depending on which regime is investigating—creating regulatory inconsistency that prioritises consumer protection over established legal precedent.
As the policy matures, leading voices across the payment landscape are calling for proactive internal monitoring by PSPs, which they highlight as critical to identifying emerging abuse patterns, particularly instances where consumers may not be entirely truthful about their circumstances or actions during fraud incidents. Whilst implementing the consumer standard of care serves the industry’s broader interests in consumer protection, the challenge lies in effectively introducing systems to prevent fraud at its source.
Assessing the early effectiveness of the mandatory reimbursement regime is complicated by substantial changes in definitions, reporting scope, and data methodology introduced alongside the policy. The Payment Systems Regulator (PSR) has acknowledged that pre- and post-implementation data are not directly comparable—an important caveat that limits the ability to assess trends over time.
One of the most significant changes lies in how APP fraud is now defined. Previously, it referred to payments made into accounts controlled by a fraudster. Under the new rules, it includes any transaction where the funds move into an account that is no longer under the control of the victim, broadening the definition to encompass payments to non-complicit third parties, including legitimate businesses or individuals unknowingly used in fraud.
In addition to this definitional shift, several technical changes affect the data landscape:
Furthermore, the reporting structure has changed. Prior to implementation, most data came from a relatively small group of major banks. Post-policy data reflects activity across the full range of payment service providers (PSPs), but is currently published only at the aggregate industry level, making firm-level comparison or benchmarking more difficult.
In light of these complexities, the PSR announced it will publish two separate data streams for 2024—one for pre-policy and one for post-policy transactions—acknowledging that a single unified dataset would be misleading at this stage.
Payments experts have noted that these changes, while operationally necessary, pose challenges for transparency and evaluation. Some have expressed concern that the fragmented approach may hinder efforts to measure whether the policy is reducing fraud or simply shifting it elsewhere. Without a consistent, comparable baseline, it becomes more difficult to assess whether improved reimbursement rates are accompanied by genuine fraud reduction or improved preventative controls.
As the sector looks ahead to the October 2025 independent review, many in the industry are calling for clearer, more standardised reporting metrics. A more consistent dataset is seen as essential for understanding not only how the policy is functioning, but whether it is delivering meaningful protection, behavioural change, and systemic resilience.
An independent review of the APP reimbursement regime is scheduled for October 2025. It will assess whether the policy is achieving its goals and where refinements may be needed. Key areas of focus are expected to include:
For many across the industry, the 2025 review is a crucial opportunity to assess whether the policy effectively supports victims, incentivises prevention, and ensures liability is more fairly distributed across the wider fraud ecosystem.
While mandatory reimbursement has improved redress for victims, payments experts widely agree it does not address the root causes of APP fraud. A longer-term solution will require broader cooperation beyond the financial sector.
Key priorities now emerging include:
As the October 2025 review approaches, the consensus is clear: compensation alone is not enough. Tackling APP fraud at scale will require a cross-sector strategy that aligns incentives, closes gaps in accountability, and strengthens defences at the point of fraud origination—not just at the point of payment.