APP fraud reimbursement rules: The countdown is on

by Alison Kopra, Financial Crime Director at Grant Thornton UK LLP


From 7 October this year, all consumers who are victims of automated push payment (‘APP’) fraud paid via faster payments must be reimbursed within 5 business days, with the cost split equally between the paying and receiving payment service providers (PSPs).

With five months to go, what should PSPs do now to prepare?

Looking to the Regulators…

PSPs can look to regulatory expectations to inform their preparations now and set themselves up for success come October. In particular, the PSR’s final Policy Statement includes a section addressing ‘PSP readiness’, and the FCA has published the common weaknesses it identified in PSP firms’ anti-fraud controls and complaint-handling processes. From these, PSPs can get a good indication of the broader activities they should be undertaking over the coming months in the run-up to implementation.

Four key themes

  1. Governance & MI: The FCA has clearly stated that fraud management information (MI) should include metrics and measures relating to customer impact and treatment and should not unduly (or solely) focus on metrics for commercial risk appetite and financial loss. Customer-centric MI measures should inform decision-making, strengthen anti-fraud controls, and improve customer outcomes and service. There’s a clear crossover here with the Consumer Duty principle to deliver good customer outcomes and avoid foreseeable harm.
  2. Fraud controls: Given the current fraud epidemic in the UK, mandatory reimbursement may increase fraud losses for many PSPs. As the PSR points out in the policy statement, now is the time to review your preventative and detective fraud controls and optimise your fraud control environment to limit your exposure once the new rules go live. Consider the design of onboarding controls, transaction and device monitoring, customer- and account-level monitoring, and how intelligence is used to inform the control environment. Look at the risks of both making and receiving fraudulent payments, including through money mules, and how technology could enhance your control environment. Then, test and monitor your controls regularly to ensure they operate effectively and as intended.
  3. Policies and procedures: The FCA has made it clear that treating customers fairly is a core principle that runs throughout a firm’s business, and it should be at the forefront of PSPs’ minds when they implement the new APP fraud reimbursement rules. Robust policies and procedures should set out a PSP’s approach to:
    • The ‘consumer caution’ standard – When will you seek to rely on the consumer caution standard to refuse reimbursement? How will you identify when any of the four requirements have not been met? How will you ensure consumer caution assessments are not applied to vulnerable customers?
    • Vulnerable customers – How do you define ‘vulnerable customers’, and is that definition consistent between APP fraud and other parts of your business? When and how will you assess vulnerability in a fraud claim cycle? How will you ensure vulnerable customers’ needs are met throughout the process?
    • Excess – As a sending PSP, in what circumstances will you seek to apply the £100 excess to reduce the reimbursable amount? Have you trained your staff on how and when to apply the excess?
    • Customer intervention strategy – What intervention methods will you employ (‘standard text’ and tailored written warnings, phone calls, payment and account blocking) and when? Are your staff appropriately trained to deliver customer interventions while treating customers fairly and avoiding foreseeable harm?
  4. Operational readiness: While the nuts and bolts of operationalising the new requirements will vary from organisation to organisation, PSPs should consider their reimbursement management system, resourcing needs, data capture requirements, training, and MI capabilities for internal and external reporting.

In a nutshell…

To comply with regulator expectations under the new rules, PSPs need to ensure that APP fraud is easy to report and reimbursement is made within the new regulatory timescales while ensuring consumers are given clear communication throughout the process.

PSPs should invest in their end-to-end anti-fraud framework now to avoid costly non-compliance and reputational damage further down the line. The PSR and FCA will be on the lookout for any firms seen to be underperforming in either reimbursement or fraud prevention.
