Banks, fintechs, regulators set a course for APP security

by Thomas Müller, CEO, Rivero

As consumers worldwide leverage the ease and convenience of automated push payments (APP), APP fraud is rising proportionately. UK Finance reports businesses lost £42.6 million, and consumers lost £196.7 million in the first half of 2023, with a 22% increase in reported cases (116,324) over the previous year. Researchers found fraudsters used social engineering in a variety of ways, with purchase fraud accounting for two-thirds of all APP cases.

Ben Donaldson, managing director of economic crime at UK Finance, observed that criminals are exploiting social media, online platforms, SMS, phone and email channels to deceive victims into sharing sensitive data and transferring funds. “The financial services sector continues to lead the fight against these awful crimes,” he said, urging public and private sector leaders to join forces and rein in abuse of telecommunications and digital channels.

Reinforcing infrastructure

We’re seeing the result of launching a new payment method without establishing rules for participants or considering the outcomes of that new payment method. APP is a shortcut and not a new payment scheme. Because APP runs on the UK’s Faster Payments, an infrastructure based on existing payment rails, the transactions performed are subject to the same terms and conditions set by the bank as wire transfers, which typically do not contain any dispute or refund clauses and can also be substantially different at different banks.

Fraudsters do not need stolen bank credentials to launch APP scams. They can just as easily use Instagram or TikTok to convince people to send money to an illegitimate source. Criminals have high success rates because most people don’t carefully check the recipient’s name and details before confirming the transmission of funds. Bankers and regulators are calling for better consumer protections, which is highly unusual for an industry where consumer protections are directly embedded into payment methods.

Proper consumer protection laws are crucial because otherwise, people may stop using apps altogether and return to cards. Rivero and other members of The Payments Association and its financial crime working group actively explore these issues with industry stakeholders and policymakers.

Rivero would like to bring its domain knowledge from the card payment space to support the financial crime working group, especially in the domain of consumer protection rules. When Pay.UK implements the first consumer protection and dispute framework, currently in development, and releases APIs as Mastercard and Visa do, we will connect our Amiko dispute management system to this emerging system. This will enable our Amiko Virtual Agent to interface with customers and manage reimbursement claims in the same way Rivero does for card payments.

Building resilience

In July 2023, the UK Payment Systems Regulator (PSR) introduced a reimbursement requirement for APP fraud within the Faster Payments System. It requires sending and receiving payment firms to share the costs of reimbursing customers and to protect those deemed most vulnerable. The PSR urged payment service providers (PSPs) to review the new reimbursement guidelines before the effective date of 7 October 2024.

“We know that our incentives are already working, with PSPs taking significant steps to improve end-to-end fraud prevention,” the PSR wrote, noting that Pay.UK, operator of Faster Payments, will provide a reimbursement claim management system (RCMS) for APP fraud and invite public commentary on this and other reporting and compliance policies until 28 May 2024.

Believing these policies will stimulate fraud prevention, increase consumer protections and expand Pay.UK capabilities as a payment system provider, the PSR is confident that it can leverage its regulatory toolkit to improve cross-market security, compliance and operational efficiencies, commenting as follows:

As the operator of Faster Payments, Pay.UK will be responsible for monitoring all directed PSPs’ compliance with the FPS reimbursement rules. Where necessary, and where it has the power to do so, it will take action to manage compliance. Pay.UK has been developing its compliance monitoring regime in consultation with industry and the PSR. It has now submitted its regime to the PSR for review, which we will assess using the confidence objectives. Subject to our approval, Pay.UK will publish the regime on its website no later than 7 June 2024.

Changing public perception

Szymon Morytko, principal consultant, global business consulting team, FICO, has seen a shift in public perception of individuals and firms impacted by fraud and noticed less of a tendency to stigmatise victims.

“While historically scams have often been seen as a ‘customer’s problem,’ where poor judgment or carelessness has been seen as a reason for customers becoming victims, this perception is changing as scams become increasingly more sophisticated and harder to spot even for the cautious,” he wrote in the FICO 2023 Annual Global Fraud Report.

Noting that 45% of FICO survey respondents believe banks can do more to protect them from scams, 77% want banks to have better fraud detection systems, and 64% want more warnings and education about known scams when making payments, Morytko remarked that regulatory bodies in the UK and EU are prioritising consumer protection and US banks are working on refunding customers for illegitimate payments on Zelle.

Looking ahead, Morytko said he would like more collaboration among banks, telecom services, internet service providers, and social media platforms to detect, prevent, and remediate APP fraud. He stated, “Scams are not going anywhere anytime soon, and it’s the responsibility of everyone involved to protect ourselves better.”
