Businesses remain vulnerable to APP fraud despite mandatory reimbursement rules

by Alan Schweber, Founder and CEO, Lucra

Share this post

The Payment Systems Regulator (PSR) has set 7 October 2024 to implement the new mandatory reimbursement rules for victims of authorised push payment (APP) fraud.

Why it matters

The proposed changes will require banks and other payment service providers (PSPs) to, among other things, share the cost of reimbursing victims 50:50 between sending and receiving payment firms. In effect, banks and other PSPs will be picking up the ~£500M bill that gets generated each year from APP frauds.

The bigger picture

This is a significant shift in regulatory positioning to tackle what is today one of the world’s most pressing financial crime issues. APP fraud has claimed hundreds of thousands of victims and leads to devastating emotional as well as financial losses for victims. One recent example saw a business lose £1.6 million in 20 minutes.

Here are some high-level insights based on the most recent data from UK Finance:

  • Average losses are relatively small. The average APP fraud scam steals £2k from consumers and £11.4k from businesses.
  • Business victims are minority, but likely underreported. Micro businesses are not the most common category of APP fraud victim (6,729 business cases vs. 200,643 consumer); the PSR estimates that this is significantly underreported (more on why below).
  • Volume is increasing, but value see-sawing. APP fraud volume has increased steadily over the past 3 years, going up 10% on average each year. APP fraud value increased overall 4% between 2020-2022, but dropped 17% from 2021 to 2022.
  • Lowest volume scams tend to be highest value. CEO, mandate/invoice and impersonation scams – typically affecting businesses – are the least frequent but carry the highest value (CEO being highest, with average value of £31k). Whereas purchase scams – typically affecting consumers – are the highest in volume but the lowest in value (90% of all cases involved values less than £1k).

Zoom in

Alan Schweber, Founder and CEO, Lucra

The proposed reimbursement rules cover consumers, charities and micro businesses (those with less than 10 employees and a turnover of EUR 2M) for payments made through Faster Payments (the Bank of England is proposing similar rules applicable to CHAPS, but consultation is not expected to finish until Q1 2024).

The scope is not surprising given that 98% of APP frauds occur by Faster Payments. And while technically only 10% of the UK’s 2.7m businesses are ineligible for mandatory reimbursement, all businesses remain vulnerable to APP fraud.

  • There is a strong disincentive to report APP fraud because it can adversely affect credit ratings and insurance premiums… let alone reputation and trust.
  • Being a victim of APP fraud might be perceived by creditors, underwriters and customers as the business having weak payment controls, poor compliance and/or incompetent staff.
  • It’s not yet clear that the new rules will do anything to mitigate these cost effects and create an incentive to report the fraud. 

State of play

Compensation or not, at the end of the day a business victim of APP fraud – be it a micro, medium or large enterprise – ultimately ends up losing. Large and medium businesses are left to hang dry, and small ones might get their money back but suffer other financial and reputational consequences.

What can be done?

It goes without saying that businesses should do everything possible to prevent an APP fraud scam from arising in the first place. But more can be done to beef up defences than just ‘Confirmation of Payee’ and telephone call backs.

  • Enhanced checks such as determining how old a payee’s bank account is (anything under a year is a high-risk indicator) and its activity levels (payment totals and net money flows, etc.) offer valuable insight as to whether the bank account is genuine and matches the economic profile of the payee. Clever fraudsters steal identity documents to open bank accounts in the name of the real payee a few days before they strike; relying only on a name check won’t uncover the fact that the account is brand new or has no activity.
  • Digital verification using open banking improves accuracy and security, as this pulls in trusted data from the bank itself as opposed to manually obtaining it from bank statements and other documents (which may be forged).

At Lucra, we’ve made it our mission to eliminate APP fraud with a digital, plug-n-play solution that delivers all this insight and more using verifiable data from trusted sources (including open banking and credit agencies).  Get in touch to learn how we can help you defend your business against APP fraudsters.

Article by Lucra Technologies Ltd.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?