Key insights: October 2024 APP fraud reimbursement policy changes

by Benjamin David, Editor, The payments Association

Share this post

What is this article about?

New regulatory changes for Payment Services Providers (PSPs) to combat APP fraud, requiring them to reimburse victims up to £415,000 per claim starting October 2024.

Why is it important?

It aims to enhance consumer protection and address significant financial losses from APP fraud, which amounted to £459.7 million in the UK in 2023.

What’s next?

PSPs need to review compliance documents, complete registrations by August 20, integrate necessary systems by October 7, and stay informed on updates to ensure compliance.

The payment services providers (PSPs) community is on the brink of significant regulatory changes due in October 2024, as the Payment Systems Regulator (PSR) enforces new rules under the authorised push payment (APP) fraud reimbursement policy. This policy aims to combat the escalating issue of APP fraud, where victims are tricked into authorising payments to criminals. According to UK Finance, Britons lost approximately £459.7 million to APP fraud in 2023, highlighting the urgent need for robust protective measures.

The PSR’s decision mandates that banks and payment companies reimburse victims up to £415,000 per claim. The May 2024 bulletin from Pay.UK provides detailed guidance on the upcoming changes and the steps PSPs must take to comply. PSPs are advised to review the published documents, complete their registration promptly, and integrate the necessary systems to be ready by the October deadline.

However, this move has sparked considerable debate within the industry. The Payments Association (TPA) has voiced concerns about the timeline, advocating for a one-year delay to ensure proper implementation and avoid severe repercussions for smaller fintech companies.

Despite these concerns, the new rules are set to take effect in October, making it imperative for all stakeholders to stay informed and prepared. Key actions for PSPs include reviewing all compliance documents, completing registration by August 20, and integrating RCMS systems. Regularly monitoring updates from Pay.UK and attending industry briefings will also be crucial. By staying proactive and engaged, PSPs can ensure compliance, protect their customers, and contribute to a more secure payments ecosystem.

Key developments in the APP fraud reimbursement policy

The APP Fraud Reimbursement Policy, as outlined in the May 2024 bulletin by Pay.UK, mandates several new compliance measures for PSPs aimed at enhancing the transparency and effectiveness of reimbursement processes for APP fraud victims. The policy introduces significant tools and deadlines that PSPs must adhere to, ensuring they are well-equipped to handle the changes. (To see how the legislation affects your organisation, click here). 

The bulletin highlights the introduction of two primary compliance tools for PSPs:

  • RCMS Core: This tool provides a directory of PSPs and functionality for Reporting Standard A data submissions to Pay.UK, crucial for maintaining accurate and comprehensive records.
  • RCMS Core + Claims Management: An extension of RCMS Core, this tool includes a robust claims management system, facilitating efficient processing and resolution of fraud reimbursement claims.

These tools are accessible via API or a secure web-hosted user interface, offering flexibility to PSPs in integrating the new systems into their existing frameworks. Comprehensive API specifications and contract frameworks have already been published, aiding PSPs in preparing their systems for seamless integration.

Publication of compliance documents: On June 7, 2024, Pay.UK released critical documents, including the FPS APP Reimbursement Rules and Compliance Monitoring Process. These documents were accompanied by a phased “Best Practice Guide,” which addresses various implementation challenges identified during the policy rollout. Pay.UK said the guide aims to provide PSPs with practical insights and recommended procedures to navigate the new requirements effectively.

Targeted marketing and registration campaigns: In May, Pay.UK initiated a targeted marketing campaign, contacting PSPs likely to fall within the APP Reimbursement scope as directed by the PSR. PSPs are encouraged to check Pay.UK’s website regularly for updates and documentation. Registration for APP reimbursement is now open, with firms expected to complete their registrations by August 20, 2024.

These developments are part of Pay.UK’s broader effort to ensure that all PSPs are adequately prepared for the October 2024 deadline. By providing these tools and resources, Pay.UK said it aims to facilitate a smooth transition and ensure compliance with the new APP fraud reimbursement policy, which it claims will protect consumers and enhance trust in the payments industry.

Key dates for PSPs

To ensure compliance and readiness for the new APP Fraud Reimbursement Policy, Payment Services Providers (PSPs) must adhere to several critical milestones outlined in the May 2024 bulletin by Pay.UK. These dates are pivotal for the successful implementation of the policy and the smooth operation of the associated systems and processes.

  • 7 June 2024
    Registration opens: PSPs can begin registering for the APP reimbursement process. Early registration is crucial to ensure adequate preparation time and compliance with subsequent requirements.
    Major documentation release: Key documents, including the FPS APP Reimbursement rules and Compliance Monitoring Process, will be published. This release also includes the phased “Best Practice Guide,” which will provide detailed procedures and recommendations for PSPs to follow.

  • 31 July 2024
    Contract release/issue ready for signing: Contracts for RCMS Core and RCMS Core + Claims Management will be available for PSPs to sign. Completing this step promptly is essential for PSPs to proceed with onboarding and system integration.

  • 20 August 2024:
    Deadline for PSPs to register as in scope for SD20: PSPs must complete their registration and attest to Pay.UK that they are within the scope of Specific Direction 20 (SD20). This step involves answering relevant questions to prepare for compliance and accepting the Registration Terms & Conditions.

  • 7 October 2024
    Deadline to reimburse all claims 50/50: By this date, PSPs must be fully capable of reimbursing APP fraud claims, sharing liability equally with other involved parties. This capability is crucial to meet the policy’s requirements and ensure consumer protection.

  • 30 November 2024
    First entry for new reporting: PSPs must start submitting data under the new reporting standards. This initial reporting will help establish a baseline and ensure ongoing compliance with the new policy.

  • 31 March 2025
    Final switch-over date: This marks the complete transition to the new reimbursement and reporting systems. By this date, PSPs must have fully integrated the RCMS Core and RCMS Core + Claims Management systems into their operations. (This date assumes planning data to support the 1 May deadline currently under consultation by PSR.)

These dates highlight the urgency and complexity of the upcoming changes. PSPs are encouraged to stay proactive and diligent in meeting these milestones to ensure a smooth transition and compliance with the new APP fraud reimbursement policy.

Next steps for PSPs

With the APP fraud reimbursement policy’s critical deadlines rapidly approaching, PSPSs must take immediate and strategic actions to ensure compliance and readiness. Here are the key steps PSPs need to follow:

  1. Review published documents: PSPs should begin by thoroughly reviewing all the published documents provided by Pay.UK. This includes the FPS APP Reimbursement rules, the Compliance Monitoring Process, and the phased “Best Practice Guide.”
  2. Complete registration promptly: The registration process opens on June 7, 2024. PSPs must ensure they register as soon as possible to avoid last-minute complications. The registration process involves attesting to Pay.UK that the PSP is within the scope of Specific Direction 20 (SD20), answering relevant questions and accepting the Registration Terms & Conditions. Timely registration will also facilitate signing contracts for RCMS Core and RCMS Core + Claims Management, scheduled for July 31, 2024.
  3. Integrate RCMS systems: Once registered, PSPs must focus on integrating the RCMS Core and RCMS Core + Claims Management systems into their operations. This integration is crucial for meeting the new reporting standards and managing reimbursement claims efficiently. PSPs can access these systems via API or a secure web-hosted user interface. Pay.UK has said it is important to utilise the comprehensive API specifications and contract frameworks published to ensure seamless integration.
  4. Prepare for reimbursement capabilities: By October 7, 2024, PSPs must be fully capable of reimbursing APP fraud claims, sharing liability equally with other involved parties. This capability is a core requirement of the new policy, designed to protect consumers and enhance the industry’s accountability. PSPs should establish robust internal processes and systems to handle claims efficiently and accurately.
  5. Stay informed and proactive: PSPs should regularly check Pay.UK’s website for updates and new documentation. Staying informed about changes or additional requirements will help PSPs remain compliant and prepared. Engaging with industry briefings, such as the June 20, 2024 Industry Monthly Briefing, can provide insights and guidance.
  6. Leverage available resources: Attending industry briefings and demonstrations, like the demonstration of the Reporting Standard A data capture and reporting functionality at the Industry Monthly Briefing on June 20, 2024, will be beneficial. These sessions also provide opportunities to address any questions or concerns.
  7. Monitor and adjust systems: PSPs must continually monitor their systems and processes to ensure they align with the new requirements. Regular audits and reviews can help identify and rectify compliance gaps. Adjustments may be necessary as the policy is fully implemented and operational challenges arise.
  8. Engage with The Payments Association: PSPs should maintain active communication with The Payments Association and other industry bodies. These organisations can provide support, share best practices, and advocate for the industry’s interests.

Industry concerns and The Payments Association’s position

The new APP fraud reimbursement policy has not been without contention. The Payments Association (TPA) has raised significant concerns about the potential impacts of these regulations. In a letter to City minister Bim Afolami, thirty members of TPA outlined several key issues that could affect smaller fintech companies and the broader financial services landscape.

Concerns raised: Robert Courtneidge, board advisor and payments expert at TPA, has highlighted that the proposed mandatory reimbursement scheme could threaten the viability of smaller fintech companies. He states, “The maximum per claim reimbursement threshold of £415,000 is considered both disproportionate compared to average losses for individuals of less than £2,000 and also illogical as a mandatory amount that must, in most cases, be paid out in 5 working days without any chance to properly review a case.”

Courtneidge further explains, “The Financial Ombudsman, from where the limit was taken, would never be able to review a claim in this timeframe. Even with the longest timeframe with the ‘stop the clock’ invoked of 35 working days, any similar claim in court for this value would take years and be very thoroughly reviewed. This timeframe for review and payout is irresponsible, making it impossible to allow for proper review of claims.”

He argues that this high threshold could lead to significant additional costs, making many payment service providers economically unviable and potentially forcing them out of the market. “Please understand, we are not saying to remove the higher limit, but to give sufficient time in the (less than 5%) of cases above the £30,000 threshold (suggested by us) for the sending and receiving banks to conduct a proper review to determine if there was fraud and if the criteria (which need to be decided) have been met so that the victim should be reimbursed. Without a proper dispute resolution mechanism and thorough scrutiny of cases, the UK will fail one of its most important industries.”

Impact on competition and innovation: TPA emphasised that the new rules could stifle competition and innovation in areas such as open banking and digital challenger banking. They noted that the increased costs associated with the mandatory reimbursement scheme could create higher barriers to entry for new players and make it more difficult for challenger banks to compete with established incumbents.

Consumer and industry risks: The association also expressed concerns about the potential for increased first-party fraud and moral hazard, as the near-100% reimbursement policy could be exploited by fraudsters. They pointed out that without clear criteria for consumers to act cautiously, the policy might inadvertently encourage riskier behaviour among consumers.

Call for a balanced approach: The Payments Association urged for a more balanced consumer standard of caution and a lower per claim upper liability threshold. They suggested reducing the threshold to £30,000 and implementing measures to incentivise consumers to exercise greater caution. Additionally, they called for delaying the reimbursement obligations until the necessary industry utility for managing reimbursement reporting and settlement is operational.

Need for multi-stakeholder involvement: Highlighting that 77% of all APP fraud cases originate online, TPA stressed the need for social media platforms and telecommunication providers to play a more active role in preventing fraud. They advocated for these entities to share the costs of mandatory reimbursement and participate in new data-sharing requirements to mitigate fraud risks at the source.

These concerns underscore the broader tension between regulatory demands and industry readiness. The Payments Association’s recommendations aim to ensure that the new reimbursement rules are both effective in protecting consumers and sustainable for the industry, particularly for smaller fintech companies.

Final thoughts

The APP Fraud Reimbursement Policy represents a pivotal shift in protecting consumers and enforcing accountability within the payments sector. As the October 2024 deadline approaches, payment leaders must act decisively: review all compliance documents, complete registration by August 20, and integrate RCMS systems promptly. Regularly monitor updates from Pay.UK and attend industry briefings for the latest insights. By staying proactive and engaged, PSPs can ensure compliance, protect their customers, and contribute to a more secure payments ecosystem.


Read more Payments Intelligence

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Continue reading

New UK regulations mandate PSPs to reimburse APP fraud victims up to £415,000 from Oct 2024. Join The Payments Association to read the full article.

Become a member to continue reading

Member of The Payments Association? Log in to continue reading

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?