Mandatory Reimbursement: The Impact on PSPs

Share this post

If you look at fraud statistics in the UK, it is clear why APP scams are front and centre of the payments agenda. With total losses to customers exceeding £480 million in 2022[1], the drive to protect customers’ funds from malicious actors is a top priority for regulators and politicians alike. What is also clear is that the Government’s efforts in combating APP fraud remain squarely focused on the payment services sector.

What do firms need to know?

These are some of the key takeaways for firms on the PSR’s proposals:

  • The PSR’s rules will only apply to payment transactions processed through Faster Payments, but there are plans to roll out reimbursement requirements for CHAPS and me-to-me payments too in due course.
  • PSPs will need to reimburse customers up to a maximum amount less an excess which the customer must pay (the precise amounts are subject to consultation).
  • Sending PSPs will be on the hook for reimbursing their customer but may share the costs 50/50 with receiving PSPs.
  • Only in circumstances where customers are deemed grossly negligent, will PSPs be able to avoid reimbursement.
  • Vulnerable customers must be treated more favourably under the rules. For example, vulnerable customers won’t need to pay an excess if they make a claim.
  • The new rules are designed to protect the smallest businesses, unlike the Code – all payers who are consumers, microenterprises and small charities will be covered. This gives some good news to smaller businesses following the Supreme Court decision in Phillips, which restricted the scope of the Quincecare duty of care on banks so as not to cover prevention of payment scams.

When are customers responsible for their own actions?

In response to industry requests for clarity on when a customer should be held responsible for their own actions in an APP fraud scenario, the PSR has issued Consultation Paper CP23/7: ‘The consumer standard of caution’. This ‘standard’ refers to the criteria the customer should meet for their claim to be valid and comprises three key elements:

  1. a requirement to consider specific, directed scam warnings by the PSP;
  2. a requirement to notify their PSP promptly; and
  3. an obligation to respond to reasonable and proportionate requests for information.

The desired effect of the ‘standard’ is clear: the bar will be set higher for PSPs to give “specific, directed” warnings. This suggests that generic warnings appearing as standard as part of all payment journeys may be insufficient: now there will need to be an element of tailoring which is a much higher bar. If this is the approach, the implication is that any lesser warning would invalidate a refusal to reimburse on the basis that the customer had not met the required standard of caution. Firms might be tempted to warn the customer that all ‘at risk’ payments are likely to be scams. However, such a blanket approach to warnings seems unlikely to pass the test of being specific and direct.

Gross negligence

Even if the customer fails to meet the ‘standard of caution’, PSPs must still show the customer was fraudulent or met the ‘gross negligence’ threshold before they can refuse reimbursement. This concept of ‘gross negligence’ will be familiar to PSPs in the context of unauthorised payment fraud and means PSPs must show that the customer acted with a ‘significant degree of carelessness’. However, it is notoriously difficult to prove and often leaves PSPs with little choice but to reimburse. The PSR’s consultation paper does little to remove that uncertainty.

Vulnerable customers

Finally, firms must take heed of the carve-out from the standard for vulnerable customers. Determining who is a vulnerable customer (or who is not) will be one of the most difficult challenges for PSPs given the broad interpretation applied by regulators. In a digital age where many Faster Payments are instructed online, and with less opportunity to engage with customers face-to-face, this is easier said than done.

What the PSR’s proposals mean for the provision of banking services

On the positive side, the new rules will help to incentivise the deployment of more sophisticated technology to combat APP scams, and some PSPs may even manage to use this to their competitive advantage if done well. Already, there are industry initiatives in motion to improve fraud information sharing between PSPs, with other PSPs also exploring introducing their own tools. For example, Monzo recently announced a new in-app feature to help customers check in real-time if they are talking to a customer agent or a fraudster.[2]

The flip side is that such solutions come at a cost – a not-so-small ask when firms are already grappling with the extra costs of enhanced transaction monitoring, new process-builds for APP scam warnings, and the steadily rising costs of payment systems.  All of this has an impact on PSPs’ business models and ultimately their bottom line. If an unwelcome consequence of the proposals is to lead PSPs to increase charges to offset these costs, this will hit consumers and small businesses hardest, and at a time when their finances are already stretched.

Some final thoughts

Despite the potential for some fine-tuning, it is clear that the PSR’s proposals are a genuine step forwards in combatting APP fraud. Indeed, the introduction of the new reimbursement framework was (and is) an important pillar of the Government’s wider fraud strategy, in the hope that these measures will incentivise PSPs and indeed other industries to prevent APP fraud from happening in the first place. Only time will tell, however, whether or not the mandatory reimbursement proposals can truly set the benchmark in the fight against fraud, without equally robust action in other sectors, or whether they will simply create greater incentives to perpetrate more fraud, with compulsory reimbursement reducing customer caution and encouraging fraudsters.

If you would like to discuss how the PSR’s new proposals are likely to impact you, please reach out to:

Rebecca Hickman, partner, Addleshaw Goddard

[1] UK Finance Annual Fraud Report 2023 (accessed on 12 September 2023 at

[2] (accessed on 13 September 2023)

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?