Tackling APP fraud: An industry at a crossroads

by Nick Fleetwood, head of data services, Form3

Authorised push payment (APP) fraud has been steadily climbing the charts of global payment frauds with nearly £240m lost to UK consumers and businesses in the first six months of 2023.

The Payment Systems Regulator’s (PSR) announcement in June 2023 highlighted the urgency to counter this issue by proposing a new reimbursement framework. The Payments Association’s , published in collaboration with Form3, offers insights into the industry’s preparedness and concerns as we edge closer to the regulatory deadline.

Unravelling the institutional landscape

Among the respondents, a significant 68.8% operate as selling participants directly connected to the Faster Payments Service (FPS). At the same time, 18.8% navigate their financial transactions using a Nostro account with a different entity. Another 6.2% favour agency banking. The diversity in institutional operation modes suggests that the PSR’s proposed obligations might be perceived and implemented differently across the spectrum. With varying operational frameworks, the capacity to counter APP fraud and align with the PSR’s requirements might differ significantly.

Final legal instruments will be published in December 2023, finalising the mechanism for refunding victims and the definition of gross negligence and customer vulnerability, which further adds to the complexity of ensuring uniform understanding and implementation across various institutional types. 

Ticking clock: Anticipated readiness for new PSR obligations

The 7 October 2024 deadline stands as a significant marker for the industry. However, there’s a pronounced call for clarity. A dominating 81.2% believe that the PSR must provide more explicit guidance, revealing an industry that’s looking for direction. Moreover, only 12.5% of banks responded positively about being prepared for the PSR’s obligations by October 2024. This implies that the majority of banks need clarity in order to expedite their efforts to align with the regulations.

Drawing a parallel with the survey’s primary objectives, we aimed to gauge institutional readiness for the impending APP rules. The substantial uncertainty reflected in the 81.2% underlines the necessity for enhanced communication from regulatory bodies. A significant 36% of respondents are concerned about their ability to fund reimbursements, especially among the smaller participants of the faster payments network.

“Will mandating the cost of fraud to institutions reduce the overall fraud cost to the UK economy? The rules will have a much larger impact on institutions which do not currently have comprehensive financial crime solutions from others. As well as mandating the cost aspect, more needs to be done to create national solutions for better fraud identification, investigation, and prevention, requiring banking and tech industry collaboration,” says Nick Fleetwood, head of data services, Form3.

The challenge spectrum

The survey sheds light on multiple challenges. The complexity of processing reimbursements stands out for 64.3% of the respondents, driven by the lack of clarity around this instrument before the final publication from the PSR. Half the institutions highlight concerns related to internal resource constraints and tooling, indicating potential scalability and efficiency issues as the rules come into play. Nearly 30% of those surveyed emphasised challenges around screening inbound transactions for fraud risk.

Furthermore, a substantial 50% underscore the challenge of meeting new reporting requirements to Pay.UK. This sentiment echoes the survey’s objective to understand what tools or resources are necessary for institutions to be ready by April 2024. Clear, streamlined reporting processes are evidently high on the industry’s wish list. However, there’s a shared concern that manual processes might be introduced to facilitate the rules, while many respondents favour comprehensive industry-wide technical solutions, which should ideally be tested before October 2024.

A call for clarity

One can’t help but notice the recurring theme of ‘clarity’ resonating through the survey. Institutions seem particularly keen on gaining insights into the ‘gross negligence’ definition (81.2%), liability positions (68.8%), and the intricacies of vulnerability (62.5%). These figures might suggest that while institutions are not against the spirit of the PSR’s legislation, they find its current form somewhat nebulous.

Given the backdrop, this theme aligns with the open questions the PSR or Pay.UK have yet to clarify or finalise. The evergreen debate on defining ‘gross negligence’, discerning ‘prompt reporting’, and understanding ‘vulnerability’ are evident pain points, potentially acting as stumbling blocks to seamless implementation.

The transitioning phase: A split vote

Our survey participants seemed divided on the preferred transition period post the rules’ clarification. It’s intriguing that while 50% advocate for a minimum of a 12-month period, 31.2% feel that half that time should suffice. The variance here possibly hints at a split in institutional confidence or perhaps operational agility.

“The PSR’s proposals overlook the support needed by small innovative payment firms facing heavy regulatory burdens. This could drive some out of business, missing an opportunity for regulator-encouraged collaboration in preventing financial crime, rather than making it a competitive issue,” says Jane Jee, lead of project financial crime at The Payments Association.

Post-implementation landscape

Post the rule’s potential enactment, concerns seem to revolve around first-party fraud, the survival of smaller PSPs in a potentially less competitive environment, and the overarching responsibility of defining APP fraud cases. These anxieties, especially regarding smaller PSPs, might be indicative of fears that compliance costs and challenges could lead to industry consolidation, reducing consumer choice.

Charting the path ahead

Responses suggest a unanimous call for more proactive measures. Strengthening data sharing mechanisms, intensifying education efforts for payment users, and establishing shared financial and technical liabilities with tech platforms are some of the focal recommendations. These reflect a broader sentiment: while institutions are ready to adapt and align, they hope for an environment that fosters collaboration, knowledge sharing, and shared accountability.

“Financial fraud is a national emergency needing effective preventive measures. Bringing every player, including big tech and merchants, to the table with state-of-the-art data sharing solutions is crucial. Mandating reimbursement doesn’t solve fraud issues but could encourage more first party fraud,” says Riccardo Tordera, head of policy and government relations at The Payments Association.

In conclusion, the survey paints a vivid picture of an industry standing at the crossroads of innovation, regulation, and adaptation. While the PSR’s intentions are unanimously acknowledged as vital, the journey to October 2024 seems rife with challenges, calls for clarity, and a collective aspiration for a collaborative road ahead. The ball is now in the court of regulatory bodies to respond, guide, and collaborate for a fraud-resistant future.

Nick Fleetwood is head of data services at Form3.
