APP Fraud: Who Bears the Cost?
- Elizabeth Travis
- May 23

Authorised Push Payment (APP) fraud continues to be one of the most financially and emotionally damaging crimes facing the UK public and businesses. Unlike unauthorised fraud, where a criminal accesses an account without permission, APP fraud involves convincing victims to willingly send money to scammers posing as trusted parties. These can include banks, solicitors, HMRC, or even a romantic partner.
According to UK Finance, £485.2 million was lost to APP fraud in 2024. Yet despite the staggering losses, only 62% of stolen funds were returned to victims, a figure that is expected to improve with the introduction of mandatory reimbursement legislation. But while the new rules enhance consumer protection, they also raise critical questions: Is this a sustainable model? Are the right actors bearing the cost? And is the broader fraud supply chain being held to account?
What is APP Fraud?
APP fraud occurs when a victim is tricked into authorising a payment to a criminal, often under false pretences such as bank impersonation, fake invoices or fraudulent investment schemes. Unlike unauthorised fraud, where stolen credentials are used without the account holder’s consent, APP fraud involves a transaction made by the victim themselves. This makes it particularly challenging to reverse or recover. It also differs from civil disputes, such as paying a legitimate supplier for faulty goods or services not received, which fall under consumer protection legislation like the Consumer Rights Act. APP fraud is, by contrast, rooted in criminal deception.
The Regulatory Landscape: From Voluntary Codes to Statutory Redress
In 2019, the UK's Contingent Reimbursement Model (CRM) Code was introduced to provide a voluntary framework for fair and consistent outcomes in APP fraud cases. Signatory banks agreed to reimburse customers who were not grossly negligent and took reasonable care. However, critics have noted inconsistent implementation and limited coverage, as only a portion of banks subscribed to the Code.
Recognising the limitations of this voluntary scheme, the UK government introduced new rules under the Financial Services & Markets Act 2023 from 7 October 2024. Protections apply to individuals, microenterprises (with fewer than 10 staff and turnover or balance sheet not exceeding €2 million), and registered charities with income under £1 million. Larger businesses and organisations are not currently covered. Victims will be reimbursed within five working days, except in cases involving gross negligence, fraudulent claims, or where a firm triggers a “stop-the-clock” provision for further investigation. Vulnerable customers are specifically protected from gross negligence exclusions.
All UK payment service providers (PSPs) using Faster Payments or CHAPS are within scope, including high street banks, challenger banks, building societies, e-money firms, and smaller PSPs. The scheme excludes credit unions, municipal banks, and National Savings & Investments (NS&I). For the first time, liability is shared equally between sending and receiving institutions, ensuring that firms hosting fraudster accounts are financially incentivised to improve onboarding, monitoring, and fraud detection controls.
Reimbursement is capped at £85,000 per claim, in line with the Financial Services Compensation Scheme (FSCS) limit. This figure, finalised by the Payment Systems Regulator (PSR), reflects analysis showing that the vast majority of claims fall below this threshold. Consumers who suffer losses above the cap can still escalate their complaint to the Financial Ombudsman Service (FOS), where additional compensation may be awarded if the PSP is found to have acted unfairly or negligently.
The reimbursement regime places substantial demands on firms. In-scope PSPs must build or enhance systems to detect inbound and outbound fraud, investigate cases quickly, and process claims within tight deadlines. The cost and compliance burden is especially acute for smaller firms and fintechs, some of which may respond by de-risking high-risk customers or limiting access to real-time payment services. The PSR has signalled that it expects full compliance and will monitor firm behaviour closely.
So Who Pays? And Who Doesn’t?
The cost of APP fraud under the new model falls entirely on financial institutions. This includes both the bank that sent the funds and the one that received them. Whilst this approach encourages shared responsibility, it has profound implications:
- Sending banks must improve customer authentication, scam detection, and education.
- Receiving banks, often criticised for failing to detect mule accounts, are now directly liable for facilitating fraud.
- Fintechs and e-money firms face mounting pressure, particularly those with rapid onboarding models and lean compliance teams.
Despite playing a central role in the fraud ecosystem, non-financial enablers such as telecoms providers, social media platforms, online marketplaces and digital advertisers remain entirely outside the current liability framework. These entities are often the starting point for scams by facilitating the phishing texts, spoofed emails, fraudulent ads and social engineering tactics that lead to APP fraud. Yet they bear no legal responsibility to prevent such activity, nor are they required to contribute financially to victim reimbursement.
Most APP scams originate well before the payment stage, often via messages sent through mobile networks, adverts hosted on social media, or links circulated on encrypted platforms. According to Ofcom, 45% of UK mobile users received scam texts or calls every month—a staggering figure that underscores the scale of the problem. Investigations by Which? have repeatedly exposed persistent failures by Meta and Google to take down fraudulent investment adverts, even when reported. Encrypted messaging apps are also widely used to coordinate mule networks and disseminate scam scripts.
Despite this, these platforms remain untouched by the UK’s reimbursement regime. They are not required to detect or remove scam content, share intelligence with financial institutions, or compensate victims for the role their systems play in facilitating fraud. This lack of accountability undermines the deterrent effect of the reimbursement model and enables the broader fraud infrastructure to operate unchecked.
Emerging Reform: Online Fraud Accountability
A critical next step in tackling APP fraud lies in broadening the scope of liability beyond the financial sector. The proposed Online Fraud Accountability Bill, currently under parliamentary review, seeks to address this by introducing enforceable obligations on digital platforms and communications providers. If enacted, the legislation would require online platforms, including social media companies, search engines, and messaging services, to swiftly identify and remove scam content, such as fake investment adverts and impersonation profiles. It would also enable regulators to impose fines on firms that fail to act on fraudulent activity, creating clear financial consequences for inaction.
In addition to content moderation, the bill aims to promote cross-sector collaboration through mandatory data sharing and joint intelligence mechanisms between financial institutions, telecoms providers, online platforms and law enforcement. This whole-system approach recognises that fraud is no longer a banking-only issue, but a complex, multi-actor threat that requires cooperation across industries. The bill builds on the Online Safety Act 2023, which already imposes duties of care on digital platforms to prevent users from being exposed to illegal and harmful content, including fraud-related material. However, the Online Fraud Accountability Bill would go further by introducing explicit obligations tied to financial harm, creating the regulatory teeth currently missing from the fight against online-enabled fraud.
What More Is Needed?
While mandatory reimbursement provides vital redress to victims, it must not become the end of the UK’s fraud response. To move from compensation to systemic resilience, the UK needs a multi-sector, preventative strategy that addresses the full lifecycle of a scam, from initial contact to fund recovery. One urgent priority is the extension of Confirmation of Payee (CoP) to cover all account types, including business, savings, and non-standard accounts, thereby reducing misdirected payments and impersonation attacks.
Stronger controls are also needed to detect and disrupt mule accounts, which are critical to the movement and laundering of stolen funds. Real-time transaction monitoring and blocking tools, particularly at receiving institutions, should be standard practice. Additionally, there is an urgent need for industry-wide data sharing infrastructure to identify emerging fraud typologies, coordinated with law enforcement investment to ensure criminal actors are traced, prosecuted, and deterred. These efforts should be supported by nationwide public education campaigns aimed at improving digital hygiene, raising scam awareness, and reducing susceptibility to social engineering.
Conclusion: A Necessary Reform, But Not Enough
The UK’s mandatory reimbursement regime for APP fraud represents a significant advancement in consumer protection, addressing long-standing concerns around fairness, consistency, and redress. It ensures that victims, particularly individuals, charities, and small businesses, are no longer left to carry the financial burden of sophisticated scams. However, this model is fundamentally reactive. It compensates after the fact, rather than disrupting the conditions that allow fraud to flourish.
As long as digital platforms, telecom providers, and other enablers remain outside the liability framework, the financial sector will continue to carry the cost of crimes it cannot fully control. To create lasting change, the UK must adopt a shared responsibility model, underpinned by legislation, technology, and collaboration. This is the only viable path to disrupt the fraud supply chain, protect consumers at scale, and ensure that those profiting from the proliferation of fraud are held to account.