APP Fraud Liability and FCA Rules: Frequently Asked Questions

The Payment Systems Regulator's mandatory APP fraud reimbursement scheme, effective October 2023, transformed the liability landscape for UK payment firms. The £459 million lost to APP fraud in the first half of 2023 is no longer purely a consumer protection issue — firms that send payments on behalf of customers who are defrauded face direct financial liability. This FAQ addresses the most common questions from payment firms, banks, and financial advisers navigating their obligations.

£459M lost to APP fraud in H1 2023 (UK Finance). PSR mandatory reimbursement scheme (effective October 2023) places direct liability on payment firms for the majority of APP fraud losses.

The APP Fraud Regulatory Landscape

Multiple regulatory frameworks govern APP fraud obligations for financial firms:

  • PSR mandatory reimbursement scheme: Applies to UK Faster Payments transactions — sending and receiving PSPs must split reimbursement liability 50/50
  • FCA SYSC rules: FCA-regulated firms must implement controls proportionate to the risk of financial crime including cyber-enabled fraud
  • CRM Code (voluntary, now largely superseded): The Contingent Reimbursement Model Code established the framework that the mandatory scheme codifies
  • Payment Services Regulations 2017: Underlying legislation governing authorised push payments and firm obligations

Frequently Asked Questions

Which payment firms are subject to the PSR mandatory reimbursement scheme?

The scheme applies to payment service providers (PSPs) that offer Faster Payments services — including banks, building societies, authorised payment institutions, and e-money institutions that send or receive Faster Payments. It applies to transactions where the sender is a UK consumer or small business and the receiving account is in the UK. The mandatory scheme applies to transactions up to £415,000 per claim. Transactions above this threshold and most business-to-business payments are not covered by the mandatory scheme, though voluntary reimbursement may still apply.

How is liability split between the sending and receiving bank under the mandatory scheme?

Under the PSR mandatory scheme, reimbursement liability is split 50/50 between the sending PSP (where the victim holds their account) and the receiving PSP (where the fraudster's account is held). The sending PSP is the primary point of contact for the customer claim and must reimburse within 5 business days. The sending PSP then recovers 50% from the receiving PSP. This structure creates incentives for both PSPs to implement controls — sending PSPs to prevent customers from making fraudulent payments, and receiving PSPs to detect and prevent fraudulent accounts.

Are there circumstances where we can decline to reimburse a customer?

Yes — the PSR scheme includes a limited number of exceptions. A firm can decline reimbursement (or reduce the amount) where: (1) the customer acted fraudulently themselves; (2) the customer was grossly negligent — for example, sharing security credentials with a third party; or (3) the customer is a vulnerable customer who was not provided with appropriate support. The bar for "gross negligence" is high — the FCA and PSR expect firms to apply it sparingly and to give vulnerable customers significant protection. Firms must document their decision-making on reimbursement and be prepared to defend it to the PSR.

What cybersecurity controls most directly reduce APP fraud liability?

The cybersecurity controls with the most direct impact on APP fraud liability are: (1) email security and MFA — BEC is the primary enabler of APP fraud, so preventing email compromise cuts off the most common fraud pathway; (2) Confirmation of Payee — mandatory for UK Faster Payments, CoP catches misdirected and fraudulent payments before they are sent by checking the payee's account name against the account number; (3) transaction monitoring — real-time detection of APP fraud patterns (unusual beneficiaries, first-time high-value payments, "safe account" transfers) allows intervention before the payment completes; (4) customer friction — appropriate friction on high-risk payments (a delay, or out-of-band confirmation) provides the final line of defence.
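As an added illustration of controls (3) and (4), not code from the original FAQ or from any named vendor, the following Python sketch scores an outbound Faster Payment against the patterns listed above (new beneficiary, first-time high-value payment, "safe account" language in the reference, a Confirmation of Payee mismatch) and maps the score to a friction decision. The thresholds, score weights, the CoP outcome labels and the sample customer history are all constructed assumptions for the example; a real deployment would tune them to the firm's own loss data.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed thresholds for the example; a real firm would calibrate these.
HIGH_VALUE_GBP = 5_000
# Phrases commonly used by "safe account" scams in the payment reference
# (constructed list, not a page-supplied indicator set).
SAFE_ACCOUNT_TERMS = ("safe account", "safe acc", "secure account", "fraud team", "police")


@dataclass
class Payment:
    customer_id: str
    payee_sort_code: str
    payee_account: str
    amount_gbp: float
    reference: str
    cop_result: str  # assumed labels: "match", "close_match", "no_match"


@dataclass
class CustomerProfile:
    # "sortcode:account" keys the customer has successfully paid before
    known_payees: Set[str]


def payee_key(p: Payment) -> str:
    return f"{p.payee_sort_code}:{p.payee_account}"


def score_payment(payment: Payment, profile: CustomerProfile) -> Tuple[int, List[str]]:
    """Return a risk score and the list of indicators that fired."""
    score = 0
    reasons: List[str] = []

    # Pattern: unusual beneficiary (never paid by this customer before)
    new_payee = payee_key(payment) not in profile.known_payees
    if new_payee:
        score += 2
        reasons.append("new_payee")

    # Pattern: first-time high-value payment to that new beneficiary
    if new_payee and payment.amount_gbp >= HIGH_VALUE_GBP:
        score += 3
        reasons.append("first_time_high_value")

    # Pattern: "safe account" language in the reference field
    ref = payment.reference.lower()
    if any(term in ref for term in SAFE_ACCOUNT_TERMS):
        score += 4
        reasons.append("safe_account_language")

    # Confirmation of Payee outcome as a supporting signal
    if payment.cop_result == "no_match":
        score += 3
        reasons.append("cop_no_match")
    elif payment.cop_result == "close_match":
        score += 1
        reasons.append("cop_close_match")

    return score, reasons


def decide(score: int) -> str:
    """Map the score to the friction applied before the payment is released."""
    if score >= 6:
        return "hold_for_fraud_review"        # delay and a human review
    if score >= 3:
        return "out_of_band_confirmation"     # e.g. app push or call-back
    return "allow"


def assess(payment: Payment, profile: CustomerProfile) -> Tuple[str, int, List[str]]:
    score, reasons = score_payment(payment, profile)
    return decide(score), score, reasons


# Constructed sample history and payments for a stand-alone run.
SAMPLE_PROFILE = CustomerProfile(known_payees={"20-00-00:12345678"})
SAMPLE_PAYMENTS = [
    Payment("C1", "20-00-00", "12345678", 200.0, "rent", "match"),
    Payment("C1", "40-11-22", "87654321", 9_500.0, "invoice 42", "match"),
    Payment("C1", "60-33-44", "11112222", 12_000.0, "move to safe account", "no_match"),
]

if __name__ == "__main__":
    for p in SAMPLE_PAYMENTS:
        print(payee_key(p), assess(p, SAMPLE_PROFILE))
```

Running the block prints one line per sample payment: the routine rent payment is allowed, the first-time £9,500 payment to a new payee is routed to out-of-band confirmation, and the "safe account" transfer with a CoP mismatch is held for review. The documented reasons list is what a firm would keep alongside the reimbursement decision record the PSR expects.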

Does the PSR scheme apply to international payments?

The PSR mandatory reimbursement scheme applies to UK Faster Payments transactions only — domestic GBP payments sent via Faster Payments. International payments (CHAPS, SWIFT, SEPA, card payments) are not covered by the mandatory scheme. However, FCA SYSC rules requiring proportionate anti-fraud controls apply regardless of payment rail. Firms processing international payments that are vulnerable to APP fraud (payment instruction hijacking, BEC-enabled fraud) should implement equivalent controls to those required for Faster Payments, even where mandatory reimbursement does not apply.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.