APP Fraud Beyond the UK: How Authorised Push Payment Scams Are Going Global and What Regulators Are Doing About It

Authorised push payment (APP) fraud represents a fundamental paradigm shift in the fraud landscape. Unlike traditional payment fraud where the criminal bypasses the victim's authorisation, APP fraud manipulates victims into voluntarily initiating payments to fraudster-controlled accounts. This distinction has profound implications for liability, detection, and prevention — because the conventional fraud detection signal (an anomalous, unauthorised transaction) is largely absent. The payment looks legitimate because, from the payment system's perspective, it is.

APP fraud encompasses a wide spectrum of criminal typologies: investment scams, romance fraud, impersonation scams (bank, government, police), purchase fraud, invoice and mandate fraud, and CEO impersonation. What they share is the social engineering element — the manipulation of the victim's behaviour to authorise a payment they believe to be legitimate. The sophistication of these social engineering campaigns has increased dramatically, aided by AI-generated scripts, deepfake audio and video, and highly personalised targeting based on data harvested from social media.

While the UK has been the most advanced jurisdiction in terms of regulatory response to APP fraud, the typology is now a global phenomenon. Every jurisdiction with a real-time payment infrastructure is experiencing material and growing APP fraud losses. The regulatory debate about how to apportion liability between victims, sending institutions, and receiving institutions is playing out across multiple jurisdictions simultaneously.

Regulatory, Enforcement, and Market Context

The UK's mandatory APP reimbursement scheme, implemented by the PSR in October 2023, fundamentally changed the economics of APP fraud for UK banks. Under the scheme, victims are entitled to reimbursement of up to £415,000 per claim from sending institutions, with the cost shared equally between sending and receiving banks. This 50:50 liability split is explicitly designed to incentivise the receiving bank — the mule account host — to invest in controls to prevent its accounts being used as fraud destinations.

MAS has implemented a shared liability framework for scam losses in Singapore under the Shared Responsibility Framework (SRF), allocating liability between banks and telcos based on where control failures occurred. The Australian government's Scams Prevention Framework Bill imposes obligations on banks, telcos, and digital platforms to take reasonable steps to prevent scams, with civil penalty provisions for failure. The EU's revised Payment Services Directive (PSD3) includes enhanced requirements for APP fraud detection and consumer protection. These frameworks are converging on a clear regulatory direction: institutions will bear a meaningful share of APP fraud losses.

Regulation Asia has documented a significant increase in APP-type scam losses across the Asia-Pacific region, with Singapore, Hong Kong, and Australia all reporting record scam loss figures. The UNODC has documented the industrialisation of APP fraud operations through scam centres in Southeast Asia — industrial-scale operations in Myanmar, Cambodia, and Laos employing tens of thousands of workers in conditions amounting to forced labour, generating billions of dollars in APP fraud proceeds annually.

What the Data Is Showing

UK Finance data shows that APP fraud losses in 2024 totalled £571 million, with investment scams and impersonation fraud accounting for the majority of value losses. However, the reimbursement rate under the mandatory scheme has reached approximately 67% — a significant improvement from the 59% voluntary reimbursement rate in 2023. The residual losses falling on victims are concentrated in claims where contributory negligence or gross negligence exceptions apply.

In Singapore, the Singapore Police Force Anti-Scam Centre reported scam losses exceeding SGD 651 million in 2023, with investment scams and government impersonation accounting for the largest categories. Australian Competition and Consumer Commission data shows Australians lost AUD 2.74 billion to scams in 2023 — a 13% increase despite significant public awareness campaigns. The persistence of losses despite awareness efforts underscores that detection and intervention, not awareness alone, must be the primary control strategy.

Implications for Financial Institutions

Effective APP fraud detection requires signals that go beyond the transaction itself to the customer behaviour context: is this customer sending to a new payee? Is the amount unusually large? Has the customer recently been contacted through an unusual channel? Is there a device behaviour change or a new device? Are there browsing or in-app signals of social engineering in progress? These contextual signals, not the payment anomaly itself, are the primary detection surface for APP fraud.

Receiving bank controls are equally important under the emerging shared liability frameworks. Institutions must invest in controls that identify accounts being used as fraud destinations — particularly first-party mule accounts and accounts showing characteristic APP fraud receipt patterns. The 50:50 liability split creates a direct financial incentive to strengthen these controls, and institutions that have not yet made this investment will face material reimbursement exposure.

Conclusion

APP fraud is the defining financial crime challenge of the instant payment era, and the regulatory response across the UK, Singapore, Australia, and the EU is establishing a clear new standard: financial institutions are expected to bear meaningful liability for the losses that occur through their platforms and are expected to invest in prevention accordingly. Institutions that approach APP fraud as primarily a customer education problem are systematically underestimating both the threat and their regulatory exposure.

Suggested Next Steps

• Map your APP fraud detection capability against the sending-side and receiving-side control expectations of the applicable regulatory framework in each jurisdiction you operate in.

• Deploy behavioural analytics that capture contextual signals of APP fraud in progress: new payee patterns, large unusual amounts, device behaviour anomalies, and in-session social engineering indicators.

• Strengthen receiving-side controls to identify fraud destination accounts, including machine learning models trained on APP fraud receipt patterns and coordinated mule account indicators.

• Quantify your reimbursement liability exposure under applicable mandatory frameworks and develop a business case for prevention investment against projected reimbursement cost reduction.

Sources: UK PSR APP Fraud Mandatory Reimbursement Scheme (2023); UK Finance Fraud Report (2024); MAS Shared Responsibility Framework (2024); Australian Government Scams Prevention Framework (2024); ACCC Scam Watch Report (2024); Singapore Police Force Anti-Scam Centre Report (2023); UNODC Scam Centres in Southeast Asia (2024); Regulation Asia APP fraud and scam enforcement reporting (2025–2026).

TrustSphere helps financial institutions design and deploy intelligent fraud and financial crime detection solutions. Visit www.trustsphere.ai