Authorised Push Payment Fraud: Reimbursement Regimes and the New Liability Landscape

Authorised Push Payment (APP) fraud has emerged as the defining financial crime challenge for retail payment service providers in the era of instant digital banking. Unlike traditional payment fraud where a transaction is initiated without the account holder's knowledge, APP fraud involves the victim being manipulated — through social engineering, impersonation, and elaborate deception — into authorising a payment to a fraudster-controlled account. The technical authorisation of the payment means that conventional fraud detection systems, which are calibrated to identify unauthorised transactions, are largely blind to it.

The scale of APP fraud losses reflects both the effectiveness of the social engineering techniques deployed and the structural vulnerability of payment systems that combine instant irrevocability with weak pre-payment victim warning mechanisms. UK Finance reports that APP fraud losses in the UK exceeded £580 million in 2025, and similar loss trajectories are observable in Australia, Singapore, India, and across the European Union as instant payment infrastructure has matured in each jurisdiction.

The policy and regulatory response to APP fraud has been more decisive and more consequential for financial institutions than any previous fraud typology. The introduction of mandatory reimbursement obligations, shared liability between sending and receiving payment service providers, and supervisory expectations around pre-payment fraud screening have fundamentally changed the economics and governance of APP fraud risk management.

Regulatory, Enforcement, and Market Context

The UK's Payment Systems Regulator (PSR) introduced mandatory APP fraud reimbursement rules in October 2024, requiring all payment service providers participating in the Faster Payments scheme to reimburse victims up to £85,000 per claim (subsequently revised), with costs split 50/50 between sending and receiving institutions. The rules explicitly create liability for receiving institutions, establishing a strong regulatory incentive for banks to implement robust mule account detection and outbound payment monitoring capabilities. The FCA has indicated that PSR rules compliance will be a supervisory priority.

Australia's National Anti-Scam Centre (NASC), operated by the ACCC, has driven the development of the Scam-Safe Accord, under which Australian banks have committed to specific APP fraud prevention measures including Confirmation of Payee, biometric authentication, and 24/7 scam intelligence sharing. ASIC has signalled enforcement interest in institutions that fail to meet their Scam-Safe obligations. MAS in Singapore has issued the Shared Responsibility Framework, allocating reimbursement responsibilities between telcos, banks, and other platform providers based on failure points in the scam delivery chain.

What the Data Is Showing

The typology breakdown of APP fraud losses reveals a dominant role for investment scam and impersonation fraud, which together account for over 70% of APP fraud losses by value in most jurisdictions with reliable data. Romance scam and purchase fraud account for a significant proportion of case volumes but lower average loss values. The average loss per investment scam victim has increased consistently year-on-year, reflecting the growing sophistication of the social engineering scripts deployed by organised scam centre operations.

The impact of mandatory reimbursement frameworks on institutional behaviour is already measurable. UK data indicates a significant increase in payment friction and pre-payment warning deployment by major banks following the introduction of PSR rules, with some institutions reporting 15-25% reductions in high-risk outbound payment completions following enhanced pre-payment intervention programmes. The challenge is calibrating these interventions to minimise false positives — blocking legitimate payments creates customer harm and regulatory exposure of a different kind.

Implications for Financial Institutions

Under shared liability reimbursement frameworks, both sending and receiving institutions must invest in APP fraud detection capability. Receiving institutions must ensure that mule account detection, onboarding friction, and inbound payment monitoring are calibrated to identify APP fraud proceeds before they are moved onward. Sending institutions must invest in pre-payment risk scoring, contextually appropriate friction injection, and customer warning mechanisms that are effective without creating unacceptable customer journey degradation.

The governance implications of mandatory reimbursement are significant. APP fraud losses are now a direct P&L exposure for payment service providers, requiring board-level financial crime reporting that captures reimbursement liability alongside direct fraud losses. Institutions should develop clear methodologies for attributing APP fraud reimbursement costs to business lines and channels, and should use this data to prioritise investment in the preventive controls that deliver the highest loss reduction per unit of cost.

Conclusion

APP fraud has become the central financial crime challenge for payment service providers globally, and the introduction of mandatory reimbursement regimes has transformed it from a customer protection issue into a direct financial and regulatory risk for institutions. The institutions that build genuinely effective APP fraud detection and prevention capability — spanning pre-payment screening, real-time intervention, mule detection, and cross-institutional intelligence sharing — will have a material competitive advantage as the regulatory framework continues to tighten.

Suggested Next Steps

• Model your APP fraud reimbursement liability exposure under applicable frameworks and ensure board-level financial crime reporting captures this as a distinct P&L risk category.

• Implement or enhance pre-payment risk scoring and contextually appropriate friction mechanisms for high-risk outbound payment journeys, calibrated to minimise false positive customer impact.

• Strengthen receiving-side mule account detection and inbound payment monitoring to reduce your liability exposure under shared responsibility frameworks.

• Participate in industry APP fraud intelligence sharing initiatives and bilateral reimbursement dispute resolution processes to improve detection efficiency and cost recovery.

  
  

Sources: UK Finance APP Fraud Report 2025; Payment Systems Regulator APP Fraud Reimbursement Rules; ACCC National Anti-Scam Centre Scam-Safe Accord; MAS Shared Responsibility Framework; ASIC Scam Prevention Guidance; EBA PSD3 Draft Guidance; BIS CPMI Fast Payments Fraud Guidance.

TrustSphere helps financial institutions design and deploy intelligent fraud and financial crime detection solutions. Visit www.trustsphere.ai