The promise of enhanced fraud protection vs the reality of unexpected challenges

This October marks exactly one year since the UK financial services industry underwent a major shift to help victims of Authorised Push Payment (APP) fraud. On October 7, 2024, the Payment Systems Regulator (PSR) implemented mandatory reimbursement rules for APP fraud; banks must compensate APP scam victims up to a maximum of £85,000, within 5 working days of a claim. You can read the article Edgar, Dunn & Company published about the UK and European APP fraud before these new reimbursement rules were implemented, here.

The new regulation provides guaranteed protection to customers, and ensures consistent reimbursement across all APP scam victims, a promise that was not kept under the previous Contingent Reimbursement Model (CRM), a voluntary code introduced in 2019.

Whether or not the new intervention has delivered on its promise is a complex question. The new rules have improved customer protection, and standardised practices across all PSPs; however, new challenges have arisen, alongside legacy weaknesses in the UK’s approach to APP fraud.

What do the numbers say?

According to the 2025 UK Finance Annual Fraud Report, the total amount lost to APP fraud in 2024 was £450.7 million, slightly down from total losses in 2023 (-2%), but notably lower than the figures for 2020 – 2022 (the years of CRM). The total number of cases where a loss occurred was also down, by a much larger 20% in 2024, at 185,733. The 2024 figures for both losses and cases are the lowest numbers on record, however it must be noted this reduction in the statistics began before the implementation of the mandatory reimbursement rules, meaning this trend cannot be attributed solely to the new regulation.

The average loss per case jumped 23% to £2,427 in 2024, compared to £1,978 in 2023. This is a concerning statistic, and demonstrates that whilst cases are on the decline, we may be seeing evidence that fraudsters are shifting their tactics and changing scam types. Fraudsters, for example, could be targeting fewer, but richer, victims with sophisticated cons. Criminals are also leveraging AI-powered tools to create realistic investment opportunities and impersonation scams, which trick victims into making larger payments in a single transaction.

Another point that must be kept in mind is the limited scope of the scheme. Any payments made across payment systems other than FPS and CHAPS are not included in the mandatory reimbursement, and neither are international payments. Combine this and you are left with a large number of unprotected victims who may have been targeted by increasingly sophisticated international fraud operations. Investment scams, in particular, are driving the rise in average APP scam value, with losses in this fraud type increasing sharply even as the number of cases fall. Moreover, APP scams that involve cross-border or cryptocurrency elements, tend to have higher transaction values, compounding the average case value.

The human impact

Numbers only tell one side of the story – there is always a person on the other end whose life has been severely impacted by APP fraud. One prospective homeowner was tricked into sending £22,000 to someone she thought was a conveyancer. The fraudster had cloned the real conveyancer’s email address and sent their bank details instead. Luckily the regulation came into play and the victim was reimbursed the full £22,000 (minus the £100 excess) and was able to buy her new home.

Another elderly woman was scammed out of £100,000 by fraudsters claiming to be from her bank’s fraud department. She had been spending time at the hospital with her husband in his final days and was both emotionally and physically drained. Despite the amount being over £85,000, the bank decided to reimburse her the full value since she was deemed to be a vulnerable customer.

Another example involves a young man who fell victim when he received a call from fraudsters pretending to be from Royal Bank of Scotland (RBS), who convinced him to move £1000 from his RBS current account to what he thought was his Revolut account. The fraudsters then re-directed the funds from Revolut to Coinbase and Transak, both of which are platforms for cryptocurrencies. This scam happened within 40 minutes.

In addition to this, the £100 excess has proven highly controversial amongst customers. The sending PSP can choose not to refund an amount up to the first £100 lost, in an attempt to ‘encourage customers to remain vigilant when making a payment.’  Whilst banks can decide themselves whether they apply this £100 excess or not, many customers have reported feeling unfairly penalised by this.

The unintended consequences: Fraudsters adapt, problems persist

The excess is creating unforeseen headaches for regulators: fraudsters may evolve their tactics to defraud people via smaller individual payments of less than £100, in the hope that the victim will not report it due to them not being able to get the money back (in some cases).

The new reimbursement rules have also created "moral hazard" concerns – the fear that customers might become less cautious knowing they will be reimbursed. However, PSR statistics suggests this has not materialised, with only 3% in the 1st quarter of 2025 of claims rejected for failing to meet the “consumer standard of caution”, meaning the consumer not being cautious enough.

Looking forward: What this means for the industry

As we mark the first anniversary of this regulation, several key implications emerge for PSPs and customers:

• For large banks: Major institutions were already broadly following the voluntary reimbursement procedures of the CRM. As such, the main impact observed is increased compliance costs and the need for enhanced collaboration with receiving institutions.
• For smaller PSPs: The regulatory burden has become more manageable since the reduction to £85,000 (note: the reimbursement threshold was first proposed to be £415,000). However, sophisticated fraud detection capabilities continue to favour larger institutions with greater resources. Some smaller providers also report struggling with sharing the cost of reimbursement, at half for the sending and half for the receiving institution when dealing with traditional banks that may be slow to collaborate.
• For customers: Protection has undoubtedly improved, but gaps remain. The exclusion of international payments and certain payment types creates ongoing vulnerabilities, while the £100 excess continues to generate dissatisfaction amongst the cost-sensitive accountholders.

The evolving threat landscape presents new challenges. AI-facilitated APP fraud is growing rapidly, with AI enabling fraudsters to quickly identify victims and tailor attacks to individuals with unprecedented sophistication. This means reactive reimbursement alone is not enough – a standardised reimbursement scheme was the necessary first step, but increased data sharing between financial institutions is the natural next step to stay ahead of fraud.

The upcoming 12-month review of the £85,000 cap will be crucial. Further updates published in 2025 found that since the regulation has been introduced, 88% of money stolen through APP fraud was returned to victims (roughly £112 million, from 7 October 2024 to 30 June 2025 – according to the PSR). This is great for many customers, but we cannot forget about the remaining £15.3 million that is permanently lost and will probably reach £30m by the end of 2025. The balance between consumer protection and systemic risk remains delicate. How regulators and banks adapt to navigate the new challenges of APP fraud will remain a key topic of interest, and Edgar, Dunn & Company will continue to monitor developments in this field closely.

‍

The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).