Authorised Push Payment (APP) fraud has surged across the UK, ensnaring thousands of individuals and small businesses each year. Victims are deceived into transferring money to fraudsters under false pretences — a situation that, until now, has left many without meaningful redress. But a turning point has arrived. From 7 October 2024, banks are legally required to reimburse eligible victims of APP scams under a mandatory framework driven by the Payment Systems Regulator (PSR).
This development doesn’t just represent an improvement in consumer protection; it reshapes how the financial sector handles fraud, shifting liability and pushing prevention to the top of the agenda. With financial losses from APP scams reaching £459.7 million in 2023, the urgency behind this regulatory overhaul is clear.
This report explores how these rules work, who is protected, what exceptions exist, and how the changes are expected to impact consumers, financial institutions, and fraud prevention efforts.
The Regulatory Shift: What Changed in October 2024?
A Legally Enforceable Safety Net
Before October 2024, victims of APP fraud were at the mercy of the voluntary Contingent Reimbursement Model (CRM) Code. While well-intentioned, the code only applied to banks that had opted in, and reimbursement outcomes varied wildly. Victims could face rejection depending on the bank’s internal policies or interpretation of the rules.
Now, under new PSR directives — Specific Direction 20 (SD20) and Specific Requirement 1 (SR1) — all payment service providers (PSPs) handling Faster Payments or CHAPS are legally bound to reimburse eligible victims. This includes both high street banks and e-money institutions such as fintech providers.
Who Oversees the New Framework?
The Payment Systems Regulator is the central authority enforcing the scheme. Working with Pay.UK, which operates the UK’s core payment systems, the PSR mandates that reimbursement rules are embedded directly into system architecture. Every qualifying bank must now play by the same rulebook.
Key Differences: Voluntary vs. Mandatory
Here’s a breakdown of how the new regime compares to the old:
| Feature | CRM Code (Pre-October 2024) | New PSR Rules (Post-October 2024) |
| --- | --- | --- |
| Obligation | Voluntary | Mandatory |
| Coverage | Signatory PSPs only | All FPS and CHAPS PSPs |
| Reimbursement Consistency | Variable | Standardised |
| Cost Allocation | Sending bank (mainly) | 50/50 split (sender/receiver) |
| Enforceability | Industry self-regulation | PSR directives & Pay.UK system rules |
What Are APP Scams – and Why Are They So Hard to Stop?
Understanding the Scam Structure
An Authorised Push Payment scam happens when someone is tricked into sending money to a fraudster. The victim authorises the payment, believing they’re paying a contractor, a friend, or an investment provider. Because the victim consented, these scams fell into a grey area where reimbursement was not guaranteed.
This contrasts with unauthorised fraud, where criminals steal funds directly without consent. Banks typically cover unauthorised fraud quickly. With APP fraud, though, victims bore the emotional and financial costs — until now.
Most Common Types of APP Scams
Understanding the tactics can help prevent more victims. Here are the most frequent APP fraud types:
- Impersonation scams: A caller claims to be from HMRC, the police, or a trusted business, demanding immediate payment.
- Purchase scams: Victims pay for goods that never arrive — often advertised on social media or fake websites.
- Investment scams: Fake offers for high returns on stocks, cryptocurrency, or property trick people into transferring funds.
- Romance scams: Fraudsters build emotional connections online, then ask for money.
- Invoice redirection: A business or individual is duped into changing payment details to a fraudulent account.
- CEO fraud: An email from a supposed executive directs a team member to send money urgently.
- Advance fee scams: Victims pay a “processing fee” to unlock loans, inheritances, or lottery winnings that never exist.
Fun Fact: According to UK Finance, purchase scams make up the largest number of APP fraud cases, but impersonation and investment scams cause the highest value losses.
Why These Rules Were Introduced
The Scale of the Problem
Losses from APP fraud totalled nearly £460 million in 2023, with more than 116,000 reported cases in the first six months alone — a 22% increase on the previous year. The true scale is likely much higher, as 86% of fraud incidents are never reported, according to the National Crime Agency.
Telecom-related scams, while less frequent than online fraud, account for 45% of the value lost, suggesting more sophisticated tactics lead to higher-value thefts.
The Failure of Voluntary Protection
Despite the CRM Code’s introduction in 2019, only 51% of victims were reimbursed in 2021, and some major banks refused to participate. This inconsistent patchwork led to the so-called “postcode lottery” of reimbursement.
The PSR determined that voluntary measures were not strong enough. Their solution: make reimbursement mandatory, with a firm set of rules and shared liability to encourage better fraud detection.
Who Is Protected?
Eligible Consumers and Organisations
The new rules cover:
- Consumers: Any individual with a UK payment account.
- Micro-enterprises: Firms with fewer than 10 employees and a turnover or balance sheet under €2 million.
- Charities: Those with annual income under £1 million.
Payment Types Covered
Only Faster Payments and CHAPS transfers are included. That means most UK bank transfers — including online banking and mobile app payments — now fall within the scheme.
Payments and Scenarios NOT Covered
Some transactions remain outside the scope:
- International payments
- Card payments (covered by other protections like Section 75)
- ‘Me-to-me’ scams (moving money between personal accounts set up by fraudsters)
- Cash, cheque, or ATM transactions
- Civil disputes (e.g., poor service, not fraud)
- Illegally proposed payments
- Payments involving credit unions or national savings banks
The “Gross Negligence” Test
What It Means – and How It’s Applied
A bank can deny reimbursement if it proves a non-vulnerable consumer acted with gross negligence — a significantly higher bar than simple carelessness.
Examples might include:
- Ignoring a direct warning from the bank about potential fraud
- Sharing full banking passwords or one-time passcodes
- Authorising a transfer after being told it was likely fraudulent
However, the bank bears the burden of proof, and according to PSR data, only 2% of claims were rejected on this basis in the first three months of the scheme.
Special Protections for Vulnerable Customers
Under the new rules, customers deemed vulnerable receive enhanced protection:
- The £100 claim excess cannot be applied.
- The gross negligence clause does not apply if the vulnerability was relevant to the scam.
- Banks must evaluate vulnerability on a case-by-case basis, including mental health, bereavement, financial hardship, or digital literacy challenges.
In early PSR data, 14% of all APP scam claims came from vulnerable consumers — a key focus for regulators under the FCA’s Consumer Duty obligations.
The Refund Process: What Victims Can Expect
Step-by-Step: How the Reimbursement Works
Once a victim reports an APP scam, their bank — the sending payment service provider (PSP) — must act swiftly. Here’s how the process unfolds:
- Report the scam: Victims must contact their bank as soon as they realise they’ve been scammed. Claims must be made within 13 months of the last fraudulent payment to be eligible.
- Initial investigation: Banks must reimburse the victim within five business days, unless they invoke a “stop the clock” clause to gather more information.
- Final decision: Even with delays, the bank must issue a decision — to reimburse or not — within 35 business days.
- If denied: Victims can file a formal complaint with their bank and, if unresolved, escalate to the Financial Ombudsman Service (FOS).
Required Documentation
Victims must supply reasonable information to support their claim, including:
- Scam description and timeline
- Payment details (amounts, dates, account info)
- Screenshots or transcripts of communication
- Any relevant documents (e.g. fake invoices or contracts)
Banks must treat these requests proportionately and cannot reject a claim without clear justification.


Who Pays? A 50/50 Split Between Banks
Shared Liability Explained
In an effort to reduce complacency among financial institutions, the PSR introduced a 50/50 liability split:
- The sending PSP reimburses the victim up to £85,000.
- The receiving PSP must repay half of that amount to the sender within five days.
This ensures both institutions are financially invested in preventing fraud, especially the receiving bank — often where fraudsters operate mule accounts.
Incentives to Improve Security
Banks and PSPs are now investing heavily in:
- Advanced fraud detection systems using AI and behavioural analysis
- Improved account screening to detect fake or risky users
- Better warnings and prompts to stop consumers mid-transaction
- Stronger interbank data sharing to flag suspicious activity faster
This collaborative push is already showing results. The PSR’s initial report noted a marked improvement in cooperation and faster response times across the industry.
Limitations and Responsibilities for Consumers
When Reimbursement May Be Denied
Despite the stronger protections, reimbursement is not guaranteed in every case. Banks may deny refunds if:
- The consumer was involved in the scam (first-party fraud)
- The consumer acted with gross negligence and is not vulnerable
- The claim was made too late (beyond the 13-month window)
- The payment falls outside the covered scope (e.g., international transfers)
What Is the “Consumer Standard of Caution”?
This is a formal set of expectations for consumers. To remain eligible for reimbursement, individuals must:
- Pay attention to specific scam warnings
- Report fraud promptly
- Cooperate fully with the investigation
- Allow police reporting where requested
Again, simple mistakes don’t disqualify a victim. Banks must prove the consumer’s behaviour amounted to gross negligence — a deliberately high threshold.
Caps and Excesses: How Much You Can Get Back
Reimbursement Limits
- Maximum cap: £85,000 per case
- Optional excess: Banks may deduct up to £100 from a refund
However:
- The excess cannot be applied to vulnerable customers
- Some banks waive the £100 excess entirely for all customers
- Claims below the excess threshold may not result in a payout
For claims above £85,000, the Financial Ombudsman Service can award up to £430,000 if it finds fault in how a bank handled a case.
Broader Impact on the Financial Sector
Changes Consumers Might Notice
The new regime is reshaping the consumer experience in several ways:
- Longer payment times: Banks can now delay suspicious payments by up to four business days.
- More security prompts: Expect stronger on-screen warnings during high-risk transactions.
- Increased account scrutiny: Customers may face stricter ID checks or transaction limits as banks try to clamp down on mule accounts.
Industry Investment in Technology
With liability now shared, banks are accelerating tech adoption:
- Behavioural biometrics to detect duress.
- Machine learning to analyse transaction patterns.
- Real-time alerts for unusual payments.
This “arms race” against fraudsters is part of a broader drive to enhance systemic fraud resilience.
Reactions from the Public and Advocacy Groups
Consumer Rights Groups: Cautious Praise
- Which? applauded the move as long overdue, but criticised the £85,000 cap and £100 excess.
- Age UK welcomed the special protections for vulnerable customers, noting the risks older people face.
- MoneySavingExpert expressed concern that scammers might begin targeting lower amounts to avoid triggering reimbursements.
Despite these reservations, the consensus is that the reforms are a major step forward in consumer protection and financial fairness.
Practical Advice for Consumers
What to Do If You’re Scammed
- Stop contact with the scammer immediately.
- Contact your bank via a trusted number or by dialling 159.
- Gather evidence — screenshots, emails, transaction details.
- Report to Action Fraud via www.actionfraud.police.uk or 0300 123 2040.
- If your bank denies your claim, escalate to the Financial Ombudsman Service.
Ongoing Tips to Protect Yourself
- Be cautious with unexpected calls, texts, or emails.
- Use Confirmation of Payee (CoP) to verify account names.
- Avoid transferring money to new payees under pressure.
- Keep your software and devices secure.
- Use two-factor authentication wherever possible.
- Pause before paying — especially if something feels rushed, emotional, or “too good to be true”.
Conclusion: A Safer Banking Future — But Stay Vigilant
The mandatory APP scam reimbursement rules mark a new era in financial accountability. By forcing banks to reimburse eligible victims and share the financial burden, the UK has set a global benchmark for protecting consumers from deception.
The early signs are promising, with 86% of victim losses now being reimbursed. But the fight is far from over. Scammers are already evolving, and both banks and consumers must remain alert.
The new rules offer a robust safety net, not a substitute for caution. As fraud tactics grow ever more sophisticated, it is this balance of regulation and vigilance that will ultimately determine how safe our financial system becomes.