APP fraud update – the new Payment Systems Regulator rules

12.11.24

The new mandatory reimbursement requirement for Authorised Push Payment (APP) fraud came into force on 7 October 2024 in the United Kingdom. This marks a significant development in how Payment Service Providers (PSPs) must address APP fraud and comes hot on the heels of two key recent decisions in Larsson v Revolut and Terna Energy Trading v Revolut which have further shaped the landscape of compensation for victims of APP fraud.

In this article, we provide detail on the new APP fraud rules and the separate guidance published regarding civil disputes. We also provide commentary on the two-tier system that may be created by the new rules, whereby only certain customers will be protected from APP fraud.

What are the new Payment Systems Regulator rules?

APP fraud takes place when an individual is tricked into sending money from their account to the account of a malicious third party. It presents a major problem in the UK, with over £459.7 million lost to APP scams in 2023 alone.

In a bid to prevent APP fraud and better protect customers, the Payment Systems Regulator has implemented new regulations that require PSPs to reimburse eligible victims of APP fraud. Firms including high street banks, building societies, smaller payment firms and e-money firms must comply with the new rules.

Under the new rules, sending firms are obligated to reimburse eligible individuals, microenterprises and charities, collectively termed ‘consumers’ in the new rules, that fall victim to APP fraud and transfer money from one UK bank account to another UK bank account via the Faster Payments system. Those who transfer money via CHAPS will also have recourse, as the Bank of England has implemented a similar mandatory reimbursement requirement. Once aware of an APP scam, the sending firm may notify the receiving firm and seek a 50% contribution to the cost of reimbursement, which must be paid to the sending firm within five working days.

Those who fall victim to APP fraud should promptly contact the sending PSP, and in any case must report the fraudulent payment within 13 months in order to be eligible for reimbursement. PSPs may also charge an excess of up to £100 per claim and there is a cap of £85,000 per claim, reduced from the original proposal of £415,000. The PSR estimates that the £85,000 claim cap will cover over 99% of claims. However, should a victim suffer loss in excess of this cap, they can still refer the matter to the Financial Ombudsman Service to make a claim for up to £430,000. 

Where a valid claim is made, consumers can expect to be reimbursed within five days of making the claim. However, the sending PSP may extend this time period by 35 days in order to investigate the APP fraud and gather further information.

Whilst the new rules might seem particularly harsh on firms, the burden of addressing APP fraud does not fall exclusively on them - consumers must remain vigilant and exercise caution when making payments. Firms are not obligated to reimburse consumers who have been grossly negligent in making a payment, save for those who are vulnerable. Gross negligence in this context means failing to have regard to any warnings or interventions issued by the sending firm or a competent authority before the payment is made. Any such intervention must be more than a generic warning, however, and time will tell how firms will detect potential APP scams and report these to customers.

In meeting the consumer standard of caution, consumers must also promptly report any suspected APP scam and co-operate with the sending firm by responding to any reasonable and proportionate requests for information. Consumers should also consent to the firm making a report to the police on their behalf, or report the fraud to the police directly. If a firm refuses to reimburse a consumer on the basis that they have been grossly negligent, the burden is on that firm to demonstrate the same.

Civil disputes

Firms are not obligated to reimburse consumers who are engaged in a private civil dispute, rather than an APP scam, even though the two may in some cases appear similar. 

The Payment Systems Regulator has published guidance to assist firms in making such an assessment. In summary, a civil dispute may involve payments made to a genuine retailer or business where the customer is not happy with the product or service received. Where there is no indication of an intent to defraud, there is no requirement for a firm to reimburse the customer, and instead the dispute should be resolved via the civil court system.

Two-tier system

Whilst it is anticipated that the new requirement will have a positive impact on consumers across the UK who fall victim to APP fraud, there is a risk that the reimbursement requirement will create a two-tier system whereby only certain customers, i.e. eligible individuals, microenterprises and charities, will be protected from APP fraud. Businesses that are not eligible for reimbursement may suffer from the same type of fraud but have no recourse through the scheme and will, instead, be forced to turn to the limited protections provided by the courts. 

Following the Supreme Court decision in the Philipp v Barclays UK Plc case, it’s well established that banks do not owe a duty to customers where they expressly authorise the bank to make payment on their behalf – such as in cases of APP fraud. This was upheld and restated in the CCP Graduate School Ltd v National Westminster Bank Plc and Santander UK Plc case.

As there appears to be little prospect of recovery against the sending firm, victims are seeking recourse against the receiving firm. In the Larsson v Revolut case, the claimant was a victim of APP fraud – Mr Larsson sent funds from a bank account to five bank accounts held at Revolut, which were quickly emptied by fraudsters. 

The claimant had a separate bank account with Revolut, which was not involved in the APP scam. On this basis, Mr Larsson sought to establish that both contractual and tortious duties of care were owed by the bank. It has long been the case that no such duty is owed to non-customers, and the court found no reason to impose a duty of care just because the claimant who authorised the payment was also a customer of the receiving firm.

The door has not been completely closed on claims against the receiving PSP, however. In the Terna Energy Trading v Revolut case, a claim was brought against Revolut, again the receiving firm, on the basis of unjust enrichment. The claim was struck out on the basis that there was no direct transfer to Revolut and therefore no basis on which to establish unjust enrichment. However, the court left open the possibility of future claims in unjust enrichment being brought where there was a first payment. Revolut is appealing this element of the decision.

In addition, in the CCP v NatWest case, the claimant put forward a ‘Retrieval Duty’ argument, contending that in the context of APP fraud the sending and receiving banks should owe a duty to the victim to retrieve the misappropriated funds. This case is subject to appeal, therefore we await clarification on whether the retrieval duty may be available to those who are not eligible under the new mandatory reimbursement requirement. 

For more information on the new mandatory reimbursement requirement or assistance relating to APP fraud more generally, contact our commercial disputes team.
