PSR Consultation on APP scams

Thank you to Richard Creed from Creed Solicitors ( for providing this very useful insight into the PSRs latest consultation paper.

The Payment Systems Regulator issued consultation paper (CP22/4) in September 2022 relating to authorised push payment (APP) scams. Responses to the consultation paper are required by 5pm on 25 November 2022. If the Payment Systems Regulator's plans come into force, this will be a significant (and detrimental) change for payment institutions and electronic money institutions.

At the moment, ten PSPs have signed up to a Contingent Reimbursement Model Code. However, the overall level of reimbursement under the Code is still below 50% – and participation in the Code is voluntary. Many PSPs are not signatories. In July 2022, the government published its Financial Services and Markets Bill. This would allow the Payment Systems Regulator to use its regulatory powers to require PSPs to reimburse APP scam victims. It would also place a duty on the Payment Systems Regulator to take regulatory action.

The proposals set out by the Payment Systems Regulator: mandatory reimbursement and allocating costs

The Payment Systems Regulator wants the payments industry to change the way it manages APP scams. It is proposing measures to:

  • require reimbursement
  • improve the level of protection for APP scam victims
  • incentivise PSPs to prevent APP scams, whether as a sending PSP (which has the account the payment is made from) or a receiving PSP (which has the account the payment is made to)

These measures aim to protect people from scams and build their confidence in UK payment systems.

Mandatory reimbursement

The Payment Systems Regulator proposes to require all PSPs sending payments over Faster Payments to fully reimburse APP scam victims, with only limited exceptions. This will apply to consumers, micro-enterprises and charities. This will apply to both PSPs as Faster Payments participants and PSPs which access Faster Payments through an indirect access provider.

The exceptions will include scams where the consumer is involved in the fraud themselves, or where they have acted with gross negligence. The exception for gross negligence is a high bar, which the Payment Systems Regulator expects will apply in only a small minority of cases. It would not apply where a consumer was vulnerable.

The sending PSP will have to reimburse the victim as soon as possible, and no more than 48 hours from the fraud being reported. If the PSP has evidence or reasonable grounds for suspicion of either first party fraud or gross negligence, it will have more time to investigate and can delay the payment.

The Payment Systems Regulator proposes to allow PSPs to:

  • have a minimum threshold for a reimbursement claim (of no more than £100)
  • withhold an ‘excess’ (of no more than £35)
  • set a time limit for claims (of no less than 13 months)

Allocating the costs of reimbursement

Both sending and receiving PSPs can take steps to detect potential frauds, and can stop payments or block accounts if they suspect fraud. Currently, sending PSPs pick up the vast majority of the costs of reimbursement under the CRM Code (over 95%). This means receiving banks do not have strong incentives to prevent fraud and stop fraudsters controlling their accounts.

The Payment Systems Regulator proposes to allocate the costs of reimbursement equally between sending and receiving PSPs, with a default 50:50 split. PSPs can use a dispute management process to adjust the allocation, to better reflect the steps each PSP took to prevent the scam. The Payment Systems Regulator doesn’t intend the 50:50 default to be a fine-tuned allocation, but to provide adequate incentives for both sending and receiving PSPs.

The Payment Systems Regulator would like to see its core requirements for mandatory reimbursement in place for consumers as soon as possible, and no later than during 2024.

Concerns with the proposals

We have a concern that mandatory reimbursement will lead to an increase in fraud, as fraudsters could easily claim that they have been the subject of APP fraud, when in fact the money they have asked to be sent by a PSP is in an account they control. This would allow the fraudster to get reimbursement fraudulently. Whilst PSPs have the ability to claim that there has been fraud on the account and not reimburse the client, it will be difficult / impossible for PSPs to know which is genuine APP fraud and which is not. The risk is that the amount of fraud actually increases but it is just that PSPs now pick up the tab instead of consumers and that consumers have little incentive to be cautious when they think that they are possibly going to be the victim of APP fraud. If you have similar concerns, you can make this point in answer to question 2, ."Do you have views on the impact of our proposals on PSPs".

Rather than having a fixed excess of £35, we think it would be better to base the excess on a percentage of the payment which has been executed. In our industry it is obviously common to send hundreds of thousands of pounds on behalf of consumers. If the most amount of money a consumer can possibly lose is £35 (unless the PSP can prove fraud or gross negligence which the PSR admits is a very high bar), then the incentive for the consumer to double check that they are not the subject of APP fraud is minimal. However, if they were potentially going to lose 10% of the payment then this keeps the consumer interested in ensuring that they are not the victim of APP fraud. If you agree to this suggestion, you can respond to this proposal in question 7.

If you would like any more information about the proposals, please don’t hesitate to contact Richard Creed directly -