PSR shares early findings from APP fraud repay scheme 

The Payment Systems Regulator (PSR) shared early findings from the authorised push payment (APP) fraud reimbursement scheme at Pay360 on March 26, exactly 170 days after the scheme came into force. It said APP fraud was on a downward trend, based on four months of data from the PSR and UK Finance.

The like-for-like data shows a 40% decrease in APP fraud, while the reimbursement rate has increased by 20%, said Mark Thynne, PSR senior manager, enforcement and compliance monitoring. “When we started there were concerns that reported fraud would go up, but we haven’t seen that.”

Thynne cautioned not to overstate the results based on four months of data.

The rejection rate for the Consumer Standard of Caution is also “very low” — firms are less frequently rejecting reimbursement claims on the basis of consumers’ gross negligence, which Thynne considered as a “positive” sign in some ways.

Based on industry feedback, firms remain “cautious” when applying the the Consumer Standard of Caution, Thynne said.

“It is there to be used. It should be used in exceptions. But we are not saying don’t use it if the circumstances justify it,” he added.

The data received through Compliance Reporting on the reimbursement contribution amount (RCA) was lower than Thynne would have liked; however, industry feedback suggested that this was a “systems issue” at firms, caused by their inability to attribute payments to RCA contributions, which the PSR is looking to improve.

The PSR will publish further guidance on APP fraud reimbursement by the end of April and conduct a full review of the regime in October.

Shared responsibility framework

Several payments firms cited Singapore’s shared responsibility framework (SRF) as the potential next step to the reimbursement scheme. The Monetary Authority of Singapore (MAS) imposed the “waterfall approach” in October, which requires all financial institutions, telecommunications and consumers to share liabilities from phishing scams.

Rory Tanner, head of UK government affairs at Revolut, commented that payments service providers alone should not bear liability. “If a financial institution fulfils its responsibilities, but the telecom company fails in its duties, the full responsibility for reimbursement falls on the telecom provider,” he said.

“In other markets, there has been a shift to focus reimbursement on other players in the value chain. With the PSR regime now in place in the UK and continuing under the FCA long-term, it raises the question of whether we should consider a new framework.”

Lee Fitzgerald, global fraud risk strategy director at Barclays, expressed a similar concern about sharing liabilities between all parties, depending on the scamming process. She said while customers were at the heart of Barclays, it was important for the bank to strike a balance between protection and responsibility, rather than shifting the problems away from them.

Social media is another key entry point of the APP fraud ecosystem. Both Thynne and David Geale, interim managing director at the PSR, noted that social media platforms have not taken as effective action as they could, a view that aligns with Revolut’s latest data, which shows fraudsters have taken “a significant shift” towards encrypted messaging platforms from other communication channels.

According to Tanner at Revolut, 46% of all losses in the last quarter of 2024 were linked to scams on WhatsApp and Telegram, with the majority being job and purchase scams. He added that the two messaging platforms were not signatories of November 2023ʼs Online Fraud Charter, making them a “weak spot” in the system.