Over the past few years, the Payment Systems Regulator (PSR) and Bank of England (BoE) have published a huge number of consultations, guidance documents and specific directions outlining the requirements under the new regime for authorised push payment (APP) fraud. With the new mandatory reimbursement requirements for Faster Payments and CHAPS now in force, we provide a quick reference guide to the key aspects of the new regime, next steps for in-scope payment service providers (PSPs) and what they need to consider when applying the new rules.
For an overview of the key publications, you can also take a look at our Engage article ‘UK APP fraud mandatory reimbursement regime: Next steps for PSPs and overview of key publications’.
The key aspects of the new regime for APP fraud reimbursement include:
Rules apply from: 7 October 2024.
In-scope customers: Consumers, micro-enterprises and charities.
In-scope payments: Faster Payments and retail CHAPS payments in the UK in pounds sterling.
Liability: The sending PSP must refund the consumer, where required, but the receiving PSP must reimburse 50% of the refund amount to the sending PSP within 5 working days of being notified.
Refund limit: £85,000. There is no minimum threshold for a claim (although see the excess below).
Reporting requirements: Claims must be reported within 13 months after the last payment was authorised.
Refund timeframes: Refunds must be provided within 5 working days unless more information is required by the PSP. If so, PSPs can “stop the clock” but a final decision must be provided within 35 working days.
Refund exceptions: Refunds do not need to be made in the case of consumer fraud, gross negligence and breach of the consumer standard of caution; or a genuine dispute with the person paid by the consumer for the relevant goods and services.
Burden of proof: The sending PSP must show the consumer has acted with gross negligence.
Optional excess: £100.
Vulnerable customers: Vulnerable customers will not be subject to the consumer standard of caution and no excess will be applied.
Documentation requirements: Payment account terms and conditions must be updated by 9 April 2025.
Reporting requirements: The first report of data required by reporting standard A must be submitted by 6 January 2025, then monthly from 31 January 2025.
Record-keeping requirements: PSPs must collate and retain relevant data and records for a period of at least 5 years.
PSPs are not required to reimburse where, as a result of the consumer’s gross negligence, one or more elements of the standard of caution have not been met. This includes:
It’s clear that the standard for gross negligence is higher than the standard of negligence under common law and that consumers must have demonstrated a significant degree of carelessness in failing to meet the required standard of caution. It is the responsibility of the sending PSP to prove that the consumer has acted with gross negligence. In practice, this requires a subjective assessment by the sending PSP, taking into account the individual consumer’s circumstances and the nature of the scam.
In assessing gross negligence, consumers shouldn’t automatically be deemed to be grossly negligent for proceeding with a transaction despite warnings, including in situations where PSPs have personally engaged with consumers. PSPs need to review claims on a case-by-case basis, taking into account various relevant factors, including:
the nature of the intervention made by the sending PSP including whether it was sufficiently tailored;
the content of any warnings including the degree of certainty that a prospective transaction was an APP scam;
the complexity of the scam;
any claims history from the consumer suggesting a propensity to fall repeatedly for similar types of scams.
PSPs must ensure their complaints processes have been sufficiently updated to reflect the new rules and that complaint handlers have received adequate training. Given the subjective nature of the assessment, it’s important that PSPs also monitor their refund and claims data to ensure fair outcomes have been achieved for consumers. Otherwise, PSPs risk a potential avalanche of Financial Ombudsman Service (FOS) claims.
The PSR guidance is clear that any interventions from PSPs must be bespoke and not boilerplate. To reduce the risk of APP fraud (and the associated liability on PSPs), PSPs will need to ensure any warnings or interventions are sufficiently tailored to the consumer, scam and transaction. In practice, this means that passive warnings which routinely accompany transactions of a similar type won’t be sufficient. Written warnings can still be provided but they must be actively brought to the attention of the consumer and in many situations PSPs will need to proactively engage with customers.
PSPs must consider the essential information required to establish whether a consumer has been a victim of APP fraud. Information requests must not be used to frustrate or deter reimbursement claims. Requests will therefore need to be proportionate to the value and complexity of a claim, taking into account any claims history of the consumer. In assessing gross negligence in this context, PSPs must have regard to the individual consumer’s circumstances, as there may be valid reasons for not responding to an information request.
The Payment Services (Amendment) Regulations 2024 come into force on 30 October 2024. Under the new Regulations, PSPs will be able to delay the execution of a payment in the UK in pounds sterling by up to four business days (D+4) from the time a payment order is received if they have reasonable grounds to suspect fraud or dishonesty by someone other than the customer. This is an increase from the existing requirements for payments to be executed by D+1. PSPs need to consider whether to include this in their terms and conditions. In adjudicating claims, the FOS is likely to consider whether a PSP should have delayed or refused to make a payment where there were warning signs that a payment was part of an APP scam.
Where PSPs have not already done so, they should notify existing customers of their rights under the reimbursement requirement and rules, and of the upcoming contractual changes as soon as possible. PSPs were originally required to do this by 7 October 2024. However, given the last-minute confirmation of the change to the maximum reimbursement limit, the PSR has said that it will adopt a ‘pragmatic and proportionate approach’ to directed PSPs’ compliance with their customer notification obligations.
Whilst the PSR has not specified the form this communication must take, it has said that customers must be informed “in the same manner in which the PSP would notify their customers of other changes to the way in which they provide services”. Given the last-minute nature of the changes to the new rules, PSPs may be tempted to update customers quickly e.g. by email. This is fine where customers are usually notified of changes in this manner. Where they aren’t, for example, where customers do not use digital banking channels, then this process may be challenged by the PSR.
Terms and conditions for the customer’s payment account will need to be updated by 9 April 2025. Given that PSPs will have to provide two months’ notice of any changes to a framework contract, follow internal change procedures and meet marketing and print deadlines, PSPs need to be engaging with the updated rules now and working to change their terms.
The guidance published by the PSR in August 2024 is designed to assist PSPs with their customer communications but does not prescribe compulsory content. The PSR takes the view that customers should understand:
the scope of the reimbursement policy e.g. eligibility criteria, time limits, optional excess, maximum refund limit, exceptions and the application of the rules to vulnerable customers;
exclusions e.g. fraud, gross negligence and international payments;
what consumers can expect when making a claim e.g. the standard of care required, how to make a claim and access to FOS.
PSPs should ensure these areas are adequately covered in their terms and conditions.
The FCA recently published Dear CEO letters to banks and building societies and payment and e-money institutions (PIs and EMIs) outlining its expectations in relation to APP fraud reimbursement. In its letters, the FCA highlighted concerns around “on us” APP fraud reimbursement i.e. internal transfers which are not made through Faster Payments or CHAPS and therefore fall outside the protection of the new scheme. The FCA noted that customers are unlikely to understand that the level of protection available for “on us” APP fraud is lower than for other types of payments which could lead to poor customer outcomes. The FCA also reminded PSPs of Consumer Duty obligations to deliver good outcomes for consumers and invited PSPs to contact the FCA to provide an explanation of the steps taken to meet those obligations where a lower level of protection is provided for “on us” APP fraud.
As a result, PSPs must consider their approach to out-of-scope payments, particularly “on us” payments. Operationally, it may be easier to maintain one standard process for APP fraud payments made via internal transfer, Faster Payments and CHAPS. There is also clearly an expectation from the FCA that “on us” APP fraud should be given the same level of protection. This will be an important point to consider when updating terms and conditions and implementing systems and processes to comply with the new rules.
Sending PSPs are currently required to:
PSPs are also required to comply with record keeping requirements within the relevant CDRS.
The first report under standard A covering the period 7 October to 30 November 2024 must be submitted to Pay.UK by 6 January 2025. For CHAPS, PSPs are not required to submit nil returns to the BoE where they have not received any APP scam claims in the relevant reporting period.
The reporting process is currently manual but the PSR is working towards introducing an automated system to manage APP scam claims, communicate in respect of claims and comply with data reporting requirements - the Reimbursement Claim Management System (RCMS).
At this point, PSPs should have already considered the operational steps required to comply with their reporting and record keeping requirements. However, at some point in the future a separate reporting standard (reporting standard B) is likely to be introduced.
The PSR has said that, in late 2024, it intends to consult on proposals to require use of the RCMS and on whether and when a shift to reporting standard B could take place. PSPs should be ready to respond to this and should be thinking about the practical steps involved in meeting these new requirements.
The maximum reimbursement limit has been set at £85,000 per claim. This level will mean 99.8% of all Faster Payments APP scams by volume, and 90% by value, are fully reimbursed, providing they fall in scope of the regime. It is also expected that this limit will still cover the majority of CHAPS claims based on data received to date on APP scams. The average value of an APP scam sent over CHAPS in 2023 was around £51,000. However, there will still be a proportion of APP scam claims which are not fully covered by the new regime and which may be escalated to the FOS for review.
The FOS has the power to award compensation of up to £430,000 per complaint. The PSR has noted that it is ‘theoretically possible’ for consumers to recover losses up to £945,000 where the consumer makes a complaint against both the sending and receiving PSP. This would be made up of an award up to £85,000 against the sending PSP for any failure to reimburse under the reimbursement requirement and for the FOS to make an award against each PSP (up to the statutory limit of £430,000) for any unrecovered losses if it considers that each PSP was at fault in some way when making the payments.
The FOS has a duty to resolve complaints based on what it thinks is “fair and reasonable” in all the circumstances of the case. This gives the FOS a wide discretion in its decision making and in practice, could mean that PSPs may be on the hook for much higher reimbursement claims than the rules anticipate.
Where PSPs have not already done so:
PSPs need to comply with record keeping and reporting requirements within reporting standard A:
If you would like to discuss any aspect of the new APP fraud reimbursement requirements for Faster Payments and CHAPS, please get in touch with any of the people listed above or your usual Hogan Lovells contact.
Authored by Aine Kelly.