New rules for bank transfer fraud reimbursement from 2024

Which? explains new plans for mandatory redress
Chiara CavaglieriSenior researcher & writer

Banks and other firms using the UK Faster Payments system will be required to split the cost of reimbursing victims of authorised push payment (APP) fraud under new rules outlined today.

Industry figures show victims lost £485.2m to APP fraud – where individuals or businesses are tricked into sending money to an account controlled by a fraudster – in 2022.

In 2016, Which? issued a super-complaint highlighting the glaring gap in fraud protection and redress for APP fraud. The voluntary CRM Code followed in May 2019, intended to give APP fraud victims fairer and more consistent redress. However, Which? successfully campaigned for mandatory reimbursement after raising concerns that victims still face a reimbursement lottery. 

Following consultation, the Payment Systems Regulator (PSR) has now set out how a mandatory scheme will work in practice. 

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

New rules to protect APP fraud victims

The PSR will require all payment service providers (PSPs) using Faster Payments (the payment system across which the vast majority of APP fraud currently takes place) to meet minimum standards for reimbursement. This will apply to over 1,500 PSPs – a big step up from the 10 banks and building society currently signed up to the voluntary CRM Code.

The new rules will be underpinned by several key policies:

  • Require payment firms to reimburse all in-scope customers who fall victim to APP fraud in most cases
  • Share the cost of reimbursing victims 50:50 between sending and receiving payment firms
  • Provide additional protections for vulnerable customers

In 2022, only 59% of APP fraud losses were returned to victims (either direct refunds or recovered by the receiving bank). Under the new rules all fraud losses will be reimbursed, other than in exceptional circumstances.

In line with rules for unauthorised fraud, firms will not reimburse customers who have acted fraudulently (‘first-party fraud’) or with gross negligence (this is a high bar with the burden of proof on the PSP and customers deemed to be vulnerable to a specific type of APP fraud are not subject to the gross negligence test or claim excess). 

The new rules will mean both sending and receiving firms will be incentivised to take action to prevent fraud, and where customers do fall victim to fraud, sending PSPs must reimburse customers within five business days. 

There is also a time limit for claims, as firms can reject fraud claims submitted more than 13 months after the final payment to the fraudster. However, the PSR has removed plans to introduce a £100 minimum threshold, which was originally included to ‘mitigate against potential unintended consequence of increased moral hazard’, where customers take less care when making payments. 

Claim excess and cap to be decided

The PSR has said it intends to consult further on details such as the allowable claim excess that payment providers can charge victims and maximum cap on reimbursement. 

Separately, it will be publishing data on how well firms are protecting customers from APP fraud, promoting intelligence-sharing to spot and prevent fraudulent transactions, and expanding the roll-out of the name-checking service Confirmation of Payee.

There are still gaps in fraud protection

The new reimbursement requirement does not currently apply to:

  • International payments 
  • Payments across other payment systems, for example, card payments, cryptocurrency transfers and CHAPS transactions (high-value transfers such as house purchases)
  • 'On us' payments, where the fraudster uses an account provided by the victim’s own PSP. 

This means many victims will continue to fall through the cracks – a Which? survey of over 1,000 fraud victims last year found that 20% of authorised fraud victims used a cryptocurrency app or website, 19% sent money to a foreign bank account and 17% used a digital wallet such as Apple Pay or Google Pay. 

The PSR said 'work is underway to consider whether the new reimbursement requirement (or equivalent protections) should apply to other payment systems'. 

While it does not regulate 'on us' payments (where the fraudster uses an account provided by the victim’s own PSP), the PSR said firms should reimburse APP fraud in the same way as Faster Payments.

When will the new rules come into force?

The PSR will be able to direct firms to reimburse fraud victims under the Financial Services and Markets Bill currently making its way through Parliament. The Bill is expected to receive Royal Assent in 2023, after which the PSR will be able to enforce its requirements on payment firms.   

  • In July the PSR will consult on the draft legal instruments to put reimbursement requirements in place
  • In August the PSR will consult on the maximum level of reimbursement and claim excess and additional guidance on the customer standard of caution (gross negligence)
  • In October the PSR will give the final legal instruments to Pay.UK and a further consultation on the legal instrument to be given to PSPs
  • By the end of 2023 the PSR will publish the claim excess and maximum level of reimbursement, additional guidance on the customer standard of caution (gross negligence) and publication of all legal instruments
  • In 2024 the new reimbursement requirement will come into force

The voluntary CRM Code requirements are expected to stay in place until the new reimbursement requirement comes into force, though there is nothing to stop PSPs from  voluntarily reimbursing victims of APP fraud now. The Government has said it is also looking at how to enable banks to have the ability to identify and pause suspicious payments inflight where appropriate.

Which? response: 'new rules must be properly monitored'

Rocio Concha, Which? Director of Policy and Advocacy, said: 'APP fraud continues to have a devastating financial and emotional impact on victims, yet they are currently being let down badly by banks when it comes to getting their money back, so it's hugely encouraging to see new rules which should lead to the overwhelming majority of victims getting reimbursed.

'New rules must be properly monitored to ensure firms comply, with tough enforcement action for those that fall below the required standards. With many victims losing life-changing sums of money to increasingly sophisticated scams, it will also be important that the regulator does not set the maximum level of claims too low, or exclude different types of fraud from the reimbursement obligation, which could see some people blocked from getting their money back.'

More on this

Related articles