APP Fraud Reimbursement: One Year On, Is the Scheme Working?

October 2024 was meant to be a watershed moment for British banking customers. The Payment Systems Regulator's mandatory reimbursement scheme for Authorised Push Payment fraud finally went live, forcing banks to pay back victims of scams in most cases within five working days, with a £415,000 cap and a £100 customer excess that institutions could choose to waive. Eighteen months in, the early data is in, and the picture is more complicated than either the regulator or the banking industry expected.

If you have ever transferred money to what you thought was your conveyancer's account, only to discover days later it was an impersonator with a Lithuanian phone number, this scheme matters to you. So does the quieter pushback from banks who argue the rules now incentivise both careless customers and increasingly sophisticated fraud rings. Both sides have a point.

How the scheme works in practice

Under the PSR rules, if a UK consumer is tricked into authorising a Faster Payment to a fraudster, the sending bank and the receiving bank split the reimbursement 50/50. The customer can claim back up to £415,000 (reduced from the originally proposed £85,000 ceiling). Banks have five working days to assess the claim, with one extension to 35 days for genuinely complex cases.

Crucially, the rules apply to consumers and microenterprises, not large businesses. They cover Faster Payments, the dominant rail for retail fraud, but not international transfers, card payments or cash. They also have a "consumer caution" exception: if you are deemed grossly negligent — ignored explicit warnings, fell for an obviously implausible story, sent multiple payments after the bank flagged concerns — reimbursement can be reduced or refused.

What we know from the first year

The PSR's initial monitoring data, supported by figures from UK Finance, paints a mixed picture. Reimbursement rates have risen sharply across the industry, with most major banks now repaying over 80% of claims, up from a previous spread of 50% to 96% under the voluntary CRM Code. The big four (Barclays, HSBC UK, Lloyds, NatWest) and challengers (Monzo, Starling, Chase UK, Revolut) now sit in roughly the same range, which is genuinely new. Before the scheme, Monzo and TSB had notoriously different reimbursement records. The mandatory framework levelled that.

Total fraud losses, however, did not collapse the way some commentators predicted. Reported APP fraud has fallen modestly — UK Finance figures show a drop of around 12% in volume in the first nine months of 2025 — but criminals adapted. Investment scams, romance fraud and impersonation of HMRC or the police are now more elaborate, often spread over weeks of grooming before the actual transfer.

The new battlegrounds

One unintended consequence has been a sharp rise in customer-bank disputes over the "gross negligence" exception. Banks argue that some customers have become noticeably less careful since reimbursement became near-automatic. The Financial Ombudsman Service has reported a marked increase in complaints from customers whose claims were partially refused on negligence grounds, with the FOS frequently siding with consumers.

Another battleground is the £100 excess. The PSR allowed banks to charge it but most major firms — Monzo, Starling, Chase UK, Lloyds and Barclays — have voluntarily waived it for vulnerable customers, and several have waived it entirely as a competitive gesture. Revolut continues to apply it. Whether the excess actually changes customer behaviour is debatable; the more meaningful deterrent is the bank's own warning system at the point of transfer.

Confirmation of Payee, finally taken seriously

The scheme has had one undeniable benefit. Confirmation of Payee, the system that checks whether the name you type matches the account name on file, is now functionally universal across UK banks. Until 2024, several smaller institutions and most fintechs were exempt. The PSR effectively forced everyone onto it. If a CoP check fails — the name does not match — and a customer proceeds anyway, banks can use that as evidence of customer fault. The result is that practically every Faster Payment now carries a CoP check, and customers who ignore mismatches are on far weaker ground.

Where the scheme falls short

Crypto is the obvious gap. Once a victim moves money into a crypto wallet on Binance, Coinbase or a peer-to-peer exchange, traceability collapses. Banks argue, with some justification, that they cannot reasonably reimburse fraud that the customer themselves moved off the regulated rail. The PSR has acknowledged this without yet finding a clean answer.

International transfers are similarly excluded. Wise, Revolut and other multi-currency providers operate partially within and partially outside the scheme, depending on the rail used. A SEPA payment to a fraudulent IBAN in Spain falls largely outside the mandatory reimbursement framework, even though the customer experience feels identical.

The counter-argument banks keep making

Banking industry voices, including UK Finance, have argued the scheme creates moral hazard. Customers are less vigilant, fraudsters are emboldened, and honest banks subsidise the few institutions whose lax onboarding makes them attractive money-laundering destinations. There is some truth here. A small number of challenger banks have been disproportionately on the receiving end of fraudulent funds, raising legitimate questions about Know Your Customer standards. The PSR has signalled that receiving banks with persistently high fraud-receipt rates will face supervisory consequences. Whether that materialises remains to be seen.

The same critics also argue the scheme distracts from the deeper problem: most APP fraud originates on social media platforms, dating apps and messaging services that bear no liability whatsoever. A bank cannot prevent fraud that begins three weeks earlier on Facebook Marketplace. Some redistribution of liability toward the platforms themselves seems both fair and overdue.

What you should actually do

1. Treat every Confirmation of Payee mismatch as a red flag, never override one casually
2. Be especially cautious with large first-time payments — banks now apply additional friction, accept it rather than fighting through it
3. If contacted unexpectedly by your bank, the police or HMRC, hang up and ring back on the number from your card or the official website — never the number on the call
4. If you fall victim, report within 13 months to preserve your right to claim under the scheme
5. If your claim is rejected on grounds of gross negligence and you disagree, escalate to the Financial Ombudsman Service — recent decisions have leaned strongly toward consumers

For business customers, the harder truth

Microenterprises are covered, but anything larger than a 10-person business is not. SMEs with turnover or headcount above the threshold have no equivalent protection, despite being prime targets for invoice redirection fraud. If you run such a business, your protection is largely operational: dual-authorisation on payments, callback verification of any change in supplier bank details, and Faster Payment limits set deliberately low.

How banks have actually changed their behaviour

The clearest visible change since the scheme launched has been at the point of payment. Setting up a new payee on Lloyds, Barclays or NatWest now triggers a multi-step warning flow, with the bank often asking you to categorise the payment (paying a tradesperson, settling an invoice, sending money to family) and surfacing tailored warnings for each category. Monzo and Starling go further, occasionally pausing high-value payments to a brand new payee and prompting a video or in-app conversation with a fraud team member. Customers find this annoying. Customers also fall victim less often. Both can be true.

Behind the scenes, the major banks have invested heavily in real-time transaction monitoring and shared intelligence. UK Finance and Cifas now circulate fraud markers far more rapidly across institutions, meaning a mule account spotted at HSBC UK in the morning often finds itself frozen at Revolut by lunchtime. The systems are imperfect — false positives still inconvenience legitimate customers, particularly small business owners receiving large payments — but the trajectory is clearly improving.

Recovery beyond reimbursement

One underappreciated detail is that banks have a parallel duty under the Contingent Reimbursement Model and the new mandatory scheme to attempt recovery from the receiving end. If your money lands in a fraudster account at another bank and that bank acts quickly, funds can sometimes be clawed back even before reimbursement is processed. Time is everything. If you suspect fraud, ring your bank immediately, do not wait until the next morning, and certainly do not message the fraudster to demand answers, that simply alerts them to move the money on.

The wider international picture

The UK is not alone in this experiment. Australia introduced a similar reimbursement framework in 2024, and the European Union is debating a comparable directive that would harmonise rules across SEPA. Watching how those regimes evolve will be informative. Australia's scheme has produced clearer outcomes than the UK's in some respects, partly because of stricter receiving-bank obligations, but it has also seen sharper rises in regulator-imposed penalties on banks judged slow to reimburse. The British regime sits somewhere in the middle, generous to consumers, demanding of banks, and still finding its operational rhythm. Expect further tweaks from the PSR before the framework settles.

What it means for your bank choice

The mandatory scheme has effectively neutralised reimbursement record as a basis for choosing where to bank. All major firms now sit broadly within the same envelope. Where banks still differ noticeably is the quality of their fraud prevention warnings, the speed of their fraud team response, and the helpfulness of their staff when you ring at 11pm on a Sunday because something has gone wrong. Those soft factors matter more than headline reimbursement rates today.

Direct recommendation

Do not let the scheme make you complacent. Most fraudsters now assume British victims will be reimbursed and have shifted toward longer cons that are harder to retrospectively classify as APP fraud. The strongest protection remains a habit, not a regulation: never act on incoming financial pressure, never bypass a Confirmation of Payee mismatch, and treat any unexpected change in payment details as fraudulent until proven otherwise. The PSR has built a useful safety net, not an excuse to put down your guard.