Authorised Push Payment fraud: an ever-growing problem met by ever-evolving solutions

Making payments by bank transfer, settling invoices, and investing money online are all actions carried out by businesses and individuals every day for completely legitimate purposes. However, they are also tools used by fraudsters when manipulating funds out of individuals and businesses in instances of push payment fraud.

Push payment fraud, commonly referred to as Authorised Push Payment (APP) fraud occurs when businesses or individuals are deceived into transferring funds (such as by internal transfer, CHAPS or Faster Transfer) to accounts controlled by fraudsters.

APP fraud commonly occurs in two situations: (1) the victim intends to transfer funds to a specific individual or business and is deceived into transferring funds into an account controlled by fraudsters; or (2) the victim transfers funds for, what they think is, a legitimate purpose, which is, in reality, fraudulent. 

Increased instances of push payment fraud

Instances of APP fraud have increased in recent years. The trade association “UK Finance” reported a 12% rise in cases of APP Fraud between 2020 and 2023.

232,429 cases of APP in 2023 resulted in the losses suffered by victims totalling £459.7 million. Between 1 April and 30 June 2024, over half of the 8,743 complaints received by the Financial Ombudsman Service related to APP fraud. 

The mainstreaming of crypto currency has led to developments in APP fraud in this space. For example, fraudsters may pose as a crypto provider and convince victims to open a crypto wallet with the promise of receiving free coins or credit. When the victim funds the crypto wallet via internet banking, the fraudster will have full control of the funds in the wallet and can transfer them to their own, separate account.

What explains these ever-ascending APP fraud figures?

Perhaps the most predominant rationale is the exponential adoption, and acceptance, of real-time payment systems. This not only allows monies to be transferred to fraudsters accounts more quickly but also renders it much more difficult to recover lost funds. Rapid developments in generative AI, including improvements in deepfake technology, also risks facilitating more sophisticated APP frauds, especially in cases of impersonation scams where fraudsters deceive victims into thinking they are legitimate bodies such as banks, government bodies, or the boss of their victim’s own organisation. Fraudsters may target individuals with access to a company’s accounts, such as members of finance teams, seeking to convince them to make payments on behalf of the company. 

Recourse schemes

A major development in relation to recourse options for APP fraud victims became effective on 7 October 2024. The UK Payment Systems Regulator (PSR) introduced the new Mandatory Reimbursement Scheme, which requires APP fraud victims be refunded (funded equally by the bank from which money is transferred, and the bank to which money is transferred) up to a value of £85,000. The scheme will only reimburse victims where the payment is made using the Faster Payment Service (FPS) – a system which enables almost instantaneous electronic transfers of funds between bank accounts.

The Bank of England also announced that victims of APP Fraud who have lost money by way of a CHAPS payment will be protected in a similar way, and up to the same value, by way of the CHAPS Reimbursement Rules. There is not yet a similar recourse for victims of crypto APP fraud.  

Both the Mandatory Reimbursement Scheme and the CHAPS Reimbursement Rules allow a maximum reimbursement amount of £85,000. The new scheme was initially set to guarantee reimbursements up to £415,000. This was reduced by the PSR following a consultation in September 2024 in which smaller payment service providers (PSPs) voiced concerns that the £415,000 limit was too high and would have a negative impact on their profitability and capital holdings, and thus their ability to compete with other PSPs.

The new scheme ensures a means of recourse for victims and also incentivises PSPs to actively prevent APP fraud by adopting and improving protective measures. The introduction of the new scheme acknowledges the status of APP fraud as a serious exponentially growing problem, replacing the Contingent Reimbursement Model (CRM) Code, which was retired on 7 October 2024, under which signatory banks committed to reimburse victims of APP fraud in all but exceptional circumstances. The code was not universally applicable but instead could be signed up to voluntarily by PSPs. As the name suggests, the new Mandatory Reimbursement Scheme is not voluntary, but applies automatically to PSPs.

Recourse in the courts

APP fraud victims can also turn to the courts for recourse. Recent case law relates to the “Quincecare duty” – a duty on the part of banks to refuse to execute payment instructions if they are on notice that said instructions may be part of a fraud, unless and until the bank is certain the instruction is valid.

In July 2023, the Supreme Court in Philipp v Barclays Bank UK PLC refused to extend the Quincecare duty to situations where the instructions came directly from the bank’s customer, albeit an unwitting customer. The reasoning for this was that, whilst banks are under a contractual duty to prevent the misappropriation of funds, they are not under a duty to prevent APP fraud. Banks must follow authorised payment instructions given by their customers customer giving the payment instructions. The Supreme Court did not directly address, and therefore did not disallow claims being brought in relation to a “retrieval duty” on banks, which would see banks being under a duty of care to take reasonable steps to retrieve funds paid out by a customer because of APP fraud. 

In 2025, the High Court ruled on appeal that where a bank receives funds that have been transferred as a result of APP fraud, it does not owe the victim, with whom it has no contractual relationship, a duty to take positive steps to unwind harm caused by the APP fraud (Santander UK PLC v CCP Graduate School Ltd).  

New “failure to prevent fraud” offence

Large organisations should also be aware of the new corporate criminal offence of “failure to prevent fraud”, introduced under the Economic Crime and Corporate Transparency Act 2023 and set to come into force on 1 September 2025. This legislation effectively requires in-scope organisations to implement “reasonable procedures” to prevent fraud, which you can read more about in our article on new UK Government guidance on failure to prevent fraud offence. Although a failure to prevent would trigger a liability for banks, it would not necessarily be an avenue of recourse for victims.

Conclusion

Inevitably, given the ever-evolving nature of APP frauds, the courts will be forced to consider these issues, in differing forms, in the future. It is clear from current statistics that the prevalence of APP fraud is an ever-growing problem which needs combatting.

Our content explained