Last updated: October 2023
What are Authorised Push Payment scams?
APP scams happen when someone is tricked into sending money to a fraudster posing as a genuine payee.
Every year thousands of individuals and businesses fall victim to APP scams, which can have a devastating impact on people's lives. The latest figures show £239.3 million was lost to APP scams in the first half of 2023.
The PSR expects to see more action from financial institutions to stop these scams from happening and to better protect people if they do fall victim.
There are various types of APP scams which are either:
- ‘malicious payee’, for example, tricking someone into purchasing goods which don’t exist or are never received.
- ‘malicious redirection’, for example, a fraudster impersonating bank staff to get someone to transfer funds out of their bank account and into that of a fraudster.
Getting the right protections for everyone
In May 2022, Treasury announced its intention to legislate to allow the PSR to require victim reimbursement for APP scams and in June 2023, this legislation came into effect with the Financial Services and Markets Bill receiving Royal Assent.
The new requirements will prompt a step change in the culture of payments to improve fraud prevention and focus all firms on protecting people.
- There will be new rules in Faster Payments – the payment system across which the vast majority of APP fraud currently takes place – strengthening Pay.UK’s ability to tackle fraud.
- All payment firms will be incentivised to take action, with both sending and receiving firms splitting the costs of reimbursement 50:50.
- Customers will be more protected under consistent minimum standards, with most APP fraud victims being reimbursed within five business days and additional protections offered for vulnerable customers.
- Industry will have clearer guidance to follow, including around the ability to apply a claim excess and maximum level of reimbursement, which the PSR will consult on later this year.
We are working with Pay.UK - the operator of Faster Payments - and the industry to make sure these requirements can be implemented as quickly as possible. In the meantime, banks and building societies should continue to develop their fraud detection and prevention arrangements to respond to the ongoing risk of fraud to their customers.
The PSR is also leading on a wider set of changes that would:
- Lead to the regular publication of data on how well firms are protecting customers.
- Continue the widespread rollout of Confirmation of Payee (CoP) – the name checking service designed to help prevent APP scams and misdirected payments. This would see coverage of this service extend from around 90% of transactions to almost all payments made by FPS and CHAPS.
- Support and encourage improved intelligence sharing to spot fraudulent transactions and stop them from happening.
The Contingent Reimbursement Model (CRM) Code
In 2018, we set up a steering group of industry and consumer representatives, led by an independent chair, to develop a voluntary, industry CRM Code. The final Code came into force in May 2019.
The CRM Code aims to reduce both the occurrence and impact of APP scams, and is designed to give people the confidence that, if they fall victim to an APP scam and have acted appropriately, they will be reimbursed. It sets out standards for signatory Payment Service Providers (PSPs) – a group including the largest banks in the UK – and for customers who are covered by the Code (consumers, micro-businesses and small charities). There are currently ten signatories to the Code.
The Lending Standards Board (LSB) oversees the Code and its members, while we continue to monitor the operation of the Code and the impact it has on the number of APP scams. The Financial Ombudsman Service provides dispute resolution between banks and customers on decisions under the Code as part of its considerations into the individual circumstances of a complaint.
Confirmation of Payee
In August 2019, we gave members of the UK’s six largest banking groups a Specific Direction to implement CoP by the end of March 2020. The PSPs subject to the direction are involved in around 90% of FPS and CHAPS transactions.
In July 2020, we confirmed that the directed PSPs had achieved widespread implementation of CoP, with certain agreed exemptions. This marked a significant milestone in addressing APP scams, but we aren’t stopping there. We want to continue to expand the protection offered by CoP, so in February 2022 we issued a Direction to ensure the transition of CoP to a single technical environment (phase 2), allowing more banks to offer the vital service. Following our May 2022 consultation, we also directed around 400 more financial firms to provide CoP. This will see nearly all transactions made via Faster Payments and CHAPS covered by CoP by October 2024.
With CoP, banks can check the name on a new payee’s account as well as the sort code and account number. Customers setting up a new payee (or changing details of an existing payee) will be able to confirm that the name they have entered matches the one on the account they intend to pay, helping to prevent payments going to the wrong account.
Alerts notify the payer whether there has been a match, a close match, or no match, meaning corrections can be made before the payment is sent. The service is designed to prevent misdirected payments as well as fraudulent ones.
The success of CoP depends on PSPs working together to prevent businesses and consumers from being defrauded. With that in mind, Pay.UK has designed rules and standards for PSPs to follow when launching the service.
Our first APP scams performance data report
On 31 October we published our first APP scams performance data.
The data includes the UK’s 14 largest banking groups (directed firms), along with the data for nine other smaller firms that were in the top 20 highest receivers of fraud (non-directed firms).
Payment firms that we directed will be required to publish this information on their websites within 20 days, which will give consumers greater transparency about how they deal with APP scams.
A history of our work to prevent APP scams
We have carried out a significant amount of work to prevent APP scams since 2016. A history of this work can be found below.
We published our first APP scams performance data report showing how well payment firms treat victims of APP scams.
We published a consultation on the proposed specific direction that will underpin the Faster Payments reimbursement rules.
We published a consultation on timings and reporting periods for cycle 2 of APP fraud performance data.
We published a consultation on revised reporting guidance for cycle 2 of APP fraud performance data.
We published two consultations - one on the maximum level of APP fraud reimbursement and claim excess, and the other on the consumer standard of caution.
We published our consultation on two of our draft directions, which are the legal means to put our new APP fraud reimbursement requirements in place.
We confirmed new requirements for banks and payment companies that will ensure more people than ever before will get their money back if they are a victim of APP fraud, prompting more action to prevent these frauds from happening in the first place.
We directed 14 of the largest UK PSP groups to collect and provide us with data on their APP scam performance, which will, for the first time, show how well payment firms are handling APP scams.
We launched a consultation seeking views on guidance for PSPs who will have to publish data on their performance on APP scams. This will be a requirement of the specific direction that we plan to publish in March 2023.
We launched a consultation seeking views on the way data showing how well firms are protecting customers against APP scams will be collected and published.
We directed around 400 more financial firms to provide CoP. This will see nearly all transactions made via Faster Payments (FPS) and CHAPS covered by CoP by October 2024.
We made clear that we're going further in fighting APP fraud, by setting out specific proposals around mandatory reimbursement for victims.
We announced our plans that will see around 400 more financial firms provide Confirmation of Payee (CoP). We also varied SD11 (SD11a), which will require Pay.UK to ensure the closure of the Phase 1 technical environment by 30 June 2022 rather than 31 May 2022.
We confirmed and published a new rule to ensure that the technical and system requirements for the second phase of Confirmation of Payee will be implemented by 31st May 2022. We did this by issuing Specific Direction 11 (SD11).
We outlined our proposal to ease the transition into the second phase of Confirmation of Payee.
We consulted on a package of proposals to tackle APP scams, including publication of fraud data by banks and improving intelligence sharing to enhance scam detection and prevention. HMT also announced that legislative changes would be made by Government to allow us to require banks to provide mandatory reimbursement to victims.
Following our call for views, we outlined our next steps to achieve wider implementation of Confirmation of Payee (CoP). These proposed plans required the transition of CoP to a single technical environment, aiming to extend the benefits of CoP to other account types, i.e. ones that do not use unique sort codes and account numbers, but instead use secondary reference data (for example, building societies using roll numbers).
We also provided an update on our APP scams work.
We published a call for views on the second phase of delivering Confirmation of Payee, to allow more banks and building societies to offer the vital service.
We published a call for views looking at measures to further prevent APP scams and protect customers who do fall victim.
We published a further thought piece from our Head of Policy, Genevieve Marjoribanks, looking at APP scams and the protections available in interbank payments.
We published a thought piece from our Head of Policy, Genevieve Marjoribanks, looking at getting the right outcomes for victims of APP scams.
We confirmed widespread coverage of Confirmation of Payee across the directed parties under Specific Direction 10.
This date marked the end of the forbearance period for implementation of Confirmation of Payee.
This date marked the deadline under Specific Direction 10 by which directed PSPs must be able to send and receive CoP requests.
We held a roundtable with representatives of the payments industry to discuss the progress being made on tackling APP scams and the next steps needed to improve outcomes.
In light of COVID-19, we announced forbearance under Specific Direction 10, allowing directed PSPs to delay implementation of CoP up to 30 June, as long as they continued to take appropriate steps to implement and ensured victims of APP scams were not disadvantaged by any delay.
We published the response to our January 2020 consultation and the varied Specific Direction 10.
We consulted on our proposal to vary Specific Direction 10 to include an additional clause to allow for exemption applications other than in ‘exceptional circumstances’, as described in the original direction.
This date marked the deadline under Specific Direction 10 by which directed PSPs must respond to CoP requests.
We issued Specific Direction 10, directing members of the UK’s six largest banking groups to fully implement Confirmation of Payee by 31 March 2020.
We welcomed the CRM Code coming into force with eight signatories, representing 17 bank brands improving protection for APP scam victims.
We published our response to the November 2018 consultation, and a further consultation on our draft specific direction for the implementation of Confirmation of Payee.
The final CRM Code was agreed and published by the APP Scams Steering Group, marking a significant step in protecting people from APP scams.
We published our consultation on potential general directions for the implementation of Confirmation of Payee.
The APP Scams Steering Group published the draft CRM Code consultation.
We set up the APP Scams Steering Group, made up of industry and consumer representatives, to develop the Contingent Reimbursement Model (CRM) Code.
We published the outcome of our consultation on the development of a contingent reimbursement model, outlining our intention to set up a steering group to design and implement an industry code for reimbursement of APP scam victims.
We published a paper explaining the work that we, the FCA and the payments industry had done in the last year to reduce the harm to consumers from APP scams. This included a consultation on a contingent reimbursement model.
We issued our Call for Input asking for views from PSPs to help inform our work on authorised push payment scams.
We published our consultation on the draft Terms of Reference explaining how we intended to consider the potential for payment system operators (PSOs) to play a role in minimising consumer harm caused by APP scams.
I’ve fallen victim to an APP scam, what should I do?
If you have fallen victim to an APP scam, you should contact your bank immediately to report it. It is important to do this as soon as possible, as your bank may still be able to stop the transaction or trace the money.
If your bank is a signatory to the Contingent Reimbursement Model (CRM) Code, it should begin the process to investigate your case and look at reimbursing you for your loss, as long as you acted appropriately. Your bank must assess your case under the Code and give you a decision on reimbursement; it should also provide you with its reasoning.
Even if your bank isn’t a signatory to the CRM Code, you should still report any fraud to your bank as soon as you discover it. Your bank may have other policies in place to assist you.
My bank has declined to reimburse the money I’ve lost to an APP scam – what should I do?
If you’re unhappy with your bank’s assessment of your case under the CRM Code, you can lodge a complaint with the Financial Ombudsman Service. The Ombudsman will then assess your complaint and make a decision.
Even if your bank isn’t a Code signatory, you can still lodge a complaint with the Ombudsman if you’re unhappy with how any of the banks involved in the scam have acted.
The Payment Systems Regulator does not consider complaints under the Code. We are the independent regulator of payment systems themselves, and adjudicating on the Code is not within our remit.
Who else can help me?
If you believe that any of the institutions involved have not conducted themselves appropriately according to their obligations under any relevant legislation, you may wish to contact the Financial Conduct Authority.
You can report the fraud to Action Fraud, who will provide you with a crime reference number and will send your report to the National Fraud Investigation Bureau (NCIB) for assessment. Please note, Police Scotland have not signed up to the Action Fraud process; if you are in Scotland you should follow the guidance provided on the Police Scotland website.
Victim Support can provide help after crime; it gives free and confidential support 24 hours a day, seven days a week, 365 days a year.
Citizens Advice can provide support and advice on what further steps to take if you have been a victim of fraud.
What is Confirmation of Payee?
The PSR directed members of the UK’s six largest banking groups to implement Confirmation of Payee to help prevent losses due to accidentally misdirected payments and certain types of APP fraud. In July 2020, we confirmed widespread implementation of CoP by those banks.
We have consistently considered the widespread adoption of CoP in UK payments to be a key priority. In February 2022 we issued a Direction to ensure the transition of CoP to a single technical environment (phase 2), allowing more banks to offer the vital service. Following our May 2022 consultation, we also directed around 400 more financial firms to provide CoP. This will see nearly all transactions made via Faster Payments (FPS) and CHAPS covered by CoP by October 2024.
We will monitor how firms implement the system and will step in where necessary.
Customers should contact their banks with any questions on how CoP works or any issues with CoP when making a payment. If no resolution is offered by the bank, or there are significant issues impacting the CoP service, customers should contact Pay.UK, which is responsible for maintaining the rules and standards for CoP. The PSR does not develop the rules, technical standards or operating guidance for CoP.
You can contact the PSR if you believe that the directed banks are not complying with their obligations under the Direction to implement CoP.
We recommend contacting your provider to check if this service is offered.
How does Confirmation of Payee affect me? I’m making payments on my account but Confirmation of Payee hasn’t come up?
Confirmation of Payee checks whether the name matches the account details before you make a new Faster Payments or CHAPS payment.
If you’re paying someone who is already set up as a payee on your bank account (and you are not changing the payee details), you won’t see any difference. Confirmation of Payee is currently offered by members of the UK’s six largest banking groups, as directed by the PSR in 2019, and other institutions who have voluntarily put this system in place.
When setting up a new payee or amending an existing payee’s details, you will be asked to enter the sort code, account number and the name of the person you’re paying. Confirmation of Payee will then confirm whether there is:
- A match: details provided match the account, proceed with payment
- A close match: check the details again or contact the person you’re trying to pay
- No match: possible fraudulent transaction; check the details again or contact the payee before proceeding
There may be some circumstances when you are unable to do a Confirmation of Payee check, for instance because the payee’s account is not available through Confirmation of Payee, whether temporarily or otherwise. You’ll still be able to make the payment but should exercise more caution when sending money to a new payee.