Last updated: November 2021
What are Authorised Push Payment scams?
Authorised Push Payment (APP) scams happen when a person or business is tricked into sending money to a fraudster posing as a genuine payee. These types of scams can have a devastating impact on the people who fall victim to them.
Every year thousands of individuals and businesses fall victim to Authorised Push Payment (APP) scams – where they are tricked into sending money to an account controlled by a fraudster. There are also a significant number of accidentally misdirected payments that are not recovered. The latest figures show that in the first half of 2021, £355 million was lost to APP scams, overtaking card fraud losses.
The PSR expects to see more action from financial institutions to stop these scams from happening and to better protect people if they do fall victim. In its latest consultation, the PSR sets out the next steps.
There are eight types of APP scams which are either:
- ‘malicious payee’, for example, tricking someone into purchasing goods which don’t exist or are never received.
- ‘malicious redirection’, for example a fraudster impersonating bank staff to get someone to transfer funds out of their bank account and into that of a fraudster.
Our work on APP scams
Getting the right protections for everyone
In November 2021, we set out three measures we think would help tackle these devastating crimes. Our consultation on these proposals is open until January 2022.
Those proposals include:
- Publication of fraud data by banks: Banks and building societies in the 12 largest banking groups in Great Britain and two largest banks in Northern Ireland outside those banking groups must publish data on their performance in relation to APP scams, on reimbursement levels for victims, and which banks and building societies’ accounts are being used to receive the fraudulent funds; and
- Improve scam prevention: Industry will improve intelligence sharing to enhance detection and prevention of APP scams.
- Reimbursing victims: Developing how best to make reimbursement mandatory to victims of APP scams once legislative changes have been made.
We intends to require the publication of fraud data and is keen to work with firms to identify the most appropriate ways this will be collected before the requirement comes into effect.
In further steps announced by HM Treasury, legislative changes will be made by the Government to remove the regulatory barriers that currently prevent mandatory reimbursement for scam victims. Our consultation sets out further details about how that can be achieved when legislation is amended.
The Contingent Reimbursement Model (CRM) Code
In 2018, we set up a steering group of industry and consumer representatives, led by an independent chair, to develop a voluntary, industry CRM Code. The final Code came into force in May 2019.
The CRM Code aims to reduce both the occurrence and impact of APP scams, and is designed to give people the confidence that, if they fall victim to an APP scam and have acted appropriately, they will be reimbursed. It sets out standards for signatory Payment Service Providers (PSPs) – a group including the largest banks in the UK – and for customers who are covered by the Code (consumers, micro-businesses and small charities). There are currently nine signatories to the Code.
The Lending Standards Board (LSB) oversees the Code and its members, while we continue to monitor the operation of the Code and the impact it has on the number of APP scams. The Financial Ombudsman Service adjudicates on disputes between banks and customers on decisions under the Code.
Confirmation of Payee
In August 2019, we gave members of the UK’s six largest banking groups a Specific Direction to implement CoP by the end of March 2020. The PSPs subject to the direction are involved in around 90% of FPS and CHAPS transactions. The direction was varied in February 2020 to allow an additional basis under which a directed PSP could apply for an exemption from an obligation under the direction.
In July 2020, we confirmed that the directed PSPs had achieved widespread implementation of CoP, with certain agreed exemptions. This marked a significant milestone in addressing APP scams, but we aren’t stopping there. We want to continue to expand the protection offered by CoP, so we’re encouraging all PSPs, big and small, to implement CoP if and when the rules and standards apply to their accounts.
With Confirmation of Payee (CoP), banks can check the name on a new payee’s account as well as the sort code and account number. Customers setting up a new payee (or changing details of an existing payee) will be able to confirm that the name they have entered matches the one on the account they intend to pay, helping to prevent payments going to the wrong account.
Alerts notify the payer whether there has been a match, a close match, or no match, meaning corrections can be made before the payment is sent. The service is designed to prevent misdirected payments as well as fraudulent ones.
The success of CoP depends on PSPs working together to prevent businesses and consumers from being defrauded. With that in mind, Pay.UK, the operator of the UK’s payment systems, designed rules and standards for PSPs to follow when launching the service.
A history of our work to prevent APP scams
We have carried out a significant amount of work to prevent APP scams since 2016. A history of this work,