For a long time, the PSP view of APP fraud was essentially: the customer authorised it, so it's the customer's problem. That era is over. The PSP Faster Payments reimbursement rules that came into force in October 2023, combined with the FCA's Consumer Duty obligations, mean that payment service providers now sit squarely in the liability chain. This piece is about understanding what that exposure actually looks like in 2024 — not in abstract terms, but as a balance sheet problem.
The Numbers PSPs Are Actually Facing
UK Finance's 2023 annual fraud report documented £459.7 million in APP (Authorised Push Payment) losses across UK consumers and businesses. That figure gets cited often, but context matters: APP now accounts for a larger share of total fraud losses by value than card fraud, which fell for the third consecutive year. The distribution across payment channels is instructive — Faster Payments carries the bulk, as you'd expect, but the proportion of losses via internet banking has grown while telephone-initiated transfers have declined. Scammers follow the frictionless path.
Reimbursement rates tell the more important story. Historically, PSPs voluntarily reimbursed somewhere around 60–65% of APP losses under the Contingent Reimbursement Model (CRM) code, which was a voluntary scheme with wide variation in compliance. The mandatory reimbursement rules that replaced it in October 2023 change the floor, not just the ceiling. Under the new framework, sending and receiving PSPs each bear 50% of the reimbursement cost for eligible claims (subject to a £415,000 per-claim cap and a £100 excess). The practical effect: a PSP that previously disputed a significant fraction of CRM claims now has fewer grounds to refuse, and the disputes are more expensive to administer than paying them would have been.
What the Mandatory Rules Actually Changed
The PSR's October 2023 mandatory reimbursement scheme was not a cosmetic tightening of the voluntary CRM. It shifted the burden-of-proof logic. Previously, a PSP could decline a claim by demonstrating that the consumer acted carelessly or ignored warnings. Now, the default position is that eligible consumers are reimbursed unless the PSP can prove one of a narrow set of exceptions — gross negligence, first-party fraud, or the consumer's failure to respond to a PSP's effective fraud warning.
That last exception is where a lot of PSP compliance teams are currently focused. The phrase "effective fraud warning" is doing a lot of work. A generic screen warning that says "check you know the payee" probably won't qualify as effective if the consumer was mid-conversation with a scammer who had an answer to every possible bank-prompted question. The PSR's published guidance on what counts as "proportionate and effective" friction is deliberately outcome-focused — it won't protect a PSP whose warnings are performative rather than genuinely disruptive to the social engineering chain.
We're not saying PSPs haven't tried. Most of the major UK banks and several mid-tier payment platforms introduced some form of real-time fraud warning UI between 2021 and 2023. But the core weakness of those systems is that they insert friction at the payment confirmation step — which is already the last step in a conversation that might have been running for days or weeks. By the time the customer is at the "confirm payment" screen, they've often been coached by the scammer on precisely what the bank will say and how to respond to it.
The Cost Anatomy of a Single Claim
To understand why APP fraud is a balance sheet problem and not just a regulatory compliance problem, it helps to model the cost of a single claim through the new system. Take a plausible mid-value scenario: a consumer at a growing challenger bank is social-engineered into transferring £18,000 to a scammer-controlled account. The scammer has been posing as the consumer's building society for six days, using a WhatsApp conversation with a spoofed logo.
Under the mandatory rules, the sending PSP (the challenger bank) is exposed to 50% of the reimbursement — £9,000 — less the £100 excess, assuming the consumer passes the eligibility tests. The receiving PSP (wherever the scammer's account was) is liable for the other £9,000. The challenger bank now needs to:
- Assess and pay the £8,900 claim within the 5 business-day target (or 35 for complex cases)
- Attempt recovery from the receiving PSP's mule-account chain
- File a SAR and provide evidence to the relevant fraud intelligence body
- Bear the internal ops cost of claim review, which industry estimates put at £200–400 per claim for a lightly automated process
The recovery rate from mule account chains for APP fraud is low — typically under 20% of transferred funds are recovered, and that figure is worse for investment scam cases where the receiving account has already been emptied. So the net cost exposure on our £18,000 example is somewhere between £7,000 and £9,000 after partial recovery, plus ops overhead. Multiply that by claim volumes at scale and the number starts to look structural.
Where Existing Controls Fall Short
The transaction-monitoring stack that PSPs built for card fraud and unauthorised account takeover is genuinely good at what it does. Rules engines and ML models trained on transaction velocity, payee novelty, and account age patterns can identify many high-risk transfers. But APP fraud has a specific characteristic that defeats transaction-layer detection: the customer is genuinely authenticated and genuinely authorising the payment. There's no stolen credential. There's no account takeover indicator. The transaction looks like a large but legitimate transfer, because from the payment system's perspective, it is one.
The signal that distinguishes an APP scam from a legitimate large transfer lives in the conversation that preceded it. A consumer being coached over WhatsApp, or receiving scripted call-back instructions from a "fraud department" that is actually the scammer — that signal is invisible to transaction monitoring. It's invisible to behavioural biometrics on the banking app. It's invisible to Confirmation of Payee, which tells the customer whether the account name matches but says nothing about whether the account owner is a scammer.
That gap is what we built AVIEL around. The conversation layer — the actual channel where APP social engineering happens — is where the pre-transfer signal exists. Deploying honeybots that enter those conversations before the transfer is authorised is a fundamentally different intervention point than anything in the existing stack.
Volume Trajectory and the 2024 Outlook
The 2023 figures were bad. There's reason to expect the 2024 numbers to be worse, or at minimum not substantially better, for several structural reasons. First, scammer infrastructure has become more accessible — the same social engineering scripts that required significant criminal expertise to run in 2019 can now be partially automated and scripted at lower cost. Second, the shift to digital onboarding across UK banking has expanded the attack surface: consumers who ten years ago would have called a branch are now conducting all account activity through apps, which means their entire relationship with their PSP is mediated through digital channels that scammers can mimic. Third, the mandatory reimbursement rules, while protecting consumers, may paradoxically increase scam attempts in the short term if fraudsters calculate that the probability of victim cooperation is higher when the victim believes they'll be reimbursed regardless.
We're not saying that consumer protection was a mistake — it wasn't. But it shifts the incentive calculus in ways that PSP fraud ops teams need to model explicitly. The appropriate response is better interception, not better claims processing.
What This Means for Fraud Ops Teams in Practice
The first thing most PSP fraud ops teams should do with the new cost model is pull their APP claim data from the past 12 months and segment it by scam type — romance, investment, purchase, impersonation — and by the channel through which the social engineering happened. In our conversations with fraud operations professionals at growing payment platforms, the consistent finding is that investment scam losses dominate by value, and that the originating conversation channel is almost always a messaging app or social platform, not the PSP's own banking interface.
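The segmentation described above, combined with the per-claim cost model from the cost-anatomy section, as an added example (not code from this article or from AVIEL). The claim records, the per-type recovery rates and the £300 ops cost are constructed assumptions; the 50% share, the £415,000 cap and the £100 excess are the figures quoted earlier.

```python
from collections import defaultdict

SHARE, CLAIM_CAP, EXCESS = 0.5, 415_000, 100  # figures quoted in the article (GBP)
DEFAULT_RECOVERY = 0.20          # assumed upper bound: "under 20%" is recovered
RECOVERY = {"investment": 0.05}  # assumed: investment-scam recovery is worse
OPS_COST = 300                   # assumed midpoint of the £200-400 estimate

# Constructed sample claims (hypothetical records, not real data).
CLAIMS = [
    {"scam_type": "impersonation", "channel": "WhatsApp", "amount": 18_000},
    {"scam_type": "investment", "channel": "social platform", "amount": 42_000},
    {"scam_type": "investment", "channel": "WhatsApp", "amount": 65_000},
    {"scam_type": "romance", "channel": "social platform", "amount": 7_500},
    {"scam_type": "purchase", "channel": "online marketplace", "amount": 600},
    {"scam_type": "investment", "channel": "WhatsApp", "amount": 500_000},
]

def sending_psp_net_cost(amount, recovery_rate=DEFAULT_RECOVERY, ops_cost=OPS_COST):
    """Net cost (GBP) of one eligible claim to the sending PSP.

    Assumptions: the cap applies to the claim amount, the excess is deducted
    from the sending PSP's share as in the article's £18,000 example, and
    recovered funds offset that share pro rata.
    """
    share = max(min(amount, CLAIM_CAP) * SHARE - EXCESS, 0)
    return round(share * (1 - recovery_rate) + ops_cost, 2)

def segment(claims, key):
    """Aggregate claim count, gross loss and net cost by `key`, largest net cost first."""
    totals = defaultdict(lambda: {"claims": 0, "gross": 0, "net_cost": 0.0})
    for c in claims:
        rate = RECOVERY.get(c["scam_type"], DEFAULT_RECOVERY)
        row = totals[c[key]]
        row["claims"] += 1
        row["gross"] += c["amount"]
        row["net_cost"] += sending_psp_net_cost(c["amount"], rate)
    return dict(sorted(totals.items(), key=lambda kv: kv[1]["net_cost"], reverse=True))

if __name__ == "__main__":
    for key in ("scam_type", "channel"):
        print(f"\nBy {key}:")
        for name, row in segment(CLAIMS, key).items():
            print(f"  {name:<20} claims={row['claims']} gross=£{row['gross']:,} "
                  f"net=£{row['net_cost']:,.2f}")
```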
That channel analysis matters because it shapes where intervention is feasible. If the scam conversation happens entirely outside the PSP's infrastructure, traditional detection tools have no sight of it. If the PSP can partner with a solution that enters the external conversation — as a honeybot interlocutor — then real-time intelligence becomes possible before the transfer instruction is even formed.
The regulatory cost of not improving detection will compound. Every unreimbursed claim that gets escalated to the PSR, every consumer complaint that reaches the Financial Ombudsman, every fraud ops team that misclassifies a claim under the gross negligence exception — all of those drive up operational cost and regulatory risk simultaneously. The economics of APP fraud prevention in 2024 are clearly on the side of earlier intervention.