There is a version of compliance with the FCA's Consumer Duty that treats it as a documentation exercise — update your policies, run a Consumer Duty training module, file the board attestation. Then there's the version that reckons with what the Duty actually demands: that a financial services firm must be able to demonstrate that outcomes for consumers are good, not just that processes are in place. On APP fraud, those two versions diverge sharply, and the gap is going to become expensive in 2025 and beyond.
Consumer Duty in Plain Terms for Fraud Teams
The FCA's Consumer Duty — formally the Consumer Duty (PS22/9) — came into full force for existing products and services on 31 July 2024. Its core structure is a "Consumer Principle" (firms must act to deliver good outcomes for retail customers) supported by three cross-cutting rules (act in good faith; avoid foreseeable harm; enable and support customers) and four outcome areas: products and services, price and value, consumer understanding, and consumer support.
For PSP fraud operations, the "avoid foreseeable harm" rule and the "consumer support" outcome are the immediate pressure points. APP fraud is foreseeable harm — it is documented, quantified, and well-understood as a harm that customers of payment services face. A PSP that has not taken proportionate steps to reduce foreseeable APP fraud harm is potentially non-compliant with the Consumer Duty even if every individual claim decision is processed correctly.
The FCA has been explicit, in its multi-firm reviews and supervisory communications, that the Consumer Duty is an outcomes framework. It does not prescribe exactly what fraud controls a firm must have. It does require that the firm can evidence that its controls are effective and proportionate to the harm profile. If a PSP's APP fraud loss rate is materially higher than peers with similar customer demographics, the Consumer Duty creates a supervisory basis for the FCA to ask why, and what the firm is doing about it.
Where Mandatory Reimbursement Meets Consumer Duty
The PSR's mandatory APP reimbursement rules, which came into force in October 2023, are a separate regulatory instrument from Consumer Duty but they interact. Reimbursement is the PSR's mechanism for ensuring consumers don't bear losses for fraud the PSP could have prevented. Consumer Duty is the FCA's mechanism for ensuring the PSP is actually trying to prevent the fraud, not just processing claims compliantly.
This creates a two-front compliance requirement. A PSP that pays out all eligible claims promptly is meeting PSR reimbursement obligations. But if its fraud detection capability is demonstrably poor — if it's generating claims at a rate or value that suggests systematic failure to intervene — the FCA's Consumer Duty provides a supervisory pathway to action that is independent of whether individual claim decisions were correct.
In practice, this means PSP compliance functions need to connect fraud ops metrics to Consumer Duty assessments. The APP fraud loss rate per £10M of payment volume, the proportion of claims where effective warning intervention was deployed, the average time between the consumer's first contact with the scammer and payment execution — these are Consumer Duty metrics, not just fraud ops KPIs. If they trend badly, they're a Consumer Duty problem.
The Gross Negligence Exception: How Narrow It Is
The mandatory reimbursement rules contain a gross negligence exception — a PSP can decline to reimburse if the consumer acted with gross negligence. Understanding the practical scope of this exception matters because some PSP fraud teams have been treating it as a wider defence than it is.
The PSR's position on gross negligence is that it requires a significant and deliberate failure by the consumer to heed specific, clear, and tailored warnings. A consumer who ignores a generic screen message saying "be careful of scams" almost certainly has not met the gross negligence threshold. A consumer who explicitly told the PSP that the payment was to a known contact for a legitimate purpose, when that description was false, presents a more defensible gross negligence case. But it requires documentation at the point of the interaction, not a post-hoc reconstruction.
The "effective fraud warning" that Consumer Duty and the reimbursement rules both reference cannot be a static overlay that the consumer clicks through. It needs to be contextually relevant — ideally acknowledging the specific behavioural pattern of the payment — and it needs to be deployed at a point in the process where the consumer can actually respond to it rather than having already committed to the transfer in their own mind. These are high bars. Most payment app friction UIs are nowhere close to meeting them for high-value investment scam scenarios.
The Five Business Day Claims Clock
Under the mandatory reimbursement rules, PSPs have a target of 5 business days to assess and pay eligible claims, with an extension to 35 business days for complex cases. This timeline is operationally significant for PSP fraud ops teams because it forces a decision about how to handle claim assessment.
Five business days is tight for manual investigation of high-value claims. The pressure is toward more standardised assessment. But standardised assessment creates its own risks: over-payment on ineligible claims (first-party fraud, gross negligence cases) increases loss rates, while systematically under-paying eligible claims generates Financial Ombudsman Service (FOS) referrals and the associated case costs — a FOS complaint costs a firm in the region of £500-700 in direct case fees, plus ops overhead, plus the reputational cost of a high FOS complaint rate.
The economics favour reducing claim volume through better pre-transfer interception over optimising the claims workflow. Processing a £12,000 claim costs more in aggregate (reimbursement + ops + potential FOS escalation) than preventing the transfer would have. That's not a novel observation, but it's worth quantifying explicitly when making the business case for pre-transfer intervention investment.
The Receiving PSP Problem
The 50/50 split between sending and receiving PSPs under the mandatory reimbursement rules has created a new operational challenge: receiving PSPs are now liable for losses that they had limited ability to prevent. The consumer's PSP could have intervened at the moment of payment instruction. The receiving PSP is managing an account that looks like a normal account until the mule transaction arrives.
Receiving PSPs — which are disproportionately the smaller challenger banks and payment platforms where scammers prefer to open mule accounts — are developing rapid-freeze capabilities and SAR-triggered account suspension workflows. But the liability exposure is creating pressure to screen account openings more aggressively for mule account characteristics, and to close the loop with sending PSPs on known-bad account details faster than the current intelligence-sharing infrastructure allows.
This is an area where the Consumer Duty's "avoid foreseeable harm" principle creates a shared-responsibility logic. The receiving PSP that knowingly maintained an account that had been flagged as a mule destination in a previous fraud report is in a difficult Consumer Duty position if that account is then used to receive an APP scam transfer. The foreseeable harm was documented.
What Good Consumer Duty Compliance Looks Like for APP Fraud
Working backward from the FCA's outcomes framework, a PSP that could genuinely demonstrate good Consumer Duty compliance on APP fraud would need to show something like the following:
Outcome evidence for products and services: the payment product has fraud controls proportionate to its risk profile, and the PSP has reviewed and updated those controls as the scam landscape has evolved. Not "we have transaction monitoring" but "our transaction monitoring is calibrated to our specific APP fraud loss patterns and we review calibration quarterly."
Outcome evidence for consumer support: customers who report suspicion of fraud mid-interaction receive a response that is materially helpful, not a deflection to the terms and conditions. Customers who call the fraud line while actively engaged in a scammer conversation get a response that can interrupt the scammer's narrative, not a scripted "we can't advise you on where to transfer your own money."
Outcome evidence for avoiding foreseeable harm: the PSP has made a genuine effort to identify the originating channel and pre-transfer context of APP fraud claims, and has deployed interventions that address those channels. Not just friction at the payment confirmation screen.
We're not saying every PSP is failing on Consumer Duty for APP fraud — some have built genuinely thoughtful pre-transfer intervention capabilities. But the gap between "we have a Consumer Duty policy" and "we have Consumer Duty-consistent fraud outcomes" is real and wide at many payment platforms, and the FCA's supervisory focus on outcomes means that gap will surface in reviews.
The 2025 Trajectory
The PSR has already indicated it will review the mandatory reimbursement scheme's operation in 2024-25, and there is active policy discussion about whether the £415,000 per-claim cap should be lowered, whether the consumer excess should be retained, and what further obligations should apply to social media platforms as the primary channel for investment scam contact. None of those policy questions resolve in favour of reduced PSP exposure. The direction of travel is clearly toward more liability, more expectations of proactive intervention, and more scrutiny of whether "effective warnings" are genuinely effective.
The PSPs that are in the best position heading into 2025 are the ones that have built their fraud operations around the question "how do we prevent this transfer from happening" rather than "how do we process this claim efficiently." The regulatory landscape is being architected around that distinction, and the gap between the two approaches is only going to widen.