The Payment Systems Regulator's mandatory reimbursement requirement came into force for Faster Payments and CHAPS in October 2025. The requirement places an obligation on both the sending PSP and the receiving PSP to reimburse victims of APP fraud — with cost-sharing between the two under the PSR's 50/50 liability split framework, subject to the £85,000 cap per claim.
We are now roughly six months into the regime. The PSR itself has indicated it will publish initial data on reimbursement rates and claim volumes in mid-2026. In the absence of that formal data release, we can draw on a combination of publicly available industry reporting, PSR consultation responses that have entered the public record, and what we observe operationally from the PSP environments we work within. This post synthesises what's knowable at this point — and is explicit about where inference ends and observation begins.
The Structural Question the Regime Was Designed to Answer
The PSR's mandatory reimbursement regime was designed on the premise that financial liability changes behaviour. If PSPs bear the cost of APP fraud losses rather than victims, PSPs have a direct financial incentive to invest in fraud prevention that was previously absent or attenuated by the ability to dispute claims. The theory of change is straightforward: internalise the externality, and private investment in prevention follows.
Whether that theory holds in practice is the question six months of data should start to illuminate. It's worth being precise about what we would expect to see if the theory is working, what would constitute evidence it's not working, and what would be ambiguous.
Evidence that the regime is working: PSPs that invested in pre-transfer interception capabilities before October 2025 showing lower reimbursement claim rates than PSPs that didn't; a measurable reduction in first-payment fraud transfers at PSPs with active friction programmes; scammer operator adaptation that reflects awareness that certain PSPs are now harder targets. We'd also expect to see a secondary effect: increased market interest in prevention tooling, because the ROI calculation has changed.
Evidence the regime isn't working as intended: claim rates distributed without correlation to prevention investment; PSPs absorbing losses and passing them through to customers in fee increases rather than reducing fraud volumes; claim mills (fraud recovery specialists gaming the reimbursement process) consuming a disproportionate share of the reimbursement pool.
What the Early Operational Picture Suggests
From what we can observe, the distribution of reimbursement burden is not falling evenly. Smaller PSPs — challenger banks and growing digital payment providers with thinner fraud operations teams — appear to be absorbing disproportionate claim volumes relative to their customer base. This is consistent with a pattern that pre-dates the mandatory regime: scammer operators tend to concentrate activity on PSPs with weaker intervention capability, both because those PSPs' customers are more likely to complete the transfer and because weaker intervention means scammer operators can run more attempts before a fingerprint is flagged.
The mandatory regime has accelerated the financial consequence of that differential without necessarily correcting it. A PSP with limited fraud ops investment is now reimbursing losses it previously disputed; the incentive structure has changed but the capability gap that created the vulnerability persists.
The PSPs where we've heard the most positive early signals are those that had invested in payment friction and warning interventions ahead of the October deadline — not because they anticipated the mandate specifically, but because regulatory pressure had been building for years under Consumer Duty and FCA expectations. These PSPs entered the mandate with a programme already running. Their fraud ops teams were already reviewing flagged transfers; 24-hour cooling-off holds for large first-time payments to new payees were already policy. For them, the mandate formalised an existing practice rather than requiring a new build.
The £85,000 Cap: The Problem Nobody Talks About
The £85,000 maximum reimbursement cap has received less attention in industry commentary than it deserves. The cap was set at the level that covers the majority of individual APP fraud claims by count, but APP fraud losses by value are concentrated in a smaller number of high-value transfers — particularly investment fraud and romance fraud, where individual transfer values frequently exceed £50,000 and can approach or exceed £100,000.
For claims above the cap, the victim receives £85,000 and bears the residual loss personally. For PSPs, the cap limits individual claim exposure but doesn't address the volume of sub-cap claims, which is where most of the reimbursement liability in practice sits. A PSP with high volume in the £5,000–£25,000 range — typical of purchase fraud and impersonation scams — faces substantial aggregate liability even though each individual claim is well within cap.
The cap also interacts oddly with the cost-sharing framework. The 50/50 split between sending and receiving PSP is straightforward in theory. In practice, the receiving PSP — the one whose customer was operating a mule account — often has the harder time disputing liability even when it made reasonable efforts. The mule account landscape has professionalised significantly: accounts registered under genuine or synthetic identities, operated in short bursts, closed before detection, often across multiple PSPs simultaneously. Receiving-side liability under the mandate is driving more PSPs to invest in mule detection capability they previously had little incentive to build.
Claim Mill Risk and What PSPs Are Doing About It
One concern that surfaced prominently in PSR consultation responses and has persisted in industry conversations: the mandatory reimbursement regime creates an incentive structure for claim fabrication or inflation. A "claim mill" in this context refers to third-party recovery services that assist victims in submitting reimbursement claims — sometimes on a no-win-no-fee basis — in ways that may involve marginal or disputed cases being presented more aggressively than a victim would present independently.
We're not saying claim mills are operating fraudulently in the legal sense, and the evidence for systematic abuse of the reimbursement process is not yet clear from public data. The risk is structural: a financial incentive for third parties to maximise claim volumes under a mandatory regime, where the PSP carries the cost burden. The PSP's recourse — demonstrating the customer failed to follow warnings, acted with gross negligence, or was complicit — requires evidence that fraud ops teams need to have gathered contemporaneously.
The practical implication is that PSPs need to be documenting their intervention touchpoints more carefully than before. A PSP that issued a payment warning, offered a hold, and received an explicit customer override needs a record of that interaction that survives a subsequent reimbursement claim and potential escalation to the Financial Ombudsman Service. Fraud ops teams that were previously focused purely on prevention are now doing more case documentation work to support reimbursement decision-making.
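The record-keeping point above, as an added example (not code from the original post or from any PSP): a tamper-evident log in which each intervention record carries an HMAC that also covers the previous record's HMAC, so later edits or deletions are detectable when a claim is contested. The event names, payment IDs, timestamps and key are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor value for the first record in the chain
SAMPLE_KEY = b"constructed-demo-key"  # constructed; a real key lives in an HSM/KMS
# Hypothetical event names for the three touchpoints named in the text.
REQUIRED = ["WARNING_ISSUED", "HOLD_OFFERED", "CUSTOMER_OVERRIDE"]
FIELDS = ("payment_id", "event", "ts", "detail")

def _mac(key, prev, body):
    # Canonical JSON so identical events always serialise to identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + data, hashlib.sha256).hexdigest()

def append_event(log, key, payment_id, event, ts, detail=""):
    """Append a touchpoint record whose MAC also covers the previous MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = dict(zip(FIELDS, (payment_id, event, ts, detail)))
    log.append({**body, "prev": prev, "mac": _mac(key, prev, body)})
    return log[-1]

def verify_log(log, key):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {f: rec[f] for f in FIELDS}
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(key, prev, body)):
            return i
        prev = rec["mac"]
    return -1

def evidence_gaps(log, payment_id):
    """List the required touchpoints that were never recorded for a payment."""
    seen = {r["event"] for r in log if r["payment_id"] == payment_id}
    return [e for e in REQUIRED if e not in seen]

def build_sample_log(key=SAMPLE_KEY):
    """Constructed sample: one fully documented payment, one with gaps."""
    log = []
    for pid, event, ts, detail in [
        ("PAY-0001", "WARNING_ISSUED", "2026-03-02T10:14:05Z", "first payment to new payee"),
        ("PAY-0001", "HOLD_OFFERED", "2026-03-02T10:14:40Z", "24-hour hold"),
        ("PAY-0001", "CUSTOMER_OVERRIDE", "2026-03-02T10:16:12Z", "explicit confirmation"),
        ("PAY-0002", "WARNING_ISSUED", "2026-03-02T11:02:31Z", "first payment to new payee"),
    ]:
        append_event(log, key, pid, event, ts, detail)
    return log
```

A chain like this detects edits and mid-log deletions but not removal of the most recent records, so the latest MAC should also be anchored somewhere the logging system cannot rewrite.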
Which Prevention Investments Have Moved the Needle
Based on what we observe from the PSP environments we work in, three categories of prevention investment appear to be having the most measurable impact on reimbursement claim rates in the first six months.
Payment friction at high-risk transfer points — particularly large first-time transfers to new payees, with a mandatory confirmation step that includes explicit fraud warning language — appears to be reducing transfer completion rates for in-progress fraud attempts. The psychological effect of a credible pause, even a short one, on a victim who has been coached by a scammer is not negligible. The urgency a scammer manufactures frays when the PSP introduces a structured 24-hour hold.
Mule account detection upstream at the receiving PSP has become more commercially significant under the mandatory cost-sharing regime. PSPs that can identify mule accounts before they receive APP fraud proceeds — through account registration behaviour patterns, device fingerprint clustering, and early transaction pattern analysis — reduce both the harm to victims and their own reimbursement liability. This was a capability that receiving-side PSPs had limited incentive to invest in before the mandate. That calculus has shifted.
Conversation-layer signals that flag an in-progress fraud engagement before payment initiation remain the highest-leverage intervention point, but also the hardest to deploy at scale. The PSPs where we've seen the most impact are those that had built the integration plumbing to surface these signals to a human fraud analyst in near-real time, rather than relying on automated block decisions. Human review of flagged cases at the payment threshold is slower than automated controls but produces better outcomes for contested cases where the evidence is ambiguous.
What the Next Six Months Will Show
The PSR has committed to publishing regular data on reimbursement rates as part of its monitoring of the regime. When that data comes out — likely Q2 or Q3 2026 — it will allow a more rigorous assessment than inference from operational observation permits.
The questions that data should answer: which PSP categories (by size, by customer segment, by product type) have the highest claim rates? Has the aggregate industry claim rate moved relative to pre-mandate levels? Is there a measurable correlation between documented prevention investment and claim outcome?
The PSR also retains the ability to adjust the regime — the cap level, the cost-sharing split, the categories of claim eligible for mandatory reimbursement — based on what the first year of data shows. If the distribution of burden is significantly inequitable in ways that threaten smaller PSPs' viability, that's a policy lever the PSR has available. Industry bodies have flagged this risk in consultation.
Our working hypothesis going into this data release: the regime is performing as intended in terms of liability internalisation, but the distribution of benefit — reduced fraud rates — is lagging the distribution of cost, because prevention capability takes longer to build than the time that has elapsed since the liability clock started. PSPs that have already built prevention capability are seeing benefit. PSPs that are now scrambling to build it are still primarily absorbing cost. The gap will narrow as capability investment catches up — or it won't, in which case the PSR will need to consider whether the regime's design requires adjustment.