Responding to the Rise of APP Fraud

United Kingdom

Last week saw three notable events for those closely following developments in financial transaction fraud:

  • On 24 September 2018, UK Finance published the 2018 half year fraud update. This highlighted continued high levels of fraud and the industry’s ongoing efforts to respond to the evolving threats. The statistic that garnered most headlines was the growth in authorised push payment (“APP”) frauds (to £145.4m) with only around 20% of the value (£30.9m) being returned to customers. It is unsurprising that this fraud type was the focus of attention due to its prevalence and the fact it often targets the most vulnerable customers.
  • On 26 September 2018, the FCA closed its consultation (CP18/16) on extending the jurisdiction of the FOS to APP fraud complaints made to the bank receiving the funds.
  • Finally, and most importantly, on 28 September the Contingent Reimbursement Model (“CRM”) Steering Group - set up in response to the Which? super complaint and subsequent FCA/PSR consultation into APP Fraud - released a draft CRM Code (the “Code”) and opened its consultation on the same (the “Consultation”).

The Code covers APP scams defrauding consumers, microenterprises and small charities. The Code is intended to come into force in early 2019 and whilst voluntary, it is anticipated to be widely adopted by the Payment Service Providers (“PSPs”).

Given the large scale of APP fraud and the threat it poses both to customers and also to trust in the banking system, PSPs (and other interested parties) will be well advised to take note of the draft Code and to respond during the short window the Consultation is open.

Responses to the Consultation must be submitted by 15 November 2018.

What is APP Fraud?

The Code defines APP fraud as:

“Authorised Push Payment Fraud, that is, a transfer of funds executed across Faster Payments, CHAPS or an internal book transfer, authorised by a Customer in accordance with regulation 67 of the PSRs, where:

(i) The Customer intended to transfer funds to another person, but was instead deceived into transferring the funds to a different person; or

(ii) The Customer transferred funds to another person for what they believed were legitimate purposes but which were in fact fraudulent.”

Who is expected to engage with the Consultation and adopt the Code?

PSPs who:

(a) Make payments on behalf of consumers, microenterprises and small charities; and/or

(b) Are 1st tier recipient PSPs who receive payments from customers covered under (a) which turn out to be as a result of an APP fraud.

Further, the handling by PSPs of frauds which do not come under the Code’s regime will inevitably be influenced as parties look to the Code as an industry standard or best practice.

What does the draft Code try to achieve?

In simple terms, the Code proposes offering the customer an opportunity to be refunded swiftly where they have met the “requisite level of care to protect themselves from APP scams” whether or not the PSPs have also met their own “requisite level of care”.

In proposing a model to achieve this, the draft Code is intended to be consistent with the Core Principles and the Operating Principles set out in the CRM Steering Group’s Terms of Reference. As such, these are critical to note when PSPs prepare their responses to the Consultation.

The Core Principles are:

  1. Incentives for those with the ability to effectively prevent APP scams and reduce their impact.
  2. Consistency of outcomes.
  3. Leverage existing and future initiatives that are likely to be effective at preventing and helping respond to APP scams.
  4. Adoption by all PSPs that have an element of control over preventing and responding to APP scams.
  5. No contingency on the recovery of funds.
  6. No adverse impact on PSP ability to make goodwill payments.
  7. No adverse impact on commercial development of further protections.
  8. Capability for becoming part of the relevant considerations that the FOS takes into account.

The Operating Principles are:

  • Simplicity: The rules adopted should be as simple as possible to be effective, for both PSPs and potential Code beneficiaries. The experience for victims seeking reimbursement should be simple and easy to understand.
  • Transparency: The Code should be developed, implemented and operated in an open and transparent manner (to the extent that privacy and security considerations permit).
  • Timeliness: The rules adopted should support timely reimbursement and expedited communication between PSPs and consumers.
  • Fairness: The Code should be developed, implemented and operated in a fair and publicly defensible manner.
  • Costs, benefits and impact: The rules and standards in the Code should be justifiable – both individually and as a whole – on the basis of their costs and benefits, in particular their impact on the harm caused by APP scams.

Key considerations

Each PSP will need to evaluate the full draft Code and the detail of the Consultation in the context of their own business. However, it is worth drawing out some noteworthy issues which we consider PSPs will need to engage with fully to ensure the operation of the Code is effective and maintains industry and public confidence:

  • Whilst the Code is “voluntary” it is clearly intended to be adopted by all relevant PSPs (see Core Principle iv) and all complaints to the FOS will be influenced by it (see Core Principle viii);
  • The “requisite level of care” is a laudable concept which can be universally agreed by both PSPs and customers alike at this conceptual stage. However, in circumstances where both parties have met their “requisite level of care” there is clearly still work to be done in terms of:
    1. whether liability for reimbursement will be accepted by the industry in such a “no fault” context; and
    2. how the cost of reimbursements will be funded across the industry;
  • Furthermore, in practice, whether the parties have met their “requisite level of care” is likely to be a focus of any dispute or complaint. In turn, the FOS will assume a greater importance in setting relevant standards in this area;
  • The ADR mechanism proposed between PSPs expects the sharing of information to assess the apportionment of liability where both have not met the requisite standards. Such information is likely to be confidential and/or commercially sensitive;  and
  • The vulnerability of customers will be a key factor in determining whether or not someone is reimbursed. This is a dynamic and imprecise assessment which is likely to be subject to significant scrutiny.


In light of the size of this issue and the recognition by industry and consumers that more needs to be done, the draft Code is a welcome first step. However, it raises a number of practical and legal consequences for not only those PSPs planning to adopt the Code but also other firms who are not or otherwise would not bound by its terms.

For example, there is often a similarity between a number of fraud typologies and fraudsters do not operate within definitions of customer/fraud type. As such, the first introduction of an industry-wide regime will be an important development of which all PSPs should take note. The final version of the Code and its effectiveness will serve as a benchmark against which PSPs’ handling of APP and similar non-APP frauds will be measured.

Please contact the authors if you would like to discuss any aspect of the draft Code and Consultation.