New UK Rules Tackle Social Engineering Fraud


The UK’s New APP Fraud Rules Are Redefining How Banks Protect Their Customers

From October 2024, a new era began for fraud protection in the UK. Under rules introduced by the Payment Systems Regulator (PSR), banks and payment firms must now reimburse victims of Authorised Push Payment (APP) fraud. If someone is tricked into sending money to a scammer, they can claim back up to £85,000—no matter how convincing the scam.

This isn’t a gesture of goodwill. It’s mandatory. And it’s backed by some of the most ambitious consumer protection regulation in financial services today.

What the new rules mean in practice

The PSR’s rules apply to all transactions made over the Faster Payments system. Reimbursement must happen within five business days of the customer reporting the scam. If more investigation is needed, the final decision must come within 35 business days (PSR).

For victims, it means faster outcomes and greater confidence. For banks, it means rethinking how they detect, prevent and resolve fraud.

The responsibility for reimbursing victims is shared evenly between the sending and receiving banks. This split is important. It gives both sides a financial reason to do more—whether that’s stopping funds from being sent or catching mule accounts early.

There are exceptions. Reimbursement can be declined if the customer was grossly negligent or involved in the scam. But the threshold for this is intentionally high. The rules aim to protect even those who make honest mistakes, especially vulnerable people.

Reimbursement caps, excesses and what’s fair

There’s a cap of £85,000 per claim. This aligns with the Financial Services Compensation Scheme and was designed to cover 99.8% of APP fraud cases by volume, and 90% by value (Freshfields). For losses above this limit, consumers can escalate their complaint to the Financial Ombudsman Service, which has authority to award up to £430,000.

Banks also have the option to apply a £100 excess per claim. Some have chosen to waive it altogether. TSB, Nationwide, Virgin Money and AIB are among those that refund victims from the first pound (PSR). Others still apply the excess, meaning small claims—say, £90—may not be reimbursed at all. It’s a detail that matters, especially for lower-income consumers.

How banks are adapting

Regulation often triggers compliance. But in this case, many UK banks are going further—turning the mandate into a moment to rebuild trust and strengthen their defences.

TSB was already ahead of the curve. In 2019, it introduced its Fraud Refund Guarantee. When the new rules took effect, it confirmed that it wouldn’t apply the optional £100 excess either. In 2022, TSB refunded 94% of all APP fraud claims, and fraud levels didn’t spike as a result (The Guardian).

Starling took a more technical route. It launched a Call Status Indicator, which tells users—right in the app—whether a call claiming to be from Starling is real. If it isn’t, users are told straight away. It’s a clean, fast way to stop impersonation scams. They’ve also introduced Safe Phrases, letting customers use pre-agreed code words to verify bank staff on a call (The Paypers).

Lloyds is tailoring warnings to the risk of the transaction. If something looks off, they prompt users with specific, contextual advice. NatWest uses printed statements and in-branch posters to support less digitally active customers. CoP—Confirmation of Payee—is also becoming more effective, with over 350 firms onboard. It gives users a moment to pause if account details don’t match the recipient’s name (PSR).

Beyond the bank: how regulation is pushing the ecosystem forward

The new rules don’t exist in isolation. The Online Safety Act 2023 gives Ofcom new powers to hold tech platforms accountable when scams appear on their sites. From March 2025, these platforms must assess and mitigate the risk of harmful content, including financial scams. Failing to do so could lead to fines of up to £18 million, or 10% of global revenue (GOV.UK, Kennedys Law).

The UK is also strengthening how banks work with law enforcement. The Banking Protocol lets bank staff call the police if they suspect a customer is being coerced. Since launch, it has prevented over £55 million in fraud and led to more than 1,300 arrests (FCA).

Meanwhile, Mastercard’s Consumer Fraud Risk platform is helping banks spot mule accounts before funds are moved. In 2024, it expanded to include inbound fraud signals, giving receiving banks a better chance to act. Some report up to 60% better fraud detection rates as a result (Mastercard).

What this means for the rest of the world

The UK’s rules are already influencing other jurisdictions.

In the EU, the proposed PSD3 regulation includes mandatory reimbursement for impersonation fraud. Article 59 would require banks to refund consumers deceived by someone impersonating a trusted entity—like a bank or public authority (Better Regulation). The European Parliament wants this expanded to cover impersonation of any public or private actor, not just financial ones.

Australia is also moving forward. Its Scams Prevention Framework, passed in February 2025, applies to banks, telcos and tech platforms. If these companies fail to take reasonable steps to stop scams, they can face penalties of up to AUD $50 million per offence (Parliament of Australia).

In the US, there’s no mandatory reimbursement yet. Regulation E protects against unauthorised payments, but not authorised scams. That may be changing. In December 2024, the CFPB filed a lawsuit against Zelle’s operator and several major banks, accusing them of failing to protect users from widespread fraud (FinTech Futures).

Final thoughts

The UK hasn’t just created a refund system. It’s reshaped how banks think about fraud—making it a shared responsibility, not just a cost of doing business. It’s put consumers back in control. And it’s set a clear standard for other markets to follow.

This is what effective regulation looks like. It protects people, encourages better products, and gives businesses a reason to invest in doing the right thing.

The insights in this post are based on industry research, conversations with banks and fraud prevention experts, as well as our own experience. The content is for general information only and not intended as legal, financial, or technical advice. While Enlace strives for accuracy, the information may not reflect the latest developments.

TL;DR - Quick Summary

  • Reimbursement is now mandatory. UK banks must refund APP fraud victims within five business days, up to £85,000, with costs split evenly between the sending and receiving bank.

  • Banks are responding fast—using real-time checks, smart warnings, and stronger fraud detection.

  • The rules extend to platforms, which must remove scam content under the Online Safety Act.

  • Other countries are following the UK’s lead, adopting similar protections and shared accountability.

Published on May 2, 2025

Ready to protect what matters?

Give your customers secure, seamless banking — with fraud protection that just works.