Understanding APP Fraud: Legal Strategies & Protection
Authorised push payment (APP) fraud is one of the fastest growing scams around, and it continues to cause significant headaches for consumers and financial institutions alike. Data published by the Payment Systems Regulator (PSR) revealed that, in 2023, APP fraud amounted to a loss of £341 million in the UK. Whilst this represented a 12% decrease in the overall value of APP fraud perpetrated in the UK, the volume has, in turn, risen by 12% in comparison to 2022, with 224,603 incidents reported in 2022 versus 252,636 last year. With these troubling figures in mind, we wanted to get back to basics – what is APP fraud, how can you prevent APP fraud, and how can you seek APP fraud reimbursement?
What is APP fraud?
What does APP fraud look like? In short, a fraudster will trick a victim into making a bank transfer to them, for example, by posing as a trusted organisation and encouraging the victim to send money to an account under the fraudster’s control.
Examples of APP Fraud
This is particularly prevalent in conveyancing scenarios: the fraudster typically intercepts legitimate emails between the purchaser and their solicitors, posing as an individual at the solicitor’s firm. This can be as simple as mimicking the firm’s branding in emails and slightly changing the email address so that the email appears to be legitimate. For instance, a common tactic is to use two “v”s in a domain name in place of a “w” to mimic the legitimate domain (such as “@crsblavv.com” rather than “@crsblaw.com”). The fraudster may also use “.co.uk” rather than “.com” in the email address, which can be especially difficult to spot, particularly when you’re not looking for it.
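As an added illustration (not part of the original article, and not code used by any firm named in it), the sketch below shows how a mail filter could flag the two tricks just described: look-alike characters and a swapped domain suffix. The suffix list, the character substitutions, the function names and the sample addresses are all assumptions constructed for the example.

```python
# Assumption: a tiny suffix list for the demo; real filters use the Public Suffix List.
SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "uk")
# Assumption: a few character sequences that read like another letter in many fonts.
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))

def split_domain(domain):
    """Return (registrable name, suffix): 'mail.crsblaw.co.uk' -> ('crsblaw', 'co.uk')."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1], suffix
    name, _, suffix = domain.rpartition(".")
    return name.split(".")[-1], suffix

def skeleton(name):
    """Collapse look-alike sequences so 'crsblavv' and 'crsblaw' compare equal."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted_domain):
    """Compare a sender address with the domain the recipient expects to hear from."""
    sender_name, sender_suffix = split_domain(address.rsplit("@", 1)[-1])
    trusted_name, trusted_suffix = split_domain(trusted_domain)
    if sender_name == trusted_name:
        return "exact" if sender_suffix == trusted_suffix else "suffix-swap"
    if skeleton(sender_name) == skeleton(trusted_name):
        return "lookalike-characters"
    if edit_distance(sender_name, trusted_name) <= 1:
        return "near-match"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample senders; only the two domains quoted above come from the article.
    for sender in ("a.solicitor@crsblaw.com", "a.solicitor@crsblavv.com",
                   "a.solicitor@crsblaw.co.uk", "a.solicitor@example.org"):
        print(sender, "->", classify_sender(sender, "crsblaw.com"))
```

Anything other than "exact" from a sender claiming to be the trusted firm is a reason to hold the message and confirm bank details by phone before any payment is made.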
The fraudster will then send the victim details of a separate bank account under their control for payment of the completion monies. Often, at this stage, the fraudster will pressurise the victim to make payment quickly, for example by suggesting the purchase of a property could be in jeopardy if the victim were not to act fast. Once the victim pays the monies into this account, the fraudster will quickly move it elsewhere and disappear. The victim often has no idea they have been scammed until the trusted institution they believed they were paying alerts them that they have not received the funds. At that stage, the money stolen from the victims is often long gone.
Fraudsters often pose as trusted institutions or people in order to intimidate and manipulate their victims into acting without thinking. The example detailed above is a common case of APP fraud, but the same can occur where the victim believes they are speaking to their bank or a government official. Often, there is an element of social manipulation to these frauds. For instance, fraudsters often pose as officials collecting a fine for a purported wrongdoing committed by the victim. The victim will inevitably feel pressure at the prospect of being fined, which enables the fraudster to better manipulate them.
APP fraud legal advice & solutions
PSR reimbursement regimes
In 2019 seven payment service providers (PSPs) established a voluntary code for reimbursement of losses caused by APP fraud called the Contingent Reimbursement Model (CRM). This established a system wherein the signatories would reimburse customers who fell victim to APP fraud where their customers acted within the confines of the code. In the first half of 2023, an average of 69% of scam losses were returned to victims under the CRM.
This system has clearly proved helpful for victims. However, as it is voluntary, there are many institutions which are not signatories and are not required to reimburse customers. To address this, the government will implement the Mandatory Reimbursement Regime (MRR) on 7 October 2024. This will require all sending PSPs to reimburse victims of APP scams and fraud. The sending PSP will, in turn, be able to seek 50% of the cost of reimbursement from the receiving PSP.
All APP fraud victims who executed their payment over the Faster Payments system will be covered by the MRR. This will mean most payments between PSPs for sums under £1 million will be covered. There are restrictions on who can be mandatorily reimbursed. You must:
- Not be acting in the course of business;
- Be a (smaller) charity; or
- Have under 10 employees and less than £2 million in annual turnover.
There will be a maximum financial reimbursement level for each claim of £85,000. Reimbursement can be refused if a customer fails to meet the consumer standard of caution through gross negligence on their part, and in that case only where the customer isn’t vulnerable.
The guidance produced by the PSR suggests that the standard of caution will be assessed by reference to the following features:
- Consumers should have regard to warnings and interventions issued by the sending PSP (i.e. bank) before the APP is executed. These interventions must not be “boilerplate” and instead be specific and directed to the particular consumer and transaction. Where a consumer chooses to proceed despite the intervention by the PSP, they are not, however, automatically deemed to be grossly negligent; rather the PSP must conduct an assessment of the degree of negligence including the complexity of the scam to which the consumer has become victim.
- Consumers should notify their PSP of a suspected APP scam or fraud promptly, and in any case no more than 13 months after the last relevant payment was authorised.
- Consumers are subject to an information sharing requirement, whereby they must respond to reasonable and proportionate information requests from their PSP in order for the PSP to assess the circumstances of the claim and any potential vulnerability. Guidance as to “reasonable” and “proportionate” is likely to be required.
- After making a reimbursement claim, consumers must consent to the PSP sharing their details with the police or another prosecutorial authority.
The rules require that, once the consumer has submitted the claim within the requisite timeframe, the sending PSP must reimburse the victim in full within 5 working days. The sending PSP can take a 35-day “pause” to the 5 working days prescribed if they wish to obtain more information and investigate the fraud further.
All PSPs are required to implement the MRR by 7 October 2024, though they may choose to make voluntary financial reimbursements before this date.
APP fraud prevention
Whilst the remedies offer some reprieve for potential victims of APP fraud, as set out above they are not guaranteed in all circumstances, especially where the victim has been found to be grossly negligent (i.e. they act outside of the consumer standard of caution). The best means of combatting APP fraud will always be preventing it in the first place. With that in mind, what can you do to avoid becoming a victim of APP fraud?
- If asked to move money to another account unexpectedly, or if you receive account details via email – always verify these instructions and the bank details over the phone. Do not rely on any telephone number included in the body of the email you have received, instead look up the particular company online and call their switchboard to either get in touch with your point of contact or confirm their bank details with their accounts team. In circumstances where your emails have been intercepted, this would prevent the fraudsters from successfully impersonating the legitimate business you are trying to send money to.
- Enable two-factor authentication on your banking and payment apps to prevent unauthorised access to your accounts. This could be particularly important in the case of APP frauds perpetrated via cold calls, wherein the fraudster will often try to get control of your computer, purportedly to fix an accounting error in your online banking. Whilst the fraudster has access to your device, they will often also attempt to transfer your funds to their own accounts. Two-factor authentication for payments can help prevent this.
- Report suspected scams immediately to your bank, the police and any relevant anti-fraud organisations (dependent on the type of scam).
The future of APP fraud protection
The CRM regime has seen most leading PSPs already abide by a version of the MRR, meaning the largest teething issues in adapting to this new regime are likely to be found with institutions who were not previously signatories to the CRM, such as building societies and smaller fintech firms. Indeed it was in part due to pressure from fintech firms that the PSR scaled back the MRR from having a maximum reimbursement level of £415,000 to £85,000.
Nevertheless, it is still thought that the MRR will provide an incentive to these institutions to prevent APP fraud and focus their efforts on protecting their consumers from APP fraud.
Sending and receiving PSPs will also need to report the volume of APP fraud claims they are receiving, information about the fraud and how it was dealt with, enabling the PSR to monitor compliance with the MRR. It is hoped this provides for a more streamlined system for dealing with APP fraud – we will await sight of the data after the implementation of the MRR to see whether this hope is justified.
As for the impact which the emergence of the MRR may have on the involvement of the judiciary in APP fraud cases, it remains to be seen whether it will (as presumably was intended) reduce the burden on the courts to deal with disputes between bank and customer (disputes which post the Supreme Court’s decision in Philip v Barclays did not bode well for consumers); or whether there will still be an appetite on bank and client side to engage the courts to deal with issues which are not neatly covered by the MRR.
In support of the latter proposition are two High Court cases decided in June 2024 which have further developed the jurisprudence in this sphere and, significantly, do not reach wholly consistent conclusions. Taken together, two factually similar cases were brought with differing causes of action and, further, reached converging conclusions, ironically for the same electronic money institution, Revolut. Further analysis of this convergence can be found here, but it is certainly suggestive that the law (both through regulation and litigation) in APP fraud remains an evolving piece.
With offices in many of the world’s major financial centres, including London, Paris, Geneva, Dubai, Hong Kong and Singapore, we are ideally placed to work with you to prevent, resolve and assist with financial crime disputes and investigations as they arise, whatever the law, language, rules, industry sector, or subject matter of that dispute may be. Our dedicated multicultural and multilingual specialists conduct proceedings under both common law and civil systems and regularly act in fraud-related proceedings.
Whether you are an individual or a business, our strategically focused specialists will work alongside you through every aspect of any proceedings. Please contact Caroline Greenwell or your usual Charles Russell Speechlys LLP contact if you would like to get in touch.