Regulation

UK APP fraud reimbursement rules: what changed for fintechs

Since 7 October 2024, the Payment Systems Regulator's mandatory reimbursement requirement has made UK payment firms directly liable for authorised push payment fraud on Faster Payments and CHAPS, splitting the cost 50/50 between the sending and receiving payment service provider, up to a cap of £85,000. That shifts APP fraud from a customer loss to a direct firm cost, on both sides of the payment, which changes the value of a real-time phone-based risk check before a payment is authorised. This page is not legal advice.

This page summarises publicly available PSR policy material in general terms. It is not legal advice. Confirm your firm's specific obligations with your own compliance and legal teams and against the PSR's current published rules.

What changed on 7 October 2024

Before this requirement, a customer who was tricked into authorising a payment to a fraudster generally bore the loss themselves, since the payment was technically authorised by the account holder. The PSR's reimbursement requirement, covering Faster Payments and CHAPS transactions, changed that: in-scope payment service providers must now reimburse eligible victims of APP fraud, with liability split between the sending PSP and the receiving PSP. Source: PSR, PS25/5 "Consolidated policy statement: APP scams reimbursement requirement", May 2025, and PS24/7, checked July 2026.

The liability mechanics

Source: PSR, PS25/5 and PS24/7 policy statements, checked July 2026.

Why this makes phone signals a direct cost lever, not just a fraud metric

Because liability sits on both the sending and the receiving side, a receiving PSP now has a direct financial reason to screen incoming payment accounts, not only its own outbound customers. A risk signal that reduces the chance of a successful APP scam, on either side of the payment, reduces reimbursement exposure directly, in pounds, rather than only improving a fraud-rate metric reported internally.

Where telecom signals map to this

Before authorising a push payment: SIM swap check

APP fraud increasingly overlaps with account takeover, where an attacker who has taken control of a victim's number via a SIM swap initiates the payment directly, or intercepts the OTP used to authorise it. A pre-authorisation SIM swap check is a direct control against this pattern. See stopping authorised push payment fraud with phone intelligence for the fuller flow.

At receiving-account onboarding: number type and carrier

Accounts that receive APP fraud proceeds are frequently opened with disposable or recently issued numbers. Number type screening at onboarding for a receiving account is a live, low-cost check that does not depend on the sending side at all.

Under review: cross-sector liability

The FCA and PSR have signalled a joint review of the reimbursement framework, examining whether the current model, which places liability solely on payment firms, remains sustainable given the role telecoms and social media platforms play in originating APP fraud. As of the checked date, no outcome has been published and nothing about the current requirement has changed. Source: reporting on the FCA/PSR joint review, checked July 2026; re-verify against the PSR's own publications before treating any outcome as settled.

Signals available today

Live in every response

SIM swap detection is launching. Early access is open now.

The simSwap field is present in every response today and returns UNKNOWN in GB while carrier registration completes. Firms weighing reimbursement exposure against a pre-authorisation check can integrate now and receive live data as carrier registration completes.

$0.03 per query. No contract. No minimum spend. Billed via Paddle.
Request early access