
UK’s APP fraud reimbursement scheme: first six months in focus

As the European Union prepares for the implementation of PSD3 and the Payment Services Regulation (PSR), the UK’s recently enforced reimbursement regime for Authorised Push Payment (APP) fraud offers a valuable real-world benchmark. Six months into its deployment, the UK’s approach is already shaping conversations on how financial institutions can respond to fraud—not just reactively, but through systemic, intelligent collaboration.


Shifting liability and expectations


In October 2024, the UK Payment Systems Regulator introduced mandatory reimbursement rules that fundamentally reshaped PSP accountability. Under the new framework, both sending and receiving payment service providers are equally liable for reimbursing fraud victims, with a resolution window capped at five business days. The rules apply to all consumer and micro-business transactions over Faster Payments and CHAPS. Claims are capped at £85,000, with a £100 consumer excess that is waived for vulnerable customers.


This stands in marked contrast to the draft EU regulations, which currently propose narrower coverage—limited to impersonation scams—and assign full reimbursement liability to the sending PSP. However, as legislative discussions continue across Brussels, the UK model is emerging as a potential template for more expansive, balanced reimbursement protocols.


The UK’s results: measurable and meaningful


Over the first six months, UK Finance reported an 11 percent year-on-year drop in online banking fraud losses, alongside a 37 percent reduction in APP fraud cases. While it’s still early, these figures suggest that a shift in liability can yield meaningful changes in detection and prevention outcomes.

Crucially, the speed of resolution has proven feasible. More than 90 percent of claims at major banks were processed and reimbursed within the five-day requirement. Achieving this level of responsiveness has required PSPs to integrate workflows across risk, fraud, and compliance in real time—breaking down operational silos that previously slowed investigations and decision-making.


At the same time, the cost to industry has been substantial. In just six months, UK PSPs reimbursed over £126 million. Rather than viewing this as a financial burden alone, many institutions are using it as a trigger for strategic transformation. Facing increased liability, banks are accelerating investment in collaborative tools, data sharing protocols, and early-warning systems that detect scams before they occur.


A broader shift in institutional behaviour


Perhaps the most important change sparked by the new reimbursement rules is a cultural one. PSPs are starting to treat fraud as a systemic issue, one that cannot be effectively addressed in isolation. The growing adoption of Confirmation of Payee is one clear example of this shift. But equally important is the trend toward establishing shared risk signals, exchanging contextual intelligence, and forming operational alliances with counterpart institutions.


This evolution is also driving technology choices. As real-time collaboration becomes more necessary, institutions are seeking ways to share fraud signals without compromising data privacy or violating regulatory obligations. This is where secure data collaboration has emerged as a strategic enabler.


By using technologies that preserve privacy while enabling shared intelligence, PSPs can detect cross-institutional risks more effectively. Instead of centralising data or exposing sensitive information, institutions can contribute insights (such as risk scores, alerts, or behavioural patterns) from within their own environment, and receive corroborating intelligence in return. This approach supports faster triage, higher detection accuracy, and reduced false positives, all while staying fully compliant with PSD3, AMLR, and GDPR frameworks.


Implications for EU PSPs


For payment providers operating in Europe, the UK experience offers several important lessons.


First, liability-sharing doesn’t just distribute cost—it reshapes incentives and accelerates innovation in fraud detection. Institutions become more proactive when they have financial responsibility for both ends of the transaction.


Second, the ability to resolve claims quickly is not a pipe dream. With interoperable systems and coordinated intelligence flows, PSPs can deliver speed and precision in fraud response. However, this demands a departure from traditional workflows toward more connected and policy-driven collaboration.


Third, the financial pressure created by reimbursement obligations can be converted into a competitive advantage—if it drives investments in real-time infrastructure. Technologies that support secure, decentralised collaboration across institutions are no longer experimental. They are increasingly fundamental to achieving fraud resilience at scale.


And finally, perhaps the most strategic insight: collaboration doesn’t have to mean compromise. With the right architecture, financial institutions can maintain full data control and autonomy, even as they participate in shared intelligence networks. They can reduce investigation times, surface risks that would otherwise go unnoticed, and make more informed decisions at the speed modern fraud demands.


A strategic opportunity for Europe


The UK’s first six months with mandatory reimbursement show what’s possible when regulation acts as a catalyst—not just for compliance, but for transformation. While the EU may take a different path in terms of liability structures or scope, the underlying direction is clear: fraud prevention is evolving from isolated vigilance to collaborative intelligence.


Institutions that invest now in secure, privacy-preserving coordination capabilities will be better positioned not just to comply with PSD3, but to thrive in its aftermath. As the financial ecosystem becomes more interconnected, so too must our defences.

 
 