UK vs EU reimbursement rules: strategic differences fraud and compliance leaders must act on
- Quentin Felice
- 5 days ago
PSD3 and the revised Payment Services Regulation (PSR) are inching toward finalisation. But already, it’s clear the EU is taking a different path from the UK when it comes to reimbursing victims of authorised push payment (APP) fraud. These divergences aren’t just legal technicalities—they shape who bears the cost of fraud, how fast institutions must act, and what technology is needed to respond. For EU fraud and compliance leaders, the differences carry both risk and opportunity.
Reimbursement: broad in the UK, narrower in the EU
The UK’s rules apply to all consumer and micro-business payments executed via Faster Payments or CHAPS, covering every form of APP scam. Reimbursement is mandatory, and liability is shared equally between sending and receiving institutions. A five-day resolution window, a capped claim value (£85,000), and a modest excess (£100, waived for vulnerable customers) round out the framework.
In contrast, the EU’s current PSD3/PSR draft is more conservative. It limits mandatory reimbursement to impersonation fraud only—excluding categories like investment scams or social engineering that remain common in practice. And liability sits fully with the sending PSP. The payout timeline is left undefined (“without undue delay”), and there is no EU-wide standard for consumer excess or claim caps, leaving those details to Member States.
The result? A potentially fragmented landscape in which responsibility, speed, and scope differ by jurisdiction—raising implementation challenges for cross-border PSPs and making standardised response infrastructure harder to justify.
Why these differences matter now
On paper, the EU’s approach may seem less burdensome for receiving PSPs or fintechs. But that’s short-term thinking. What the UK model shows is that shared liability unlocks shared investment—in intelligence sharing, early-warning signals, and preventative fraud controls.
When both ends of a transaction are accountable, receiving PSPs become more proactive in identifying suspicious patterns. They are incentivised to invest in systems that screen inbound payments, surface anomalies, and collaborate with sending institutions before funds are gone. This reshapes behaviour across the ecosystem, reducing losses upstream.
By contrast, a sender-only liability model risks reinforcing silos. Without aligned incentives, receiving institutions may remain passive, and cross-PSP intelligence remains sporadic. The result is slower detection, more fraud, and higher reimbursement costs for senders—especially in fast-settling environments where seconds matter.
Coordination, not centralisation
The UK’s approach is also notable for how it encourages ecosystem-wide action without requiring data centralisation. Sending and receiving banks are aligning not because of shared infrastructure, but because of shared exposure.
For EU institutions operating under stricter privacy rules and a fragmented market, this point is critical. The lesson is not that reimbursement frameworks must be identical, but that collaboration must be embedded at the infrastructure level—even if legal frameworks differ.
This is where secure data collaboration offers a path forward. By enabling institutions to contribute and consume fraud signals without exposing raw data or violating GDPR, these systems allow for alignment even in decentralised or liability-asymmetric environments. They offer an operational bridge between regulatory ambition and technical execution.
Don’t wait for harmonisation
Some EU institutions may choose to wait—hoping for clarification, national alignment, or industry standards. But the market won’t wait. APP fraud is already growing. Regulators are watching public sentiment and reacting to pressure. And UK institutions are racing ahead with real-time reimbursement, Confirmation of Payee expansion, and ecosystem-integrated fraud detection.
The longer EU PSPs delay their own preparations, the more difficult it becomes to retrofit real-time intelligence, reimbursement workflows, and collaborative investigations into legacy systems.
More importantly, the gap isn’t just technical. It’s reputational. Customers—already aware of UK protections—may start asking why similar protections don’t apply to them. Market differentiation will increasingly favour those who act early and transparently.
What to prioritise now
For fraud and compliance leaders in Europe, the divergence between UK and EU models should prompt a shift in focus:
- From interpreting liability to preparing for accountability
- From bilateral controls to ecosystem-level coordination
- From policy checklists to operational agility
Even if PSD3 does not mandate shared liability, the benefits of shared intelligence are already clear. Institutions that adopt secure collaboration today will be better equipped to detect networked scams, resolve claims faster, and manage regulatory complexity across borders.
Looking ahead
The UK and EU may differ in policy detail—but they are aligned in direction: fraud prevention must be faster, fairer, and more collaborative. For those willing to lead, that means preparing now for a future where reimbursement is not a dispute—it’s a signal of operational maturity.