What fraud and compliance leaders can learn from the UK’s liability-sharing model
- Quentin Felice
- 7 days ago
When the UK introduced mandatory reimbursement for Authorised Push Payment (APP) fraud, it did more than impose new rules—it rewired incentives across the financial ecosystem. In particular, the 50/50 liability model and modest consumer excess are reshaping how PSPs detect, escalate, and prevent fraud. For EU institutions preparing for PSD3, these mechanisms are worth close attention.
Rebalancing risk to unlock shared accountability
Under the UK framework, liability for reimbursing APP scam victims is split equally between sending and receiving institutions. This design reflects a clear strategic intent: to motivate both ends of the payment chain to contribute to fraud prevention.
Historically, sending PSPs bore the brunt of compliance responsibility and reputational exposure. Receiving PSPs, by contrast, had limited legal obligations to scrutinise incoming funds. The UK’s 50/50 model upends that dynamic. Now, all parties have skin in the game.
The result is a shift from passive reception to active scrutiny. Receiving institutions are developing new controls to assess the risk of beneficiary accounts before the money lands—engaging earlier in the fraud prevention lifecycle. In parallel, sending PSPs are seeking better intelligence from peers to inform real-time decisions at the point of transfer.
This reciprocity is not just financial. It fosters the kind of operational cooperation that siloed institutions often struggle to achieve: confirming signals, triaging alerts, escalating concerns rapidly, and contributing to fraud detection at the ecosystem level.
The role of consumer excess
Alongside liability-sharing, the UK also introduced a £100 consumer excess—effectively a deductible on each reimbursement claim. While modest, this mechanism serves a dual purpose: to mitigate opportunistic claims and to reinforce individual responsibility without undermining protection for genuine victims.
Importantly, the excess can be waived entirely for vulnerable customers. This flexibility allows institutions to tailor their approach based on need, while maintaining a deterrent against abuse.
From a behavioural standpoint, the presence of a small but visible excess reinforces awareness. It prompts customers to double-check details, question suspicious requests, and engage more critically with fraud warnings. Combined with clear communication and transparency, this mechanism helps to build trust while containing operational exposure.
What the UK got right
The strategic genius of the UK model lies not in any single feature—but in how its parts reinforce one another. Shared liability drives proactive prevention. The consumer excess fosters attentiveness. And together, they reduce both the incidence of fraud and the burden of reimbursement.
Equally important is the cultural signal these choices send. Fraud is no longer treated as an isolated loss event to be resolved after the fact. It is now seen as a shared risk that must be addressed in near real-time, across institutional boundaries.
For this to work, financial institutions need to be able to exchange signals securely and efficiently. That includes patterns of behaviour, previous alerts, and risk indicators related to specific accounts or devices. Doing so while respecting data privacy and regulatory constraints is not a trivial task—but it is increasingly achievable.
Operationalising shared incentives in Europe
As EU PSPs prepare for the final shape of PSD3, the UK model provides a useful template. Even if full liability sharing does not materialise in EU regulation, the principle remains relevant: institutions are more effective when they are jointly responsible for fraud mitigation.
To apply this in practice, EU banks and PSPs will need to go beyond bilateral communication. They will need to invest in systems that support real-time signal exchange without centralising data or compromising confidentiality.
This is where secure data collaboration becomes critical. With the right technical architecture, institutions can participate in collaborative investigations, assess beneficiary risk based on shared—but encrypted—signals, and coordinate fraud prevention strategies without exposing personal or sensitive information. They can also automate workflows to triage risks faster and reduce the volume of false positives that clog investigation queues.
Learning from incentive design
The UK's approach to APP fraud illustrates that regulation does not need to be punitive to be effective. When well-calibrated, rules can activate institutional change, align stakeholder interests, and reduce systemic risk.
For EU PSPs, this means considering how PSD3 compliance can become a lever for strategic alignment. Institutions that move early to implement secure, collaborative infrastructure will not only reduce fraud losses—they will also be better prepared to meet evolving liability standards, serve customers more effectively, and adapt to cross-border fraud threats.
Looking ahead
The UK’s reimbursement model shows that incentives matter—and that when aligned correctly, they produce measurable improvements in speed, efficiency, and fraud resilience.
As EU institutions prepare for PSD3, the challenge is to translate these lessons into infrastructure and governance models that fit the European context. Those who succeed will not just comply—they will lead.