Jonathan Hart
Governments around the world are taking steps to combat rising rates of APP fraud. We provide examples of global action and shed light on how businesses can best protect themselves against APP scams.
- Authorised Push Payments, or APP, describe scams where a fraudster convinces a victim to authorise a payment under false pretences.
- This covers several types of scam, including product, service or purchase scams, romance scams, invoice scams and investment scams.
- Responses by governments around the world can include potential compensation to individual victims, proving the seriousness of the threat. Can businesses expect the same kind of safety net?
Why APPs are a Threat
APPs are effective because they take advantage of individuals, whether consumers or key finance people within a business. Scammers use social engineering techniques to deceive or confuse victims into making payment transfers, even if this goes against processes they have been trained to follow or against their better judgement. Even worse, the use of instant payments, or other payment tools such as crypto exchanges, means the funds are often irretrievable.
For this reason, governments around the world have started to create policy and legislative action to curb the growth of APP fraud and the damage it can cause to consumers, businesses and economies.
Examples of Global Action
In the UK, APPs represent about 40% of payment fraud, which itself represented 40% of all reported crime in the UK in 2023[1]. APP losses for the four years to 2023 equated to almost £2 billion.
In response, from October 7th 2024, the UK Payment Systems Regulator required banks to reimburse consumers who are victims of APP fraud. This will be funded 50% by banks sending funds and 50% by banks receiving funds, to a maximum limit of £85,000.
Businesses (aside from some microbusinesses and smaller charities) will not be eligible for reimbursement.
In addition to banks being better incentivised to detect patterns of fraud and stop them before they impact customers, the wider deployment of Confirmation of Payee (CoP) technology, which alerts bank users when the name of a payee and their account details don’t match, and improved data sharing between financial institutions are expected to dramatically reduce the impact of scams.
The UK is unique in its 50/50 reimbursement model, but far from the only country taking action against payment fraud.
In the United States, according to the FBI’s Internet Crime Report, $9 billion in losses from APPs were related to investment scams, business email compromise and impersonation scams, and this was in 2023 alone[2]. As a result, the Federal Trade Commission is working with law enforcement to prosecute illegal telemarketing and investment schemes, and improve its regulatory force in relation to impersonation fraud[3]&[4]. Additionally, the Federal Communications Commission (FCC) has initiated multiple actions in 2024 focusing on reducing the 4 billion robocalls Americans receive per month[5].
Australia, with a population of just 26 million people, experienced over $1.8 billion in APP losses in 2023[6]. It is deploying CoP technology in 2024, adding new rules for financial account openings such as mandatory biometrics, requiring shared intelligence between financial institutions, and increasing regulation on telecommunications and social media companies to crack down on scams[7]&[8].
Singapore is working on implementation of a “shared responsibility framework” that would allocate responsibility between financial institutions, telecommunications companies and consumers, with compensation for losses where a party has breached their duties[9]. Additionally, legislation passed in July 2024 has strengthened the ability of authorities to take down websites, apps and online accounts suspected to be used for scams and cyber-crime activities[10].
In the European Union, Payment Services Directive 3 (PSD3) and Payment Services Regulation 1 (PSR1) are expected to come into effect in 2026. These will outline liability for fraud between financial institutions, make mandatory the use of CoP technology (known in the EU as Verification of Payee), and require financial institutions to undertake customer education, improve secure customer authentication, and share fraud intelligence with other financial institutions[11].
In summary, unless otherwise required by market rules or legislation, liability for APP fraud will continue to primarily lie with victims. Additionally, the compensation schemes presently under review by western economies appear to be focused on consumer, rather than business, victims.
Whilst individual financial institutions may provide compensation to customers who are victims of scams, full reimbursement in the absence of rules requiring it tends to be rare, and usually only if the financial institution has identified a fault in its own processes.
How should businesses respond?
Despite efforts by governments to reduce the potential for fraud, advancements in technology ensure the threat of Authorised Push Payments remains real.
The reality is that the perpetrators of APP fraud are skilful in exploiting new technology and opportunities to socially engineer diverse types of victims; tightening payment processes and employee training will only go so far.
At the same time, relying solely on payment infrastructure and financial institutions to thwart fraudsters and scammers is a high-risk strategy, especially where businesses as victims have little to no possibility of a refund, reimbursement or compensation.
Therefore, businesses should consider the use of global fraud detection technology to ensure trust throughout all critical points of the customer or supplier lifecycle, including onboarding, during times of change, and pre-transaction. Such technology will include regular KYC/KYB verifications, behavioural analysis, and use of other diverse risk signals, which are critical to ensuring fraud mitigation in a world of generative AI technology.
1. https://www.ukfinance.org.uk/system/files/2024-06/UK%20Finance%20Annual%20Fraud%20report%202024.pdf
2. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
3. https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public
4. https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-announces-impersonation-rule-goes-effect-today
5. https://www.fcc.gov/spoofed-robocalls
6. https://www.accc.gov.au/media-release/scam-losses-decline-but-more-work-to-do-as-australians-lose-27-billion
7. https://www.ausbanking.org.au/scam-safe-accord/
8. https://ministers.treasury.gov.au/ministers/stephen-jones-2022/speeches/address-national-press-club-canberra
9. https://www.bankingday.com/call-for-australian-scam-reimbursement-plan
10. https://www.channelnewsasia.com/singapore/online-criminal-harms-new-law-passed-scams-malicious-cyber-activity-3607501
11. https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3543
Copyright © 2024 London Stock Exchange Group. All rights reserved.