What is APP fraud? Authorised Push Payment scams explained.

APP fraud is now the largest category of fraud in the UK by value. Since October 2024 it is also the only category where banks must refund you by default. Here is what the term actually means, why it is treated differently from card fraud, and what the law gives you.

What is the difference between APP fraud and unauthorised fraud?

Unauthorised fraud is when someone takes money from your account without your knowledge or consent — for example a stolen card or hacked online banking. APP (Authorised Push Payment) fraud is when you yourself send the payment, but only because you were tricked into doing it. The legal regime is different: unauthorised fraud is covered by the Payment Services Regulations 2017 with near-automatic refunds; APP fraud is now covered by the PSR Mandatory Reimbursement Scheme that came into force on 7 October 2024.

Is APP fraud actually fraud in the criminal sense?

Yes. The criminal offence is committed by the scammer, normally under the Fraud Act 2006 (fraud by false representation). The fact that you authorised the bank transfer does not make the act lawful — your consent was obtained by deception, which is precisely what the Fraud Act criminalises.

Does it matter what kind of scam I fell for?

For the criminal definition, no — APP fraud is a single legal category. For the refund rules, mostly no: investment scams, romance scams, impersonation scams, purchase scams, and invoice redirection are all in scope of the PSR scheme. The exceptions are international payments (the scheme covers Faster Payments and CHAPS within the UK only) and payments made using a credit card, which are usually better routed via Section 75 of the Consumer Credit Act 1974.

Why are banks suddenly refunding APP fraud?

Until October 2024, refunds were governed by the voluntary Contingent Reimbursement Model (CRM) Code — most major banks signed up, but enforcement was patchy. The Payment Systems Regulator made reimbursement mandatory under FSBRA 2013 powers. Banks no longer have a choice: if you were the victim of APP fraud and you meet the customer-standard requirements, the bank that sent the payment must refund you, with the receiving bank paying half the cost.

Can the bank refuse to refund me?

Only on narrow grounds. The bank must prove that you acted with gross negligence, or that the customer-standard requirements were not met (for example you ignored a specific Confirmation of Payee warning or did not report the fraud promptly). Simple negligence — being trusting, being persuaded — is not enough. The burden of proof sits firmly on the bank.

What if my bank does refuse?

You have a free statutory right to escalate the bank's decision to the Financial Ombudsman Service within six months of receiving the bank's final response letter. The Ombudsman reviews the case independently and applies a "fair and reasonable" test. The Ombudsman can order the bank to refund you, pay interest at 8% simple per year, and pay compensation for distress and inconvenience.

The plain-English definition

An Authorised Push Payment (APP) fraud happens when you, the account holder, instruct your bank to send a payment to someone — and that instruction was procured by deception. You pushed the payment yourself; you authorised it. But your authorisation was bought with a lie. The classic examples are paying a fake invoice that looks like it came from your builder, sending money to a "safe account" because someone claiming to be from your bank told you to, paying for an investment that never existed, or transferring funds to a romantic partner you have never met.

The defining feature, and the reason the law had to be re-written, is that authorisation. Under the Payment Services Regulations 2017 a bank that executes a payment you authorised has done its job — there is no unauthorised transaction to refund. For decades that left APP fraud victims in a difficult position: banks could and often did refuse refunds on the basis that the customer had ticked the box, signed the form, or pressed Confirm.

Why it is different from card fraud

When someone clones your debit card and spends £400 in Romania, that is unauthorised fraud. You did not authorise the payment. Under regulation 76 of the Payment Services Regulations 2017 your bank must refund you immediately and then investigate, with very narrow exceptions for gross negligence. Section 75 of the Consumer Credit Act 1974 gives you a separate joint-liability claim against your credit card issuer for purchases between £100 and £30,000.

APP fraud breaks that model because the payment is technically authorised. Until October 2024 victims relied on the voluntary Contingent Reimbursement Model Code — a code most major UK banks signed in 2019 but applied with very different levels of enthusiasm. Refund rates varied wildly. The Payment Systems Regulator concluded that voluntary self-regulation had failed and used its powers under the Financial Services (Banking Reform) Act 2013 to require reimbursement by law.

The categories the PSR scheme covers

The PSR Mandatory Reimbursement Scheme covers any APP fraud where the payment was sent over Faster Payments or CHAPS to a UK-domiciled account, by a consumer, micro-enterprise or charity. That captures the great majority of real-world cases. The major scam types in scope include:

International payments and credit-card payments fall outside the scheme, but they have their own routes. International scams may still be reportable under the bank’s own fraud policy, and credit-card payments often sit better under Section 75 of the Consumer Credit Act 1974.

The refund standard, in one paragraph

If you are an in-scope customer, your sending bank must refund you up to £85,000 per claim within five working days of you reporting the fraud, unless the bank can prove that you acted with gross negligence — a deliberately high bar that does not capture being trusting, busy, or persuaded by a sophisticated story. The receiving bank pays half the bill, which gives both banks a financial incentive to detect fraud earlier. You may have to pay a £100 excess if you are not classed as vulnerable.

What the law expects of you in return

The PSR scheme imposes "consumer-standard" requirements. You must report the fraud to your bank promptly — typically within 13 months of the last fraudulent payment — and you must engage with the bank's investigation, including reporting the matter to Action Fraud (or Police Scotland) and providing the crime reference number. You must not have ignored a specific, prominent Confirmation of Payee warning that the account name did not match. None of these are difficult for an honest victim to meet, and the law explicitly excludes vulnerable consumers from the gross-negligence defence altogether.

If the bank still says no

You have a statutory right to a final response letter from the bank that sets out its decision and your right to escalate. You then have six months from that letter to refer the case to the Financial Ombudsman Service, free of charge. The Ombudsman is not bound by the bank’s reasoning — it applies a “fair and reasonable” test under the FCA’s DISP rules and can order full reimbursement, interest at 8% simple, and compensation for distress and inconvenience. Ombudsman decisions are binding on the bank if you accept them.
