Bank transfer fraud protections risk being weakened by regulator

Victims could have to pay a £250 excess under proposals put forward by the PSR
Chiara CavaglieriSenior researcher & writer
Person using credit card and smart phone to make push payment

Plans for vital legal protection against costly bank transfer fraud have taken a major step backwards, Which? has warned, following the latest set of proposals from the Payment Systems Regulator (PSR). 

Authorised push payment (APP) fraud – where victims are tricked into sending money from their bank account to a criminal – can be both financially and emotionally devastating. 

Bank customers lost a total of £485.2m to APP fraud in 2022, though many other incidents go unreported. 

Which? has continually fought for fairer and more consistent redress for APP fraud victims, raising our 2016 super-complaint about the gap in protections, exposing the failings of the subsequent voluntary code of conduct and successfully campaigning for mandatory reimbursement. 

The new rules are due to kick in next year but Which? is concerned that the PSR risks weakening existing protections significantly. 

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

The future of APP fraud redress

Mandatory reimbursement is a milestone protection for consumers, not least because the proposed scheme will apply to more than 1,500 firms offering Faster Payments. Only 10 banks and one building society are currently signed up to the voluntary CRM Code

Although this redress should mean customers who fall victim to APP fraud are reimbursed in all but exceptional cases, the latest plans risk watering down protections. Firstly, the scheme will be delayed by at least six months to October 2024, even though the PSR only announced the original implementation date of 2 April 2024 a few months ago. 

The PSR has also proposed other troubling amendments for a new consumer standard, a claims excess and a maximum reimbursement level, each of which would dilute the current protections. 

Customers to bear the burden of responsibility

Under the voluntary scheme, both banks and customers are expected to meet certain standards of care. For example, banks should provide ‘effective warnings’, tailored to the specific APP scam types identified (typically, instructions or messages when you set up, change or make payments), while consumers should have a reasonable basis for believing that they are paying a legitimate person or business. 

Which? has repeatedly criticised banks for unfairly blaming fraud victims and finding spurious reasons to wriggle out of claims.

The PSR originally called for a ‘consumer caution exception – but one set at a high bar, higher than in the CRM Code’. However, its latest plans would mean victims are not reimbursed if they fail to meet any one of three elements in the newly proposed ‘consumer standard’:

  • a requirement to have regard to specific, directed warnings (such as online notifications warning about a relevant type of fraud from your bank before your make a payment)
  • a prompt notification requirement (you should report fraud quickly and not more than 13 months after the last relevant fraudulent payment was authorised)
  • an information sharing requirement (you should respond to any reasonable requests for information made by their payment provider).

Which? has noted that the PSR has so far made little mention of what will be expected of payment firms. As things stand, the burden appears to fall more heavily on consumers. 

There appears to be no requirement for payment firms to provide evidence that their warnings are effective for different groups of consumers in different circumstances, or to show that this evidence is relevant to a specific scam case. We think this would mark a significant step away from the protections under the CRM Code. 

Victims could pay £250 towards claims

Under the voluntary CRM Code, fraud victims are not required to pay any excess when they make a claim for reimbursement, but the PSR has proposed introducing one to encourage people to be more cautious, suggesting options such as a fixed excess of £100 or £250 (although vulnerable customers would be exempt). 

Back in September 2022, the regulator said that payment firms would be able to impose a fixed excess of ‘no more than £35’. This mirrors the Payment Services Regulations (PSRs), which state that banks can charge victims of unauthorised fraud £35 if they were aware their card was lost or stolen at the time of the fraud (though most providers waive this).

Industry data shows that 32% of APP fraud falls below the value of £100, meaning an excess of £100 would exclude around a third of all APP claims, most of which are likely to be purchase scams. 

Which? has recommended that plans for an excess are scrapped, as this is not justified by the evidence and risks disproportionately affecting lower-income groups. An excess would create a significant gap in efforts to collect data about fraud – since customers may be less likely to report fraud below the excess level if they know their banks aren’t obliged to reimburse them – and firms would not be incentivised to tackle scams below this threshold, putting customers at risk. 

PSR makes U-turn on maximum reimbursement

The regulator has also changed its position on the maximum level of reimbursement. It originally said it had no plans for a claims limit because it would expect firms ‘to have the strongest safeguards in place for the largest payments’. 

Following industry pressure, the PSR has since said it plans to introduce a cap on reimbursement for APP fraud claims and will consult on the appropriate level, explaining that this would align with customer protections such as the Financial Services Compensation Scheme (FSCS) and the Financial Ombudsman Service (FOS), which impose claims limits of £85,000 and £415,000 respectively. 

Which? has pointed out that the FSCS protects temporary high balances of up to £1m for six months (intended to protect customers who have a temporary high balance, such as when selling property, or receiving an inheritance or divorce settlement). We think customers deserve similar levels of protection from APP scams. 

The PSR is set to publish its final position on the consumer standard, claims excess and maximum reimbursement level towards the end of the year.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.