The Payment Systems Regulator (PSR) recently published its Authorised Push Payment (APP) scam performance for 2024. Thistle Initiatives' Manager, Elliott Day, expands on the data and what firms should consider.
The Payment Systems Regulator (PSR) has published its final set of Authorised Push Payment (APP) scam performance data for 2024, covering scams that occurred before the mandatory reimbursement requirements came into force in October 2024.
The dataset provides a detailed view of industry performance immediately prior to the reimbursement regime and offers useful insight into where fraud exposure has been concentrated across the payments ecosystem. For UK firms, it provides an external reference point for understanding supervisory focus areas and how expectations around fraud prevention and customer outcomes are evolving.
Key Changes
The data covers APP scam activity between January and 7 October 2024, based on cases closed during the same year. It includes:
- Reimbursement outcomes
- APP scams sent
- APP scams received
The dataset covers the UK’s 14 largest banking groups alongside 11 smaller firms identified as among the highest receivers of fraud.
During the period covered by the dataset, approximately 60% of APP scam losses by value were reimbursed, with around 73% of cases receiving full or partial reimbursement, although outcomes varied materially between firms.
Since the reimbursement requirements took effect in October 2024, industry outcomes have shifted significantly. In the first year of the new regime, approximately 88% of in-scope APP losses by value were reimbursed (representing around £173 million), with 82% of claims closed within five business days. These later figures provide context for how supervisory expectations and customer outcomes have evolved following the rule change.
Why This Matters for UK-Regulated Firms
Outcomes varied significantly prior to mandatory reimbursement
Performance varied materially between firms, meaning customers experiencing similar scams could receive very different outcomes depending on their provider.
From a supervisory perspective, this reinforces expectations that fraud controls and decision-making frameworks should deliver consistent and defensible customer outcomes rather than relying on firm-specific interpretations.
Receiving-side exposure is becoming a stronger supervisory focus
The data indicates a concentration of fraudulent receipts among certain firms. Non-directed firms recorded fraud-receipt rates substantially higher than the largest banking groups, receiving a disproportionate share of fraudulent value relative to their payment volumes.
This pattern helps explain continued regulatory focus on mule activity, onboarding standards and monitoring of receiving accounts.
Typologies highlight distinct risk dynamics
The dataset also illustrates two contrasting fraud patterns:
- Purchase scams represent the majority of cases by volume, but a smaller proportion of total value
- Investment scams represent a small proportion of cases but a significant share of financial loss
This distinction reinforces the need for controls calibrated to different customer behaviours and risk journeys rather than a single fraud-prevention approach.
Practical Implications
The relevance of these findings will vary depending on firms’ business models and exposure. However, several themes are likely to be relevant where firms support Faster Payments or retail payment activity.
Benchmarking supports control justification
Industry data provides firms with an external benchmark when explaining investment decisions in fraud controls to boards, auditors or banking partners. It helps demonstrate alignment between control design and system-wide risk patterns.
Receiving firms may face increased scrutiny of mule risk
Where firms operate accounts capable of receiving Faster Payments, regulators are likely to focus on onboarding quality, behavioural monitoring and the timeliness of account intervention where suspicious activity emerges.
Sending controls should reflect scam typology
High-volume purchase scams may require friction and customer prompts at key payment stages, whereas investment scams may require deeper analysis of behavioural indicators, repeated payments to new beneficiaries and escalation pathways.
Claims handling contributes to supervisory assessment
With industry claims increasingly resolved within short timeframes, firms whose decision-making or processing timelines differ materially may attract closer supervisory attention.
What Firms Should Consider Now
Assess exposure across sending and receiving activity
Firms may wish to map fraud exposure across sending volumes, receiving volumes and scam typologies to identify where control improvements are likely to have the greatest impact.
Sense-check controls against observed typologies
Where purchase scams dominate, firms may consider whether customer prompts and payment friction operate effectively at relevant decision points. Where investment scams feature more prominently, controls around new payees, repeat payments and behavioural indicators may warrant closer review.
Review identification and response to mule activity
For receiving accounts, organisations should be comfortable that early indicators of mule behaviour can be detected and acted upon promptly, particularly where fraud inflows exceed expected levels.
Improve visibility of exposure alongside losses
Metrics reflecting exposure, such as fraud received relative to inbound payment volumes or activity involving new beneficiaries, may provide a more complete risk picture than confirmed loss data alone.
Since the mandatory APP reimbursement scheme came into force in October 2024, applicable firms are required to reimburse eligible customers in defined circumstances, increasing the importance of identifying exposure earlier in the payment journey rather than relying solely on post-event loss analysis. Clear visibility of exposure supports more timely intervention, defensible decision-making and effective oversight under the reimbursement framework.
Our Closing View
The PSR’s APP scam performance data is less about retrospective comparison and more about signalling where fraud risk sits across the payments system. It illustrates how uneven exposure can be between firms and why supervisory expectations increasingly focus on both prevention effectiveness and customer outcomes. Additionally, we have seen with the previous APP performance data that the FCA have taken a close interest in the non-directed firms which make up a significant proportion of receiving APP frauds, and that trend may continue with this latest data.
For firms, the key question is whether fraud controls, governance and supporting evidence align with the areas where exposure genuinely exists, and whether that alignment can be clearly demonstrated.
How Thistle Initiatives Can Help
Our financial crime team supports firms in benchmarking their fraud risk profile against industry data and assessing whether controls remain aligned with evolving regulatory expectations.
We review sending and receiving-side controls, assess mule-risk frameworks and help organisations evidence decision-making, governance and customer outcomes in a clear and defensible manner.
Meet the Expert
Elliott Day, Manager 
Elliott is a manager within Thistle’s Financial Crime team, supporting fintech and financial services clients to strengthen controls, uplift governance, and deliver regulatory remediation. His experience spans AML, sanctions, KYC/KYB, onboarding and risk assessment, with a focus on proportionate, risk-based frameworks and practical assurance.
Before joining Thistle, Elliott held financial crime and compliance roles across payments and fintech, enhancing policies, procedures and monitoring arrangements. Elliott has also contributed to industry publications, including editorials for The Company Lawyer.