The Payment Systems Regulator (PSR) recently published its Authorised Push Payment (APP) scam performance for 2024. Thistle Initiatives' Manager, Elliott Day, expands on the data and what firms should consider.
The Payment Systems Regulator (PSR) has published its final set of Authorised Push Payment (APP) scam performance data for 2024, covering scams that occurred before the mandatory reimbursement requirements came into force in October 2024.
The dataset provides a detailed view of industry performance immediately prior to the reimbursement regime and offers useful insight into where fraud exposure has been concentrated across the payments ecosystem. For UK firms, it provides an external reference point for understanding supervisory focus areas and how expectations around fraud prevention and customer outcomes are evolving.
The data covers APP scam activity between January and 7 October 2024, based on cases closed during the same year. It includes:
The dataset covers the UK’s 14 largest banking groups alongside 11 smaller firms identified as among the highest receivers of fraud.
During the period covered by the dataset, approximately 60% of APP scam losses by value were reimbursed, with around 73% of cases receiving full or partial reimbursement, although outcomes varied materially between firms.
Since the reimbursement requirements took effect in October 2024, industry outcomes have shifted significantly. In the first year of the new regime, approximately 88% of in-scope APP losses by value were reimbursed (representing around £173 million), with 82% of claims closed within five business days. These later figures provide context for how supervisory expectations and customer outcomes have evolved following the rule change.
Performance varied materially between firms, meaning customers experiencing similar scams could receive very different outcomes depending on their provider.
From a supervisory perspective, this reinforces expectations that fraud controls and decision-making frameworks should deliver consistent and defensible customer outcomes rather than relying on firm-specific interpretations.
The data indicates a concentration of fraudulent receipts among certain firms. Non-directed firms recorded fraud-receipt rates substantially higher than the largest banking groups, receiving a disproportionate share of fraudulent value relative to their payment volumes.
This pattern helps explain continued regulatory focus on mule activity, onboarding standards and monitoring of receiving accounts.
The dataset also illustrates two contrasting fraud patterns:
This distinction reinforces the need for controls calibrated to different customer behaviours and risk journeys rather than a single fraud-prevention approach.
The relevance of these findings will vary depending on firms’ business models and exposure. However, several themes are likely to be relevant where firms support Faster Payments or retail payment activity.
Industry data provides firms with an external benchmark when explaining investment decisions in fraud controls to boards, auditors or banking partners. It helps demonstrate alignment between control design and system-wide risk patterns.
Where firms operate accounts capable of receiving Faster Payments, regulators are likely to focus on onboarding quality, behavioural monitoring and the timeliness of account intervention where suspicious activity emerges.
High-volume purchase scams may require friction and customer prompts at key payment stages, whereas investment scams may require deeper analysis of behavioural indicators, repeated payments to new beneficiaries and escalation pathways.
With industry claims increasingly resolved within short timeframes, firms whose decision-making or processing timelines differ materially may attract closer supervisory attention.
Firms may wish to map fraud exposure across sending volumes, receiving volumes and scam typologies to identify where control improvements are likely to have the greatest impact.
Where purchase scams dominate, firms may consider whether customer prompts and payment friction operate effectively at relevant decision points. Where investment scams feature more prominently, controls around new payees, repeat payments and behavioural indicators may warrant closer review.
For receiving accounts, organisations should be comfortable that early indicators of mule behaviour can be detected and acted upon promptly, particularly where fraud inflows exceed expected levels.
Metrics reflecting exposure, such as fraud received relative to inbound payment volumes or activity involving new beneficiaries, may provide a more complete risk picture than confirmed loss data alone.
Since the mandatory APP reimbursement scheme came into force in October 2024, applicable firms are required to reimburse eligible customers in defined circumstances, increasing the importance of identifying exposure earlier in the payment journey rather than relying solely on post-event loss analysis. Clear visibility of exposure supports more timely intervention, defensible decision-making and effective oversight under the reimbursement framework.
The PSR’s APP scam performance data is less about retrospective comparison and more about signalling where fraud risk sits across the payments system. It illustrates how uneven exposure can be between firms and why supervisory expectations increasingly focus on both prevention effectiveness and customer outcomes. Additionally, we have seen with the previous APP performance data that the FCA have taken a close interest in the non-directed firms which make up a significant proportion of receiving APP frauds, and that trend may continue with this latest data.
For firms, the key question is whether fraud controls, governance and supporting evidence align with the areas where exposure genuinely exists, and whether that alignment can be clearly demonstrated.
Our financial crime team supports firms in benchmarking their fraud risk profile against industry data and assessing whether controls remain aligned with evolving regulatory expectations.
We review sending and receiving-side controls, assess mule-risk frameworks and help organisations evidence decision-making, governance and customer outcomes in a clear and defensible manner.
Elliott is a manager within Thistle’s Financial Crime team, supporting fintech and financial services clients to strengthen controls, uplift governance, and deliver regulatory remediation. His experience spans AML, sanctions, KYC/KYB, onboarding and risk assessment, with a focus on proportionate, risk-based frameworks and practical assurance.
Before joining Thistle, Elliott held financial crime and compliance roles across payments and fintech, enhancing policies, procedures and monitoring arrangements. Elliott has also contributed to industry publications, including editorials for The Company Lawyer.