The Global Shift in APP Scam Liability
Authorised Push Payment (APP) scams have become one of the fastest-growing forms of financial crime worldwide. Unlike traditional payment fraud, APP scams exploit trust rather than stolen credentials. Victims are persuaded to authorise payments themselves, often believing they are sending money to a legitimate recipient. Criminals impersonate banks, government agencies, businesses, suppliers, investment firms, or even family members. The payment is genuine, the customer authorises it, and the funds are transferred exactly as instructed. The problem is that the customer has been deceived.
For many years, this distinction influenced who was responsible for the loss. Because the customer authorised the payment, financial institutions often argued that liability rested primarily with the account holder. That position is becoming increasingly difficult to maintain. Around the world, regulators are placing greater responsibility on financial institutions to protect customers from APP scams. While the pace and approach vary significantly between jurisdictions, the overall direction is clear. The question is no longer whether banks should help prevent APP scams, but how much responsibility they should bear when prevention fails.
The United Kingdom has moved furthest and fastest. In October 2024, reimbursement requirements introduced by the Payment Systems Regulator (PSR) fundamentally changed the economics of APP fraud. Under the framework, sending and receiving payment service providers share responsibility for reimbursing victims of qualifying APP scams within the Faster Payments system. Supported by a broader consumer protection agenda championed by the Financial Conduct Authority (FCA), the UK has effectively shifted a significant portion of APP scam liability onto financial institutions.
The significance of this change extends far beyond customer protection. For the first time, APP scams became a direct financial issue for both institutions involved in the transaction. The sending bank now has a financial incentive to identify suspicious payments before funds leave the account, while the receiving institution has a financial incentive to identify and close mule accounts before they are used to receive stolen funds. The fraud no longer impacts only the customer. It impacts the balance sheets of the organisations processing the payment.
The European Union has historically taken a different approach. Under PSD2, strong consumer protections exist for unauthorised payments, but APP scams occupy a more complex position because the customer technically authorised the transaction. The forthcoming PSD3 and Payment Services Regulation reforms begin to address this gap by strengthening fraud prevention obligations and introducing reimbursement requirements in specific scenarios, particularly where fraudsters impersonate financial institutions. However, the EU has not yet adopted a reimbursement framework as comprehensive as the UK’s. As a result, European institutions face increasing regulatory expectations around fraud prevention, but not yet the same level of direct liability exposure.
Singapore has chosen a different path altogether. The Monetary Authority of Singapore introduced a Shared Responsibility Framework that allocates responsibility between banks, telecommunications providers, and consumers depending on where failures occurred. This recognises that modern APP scams often exploit weaknesses across multiple parties rather than a single institution. A fraudulent text message, compromised telecommunications channel, weak customer authentication process, and social engineering attack may all contribute to the same fraud event. Singapore’s framework reflects the belief that responsibility should be distributed according to the role each participant played in enabling the fraud.
Australia is also moving toward stronger protections. Historically, reimbursement has largely been governed through industry codes and voluntary arrangements. However, rising scam losses have increased pressure on both regulators and financial institutions. Recent reforms and proposed legislation place greater obligations on banks, telecommunications providers, and digital platforms to detect and prevent scams. While Australia’s framework continues to evolve, the trajectory is clear. Institutions are expected to take a more active role in protecting consumers, and the consequences of failing to do so are becoming increasingly significant.
Brazil presents an especially interesting case because of the success of Pix, the country’s instant payments platform. Pix has transformed how money moves throughout the Brazilian economy, delivering convenience and near-instant settlement at massive scale. However, the same characteristics that make Pix attractive to consumers also make it attractive to criminals. Rather than focusing primarily on reimbursement, Brazilian regulators have emphasised operational controls, transaction limits, behavioural monitoring, suspicious transaction reporting, and mechanisms that allow institutions additional time to investigate potentially fraudulent payments. The emphasis is on preventing fraud before funds disappear rather than compensating victims after the fact.
The United States remains one of the most fragmented environments. Consumer protections exist under various regulatory frameworks, but APP scams often fall into a grey area because the customer authorised the payment. While many financial institutions voluntarily reimburse victims in certain circumstances, reimbursement is frequently driven by customer experience, competitive positioning, or reputational concerns rather than a consistent regulatory requirement. As APP scam losses continue to grow, pressure is increasing on regulators and legislators to revisit whether existing consumer protections remain adequate for the modern payments landscape.
Despite their differences, these jurisdictions all point toward the same long-term trend. Financial institutions are increasingly expected to prevent fraud rather than simply process payments and investigate complaints afterwards. The pace varies from market to market, but responsibility is gradually moving closer to the organisations that control the payment infrastructure.
Liability Changes Investment Priorities
The most important consequence of APP scam regulation may not be reimbursement itself. It may be the investment decisions that reimbursement drives.
Historically, APP scams were often viewed as a customer protection issue. Banks invested in awareness campaigns, fraud operations teams, customer communications, and post-event investigations. These activities remain important, but reimbursement obligations fundamentally change the economics. Every successful APP scam that results in reimbursement becomes a direct financial loss to the institution.
When losses move onto a bank’s balance sheet, prevention becomes easier to justify than remediation.
As a result, institutions begin investing earlier in the fraud lifecycle. Rather than focusing exclusively on investigating scams after funds have left the account, attention shifts toward identifying risk before the payment is executed. The business case for mule account detection, behavioural analytics, payment intervention, beneficiary risk scoring, transaction monitoring, and real-time decisioning becomes significantly stronger.
This is perhaps the most important lesson from the UK’s experience. The reimbursement framework did not simply change liability. It changed investment priorities. Once APP fraud became a measurable financial cost to the institution, technologies capable of reducing that cost became easier to fund.
In this sense, APP scam regulation is not simply a regulatory story. It is an economic story.
From Fraud Detection to Liability Prevention
This shift has profound implications for how institutions think about fraud prevention.
Traditional fraud systems often focus on known fraud patterns, static rules, and historical thresholds. These approaches remain valuable, but APP scams are inherently different because the transaction itself often appears legitimate. The customer has authenticated successfully, the payment instruction is valid, and there may be no obvious indication that fraud has occurred. The challenge is not simply identifying a fraudulent transaction. The challenge is identifying fraudulent intent.
This is where Transactional AI becomes particularly relevant.
The institutions that succeed in the next phase of fraud prevention will be those capable of evaluating behavioural patterns, contextual signals, customer activity, beneficiary relationships, and emerging risks while the transaction is still in flight. Rather than asking whether a transaction is fraudulent after it has occurred, they will increasingly focus on whether the transaction should be allowed to proceed at all.
Mule account detection, beneficiary risk analysis, behavioural profiling, velocity monitoring, graph analytics, and payment intervention strategies all become more valuable when institutions bear greater responsibility for fraud outcomes. The objective shifts from detecting fraud after losses occur to preventing losses from occurring in the first place.
Ultimately, the future of APP fraud may be shaped less by reimbursement rules themselves and more by the incentives those rules create. As liability moves closer to financial institutions, investment naturally shifts toward prevention, intelligence, and decision quality. The organisations that adapt first may discover that the greatest value of fraud prevention is not reducing customer complaints or streamlining reimbursement processes.
It is avoiding the liability altogether.
The real story behind APP scam regulation is therefore not regulation. It is the growing recognition that better decisions made before a payment is executed are worth far more than investigations conducted after the money has already gone.