
Strengthening consumer protection: new PSR rules on APP fraud

Published: 29/10/2024

On October 7th, 2024, the Payment Systems Regulator (PSR) introduced new rules aimed at tackling the rising threat of Authorised Push Payment (APP) fraud. For banks and financial institutions, this regulatory shift is more than just an obligation—it’s a moment to lead, innovate, and enhance customer trust. 

In the fight against online banking fraud, this regulatory update highlights the critical need for financial institutions to harness shared threat intelligence, fostering a unified and stronger defence against emerging threats.

This article provides key insights into the new PSR rules, focusing on their implications for banks and financial institutions. It covers what the rules mean for fraud prevention measures and how to enhance consumer protection moving forward.

Authorised Push Payment fraud: a growing threat

APP fraud occurs when scammers pose as trusted individuals or organisations to deceive consumers into authorising payments to criminal accounts. In 2023, APP fraud losses amounted to nearly £500 million in the UK alone, placing significant financial and reputational pressure on banks and payment service providers (PSPs). Victims often struggle to recover lost funds, eroding trust in digital banking channels.

For a deep dive into what APP fraud is and how financial institutions can protect customers while minimising the impact on their online experience, see our blog article “How to fight APP fraud without affecting your online banking experience”.

The PSR’s new regulations aim to change this dynamic by ensuring faster reimbursement for victims and fostering more effective fraud prevention. But beyond just compliance, these new rules represent an opportunity for financial institutions to embrace collaborative solutions, such as shared threat intelligence, to protect against this growing form of fraud.


Key changes under the new PSR rules


From October 7th, the PSR introduced several critical changes:

1. Mandatory reimbursement for APP fraud victims: Banks will now be required to reimburse victims of APP fraud promptly unless the customer acted with gross negligence. This shift ensures that consumers aren’t left to shoulder the burden alone, creating a safer environment for both individual and business customers.

2. Shared liability between sending and receiving banks: In a notable shift, both sending and receiving banks will now share liability for APP fraud cases. This encourages collaboration between institutions, ensuring that fraud detection efforts extend across the entire transaction chain.

3. Enhanced fraud detection: Banks will need to invest more in fraud monitoring systems, leveraging advanced technologies such as machine learning and real-time transaction analysis to identify suspicious activities before they cause harm.

4. Transparency and accountability: The PSR will publish performance data on how well institutions comply with the new rules, providing consumers with greater visibility into how their banks are handling fraud and reimbursement.

How shared threat intelligence and Fraud Extended Detection and Response systems are paving the way to stronger fraud defences


The Payment Services Regulation plays a key role in shaping how financial institutions address security, particularly around threat intelligence sharing and systems like Fraud Extended Detection and Response (FxDR). Let’s see why this matters so much now. 

Enhance security through threat intelligence sharing

Under PSR, particularly with regulations like PSD2 (the EU’s Revised Payment Services Directive), financial institutions are required to strengthen their security protocols and cooperate more extensively to prevent fraud. 

One way they can do this is through threat intelligence sharing—the exchange of information on emerging cyber threats, fraud patterns, and vulnerabilities. But why is this important?

Threat intelligence sharing enables banks and financial institutions to better anticipate and defend against new fraud tactics by leveraging collective knowledge. This collaborative approach can enhance the effectiveness of fraud detection systems like FxDR by feeding them real-time data about emerging threats.

PSR requires firms to demonstrate they have taken appropriate measures to mitigate risks, and being part of an intelligence-sharing network helps demonstrate compliance with these regulations.

Support for real-time fraud detection

FxDR, which combines cybersecurity with advanced fraud management, aligns with the security goals of PSR by actively monitoring transactions and responding to threats in real-time. The regulation emphasises customer protection and secure payment processes, which fraud detection systems are designed to ensure.

PSR and PSD2 require Strong Customer Authentication (SCA), which involves verifying users' identities to prevent fraud. FxDR can work in tandem with SCA by identifying patterns of fraud and adapting security measures dynamically.

Real-time detection and response, as provided by systems like FxDR, are crucial to meeting PSR requirements for minimising fraudulent transactions and safeguarding customers’ funds. They offer an added layer of security, especially in cases of more sophisticated fraud like Account Takeovers or Authorised Push Payment fraud.

Compliance with reporting requirements

PSR mandates that financial institutions report security incidents and fraud attempts to the relevant authorities. Tools like FxDR, which offer real-time visibility into fraud attempts, help institutions comply with this by ensuring they are aware of and can document every attempted fraud.

Regulatory push for more transparency and accountability

The regulatory framework around PSR pushes financial institutions to improve transparency in how they detect and respond to fraud. Systems like FxDR offer clear, actionable insights into fraud attempts, helping banks maintain transparency with regulators by showing exactly what actions were taken to prevent fraud and sharing threat intelligence with others in the financial ecosystem.

How banks can lead through collaboration


For CTOs and senior leaders, the PSR’s rules present a pivotal opportunity to drive innovation in fraud prevention by integrating shared threat intelligence into your institution’s overall strategy. 

Building or partnering with shared intelligence platforms enables your team to collaborate with other financial institutions and industry bodies, amplifying your ability to detect, respond to, and ultimately prevent fraud. This not only meets the regulatory expectations but also enhances your institution’s reputation as a leader in the fight against financial crime.

Furthermore, sharing intelligence between institutions supports a more resilient payment system overall. By ensuring that every player in the network is equipped with the latest knowledge of fraud threats, banks can collaboratively raise the bar on security standards. Ultimately, this benefits customers, fosters trust, and enhances the industry's collective strength against evolving threats.

Conclusion

The PSR’s new rules on APP fraud mark a critical turning point for the banking sector. With mandatory reimbursement, shared liability, and enhanced transparency, financial institutions are now tasked with creating safer, more resilient systems for their customers. But beyond compliance, the real opportunity lies in using this moment to lead—with shared threat intelligence playing a central role in staying ahead of fraudsters.

By adopting these proactive measures, banks and financial institutions can demonstrate their commitment to protecting customers, boosting confidence, and paving the way for a more secure financial landscape.

Together, we can transform how we combat fraud—building not just compliance, but trust and leadership in the face of evolving threats.
