
APP Fraud Meets AI: A Smarter Threat Needs a Smarter Response

Authorised Push Payment (“APP”) fraud is where an account holder, often a consumer, is tricked into authorising a bank transfer to a fraudulent recipient. Unlike other forms of fraud, it is the victim themselves that authorises the payment, usually as a result of the fraudster’s social engineering tactics. Common examples include impersonating trusted individuals in desperate need of funds, sending false invoices or advertising sham investment opportunities. 

AI-facilitated APP fraud

With rapid technological advances and developments in AI, fraudsters have been handed new, immensely capable tools to help them commit APP fraud at scale. 

Figures published by the Payment Systems Regulator (“PSR”) indicate that 252,626 APP fraud cases were reported in 2023, a 12% increase from the previous year. Huge numbers likely go unreported.

By quickly scanning public records, company websites, and social profiles, AI can not only swiftly and automatically identify target victims, but crucially can tailor APP fraud attacks to each individual. Once identified, AI can execute the attack with a level of extreme sophistication, composing accurate impersonations of trusted bodies via thorough data harvesting and even voice cloning. 

What protections are there for victims of APP fraud?

Currently, a combination of technological safeguards, regulations, and victim reimbursement policies is in place to protect and support victims of APP fraud. Key examples include the implementation of payment holds on atypical payments, two-factor authentication, and Confirmation of Payee systems.

Of note, on 7 October 2024 the UK became the first country globally to implement a mandatory reimbursement scheme. Introduced by the PSR, this scheme requires payment service providers (“PSPs”) processing payments via the Faster Payment System or the Clearing House Automated Payment System (“CHAPS”) to reimburse customers who fall victim to APP fraud. While there is no minimum claim threshold, reimbursement is capped at £85,000. The cost of the reimbursement is shared equally between the paying and receiving PSPs, thereby placing equal financial responsibility on receiving banks as on paying banks under the scheme.

However, the recent ruling in CCP Graduate School Ltd v Santander UK Plc [2025] EWHC 667 (KB) underscores the limitations of legal recourse for victims. The Court found that PSPs are not legally obligated to intervene in APP fraud cases unless a clear and immediate risk of fraud is evident at the time of the transaction. The judge dismissed claims asserting that banks owe a duty of care to third parties with whom they lack a contractual relationship to take proactive measures, namely retrieving payments made under valid customer instructions.

The judgment is a salient reminder that whilst banks have an important role to play in implementing robust technical safeguards (a role that largely goes unseen), account holders must take ultimate responsibility for transactions.

What does the future hold for victims? 

Despite the recent judgment, data collected by the PSR and published on 15 May 2025 demonstrates that the reimbursement scheme has had a positive impact for APP fraud victims. With 86% of money lost to APP scams being returned to victims during the first three months of the scheme’s introduction, the PSR has confirmed it is pleased with the high reimbursement rates thus far.

Nonetheless, the PSR, alongside the Financial Conduct Authority (“FCA”), has committed to monitoring progress, with an independent review scheduled for October 2025 to assess progress and identify problem areas.

In addition, the UK government announced in March 2025 its plans to abolish the PSR and merge its responsibilities into the FCA as part of broader strategic initiatives aimed at strengthening protections for individuals and organisations affected by APP fraud. Effective from 1 May 2025, the PSR has also implemented enhanced data reporting obligations for PSPs. These measures aim to streamline the regulatory environment and promote economic growth.

As with any new protective measure, the overall effectiveness depends on its implementation and victims’ ability to meet eligibility criteria. Victims of APP fraud are encouraged to stay informed of their legal rights and available remedies, including potential legal actions and regulatory protections.

The smart response - data sharing

Ultimately, preventing AI-facilitated APP fraud requires more than reactive reimbursement. 

Effective, proactive prevention depends on timely and meaningful data sharing between financial institutions. Rapid communication between paying and receiving PSPs, such as real-time alerts on suspect transactions or account behaviour, can and does halt fraud in its tracks. 

The current reimbursement scheme has introduced financial incentives for PSPs to engage more closely, but broader systemic change is needed. The PSR's enhanced data reporting obligations are a step forward, but questions remain about how insights are operationalised. 

Standardised data formats, automated fraud flags, and trusted interbank intelligence-sharing platforms could significantly improve the speed and accuracy of intervention. Without greater structured data collaboration, technical measures alone will struggle to address the increasing scale and sophistication of AI-facilitated APP fraud.

For now, the account holder remains the first and best line of defence.

If you would like any further information, please contact Nikki Bowker.
