A big challenge currently in the financial industry is the rise of authorised push payment fraud (APP). The Payment Systems Regulator (PSR) recently introduced new legislation on 7 October to combat this. How will this legislation impact fraud in authorised push payments?
According to Taavi Tamkivi, CEO and co-founder of Estonian RegTech Salv, the new legislation won’t impact fraud directly – as in his words, ‘fraudsters don’t care about regulations, and they certainly aren’t reading the legislation’. Despite this, it will affect companies, as they will now have to take fraud prevention more seriously – a pressure Tamkivi hopes will prompt firms to start making an impact on fraud itself.
“One potential downside, though, is the risk of ‘friendly fraud’,” claims Tamkivi. “This happens when individuals falsely claim they’ve been scammed to get their money back, even though they knowingly made the payment. This could become a new form of fraud as people realise it’s a quick way to get reimbursed, at least until banks can strengthen their controls against it.”
Overall, however, the Salv CEO believes the new legislation won’t tackle fraud directly, but by creating a financial incentive for banks and FinTechs to act, it should motivate them to take more proactive measures.
“Back in my days at Skype and Wise, for instance, chargeback fraud drove us to invest heavily in tech, personnel, and cross-industry collaboration to control these losses. The same thing could happen here, with financial liability motivating financial institutions to reduce fraud,” said Tamkivi.
Financial responsibility can be a key part of the armour when protecting yourself from financial crime and fraud. Tamkivi pointed to chargebacks as a previous case where financial responsibility has helped to control fraud.
He explained, “In the early days of e-commerce, fraud liability wasn’t clearly defined—merchants, issuers, and e-commerce providers didn’t have clear rules on who was responsible for losses. But once financial liability was established, it drove merchants to take control of fraud prevention, leading to new technologies and procedures that reduced losses significantly.
“Today, banks and FinTechs haven’t had this same liability for instant payments, so they’ve had the luxury of not dealing with these costs. But when institutions have to cover fraud losses, the market tends to self-organise and get more efficient at fraud prevention,” he detailed.
With the APP Fraud legislation in mind, how could FinTechs recover stolen funds under these new protections?
Tamkivi detailed, “Recovering stolen funds is a complex issue, and I’m not sure this legislation fully addresses it. Recovery between financial institutions isn’t clearly outlined—it’s unclear why one bank would be obligated to return funds to another on request, especially when these funds have already moved through customer transactions. There’s a need for a structured recovery protocol, similar to what we see with chargebacks, where rules and processes are clearly defined.”
In the absence of specific regulations, Tamkivi remarked, financial institutions may need to self-regulate and create a recovery process, possibly with guidance from faster payment scheme operators. Operators, he added, could help to define when and why refunds should happen. However, this at the moment remains ‘murky’, claims Tamkivi.
Does Tamkivi see potential to encourage more collaboration between institutions? On this, he believes it is absolutely crucial.
He explained, “The faster fraud cases are identified and communicated across institutions, the higher the chances of containing the funds before they disappear. For instance, when fraud alerts are triggered in one bank, sharing this information with other institutions can help prevent those funds from moving further down the line to additional accounts.
“Picture this: Bank A holds the victim’s account, Fintech B is used by the fraudster as a mule account, and Fintech C is a secondary layer. If Bank A alerts Fintech B quickly enough, B might freeze the funds before they reach Fintech C. Even if the funds reach C, timely involvement of C’s fraud team might still allow recovery. But once funds reach decentralised or crypto spaces, recovery becomes far more challenging,” said Tamkivi.
This collaboration between institutions, he continued, is different from the formal recovery process – but it helps minimise the need for recovery in the first place by stopping fraud early. “In other words, strong collaboration in fraud detection directly increases the chances of successful recovery,” he said.
There are still some key challenges and opportunities that exist for real-time AML compliance with the rise of digital bad actors – what are some of the roadblocks and possibilities for firms implementing these technologies?
“As an entrepreneur, I find it difficult to imagine a world without real-time AML—our product and most of our customers operate in real-time. We’re doing transaction monitoring and customer behaviour monitoring on-the-spot, passing real-time information between banks to catch suspicious activity. This real-time approach is already business as usual for us,” said Tamkivi.
He went on, “Interestingly, real-time AML can be a huge challenge for larger institutions, especially those with legacy systems. Many of these institutions store transaction data in central databases, where it might not be accessible until a day or two later. These systems require data harmonisation, meaning AML processes often run offline, sometimes days after the transactions. So, while real-time AML is easily possible for those with real-time data access, it’s a bigger hurdle for firms with older infrastructure.”
Tamkivi also outlined that the real challenge is in upgrading that infrastructure so it can support real-time data use. “AML software that runs in real-time exists, but the data accessibility just isn’t there for some institutions. Older AML providers, built for legacy systems, haven’t pushed for real-time processing, but newer firms like ours are designed with real-time compliance at the core,” he said.
Does this mean that many institutions are held back by outdated technology that doesn’t support the speed needed for real-time AML?
Tamkivi stated, “Regardless of existing infrastructure, financial technologies themselves are evolving, with real-time payments, e-wallets, and open banking APIs becoming more common. There’s also the new SEPA directive for instant payments coming out, which will require institutions to adopt real-time sanction screening. Technology is moving towards real-time capability, and institutions that can’t process their data in real-time will find it hard to keep up.”
Does this mean the SEPA payment legislation will be a challenge? This is something Tamkivi agrees with heartily.
He explained, “More modern institutions can easily adapt their systems to screen SEPA payments in real-time. However, older institutions, whose infrastructure doesn’t support real-time data processing, will find it much harder to comply.
“The instant SEPA directive requires payments to be processed in under 10 seconds, and if institutions fail to meet this speed, they face significant penalties.
“What’s more, they are also required to complete sanction screening checks within that time. This requirement is forcing institutions to make tough decisions. Some banks may decide not to offer instant SEPA at all, because while it allows faster payments, it brings the risk of fines if the process doesn’t meet the new speed standards or if screening protocols aren’t followed exactly.
“The dilemma is similar to what happened with PSD2, where larger institutions had to overhaul parts of their technology to meet stringent requirements. But unlike PSD2, this SEPA directive includes direct financial penalties, which makes the need for compliance even more pressing. It’s especially challenging for banks whose data is often delayed in reaching centralised databases, causing a lag in AML processes. Many institutions will need to address this infrastructural lag if they want to stay competitive in an increasingly real-time, compliance-driven financial environment,” Tamkivi explained.
A dramatically changed landscape
In the opinion of Joseph Ibitola, growth manager at Flagright, with the introduction of the protections, the landscape for both fraudsters and financial institutions is set to change dramatically.
He explained, “APP fraud has been a thorn in the side of the financial ecosystem, especially as digital banking becomes more popular. These new protections will add much-needed layers of accountability to an area that has long been underregulated.”
Ibitola explained that one of the most significant impacts of this legislation is that banks will now bear more responsibility for reimbursing victims of APP fraud.
“This shift from ‘buyer beware’ to more institution-driven accountability will force financial institutions, including FinTechs, to bolster their fraud prevention measures. It’s a clear message: banks and payment providers must prioritize customer protection, not just their bottom line.”
This, in the view of the Flagright growth manager, presents both a challenge and an opportunity. The challenge for firms is to meet the heightened regulatory requirements without disrupting the user experience or increasing operational costs. The opportunity is that FinTechs that invest in advanced fraud detection tools, such as AI-driven transaction monitoring and enhanced behavioural analytics, will not only meet regulatory expectations but will also strengthen customer trust.
He continued, “As for recovering stolen funds, speed is the name of the game. With these new protections, FinTechs must enhance their real-time transaction monitoring systems to detect fraudulent activities before funds are fully transferred. Collaboration across the financial ecosystem will also be crucial. Shared databases and cross-institutional cooperation can help flag suspicious activities early, increasing the chances of recovering stolen money.”
Ibitola concluded, “Ultimately, the new APP scam protections mark a pivotal shift in the responsibility of fraud prevention. For FinTechs, it’s about staying ahead of the curve—not just with compliance but with technology that can thwart fraud before it occurs.”
Defence against fraud
According to Harry Weber-Brown, commercial advisor at DLT Apps, the aim of the new protections – to reduce the impact of APP fraud and motivate the payment industry to invest further in fraud prevention – was based on the analysis that almost all high value scams are made up of multiple smaller transactions, reducing the effectiveness of transaction limits as a tool to manage exposure. PSR believes this will maintain market competition and innovation.
He said, “Although the real impacts will certainly be visible over time, this should hopefully drive better innovation and prevention measures from Banks/PSPs and awareness amongst consumers. The updates will also bring in more clarity and reduce the ambiguity that led to disparities in the past.”
How can FinTechs recover the stolen funds? In the view of Weber-Brown, the PSR protections make it easier for FinTechs to retrieve their money if they are subject to an APP scam, with a guaranteed minimum level of protection in place.
“It requires the FinTech to report the APP payment to their account provider within 13 months of making the fraudulent payment, and the vast majority can expect to be reimbursed within five business days. The payment provider will support the FinTech through the process,” he explained.
Weber-Brown continued, “If a FinTech is unhappy with the way the payment provider deals with their claim, they have recourse to raise their case with the Financial Ombudsman Service, who are able to make rulings up to £430,000. The protections are a significant enhancement on the previous regime. Both sending and receiving firms split the costs of reimbursement 50:50.”
The DLT Apps commercial advisor added that the firm welcomes this as a FinTech using APP and believes a reusable digital identity offers further defence against fraud by verifying account ownership.
“DLT Apps’s Qkvin solution creates a unified digital profile for clients across organisations. This reduces the duplication of work and processes for operations and compliance teams as well as reducing fraud,” he remarked.
The bigger picture
Bryan Chapman, director of managed services at ACA Group, explained that APP fraud schemes skyrocketed during COVID as criminals looked for new ways to defraud users.
He said, “Within the United States, regulators and state authorities have issued several warnings for these types of fraud. Legislation is to help combat and provide support for any type of fraud. Though many times criminals are 1-2 steps ahead of everyone else.”
In the opinion of Chapman, FinTechs and FIs will need to educate themselves on these new schemes and be vigilant when they happen.
“It will be important to collect key data points such as IP addresses, emails, phone numbers and online logins when filing a Suspicious Activity Report (SAR) with one’s country. This information will help law enforcement when looking at the larger picture and connecting the dots with these bad actors. It will also be important to act quickly as several of these schemes are fast in nature, and criminals are looking to empty a victim’s account as quickly as possible,” he finished.
More accountability
In the words of Emil Kongelys, CTO at Muinmos, one key part of the legislation is that it will introduce accountability.
He said, “The biggest change is turning the compensation scheme from voluntary to mandatory. The new APP Scam protection legislation requires PSPs to implement measures to prevent or significantly reduce APP scams. The legislation mandates that both the sending and receiving PSPs share the victim’s loss equally, incentivizing all parties to prevent scams. This creates an incentive to apply effective countermeasures, such as advanced KYC/AML transactional monitoring and intervention systems – which are expected to decrease the number of scams.”
Despite this, Kongelys explained that the new legislation does not change the process for recovering stolen funds. For this, PSPs will need to reimburse victims and then attempt to recover the funds from the recipient. This, he states, means more effort will be required before completing the actual transfer to ensure the legitimacy of transactions.