1. Home /
  2. For businesses /
  3. Complaints we deal with /
  4. Fraud and scams /

APP fraud and other scams involving authorised payments or withdrawals

Do you deal with consumer complaints about how your firm dealt with matters after:

  • an authorised push payment (APP) scam – otherwise known as a 'bank transfer' scam?
  • any other type of authorised scam, such as a withdrawal of cash or payment using a debit or credit card?  

This page will give you an overview of the complaints we see and how we approach them.

On this page

  1. Complaints we deal with
  2. Rules on APP fraud and other scams involving authorised payments or withdrawals
  3. Handling complaints about scams that involve authorised payments before they come to us
  4. How we resolve complaints about APP and other scams that involve authorised payments
  5. Case studies
  6. Business Support Hub

Are a consumer with a complaint?

See our guidance for consumers on scams where you've been tricked into making a payment

Complaints we deal with

  • ‘Authorised push payment’ (APP) fraud – when someone is persuaded to transfer money from their own account to the scammer
  • Scams involving other authorised payments, for example, when the scammer tricks someone into making a card payment or withdrawing cash
  • Complaints against receiving banks from scam victims, who believe the receiving bank should have spotted the fraud and done more to stop it

Rules on APP fraud and other scams involving authorised payments or withdrawals

The Payment Services Regulations 2017 govern payment services in the UK.

These regulations state that a bank, payment service provider (PSP) or electronic money institution (EMI) should process payments and withdrawals that a customer authorises. That’s the starting position.

You will find guidance on these regulations in Chapter 15 of the Perimeter Guidance Manual to the FCA Handbook.

But the rules and regulations differ according to whether your customer:

  • made a bank transfer to someone else’s account in the UK on or after 7 October 2024, when the Faster Payments Scheme (FPS) and the CHAPS reimbursement rules came into force
  • made a bank transfer to someone else’s account in the UK on or after 28 May 2019 but before 7 October 2024, and you’re a signatory to the Contingent Reimbursement Model (CRM) Code
  • paid money into an account that was in their own name
  • made a card payment
  • or another scenario where your customer was tricked into making a payment or withdrawal

No matter which rules apply, we will look into the complaint – and how you handled it.

  • The Faster Payments Scheme (FPS) and the CHAPS reimbursement rules came into force on 7 October 2024. The rules cover:

    • faster payments and CHAPS transfers – the PSR has also said that it expects PSPs to consider payments made between accounts at the same PSP under the new rules
    • consumers, micro-enterprises and charities with an annual income of less than £1 million.

    The rules don’t cover:

    • larger companies and charities
    • international payments, card payments and cash withdrawals
    • civil disputes
    • payments in cryptocurrency
    • payments to an account under the consumer’s control
    • claims made more than 13 months after the last scam payment

    Under these rules, you must reimburse your customer up to a maximum of £85,000 for each scam if they:

    • are vulnerable to the specific APP scam, and
    • in all other cases, unless they don't meet one or more of the 'requirements' set out in the PSR's guidance with ‘gross negligence’

    See more about APP reimbursement and the Consumer Standard of Caution Exception Guidance on the PSR's website

    Find policy clarifications for the new rules on the PSR website

  • The Contingent Reimbursement Model (CRM) Code is a voluntary scheme. Several firms, including most high street banks have signed up to it because of the rise of APP fraud.

    If your firm has signed up to the CRM Code – and the Code covers the payment made in this case – we expect you to reimburse the customer in most cases.  The CRM covers:

    • faster payments, CHAPS transfers and payments made between a PSP’s own accounts – known as ‘internal book transfers’
    • consumers, micro-enterprises and charities with an annual income of less than £1 million

    It doesn’t cover:

    • larger companies and charities
    • international payments, card payments and cash withdrawals
    • private civil disputes
    • payments in cryptocurrency
    • payments that weren’t made to a person other than the consumer

    Find out more about CRM code on the Lending Standard Board’s website.

Handling complaints about scams that involve authorised payments before they come to us

Scams cause both financial and emotional damage, and you should take that into account when investigating a complaint.

Good complaint handling can repair a relationship, help build trust and confidence in financial services, and give customers a better understanding of your financial products.

You should ensure your complaint handling teams fully understand:

Our decisions database holds all the final decisions we’ve published since 1 April 2013. They’re anonymised to protect the identity of complainants but are based on real-life complaints, so will give you a good picture of how we resolve disputes.

Our complaints data will give you an idea of the volume of complaints we receive and resolve, and the proportion that we have upheld in consumers’ favour.

Before we get involved

How we resolve complaints about APP and other scams that involve authorised payments

Each case is different, so what we require will vary. But we’ll look at the facts and evidence from both you and your customer as well as:

  • the law
  • regulator’s rules and guidance
  • relevant codes of practice, and
  • good industry practice

You will also need to fill out our business response form (XLSX 59KB) for all scam cases involving authorised payments where you are the sending payment service provider. This will help you check you’ve given us everything we need to investigate the case.

If the transaction involves a vulnerable customer, we’ll consider the best-practice principles set out in the FCA's Guidance for firms on the fair treatment of vulnerable customers.

We follow the FCA’s dispute resolution rules (DISP) and will take into account how you’ve tried to put things right. 

  • It’s likely that your customer will be covered by the Faster Payments Scheme or CHAPS reimbursement rules. And, if your customer was particularly vulnerable to the specific type of APP scam, you must reimburse them.

    In all other cases, if you turn down their claim for reimbursement, you must demonstrate that they acted with ‘gross negligence’.

    The PSR’s guidance states that – to have acted with ‘gross negligence’ in this context – “the consumer needs to have shown a significant degree of carelessness”.

    To prove ‘gross negligence’, you will have to show that your customer failed to do one or more of the ‘requirements’ set out in the PSR’s guidance.

    If you believe your customer "failed to have regard for an intervention with gross negligence", we’ll look at what happened.

    We’ll assess both the nature and quality of the intervention. And we’ll consider why the customer moved past it.

    Each case is unique, so we’ll need to look at what happened to decide whether a consumer’s actions were grossly negligent. You need to ensure you give us all the relevant information we need so we can make that decision.

    The maximum amount you must reimburse your customer under these rules is £85,000 for each scam claim. If you do reimburse your customer, you may deduct an excess of up to £100 for each scam claim.

    If neither the Faster Payments Scheme (FPS) or the CHAPS reimbursement rules apply to their case, we’ll tell your customer why not.  

    However, we’ll still investigate whether your firm is in any way responsible for allowing the scam payments to leave your customer’s account.

  • If your firm has signed up to the CRM Code – and the Code covers the payment made in this case – we expect you to reimburse the customer in most cases.

    If you’ve declined, or only partially reimbursed a claim under the CRM Code, we'll want to know your reasons and to see any relevant evidence.

    We’ll look at whether any of the exceptions to reimbursement apply. For example, whether your customer:

    • didn’t pay attention to effective warnings
    • had reason to suspect they were falling victim to a scam

    We'll want to understand why the consumer took the actions they did – whether that was moving past a warning or making a particular payment. So you will have to provide enough evidence to demonstrate any exception that you wish to rely on.

    If the CRM Code doesn’t apply in your customer’s case, we’ll tell them why not.

    However, we’ll still check whether your firm is responsible for allowing the scam payments to leave their account.

    Find out more about CRM code on the Lending Standard Board’s website.

  • In these cases, we’ll investigate whether you could have done more to prevent your customer from falling victim to a scam – even if your customer made a:

    • payment to their own account – including payments to cryptocurrency providers
    • card payment to a genuine merchant – for example, for the purchase of cryptocurrency
    • payment to a payee overseas
    • a withdrawal of cash from one of your branches

    In practice, that means we’ll consider whether the payments your customer made should have alerted you, because they were suspicious or unusual. If they did, we'll want to know what steps you took to warn your customer that the payments might be part of a scam.

    We’ll also consider what you did to try and recover your customer’s money once you were made aware of the scam.

    If we find that you could – and should – have prevented your customer’s loss but didn’t, we may ask you to reimburse your customer.

    We’ll also look at:

    • the role of the customer in what happened, and
    • the part played by any other firms that were involved in the scam – for example, another of the customer’s account providers

    If you’ve decided not to reimburse your customer, you’ll need to tell us:

    • the specific exception you’ve relied on, and
    • why you don’t think your customer is eligible for reimbursement

  • You may receive a complaint from someone who isn’t your customer, because your firm received money as part of an APP scam. We can consider these complaints and will investigate:

    • the steps you took when you were made aware of the scam
    • whether there was anything that might have alerted you, or given you concern about, your customer or the activity on their account  

If we uphold a consumer's complaint, we'll tell you what you need to do to put things right. 

We may also award interest – usually calculated at 8% per year simple – and a distress and inconvenience payment depending on the circumstances.

What to send us

Case studies

How we helped with a complaint about an intercepted invoice scam

Bilal thought he was paying a supplier, but a fraudster had intercepted the email chain. Unhappy with his bank's response after the scam, he came to us. Find out what happened and what we said.

Fraud and scams

Read more 

Consumer contacts us to complain after a cryptocurrency investment scam

Marta invested into a cryptocurrency trading account but, after trying to withdraw money, suspected she'd been scammed. Find out what her bank told her and how we were able to help.

Fraud and scams

Read more 

Business Support Hub

Businesses and consumer advisers can contact our Business Support Hub on 020 7964 1400 for information on how we might look at a particular complaint, or for guidance on our rules and how we work.

We also work with businesses and other organisations to help prevent complaints.

How we work with businesses