APP Fraud Reimbursement UK: How to Get Your Money Back After a Bank Transfer Scam
You got a message from someone you'd been chatting to online for weeks. Or an email from what looked exactly like your solicitor, giving you the updated bank details for your property completion. Or a call from "HMRC" threatening immediate arrest unless you transferred £3,000 to clear an unpaid tax bill. You transferred the money. And then you realised.
The conventional wisdom — and what banks told victims for years — was that because you authorised the payment yourself, you bore the loss. The bank didn't send the money to a fraudster. You did. That was their defence, and for a long time, it worked.
That defence is no longer available. Since 7 October 2024, the rules changed fundamentally. Banks are now legally required to reimburse victims of authorised push payment fraud — and most victims still don't know it.
What Is Authorised Push Payment Fraud?
Authorised Push Payment (APP) fraud happens when a scammer tricks you into voluntarily transferring money to an account they control. You authorise the payment — that's the "authorised push" part. The bank processes it correctly. But you were deceived about where the money was going, who was receiving it, or why the transfer was necessary.
This is distinct from unauthorised fraud — where someone hacks into your account and moves money without your knowledge. For decades, banks argued that because APP fraud involved a payment the customer authorised, they had no liability. The customer clicked "confirm." The customer bore the risk.
That argument ignored a simple reality: the customer was deceived. And as of October 2024, the law agrees.
The Old World: Voluntary Codes and Easy Refusals
Before October 2024, the main protection available to APP fraud victims was the Contingent Reimbursement Model (CRM) code, introduced in 2019. Banks signed up voluntarily. They were supposed to reimburse victims who hadn't been "grossly negligent" — but because the code was voluntary and the standards were self-assessed, banks routinely refused claims. The same institution that failed to flag an obvious fraudulent transaction was also judging whether the customer had been careful enough.
Not all banks had even signed up. Refusal rates were high. Victims — often elderly people who had lost life savings, or first-time buyers who had lost their deposits — were left with no recourse beyond the Financial Ombudsman, a process that could take over a year.
The Payment Systems Regulator spent years building the evidence base, consulting, and designing a mandatory replacement. On 7 October 2024, it came into force.
What the New Rules Actually Require
Under PSR Policy Statement PS23/3 and the Payment Services Regulations 2017 (as amended), all Payment Service Providers (PSPs) that process Faster Payments — which means virtually every UK bank and building society — are now subject to mandatory APP fraud reimbursement obligations. The key points:
Mandatory reimbursement up to £85,000
Victims of APP fraud sent via Faster Payments are entitled to reimbursement of up to £85,000. This is not discretionary. It is a legal obligation. The limit matches the FSCS deposit protection limit — not a coincidence.
Both sending and receiving banks are liable
The PSR introduced a 50/50 cost-sharing rule between the sending PSP (your bank) and the receiving PSP (the bank that received the fraudulent transfer). As a victim, this is irrelevant to your claim — you simply claim from your own bank, and the two banks sort the cost split between themselves.
Covers Faster Payments
The mandatory rules apply to Faster Payments transactions — the system used for the vast majority of UK bank transfers. CHAPS, international transfers, and card payments have different rules.
Gross negligence is the only standard that can defeat a claim
Banks can only refuse to reimburse if they can prove the victim was grossly negligent. Being deceived — even having ignored warnings — does not automatically meet this standard. Gross negligence requires something significantly beyond ordinary carelessness. A convincing scam, by definition, is designed to deceive.
The Consumer Duty (FCA, 2023) reinforces this further: banks have an obligation to act in customers' best interests, deliver good outcomes, and provide fair treatment. A bank that processes an obviously fraudulent transaction without flagging it, then refuses to reimburse the victim, is on shaky ground against both the PSR rules and the Consumer Duty.
What to Do Immediately After a Bank Transfer Scam
Speed matters. The faster money is reported as fraudulent, the higher the chance some or all of it can be recovered at the receiving end before the scammer moves it on. Here's the sequence:
Call your bank immediately
Use the number on the back of your card or the bank's official website — not any number provided in the suspicious message. Tell them you believe you have been the victim of APP fraud and want to report it under the mandatory reimbursement scheme. Ask for a reference number. Most banks have a dedicated fraud line that can trigger urgent recalls.
Report to Action Fraud
File a report at actionfraud.police.uk or call 0300 123 2040. You will receive a police reference number. This reference number is important — it is evidence that you reported the fraud to the relevant authority and strengthens your reimbursement claim.
Get everything in writing
Follow up your phone call to the bank with a written message (email or secure message through their app) confirming the details: the date and amount of the transfer, the account you sent it to, and that you are making a formal APP fraud reimbursement claim under PS23/3. Paper trails matter.
Preserve all evidence
Screenshot every message, email, and call log related to the scam. Do not delete anything — even messages that feel embarrassing or that you think harm your case. The full picture of how you were deceived is your strongest argument.
Under the PSR rules, banks have 35 business days to resolve an APP fraud claim from the point of notification. In cases involving complex investigations, this can be extended — but they must tell you why and when they expect to conclude. If they go silent, that is a reason to escalate.
If Your Bank Refuses or Delays
A bank that refuses your APP fraud reimbursement claim must give you its reasons in writing. At that point, you have two paths: the Financial Ombudsman Service (FOS) and a pre-action enforcement letter.
The FOS has jurisdiction over payment disputes under the Financial Services and Markets Act 2000 and can award compensation of up to £430,000. Since October 2024, the FOS has consistently upheld APP fraud complaints where banks have refused valid claims. A bank that refuses a claim it was legally required to honour faces a high probability of an FOS ruling against it.
Before going to the FOS, a formal pre-action letter to the bank citing its obligations under PS23/3 and the Payment Services Regulations 2017 — and setting out the FOS escalation path — is often the most effective single step. Banks have compliance teams. A letter that demonstrates the customer knows the law tends to be treated differently from a general complaint.
You cannot take a complaint to the FOS until you have a "final response" from the bank, or eight weeks have passed since you first complained. The pre-action letter starts that clock and creates the formal record you need.
What Fight My Corner Writes for You
Fight My Corner generates a formal enforcement letter to your bank citing:
- ✓PSR Policy Statement PS23/3 and the mandatory reimbursement obligation
- ✓The Payment Services Regulations 2017 (as amended) — the statutory framework
- ✓Consumer Duty (FCA, 2023) — the bank's obligation to act in your best interests
- ✓The 35-business-day resolution deadline
- ✓The Financial Ombudsman route if they fail to resolve — citing FOS jurisdiction under FSMA 2000
- ✓A clear demand for full reimbursement with a specified response deadline
The letter is legally precise, professionally formatted, and ready within 5 minutes. From £9.99.
Write your APP fraud letter now →Common Scam Types Covered by the PSR Rules
The mandatory reimbursement scheme covers APP fraud regardless of which scam type was used to deceive you. The most common categories:
Romance scams
A fraudster builds an online relationship over weeks or months, then asks for money for an emergency, travel, or investment. Victims are often targeted over months and transfers can run to tens of thousands of pounds.
Investment and cryptocurrency scams
Fake investment platforms, cryptocurrency trading schemes, or "managed portfolio" offers that show convincing returns until you try to withdraw. Often involves multiple transfers over time.
Impersonation of HMRC, police, or your bank
You receive a call or message that appears to come from HMRC, the police, or your own bank — often claiming your account is under investigation and that you need to move your money to a "safe account." A bank will never ask you to do this.
CEO fraud and invoice scams
Businesses receive emails impersonating a senior executive instructing urgent payment to a new supplier, or supplier payment details are changed via a compromised email account. Both personal and business accounts covered.
Conveyancing fraud (property solicitor scams)
A fraudster intercepts communications between buyer and solicitor and substitutes fraudulent bank details at completion. This is covered by the PSR rules, though there are additional complexities where CHAPS rather than Faster Payments was used — worth confirming your transfer method when making the claim.
What the Letter Cannot Do
It is worth being honest about the limits of the new rules and what a formal letter can achieve.
If you knowingly sent money to someone you suspected was a scammer — which is genuinely rare but does occur — a reimbursement claim is unlikely to succeed. The PSR framework is designed to protect people who were deceived, not people who took a known risk.
If a bank can demonstrate gross negligence — meaning you were warned explicitly about the specific risk and ignored those warnings, or your conduct was so far below a reasonable standard that it went beyond being deceived — they may be entitled to reduce or refuse reimbursement. This standard is deliberately high, and the FOS has scrutinised bank refusals on this basis carefully. Being deceived by a convincing scam does not, on its own, constitute gross negligence.
The letter also cannot recover money that has already been moved and dissipated beyond recall — but it can create the legal record that forces the bank to make good on its statutory obligation regardless.
Your bank owes you this money. Make them pay it.
Fight My Corner writes the enforcement letter citing PS23/3, the Payment Services Regulations 2017, the Consumer Duty, and the FOS escalation route. Legally grounded, professionally formatted, ready in 60 seconds. From £9.99.
Write your letter now →Fight My Corner provides dispute letter generation tools and guidance — not legal advice. For complex fraud matters or if significant sums are involved, consider seeking advice from a solicitor or contacting Citizens Advice.