
What is APP fraud?

Quick answer

APP fraud (Authorised Push Payment fraud) occurs when a victim is manipulated into authorizing a bank transfer to an account the fraudster controls. The victim initiates and approves the payment themselves. In the UK, the Payment Systems Regulator's mandatory reimbursement scheme, in force since 7 October 2024, requires payment firms to reimburse victims up to £85,000 per claim.

The full answer

APP fraud is Authorised Push Payment fraud. A fraudster manipulates a victim into approving a bank transfer to an account the criminal controls. What makes it distinct from most payment fraud is that the customer consented: they authenticated the transaction and pressed confirm. There was no account takeover, no stolen card. The victim did it themselves, because they believed a lie.

The Payment Systems Regulator defines it as losses occurring when customers are "deceived into authorising a payment to an account controlled by a criminal." That definition matters for liability. The entire legal framework for payment fraud historically assumed the customer hadn't authorized anything. APP fraud broke that assumption.

In the UK, the legal gap closed on 7 October 2024. The PSR's mandatory reimbursement scheme now requires the sending payment service provider to reimburse the victim up to £85,000 per claim and to recover half of that amount from the receiving PSP, so the loss is split 50/50. The rules apply to Faster Payments and CHAPS transactions. The receiving bank's share is owed whether or not it screened the account: a bank that does not detect and close mule accounts simply pays 50% of every claim that lands on them. That's a structural shift in how the industry thinks about the receiving side of a transaction.

The US has no equivalent. The CFPB's Regulation E covers unauthorized electronic fund transfers. APP fraud, because the customer authorized the transfer, falls outside that definition. A 2023 Senate Permanent Subcommittee on Investigations report on Zelle found $490 million in fraud and scam losses between 2021 and 2022, with reimbursement rates varying from 47% to 62% across major banks. No federal floor exists.

The most common types:

  • Impersonation fraud: Bank staff, police, HMRC, or IRS impersonation. The victim is told their account is compromised and guided to transfer funds to a "safe" account the fraudster controls.
  • Investment scams: Fake platforms, fabricated returns. Victims wire larger sums over months before realizing the platform doesn't exist. Average loss per victim is the highest of any category.
  • Romance scams: Months of relationship building before any money request. The emotional commitment is the mechanism.
  • Invoice and mandate fraud: Fraudsters intercept business email and spoof supplier invoices to redirect legitimate payments.
  • Purchase fraud: Payment by bank transfer for goods that don't arrive.

Scale, per UK Finance's 2024 Annual Fraud Report: £459.7 million in losses across 232,429 cases in 2023. Down slightly from 2022, but well above pre-pandemic levels.

Why this matters for compliance teams

The detection problem is real. Rule-based monitoring sees a normal transfer to a new payee. Nothing fires. The signal that something's wrong is behavioral: this account hasn't made a payment this large before, the payee was created yesterday, the customer called twice in the last hour, or the receiving account swept 14 inbound wires within 20 minutes of arrival.

Mule account detection on the receiving side is now a compliance requirement, not a best practice. Under the PSR scheme the receiving PSP pays 50% of every reimbursed claim on its books, regardless of whether it screened the account. The only way to shrink that bill is to spot mule patterns (many inbound credits from unrelated payers, balance swept out within minutes, an account opened recently with no other activity) and freeze or close the account before, or as, the proceeds arrive.

AI-based transaction monitoring has changed what's detectable. Behavioral analytics can flag a customer who visited an unfamiliar domain, then immediately initiated a first-time high-value transfer. Static rules can't do that. This adds latency to some legitimate payments, but the accuracy gain is worth it.

When an institution identifies that APP fraud proceeds passed through its books, SAR filing obligations apply. FinCEN's suspicious activity reporting rule (31 CFR 1020.320) is triggered when a bank knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity. The authorized nature of the original transfer doesn't eliminate that obligation: the funds are still the proceeds of a fraud. The MLRO (or, in the US, the BSA/AML officer) owns the filing decision.

Regulatory scrutiny follows weak controls. We've seen banks trigger regulatory exams because their fraud controls didn't extend to the receiving side. "We're the sending bank" is no longer a defensible position in the UK, and US examiners are watching the PSR model closely.

Alert false positive rates matter here too. Indiscriminate friction applied to all first-time payee transfers produces an unmanageable queue and degrades customer experience. The goal is targeted friction when behavioral signals suggest coaching or manipulation, not blanket delays.
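The behavioral signals described above (sending side: first-time payee, amount out of profile, payee created yesterday, repeated calls in the last hour; receiving side: inbound credits swept out within minutes), together with the targeted-friction decision, as an added worked example. This is illustrative code written for this page, not a vendor's or any bank's monitoring logic; the transaction history, payee book, contact-centre log, ledger, score weights and thresholds are all constructed assumptions.

```python
"""Behavioural APP-fraud signals over constructed sample data (added example).

Sending side: score one outbound payment against the customer's own history
(first-time payee, amount out of profile, payee created recently, calls to the
contact centre in the last hour) and pick a proportionate friction step.
Receiving side: flag accounts whose inbound credits are swept out again within
minutes, the fan-in / fast-out pattern of a mule account.
Thresholds and weights are illustrative assumptions, not regulatory values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 11, 4, 14, 32)  # constructed "current time" for the samples

# Constructed six-month history for one retail customer: (timestamp, payee_id, amount_gbp)
CUSTOMER_HISTORY = [(datetime(2024, m, 1), "P-RENT", 950.00) for m in range(5, 11)]
CUSTOMER_HISTORY += [(datetime(2024, m, 15), "P-GYM", 35.00) for m in range(5, 11)]
CUSTOMER_HISTORY += [(datetime(2024, 7, 9), "P-GARAGE", 220.00),
                     (datetime(2024, 9, 2), "P-DENTIST", 480.00)]

# Constructed payee book: payee_id -> when the customer created it
PAYEES = {"P-RENT": datetime(2023, 1, 10), "P-GYM": datetime(2023, 6, 2),
          "P-GARAGE": datetime(2024, 7, 9), "P-DENTIST": datetime(2024, 9, 2),
          "P-SAFEACCT": NOW - timedelta(hours=18),  # "safe account" set up during the scam call
          "P-PLUMBER": NOW - timedelta(days=3)}

# Constructed contact-centre log: inbound calls from this customer
CONTACT_CALLS = [NOW - timedelta(minutes=50), NOW - timedelta(minutes=25)]


def sending_side_signals(history, payees, calls, payee_id, amount, now=NOW):
    """Behavioural signals for one outbound payment, relative to this customer only."""
    max_prior = max((a for _, _, a in history), default=0.0)
    created = payees.get(payee_id)
    return {
        "first_time_payee": payee_id not in {p for _, p, _ in history},
        "amount_out_of_profile": amount > 3 * max_prior,  # assumption: 3x largest prior payment
        "payee_created_recently": created is not None and now - created < timedelta(hours=24),
        "calls_last_hour": sum(1 for t in calls if timedelta(0) <= now - t <= timedelta(hours=1)),
    }


def friction_decision(signals):
    """Targeted friction: a lone first-time payee is allowed; stacked signals escalate."""
    score = (1 * signals["first_time_payee"]
             + 2 * signals["amount_out_of_profile"]
             + 1 * signals["payee_created_recently"]
             + 2 * (signals["calls_last_hour"] >= 2))
    if score >= 4:
        return "hold_and_call_back"   # human contact to break the fraudster's script
    if score >= 2:
        return "confirm_in_app"       # in-app warning plus a short delay
    return "allow"


# Constructed receiving-side ledger: (timestamp, account, direction, amount_gbp)
D = datetime(2024, 11, 4)
LEDGER = [
    # M-7781: six credits in 14 minutes, two debits drain the balance ten minutes later
    (D.replace(hour=13, minute=0), "M-7781", "in", 1200.00),
    (D.replace(hour=13, minute=3), "M-7781", "in", 2500.00),
    (D.replace(hour=13, minute=5), "M-7781", "in", 800.00),
    (D.replace(hour=13, minute=8), "M-7781", "in", 3100.00),
    (D.replace(hour=13, minute=11), "M-7781", "in", 1950.00),
    (D.replace(hour=13, minute=14), "M-7781", "in", 4400.00),
    (D.replace(hour=13, minute=20), "M-7781", "out", 9000.00),
    (D.replace(hour=13, minute=24), "M-7781", "out", 4900.00),
    # B-2002: a business that collects eight invoice payments and runs payroll the next day
    *[(D.replace(hour=9, minute=5 * i), "B-2002", "in", 1500.00) for i in range(8)],
    (D + timedelta(days=1, hours=10), "B-2002", "out", 11000.00),
    # A-1001: an ordinary retail account
    (D.replace(hour=8), "A-1001", "in", 2100.00),
    (D.replace(hour=19), "A-1001", "out", 950.00),
]


def detect_fast_out_accounts(ledger, window=timedelta(minutes=20), min_inbound=5, swept_fraction=0.9):
    """Flag accounts with >= min_inbound credits where most of the money leaves within `window`."""
    by_account = defaultdict(list)
    for ts, acct, direction, amount in ledger:
        by_account[acct].append((ts, direction, amount))
    flagged = {}
    for acct, events in by_account.items():
        inbound = [(ts, a) for ts, d, a in events if d == "in"]
        outbound = [(ts, a) for ts, d, a in events if d == "out"]
        if len(inbound) < min_inbound:
            continue
        total_in = sum(a for _, a in inbound)
        # A debit counts as "fast out" if it lands within `window` after any credit
        fast_out = sum(a for ts, a in outbound
                       if any(0 <= (ts - cts).total_seconds() <= window.total_seconds()
                              for cts, _ in inbound))
        fraction = fast_out / total_in if total_in else 0.0
        if fraction >= swept_fraction:
            first_in = min(ts for ts, _ in inbound)
            last_out = max(ts for ts, _ in outbound)
            flagged[acct] = {"inbound_count": len(inbound),
                             "fast_out_fraction": round(fraction, 3),
                             "minutes_to_sweep": int((last_out - first_in).total_seconds() // 60)}
    return flagged


if __name__ == "__main__":
    coached = sending_side_signals(CUSTOMER_HISTORY, PAYEES, CONTACT_CALLS, "P-SAFEACCT", 8500.00)
    print(coached, friction_decision(coached))       # hold_and_call_back
    routine = sending_side_signals(CUSTOMER_HISTORY, PAYEES, [], "P-PLUMBER", 480.00)
    print(routine, friction_decision(routine))       # allow
    print(detect_fast_out_accounts(LEDGER))          # only M-7781 is flagged
```

Two design points are worth noting. The sending-side score is computed against the customer's own profile, not a global threshold, which is why the £480 plumber payment to a new payee passes with no friction while the £8,500 "safe account" transfer, stacked with a payee created 18 hours ago and two calls in the last hour, is held for a call-back. On the receiving side, the business account B-2002 takes eight inbound credits but is not flagged, because the money sits until the next day; the fast-out fraction, not the fan-in count alone, is what separates a mule from a merchant.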

Customer due diligence rounds out the picture. Enhanced due diligence on high-risk segments, combined with ongoing customer risk rating updates, can surface accounts that show patterns consistent with compromise or mule use before a large transfer leaves.
