
What is APP fraud?

Quick answer

APP fraud (Authorized Push Payment fraud) is when a fraudster tricks someone into authorizing a payment to an account they control. The victim sends the money themselves, so standard fraud controls don't flag it. In the UK, the Payment Systems Regulator requires banks to reimburse most victims.

What is APP fraud?

APP fraud is Authorized Push Payment fraud. The victim authorizes the transfer themselves. That's what makes it different from card fraud or account takeover: the payment instruction comes from the legitimate account holder, authenticated through the bank's own systems. The fraud is in the social engineering, not the technical execution.

The attack always follows the same basic pattern. A fraudster creates urgency or trust, convinces the victim to send money to a fraudster-controlled account, and moves the funds before the victim realizes anything is wrong.

Common types:

  • Safe account scams: The fraudster poses as a bank fraud investigator and tells the customer their account is under attack. The customer is instructed to move funds to a "safe account," which the fraudster controls.
  • Investment scams: Fabricated trading platforms show realistic returns. Victims transfer funds repeatedly, sometimes over months, before the platform vanishes.
  • Invoice and CEO fraud: A spoofed email from a known supplier or a company executive instructs a business to update payment details before the next transfer. The revised account belongs to the fraudster.
  • Romance scams: A long-running fabricated relationship ends with a financial request.

The destination in almost every case is a mule account: an account opened specifically to receive fraudulent funds and disperse them before the bank or the victim responds. Detecting mule accounts at the receiving bank is one of the most tractable interventions available, and is now a regulatory obligation in the UK.

In the UK, UK Finance reported £459.7 million in APP losses in 2023, across more than 230,000 cases. The Payment Systems Regulator responded with mandatory reimbursement rules that took effect on 7 October 2024. Sending and receiving firms each bear 50% of reimbursement costs, up to £85,000 per claim. The 50/50 liability split is intentional policy: it gives receiving banks a direct financial reason to catch mule accounts before they're used.

In the US, there's no equivalent mandatory reimbursement framework. Regulation E applies to unauthorized transfers. Because APP fraud involves a payment the customer authorizes, even under false pretenses, it sits outside Regulation E's core scope. FinCEN has issued advisories on business email compromise, which is the business-facing version of APP fraud, and expects institutions to file SARs when they detect patterns consistent with APP schemes. Which team files the SAR, whether it's the MLRO or the compliance function, depends on your institution's structure.


Why this matters for compliance teams

The PSR's reimbursement rules changed the economics of APP fraud for UK banks. Before October 2024, losses sat with victims. Now they sit with the sending and receiving institutions. A bank that fails to detect outgoing APP fraud pays half the claim. A bank that lets mule accounts open and operate pays the other half. That's not a theoretical risk; it's a balance sheet line.

Detection is genuinely difficult. The customer authenticates the payment. Rule-based AML transaction monitoring wasn't designed for this pattern. Effective models need behavioral signals: first payment to a new payee, amount outside the customer's segment norms, account age under 90 days, a call center contact in the hour before the transfer, rapid balance drawdown at the receiving account. Traditional monitoring looks at individual transactions; APP fraud detection requires the full context.

Banks are also revisiting CDD and EDD protocols for account opening. The mule account is the receiving end of every APP fraud. If you catch it at onboarding, you break the chain before the first victim transfer arrives. That means sharper document verification, device fingerprinting, behavioral signals during the account-opening journey, and network analysis against known mule account patterns.

Perpetual KYC approaches add a layer beyond onboarding. An account that looks clean at opening can turn into a mule weeks later: sudden inflows from multiple senders, rapid outbound transfers to crypto or overseas accounts, atypical activity for the customer profile. Continuous monitoring catches these behavioral shifts; periodic review misses them.
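The receiving-side profile shift described above (multiple new senders, funds moved out within a day) as an added example of continuous monitoring logic; this is not code from the original page, and the look-back window, sender count and drawdown thresholds are assumed values, not figures the page gives.

```python
from datetime import datetime, timedelta

# Constructed thresholds: the page names these behaviors, the numbers are assumptions.
INFLOW_WINDOW = timedelta(days=7)      # look-back for "sudden inflows"
MIN_DISTINCT_SENDERS = 3               # "from multiple senders"
DRAWDOWN_WINDOW = timedelta(hours=24)  # "rapid outbound transfers"
DRAWDOWN_RATIO = 0.8                   # share of recent inflows moved out that fast

def mule_signals(txns, now):
    """txns: (timestamp, 'in'|'out', counterparty, amount) tuples for one account.
    Returns the receiving-side behavioral signals as of `now`."""
    recent_in = [t for t in txns if t[1] == "in" and now - t[0] <= INFLOW_WINDOW]
    senders = {t[2] for t in recent_in}
    inflow_total = sum(t[3] for t in recent_in)
    # An outbound transfer counts once if it lands within the window after any recent inflow.
    rapid_out = {t for t in txns if t[1] == "out"
                 and any(i[0] <= t[0] <= i[0] + DRAWDOWN_WINDOW for i in recent_in)}
    ratio = sum(t[3] for t in rapid_out) / inflow_total if inflow_total else 0.0
    return {
        "distinct_senders": len(senders),
        "drawdown_ratio": round(ratio, 2),
        "multi_sender_inflow": len(senders) >= MIN_DISTINCT_SENDERS,
        "rapid_drawdown": ratio >= DRAWDOWN_RATIO,
    }

def flag_mule(txns, now):
    """Both signals together are the profile shift the text describes."""
    s = mule_signals(txns, now)
    return s["multi_sender_inflow"] and s["rapid_drawdown"]

# Constructed sample histories (not real accounts). Both look clean at opening.
NOW = datetime(2024, 11, 8, 12, 0)
D, H = timedelta(days=1), timedelta(hours=1)
MULE_ACCOUNT = [
    (NOW - 30 * D, "in", "employer", 2000.0),
    (NOW - 29 * D, "out", "landlord", 900.0),
    (NOW - 3 * D, "in", "sender_a", 1500.0),
    (NOW - 3 * D + 2 * H, "in", "sender_b", 2200.0),
    (NOW - 3 * D + 5 * H, "out", "crypto_exchange", 3500.0),
    (NOW - 2 * D, "in", "sender_c", 900.0),
    (NOW - 2 * D + 1 * H, "out", "overseas_account", 800.0),
]
CLEAN_ACCOUNT = [
    (NOW - 30 * D, "in", "employer", 2000.0),
    (NOW - 29 * D, "out", "landlord", 900.0),
    (NOW - 2 * D, "in", "employer", 2000.0),
    (NOW - 1 * D, "out", "landlord", 900.0),
]
```

Run against the two histories, the salary-and-rent account stays quiet while the account that turned into a mule in its last week is flagged.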

One operational tension is alert volume. A high percentage of AML alerts are already false positives, and adding APP fraud detection signals without careful calibration makes that worse. The goal is signal accuracy, not signal volume. An alert on every first-time payee is useless. An alert on a first-time payee combined with a call center contact and an account opened in the last 60 days is actionable.
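The sending-side signal combination from the two paragraphs above, as an added example rather than code from the page: each signal is scored separately, and a first-time payee only alerts when corroborated. The 60-day and one-hour windows are the page's; the 3-sigma amount cut, the "two corroborating signals" rule and the sample customers are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Signals follow the page's text; the 60-day and one-hour windows are its
# figures, the 3-sigma amount cut and the "two corroborating" rule are assumed.
NEW_ACCOUNT_DAYS = 60
CALL_WINDOW = timedelta(hours=1)
AMOUNT_SIGMAS = 3.0

@dataclass
class Customer:
    account_opened: datetime
    known_payees: set
    segment_mean: float      # typical payment size in the customer's segment
    segment_std: float
    call_center_contacts: list = field(default_factory=list)

@dataclass
class Payment:
    payee: str
    amount: float
    at: datetime

def signals(c: Customer, p: Payment) -> dict:
    """Evaluate each behavioral signal on its own; none alerts by itself."""
    return {
        "first_time_payee": p.payee not in c.known_payees,
        "amount_outlier": p.amount > c.segment_mean + AMOUNT_SIGMAS * c.segment_std,
        "new_account": p.at - c.account_opened < timedelta(days=NEW_ACCOUNT_DAYS),
        "recent_call": any(timedelta(0) <= p.at - t <= CALL_WINDOW
                           for t in c.call_center_contacts),
    }

def should_alert(c: Customer, p: Payment) -> bool:
    """Assumed policy: a first-time payee reaches an analyst only when at
    least two of the other signals corroborate it."""
    s = signals(c, p)
    corroborating = sum(s[k] for k in ("amount_outlier", "new_account", "recent_call"))
    return s["first_time_payee"] and corroborating >= 2

# Constructed sample data, not real customers.
NOW = datetime(2024, 11, 8, 14, 30)
NEW_CUSTOMER = Customer(NOW - timedelta(days=20), {"landlord"}, 400.0, 150.0,
                        [NOW - timedelta(minutes=25)])  # "bank fraud team" called 25 min ago
ESTABLISHED = Customer(NOW - timedelta(days=900), {"landlord"}, 400.0, 150.0)
SAFE_ACCOUNT_SCAM = Payment("unknown-sort-code", 3000.0, NOW)
ROUTINE_PAYMENT = Payment("plumber", 250.0, NOW)
```

The established customer paying a new plumber is a first-time payee with nothing else behind it and produces no alert; the 20-day-old account sending a large sum to an unknown payee minutes after a "fraud team" call does.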

