Authorized Push Payment Fraud (APP Fraud): Definition and Use in Compliance
Authorized Push Payment (APP) fraud is a payment fraud type in which a victim is deceived into initiating a bank transfer to a fraudster's account under false pretenses. Because the victim authorizes the payment, the protections that cover unauthorized transactions don't apply and recovery is limited.
What is Authorized Push Payment Fraud (APP Fraud)?
APP fraud is payment fraud in which a victim authorizes a bank transfer to a fraudster's account, believing the recipient is legitimate. The authorization is genuine. The deception is entirely social.
This separates APP fraud from most other fraud types. In account takeover (ATO), a criminal accesses an account without the owner's knowledge. In card fraud, payment details are stolen and used without consent. In APP fraud, the victim logs in, enters the payee details, and confirms the transfer themselves. Every authentication check passes. The bank's fraud controls see a normal transaction.
Fraudsters reach authorization through several methods. Purchase scams, the most common by case count, involve fake marketplace listings where victims pay for goods that never arrive. Invoice fraud involves intercepting email between a buyer and supplier, then substituting the supplier's bank details with the fraudster's account. Impersonation attacks involve a fraudster posing as a bank fraud team, HMRC, or the police, instructing the victim to move money to a "safe account" (a mule account). Investment scams promise returns on fabricated opportunities. Romance scams build long-term emotional relationships over weeks before the first payment request.
Once authorized, the payment settles in seconds. Faster Payments in the UK, FedNow in the US, and UPI in India complete transfers before any recall mechanism can engage. By the time a victim reports the fraud, funds have typically moved through at least one additional account.
The numbers are large. UK Finance's 2024 Annual Fraud Report recorded £459.7 million in APP losses across 232,429 cases in 2023. The FBI's IC3 reported $2.9 billion in Business Email Compromise losses that same year, most of which are APP fraud by structure. Both figures undercount total exposure due to reporting gaps across retail and commercial segments.
How is Authorized Push Payment Fraud (APP Fraud) used in practice?
Sending and receiving institutions have distinct responsibilities, and fraud teams need to understand both sides.
On the sending side, pre-authorization controls are the main focus. Confirmation of payee (CoP) checks verify that an account holder name matches the sort code and account number before a new payee is created. CoP catches account substitution fraud (where a fraudster replaces a supplier's bank details in intercepted emails) but doesn't stop impersonation scams where the victim is told to pay a "new" account. Behavioral anomaly detection layers on top: first-time high-value payees, round-number transfers, and payments made within minutes of an inbound call from an unknown number are all scored for APP risk.
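The sending-side checks described above, as an added example that is not part of the original article or any bank's system: a simplified confirmation-of-payee comparison and a scorer for the pre-authorization signals listed (first-time high-value payee, round-number amount, payment minutes after an inbound call from an unknown number). The name-normalisation rules, score weights, action thresholds and the inbound-call signal (assumed to come from a device permission the customer granted to the banking app) are all assumptions, and the sample payments are constructed.

```python
"""Added example: sending-side pre-authorization checks for APP risk.

Illustration code written for this article, not the page's or any bank's
production logic. CoP matching rules, score weights, thresholds and the
inbound-call feed are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Tokens too generic to count as evidence of a name match (assumed list).
GENERIC_TOKENS = {"LIMITED", "LTD", "PLC", "THE", "AND", "&"}


def normalise_name(name: str) -> list[str]:
    """Upper-case, drop dots, collapse whitespace, expand the LTD abbreviation."""
    tokens = name.upper().replace(".", "").split()
    return ["LIMITED" if t == "LTD" else t for t in tokens]


def cop_check(entered_name: str, registered_name: str) -> str:
    """Simplified confirmation-of-payee outcome: match / close_match / no_match.

    Real CoP services return richer results; this only compares the payee name
    the customer typed against the name the receiving bank holds for the account.
    """
    a, b = normalise_name(entered_name), normalise_name(registered_name)
    if a == b:
        return "match"
    shared = (set(a) & set(b)) - GENERIC_TOKENS
    return "close_match" if shared else "no_match"


@dataclass
class Payment:
    amount: float
    payee_name_entered: str
    payee_name_registered: str          # name returned by the receiving bank's CoP responder
    first_time_payee: bool
    created_at: datetime
    last_inbound_call_at: Optional[datetime] = None   # assumed device-signal feed
    call_from_known_contact: bool = True


def app_risk_score(p: Payment, high_value: float = 5_000.0) -> tuple[int, list[str]]:
    """Score the APP signals the article lists; weights are assumptions."""
    score, reasons = 0, []
    cop = cop_check(p.payee_name_entered, p.payee_name_registered)
    if cop == "no_match":
        score += 40
        reasons.append("cop_no_match")
    elif cop == "close_match":
        score += 15
        reasons.append("cop_close_match")
    if p.first_time_payee and p.amount >= high_value:
        score += 30
        reasons.append("first_time_high_value_payee")
    if p.amount >= 1_000 and p.amount % 1_000 == 0:
        score += 10
        reasons.append("round_number_amount")
    if (p.last_inbound_call_at is not None and not p.call_from_known_contact
            and p.created_at - p.last_inbound_call_at <= timedelta(minutes=15)):
        score += 35
        reasons.append("paid_minutes_after_unknown_inbound_call")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an action. Thresholds are assumptions."""
    if score >= 60:
        return "hold_and_call_customer"
    if score >= 30:
        return "in_app_warning"
    return "allow"


def sample_payments() -> dict[str, Payment]:
    """Constructed sample payments (not real transactions)."""
    t0 = datetime(2024, 10, 7, 10, 0)
    return {
        # Routine supplier payment to an established payee: no signals fire.
        "routine": Payment(4_350.25, "Acme Supplies Ltd", "ACME SUPPLIES LIMITED",
                           first_time_payee=False, created_at=t0),
        # Invoice fraud: the "new bank details" belong to a personal mule account.
        "invoice_fraud": Payment(12_000.00, "Acme Supplies Ltd", "D PATEL",
                                 first_time_payee=True, created_at=t0),
        # "Safe account" scam: payment minutes after a call from an unknown number.
        "safe_account": Payment(9_500.00, "J Smith", "J SMITH",
                                first_time_payee=True, created_at=t0,
                                last_inbound_call_at=t0 - timedelta(minutes=8),
                                call_from_known_contact=False),
    }


if __name__ == "__main__":
    for label, p in sample_payments().items():
        score, reasons = app_risk_score(p)
        print(f"{label:14} score={score:3} action={decide(score):22} {reasons}")
```

The invoice-fraud case is the one CoP catches outright. The safe-account case passes CoP, because the name the caller gave the victim matches the mule account, and only the call-timing and first-time-payee signals push it over the hold threshold; that is the gap in CoP the paragraph above describes.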
When a customer reports a loss, the investigation team confirms no system compromise first, ruling out account takeover. If the account was intact, the team assesses victim conduct against the gross negligence standard. Under UK PSR mandatory rules, this determines how much of the loss is reimbursable. The sending bank then issues a recall request to the receiving institution through interbank messaging.
On the receiving side, behavioral analytics is the primary tool for catching money mule accounts. High-velocity pass-through, multiple different inbound senders, and rapid outflows to cryptocurrency exchanges or cash withdrawal points are the core indicators. Most UK clearing banks now run continuous monitoring on newly opened accounts, with heightened scrutiny in the first 90 days.
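The receiving-side indicators listed above, computed over a constructed account ledger as an added example (not code from the article or from any bank's monitoring platform). The channel labels, the thresholds (a 90% pass-through ratio with an exit inside two hours, three or more distinct senders, half of outflows to cash or crypto, account age of 90 days or less) and the two sample ledgers are all assumptions.

```python
"""Added example: receiving-side mule-account indicators over an account ledger.

Illustration code written for this article, not the page's or any bank's
monitoring system. Thresholds, channel labels and sample ledgers are
constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

CASH_OR_CRYPTO = {"CRYPTO_EXCHANGE", "ATM_WITHDRAWAL"}   # assumed channel labels
AS_OF = datetime(2024, 11, 10)                            # review date for the samples


@dataclass
class Txn:
    ts: datetime
    amount: float          # positive = inbound credit, negative = outbound debit
    counterparty: str      # sending account or destination label
    channel: str           # e.g. "FASTER_PAYMENT", "CRYPTO_EXCHANGE", "ATM_WITHDRAWAL"


def mule_indicators(opened_at: datetime, txns: list[Txn], as_of: datetime) -> dict:
    """Compute the indicators the article names and the flags they trigger."""
    txns = sorted(txns, key=lambda t: t.ts)
    inbound = [t for t in txns if t.amount > 0]
    outbound = [t for t in txns if t.amount < 0]
    total_in = sum(t.amount for t in inbound)
    total_out = -sum(t.amount for t in outbound)

    # Pass-through ratio and the fastest inbound-to-outbound gap.
    pass_through = total_out / total_in if total_in else 0.0
    gaps = []
    for credit in inbound:
        later = [d.ts for d in outbound if d.ts >= credit.ts]
        if later:
            gaps.append(min(later) - credit.ts)
    fastest_exit = min(gaps) if gaps else None

    distinct_senders = len({t.counterparty for t in inbound})
    cash_crypto_out = -sum(t.amount for t in outbound if t.channel in CASH_OR_CRYPTO)
    cash_crypto_share = cash_crypto_out / total_out if total_out else 0.0
    account_age_days = (as_of - opened_at).days

    flags = []
    if pass_through >= 0.9 and fastest_exit is not None and fastest_exit <= timedelta(hours=2):
        flags.append("high_velocity_pass_through")
    if distinct_senders >= 3:
        flags.append("multiple_unrelated_inbound_senders")
    if cash_crypto_share >= 0.5:
        flags.append("rapid_outflow_to_cash_or_crypto")
    if account_age_days <= 90:
        flags.append("account_in_first_90_days")

    return {
        "pass_through_ratio": round(pass_through, 2),
        "fastest_exit_minutes": None if fastest_exit is None
                                else int(fastest_exit.total_seconds() // 60),
        "distinct_senders": distinct_senders,
        "cash_crypto_share": round(cash_crypto_share, 2),
        "account_age_days": account_age_days,
        "flags": flags,
    }


def sample_ledgers() -> dict:
    """Two constructed ledgers: a suspected mule and an ordinary salary account."""
    d = datetime(2024, 11, 4, 9, 0)
    mule = [
        Txn(d,                                   4_800.00, "SENDER-A",   "FASTER_PAYMENT"),
        Txn(d + timedelta(minutes=25),          -4_700.00, "EXCHANGE-X", "CRYPTO_EXCHANGE"),
        Txn(d + timedelta(hours=3),              9_500.00, "SENDER-B",   "FASTER_PAYMENT"),
        Txn(d + timedelta(hours=3, minutes=40), -6_000.00, "EXCHANGE-X", "CRYPTO_EXCHANGE"),
        Txn(d + timedelta(hours=3, minutes=45), -3_000.00, "ACCT-C",     "FASTER_PAYMENT"),
        Txn(d + timedelta(days=1),               2_000.00, "SENDER-C",   "FASTER_PAYMENT"),
        Txn(d + timedelta(days=1, minutes=50),  -1_900.00, "ATM-12",     "ATM_WITHDRAWAL"),
    ]
    salary = [
        Txn(d,                          2_600.00, "EMPLOYER-LTD", "BACS"),
        Txn(d + timedelta(days=2),       -950.00, "LANDLORD",     "STANDING_ORDER"),
        Txn(d + timedelta(days=5),        -80.00, "GROCER",       "CARD"),
    ]
    return {
        "mule": (d - timedelta(days=20), mule),
        "salary": (d - timedelta(days=1_200), salary),
    }


if __name__ == "__main__":
    for name, (opened, ledger) in sample_ledgers().items():
        print(name, mule_indicators(opened, ledger, AS_OF))
```

The time-to-exit measurement is the one that matters most on instant rails: the mule ledger moves each credit out within an hour, which is the window in which a recall request from the sending bank can still find funds in the account.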
When fraud patterns are confirmed, a Suspicious Activity Report (SAR) goes to the relevant financial intelligence unit. In the UK, that's the NCA's UKFIU. SAR quality matters: the narrative should capture the full transfer chain and social engineering vector, giving investigators something actionable rather than just the immediate mule account details.
Customer due diligence (CDD) at account opening remains the upstream control. Weak identity verification at onboarding creates the accounts that APP fraud proceeds flow through. This is where the fraud chain starts, even if detection only happens weeks later.
Authorized Push Payment Fraud (APP Fraud) in regulatory context
The UK has moved furthest on mandatory reimbursement, and other jurisdictions are watching closely.
The Payment Systems Regulator published Policy Statement PS23/3 in June 2023, finalizing the APP Fraud Reimbursement Requirement. The rules came into force on October 7, 2024, covering Faster Payments and CHAPS transactions. Sending and receiving payment service providers each bear 50% of reimbursement costs for valid claims, up to £85,000 per claim. Gross negligence by the claimant removes the obligation, as does first-party fraud: a claimant who is complicit in the scheme receives no reimbursement.
Before mandatory rules, the Contingent Reimbursement Model (CRM) Code, introduced in May 2019, created a voluntary framework. Signatory banks committed to reimbursing victims who had acted reasonably. Application was inconsistent: reimbursement rates ranged from under 40% to over 80% across signatories. The mandatory scheme eliminated that variance and introduced a shared-cost model giving receiving banks a direct financial incentive to block mule accounts at onboarding.
In the EU, PSD3 and the Payment Services Regulation are expected to introduce equivalent liability provisions. The European Banking Authority's fraud reporting standards will include explicit APP fraud categories.
In the US, there's no mandatory reimbursement. FinCEN has issued SAR guidance on social engineering and impersonation schemes that overlap with APP fraud, but reimbursement remains voluntary. Zelle expanded its consumer protections in 2022 under Congressional pressure, though coverage is narrower than the UK model.
Globally, FATF classifies APP fraud proceeds as predicate offense funds, triggering full anti-money laundering (AML) reporting obligations when banks identify the fraud through monitoring systems. FATF's 2023 typologies work on social engineering fraud provides specific guidance on mule network patterns and cross-border layering, which is relevant for any institution processing international APP fraud flows.
Common challenges and how to address them
Pre-authorization detection is the core problem. The sending bank sees an authenticated transaction by a legitimate customer. No rule fires. The challenge is distinguishing "person paying their supplier" from "person being manipulated into paying a fraudster," and the signals are often identical.
The most effective controls in current use:
Confirmation of payee (CoP): Name-matching at payee creation catches account substitution fraud directly. UK banks completed full CoP deployment by 2024. Adoption is partial in the US and EU, which leaves invoice fraud largely unchecked. A business paying a supplier for the first time after receiving a "new banking details" email has no system prompt warning them the details changed.
Friction at high-risk payments: A 24-hour delay on first-time payees above a threshold, combined with an in-app prompt asking whether the customer has spoken to the payee, has cut APP losses by 25-35% in UK pilot programs. The tradeoff is real: some customers complain about delays on legitimate urgent transfers. The PSR has made clear that appropriate friction is consistent with reimbursement obligations, which removes one institutional reason banks previously avoided it.
Cross-bank intelligence sharing: UK banks share mule account data through CIFAS and the Mule Insights Tactical Solution (MITS). When a payee account appears in fraud feeds before the transfer, the sending bank can delay or block. Network analysis surfaces connected mule account clusters that individual account review misses entirely.
Upstream mule prevention: Enhanced due diligence (EDD) on newly opened personal accounts with early high-velocity activity reduces how long mule accounts stay active. UK Finance data shows most mule accounts used in APP fraud were opened within six months of the fraud event, meaning tighter onboarding scrutiny on new accounts has a direct effect.
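An added example of the network-analysis step from the cross-bank intelligence control above (illustration code written for this article, not CIFAS, MITS or any bank's implementation): a constructed transfer graph is expanded outward from accounts a shared fraud feed has already confirmed as mules, so that a payee two hops downstream, which no single-account review would link to a victim, can be delayed before a new transfer to it settles. The transfer list, the seed set, the hub list (exchanges treated as sinks so unrelated networks don't merge through them) and the hop-distance policy are all assumptions.

```python
"""Added example: payee screening against shared mule intelligence plus
network expansion over observed transfers.

Illustration code written for this article, not CIFAS, MITS or any bank's
system. The transfer graph, seed list, hub list and policy are constructed.
"""
from collections import defaultdict, deque

# Constructed interbank transfer observations: (sender_account, receiver_account).
TRANSFERS = [
    ("VICTIM-1", "MULE-A"),
    ("VICTIM-2", "MULE-A"),
    ("MULE-A", "MULE-B"),
    ("MULE-B", "EXCHANGE-X"),
    ("MULE-A", "MULE-C"),
    ("MULE-C", "MULE-D"),
    ("VICTIM-3", "MULE-E"),
    ("MULE-E", "EXCHANGE-X"),
    ("SHOP-1", "SUPPLIER-Z"),
]

# Accounts already confirmed as mules in a shared fraud feed (constructed).
CONFIRMED_MULES = {"MULE-A", "MULE-E"}

# High-traffic destinations that would otherwise join unrelated networks.
HUBS = {"EXCHANGE-X"}


def build_graph(transfers):
    """Adjacency sets in the direction funds move, and the reverse direction."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in transfers:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def downstream_distance(transfers, seeds, max_hops=2, hubs=HUBS):
    """Breadth-first search from confirmed mules along the flow of funds.

    Returns {account: hops} for every account within max_hops downstream of a
    seed (seeds themselves at 0). Hubs are not entered, so an exchange never
    becomes a 'mule' just because mule funds reached it.
    """
    fwd, _ = build_graph(transfers)
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        for nxt in fwd[node]:
            if nxt in hubs or nxt in dist:
                continue
            dist[nxt] = dist[node] + 1
            queue.append(nxt)
    return dist


def mule_clusters(transfers, seeds, hubs=HUBS):
    """Connected components (ignoring direction, not crossing hubs) that
    contain at least one confirmed mule. Victim accounts stay in the cluster,
    which is what links separate reports to one network."""
    fwd, rev = build_graph(transfers)
    nodes = (set(fwd) | set(rev)) - hubs
    seen, clusters = set(), []
    for start in nodes:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp or n in hubs:
                continue
            comp.add(n)
            stack.extend(fwd[n] | rev[n])
        seen |= comp
        if comp & seeds:
            clusters.append(frozenset(comp))
    return clusters


def screen_payee(payee, dist):
    """Pre-transfer decision by hop distance from a confirmed mule (assumed policy)."""
    hops = dist.get(payee)
    if hops is None:
        return "allow"
    if hops == 0:
        return "block"
    if hops == 1:
        return "delay_and_review"
    return "warn"


if __name__ == "__main__":
    dist = downstream_distance(TRANSFERS, CONFIRMED_MULES)
    for account in ["MULE-A", "MULE-B", "MULE-D", "SUPPLIER-Z"]:
        print(account, dist.get(account), screen_payee(account, dist))
    for cluster in mule_clusters(TRANSFERS, CONFIRMED_MULES):
        print(sorted(cluster))
```

MULE-D never receives a payment from a victim directly and has no confirmed-mule record of its own, so a per-account check on a new payee named MULE-D finds nothing; the two-hop expansion is what surfaces it. In practice the seed set would be refreshed from the shared feed on every screening call, since the value of the network view decays quickly as accounts are burned and replaced.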
SAR quality is a persistent gap. Many APP fraud SARs contain only the immediate receiving account. The SAR narrative should document the full payee chain, the social engineering vector, and any cross-bank intelligence, so the FIU can disrupt the mule network rather than just log the event.
Related terms and concepts
APP fraud sits at the intersection of fraud, financial crime, and payment system risk. Several adjacent concepts shape how teams handle it.
Business email compromise (BEC) is a direct APP fraud variant targeting corporate payments. The FBI's IC3 reported $2.9 billion in BEC losses in the US in 2023. Every wire transfer triggered by a BEC attack is an APP fraud event: an authorized payment to a fraudster's account, initiated by the victim after being deceived. The distinguishing features are the target (business finance teams) and the attack vector (email impersonation of executives or suppliers).
Investment scams are the highest-value APP fraud variant by average loss per case. The "pig butchering" scheme, originating from fraud compounds in Southeast Asia, builds fake investment relationships over weeks and extracts transfers often exceeding £50,000 before detection. UK Finance identified investment scams as the largest APP category by total value in 2023, at £107 million.
The post-payment flow maps directly onto money laundering typologies. Funds enter a money mule account and then move through a mule network in the layering phase before the fraudster integrates the proceeds. Recovery probability drops sharply after the first mule hop. Most instant payment rails settle within 15 seconds, which is why receiving-side detection speed matters as much as sending-side prevention.
Deepfake fraud and voice cloning fraud are now active APP fraud vectors. In a documented 2024 case in Hong Kong, a deepfake video conference call impersonating company executives triggered a HK$200 million (approximately US$25 million) corporate wire transfer. These attacks defeat the verbal authorization checks that banks use as a last line of defense against impersonation, and they're becoming faster and cheaper to execute.
Where does the term come from?
The term "Authorized Push Payment fraud" emerged around 2016, coined by UK consumer group Which? to describe a category of bank transfer scams that had no standard regulatory name. UK Finance and the Payment Systems Regulator adopted it as the official classification. "Push payment" refers to the payment model: the account holder pushes funds to a recipient, as opposed to a pull payment (a direct debit) where the recipient initiates the collection. The "authorized" qualifier separates this from unauthorized payment fraud, where no valid consent exists. The PSR formalized the term in its 2016 market review and enshrined it in binding regulation through Policy Statement PS23/3, published June 2023.
How FluxForce handles authorized push payment fraud (APP fraud)
FluxForce AI agents monitor APP fraud-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.