KIS Bridging Loans
Presented by KIS Finance
Complete Guide to Protection Against Authorised Push Payment Scams

Authorised Push Payment (APP) scams resulted in £354m worth of losses last year, with only £83m being refunded back to customers, according to trade body UK Finance.

APP scams occur when a fraudster tricks you into authorising a payment to their account. They will often do this by convincing you they are someone else – perhaps a company you have done business with before, a friend or even a solicitor (some victims have even lost house deposits this way). Alternatively, they could be someone trying to sell fake products (e.g. tickets to concerts which have sold out).

Until now, it has been almost impossible for victims to claim reimbursement from their bank, unless there was a clear fault in the way the bank handled the payment.

This guide will explain all the different ways you are now protected against authorised push payment scams.

Bank Voluntary Code – ‘Contingent Reimbursement Model Code’

As of 28th May 2019, a new voluntary code for banks has been introduced by The Authorised Push Payments Scam Steering Group (established by the Payment Systems Regulator in 2018). Eight major financial providers (representing 17 brands) – Barclays, HSBC, Lloyds, Metro Bank, Nationwide, RBS, Santander and Starling Bank – have already committed to implementing the new code immediately.

Which banks are implementing the voluntary code?

The Bank Voluntary Code
Payment Service ProviderBrand
Barclays Barclays
First Direct
M&S Bank
Lloyds Banking Group Lloyds Bank
Bank of Scotland
Intelligent Finance
Metro Bank Metro Bank
Nationwide Nationwide
RBS Royal Bank of Scotland
Ulster Bank
Santander Santander
Carter Allen
Starling Bank Starling Bank

How will the voluntary code work?

As soon as you realise you have been a victim of an authorised push payment scam, you need to report it to your bank as normal – the quicker you do this, the better.

Under the new code, banks will have a new set of criteria to assess whether a customer is eligible to have their money reimbursed. Previously, banks would only refund the customer if there was an obvious fault in the way the bank handled the transaction. Now, any customer who has been defrauded in this way and has taken reasonable care, or has any element of vulnerability, should be reimbursed under the new scheme.

How will I be reimbursed after an APP scam?

As it stands currently, the financial providers involved have established a ‘central pot’ of money which can be withdrawn from by the banks to refund victims in cases where neither the customer or the bank are to blame. A long-term funding solution for this is currently in the works and should be established in early 2020.

How long will it take to be reimbursed after an APP scam?

It has been said that a decision as to whether a customer should be reimbursed will be made within three weeks of receiving the report. This could take up to seven weeks for complicated cases and, if the case is disputed and goes to the Financial Ombudsman Service, it could take much longer (an exact amount of time for this has not currently been stated).

Who won’t be protected under the voluntary code?

Anyone who has been a victim of an APP scam before 28th May 2019, when the code was introduced, won’t be able to have their case reconsidered under the new rules as they will not be applied retrospectively.

Also, any customer that the bank decides has been ‘grossly negligent’ and hasn’t taken the appropriate levels of care towards their own safety will not be reimbursed.

Customers of any bank who has not signed up to the code, currently including Co-op bank and Virgin, will also not be protected. These banks, however, have said they may sign up in the future.

Confirmation of Payee

A new system called ‘confirmation of payee’, developed by Pay.UK,  is due to be implemented next year as another level of protection against authorised push payment scams.

How will confirmation of payee work?

When you make an electronic payment, you give your bank the sort code, account number and name of the person or business you want to pay. Currently, only the sort code and account number are used to determine where the money is being sent and banks are not able to check the account holder’s name.

Under the new ‘confirmation of payee’ rules, the name you provide will be checked against the name on the account you are sending money to. This will be checked by the recipient’s bank who holds this information. When you try to make a payment, you will be given one of three answers:

  • ‘Yes’ - If the names match then you can proceed with the payment.  
  • ‘No, check the name’ - If you enter a similar name to the account holder’s, perhaps you misspelled it or entered a shortened version or nickname by mistake, you will be given the actual account holder’s name to check. You can then check that the name is correct and proceed with the payment, or you will be given the opportunity to cancel the payment and contact the payee to check their details.
  • ‘No, names don’t match’ - If the names don’t match at all, the bank will advise you to cancel the payment and contact the payee. If you wish, you can still continue with the payment but you will be warned that this is at your own risk.

What payment types will use confirmation of payee?

At the moment, confirmation of payee is being focused on protecting ‘push payment’ transactions, which are payments that you initiate and authorise from your account, such as one-off bank transfers and some standing order payments. Payments like direct debits are not included under the scheme at the moment but may be in the future.

How will I be protected by confirmation of payee?

Confirmation of payee adds another hurdle for fraudsters to overcome. You will receive an alert if the names don’t match which gives you the opportunity to cancel the transaction before the payment is made if you are concerned you are sending money to the wrong account.

If you received a ‘yes’ that the names match before you proceed with the transaction, then it later transpires that the payment was in fact made to a fraudster, you will have proof that you acted with care and responsibility so will be much more likely to get your money back.

TSB’s Refund Guarantee

TSB have taken their customers’ protection against scams to another level by introducing their ‘refund guarantee’ earlier this year. In April 2018, TSB suffered an IT meltdown which left millions of customers unable to access their money or log in to their online banking accounts. The announcement of the new guarantee forms part of TSB’s mission to rebuild their image with Chief Executive, Richard Meddings, saying this is about “giving peace of mind to our customers and doing the right thing.”

How does the TSB refund guarantee work?

The refund guarantee will protect victims against all types of financial fraud, even when the payment was authorised by the customer or an “honest mistake” was made. Basically, if you’re an innocent victim of fraud, even if you clicked on something you shouldn’t or shared personal information without thinking, you will be compensated by the bank.

TSB say that you should report the fraud as soon as possible after you become aware of it. They will investigate the claim quickly and refund the money as soon as possible. They will also provide you with any suitable advice to make sure you don’t fall for the same scam again and may help you in resetting your log-in details.

Claims against this guarantee will be capped at £1,000,000.

Who won’t be protected under the guarantee?

TSB will not refund customers if they were involved in committing fraud in any way – as you’d expect. Customers that abuse the guarantee, for example by repeatedly ignoring safety, will also be unlikely to gain compensation. Any cases where a decision was reached on reimbursement before 14th April 2019, when the guarantee was implemented, will not be able to have their case overturned under the new rules as they have not bee applied retrospectively.

How to protect yourself from authorised push payment scams

Scammers will often make contact through phishing emails, and gain the valuable information they need to defraud their victims through hacking email accounts.

Once they have access to an email account, they will often be able to find information about the companies and organisations you do business with or anything currently going on which may require payments to be made.

Top tips to follow if you want to avoid falling victim to an APP scam

  • If you receive a payment request via email, the first thing you should do is check the sender’s email address. If they are someone you have done business with before then you should check it against the email address you have on record. If it is not one you recognise at all, or it is made up of a random mix of numbers and letters, then it is best to assume the worst and contact the person they are claiming to be by another method.
  • Check the contents of the email and whether it contains any threatening or urgent language. If you are dealing with a legitimate business, they should be polite and won’t mind waiting – scammers will give you short time limits to make payments to make you panic and act without thinking.
  • Don’t be fooled just because an invoice looks legitimate. Scammers can easily get hold of company invoices and create their own to look identical.
  • If you are still unsure as to whether the email is genuine, look up the company through your normal search engine. Never reply to the email or use the contact details they have provided. Contact the company using the details on their official website and ask whether the payment request is real.
  • If the scammer is trying to trick you by posing as a company you have made payments to before, go back through your banking accounts and check the account details you used previously. This way you will see if the account is the same. If they are different but you are still unsure, contact the company directly.
  • Remember that your bank will never ask for your details or to perform a transaction over the phone or via email.


Find it useful? Please share!