KIS Bridging Loans
Presented by KIS Finance
Complete Guide to Protection Against Authorised Push Payment Scams

According to trade body UK Finance, £583.2 million was lost to authorised push payment (APP) scams in 2021. This is a 39% increase compared to the number of APP scam reports in 2020.

An APP scam is when a scammer persuades somebody to transfer money to them by posing as a trusted contact. This could be someone that you know, your bank, or a well-known company or organisation.

An APP scam can come in many forms as scammers use hundreds, if not thousands, of different tactics to trick consumers into sending them money. A common method is when the scammers pose as someone you know and sends an email or text message saying that they’re in trouble and need you to send them money. Scammers also impersonate organisations such as the NHS, banks, HMRC, charities and also companies like Amazon, PayPal, and Royal Mail.

Scammers can get in touch via email, phone call, text message, Whatsapp, and social media so it’s important to always stay vigilant and know the warning signs of a scam.

APP scams are particularly dangerous as victims are led to make payments via bank transfer rather than a credit or debit card. However, there have been huge steps forward in the banking industry over the last couple of years to do more to protect victims of APP fraud.

This guide will explain all the different ways you are now protected against authorised push payment scams, and steps you can take to protect yourself.

Bank Voluntary Code – ‘Contingent Reimbursement Model Code’

In May 2019, a voluntary code was introduced by The Authorised Push Payments Scam Steering Group (established by the Payment Systems Regulator in 2018). Eight major financial providers (representing 17 brands) – Barclays, HSBC, Lloyds, Metro Bank, Nationwide, RBS, Santander and Starling Bank – committed to implementing the new code immediately.

Which banks are implementing the voluntary code?

The Bank Voluntary Code
Payment Service ProviderBrand
Barclays Barclays
First Direct
M&S Bank
Lloyds Banking Group Lloyds Bank
Bank of Scotland
Intelligent Finance
Metro Bank Metro Bank
Nationwide Nationwide
RBS Royal Bank of Scotland
Ulster Bank
Santander Santander
Carter Allen
Starling Bank Starling Bank

How does the voluntary code work?

As soon as you realise you have been a victim of an authorised push payment scam, you need to report it to your bank as normal – the quicker you do this, the better.

Under the new code, banks will have a new set of criteria to assess whether a customer is eligible to have their money reimbursed. Previously, banks would only refund the customer if there was an obvious fault in the way the bank handled the transaction. Now, any customer who has been defrauded in this way and has taken reasonable care, or has any element of vulnerability, should be reimbursed under the new scheme.

How will I be reimbursed after an APP scam?

As it stands currently, the financial providers involved have established a ‘central pot’ of money which can be withdrawn from by the banks to refund victims in cases where neither the customer or the bank are to blame.

How long will it take to be reimbursed after an APP scam?

It has been said that a decision as to whether a customer should be reimbursed will be made within three weeks of receiving the report. This could take up to seven weeks for complicated cases and, if the case is disputed and goes to the Financial Ombudsman Service, it could take much longer (an exact amount of time for this has not currently been stated).

Who won’t be protected under the voluntary code?

Anyone who has been a victim of an APP scam before 28th May 2019, when the code was introduced, won’t be able to have their case reconsidered under the new rules as they will not be applied retrospectively.

Also, any customer that the bank decides has been ‘grossly negligent’ and hasn’t taken the appropriate levels of care towards their own safety will not be reimbursed.

Customers of any bank who has not signed up to the code, currently including Co-op bank and Virgin, will also not be protected. These banks, however, have said they may sign up in the future.

Confirmation of Payee

A new system called ‘confirmation of payee’, developed by Pay.UK, was implemented in June 2020 as another level of protection against authorised push payment scams.

How does confirmation of payee work?

When you make an electronic payment, you give your bank the sort code, account number and name of the person or business you want to pay. Currently, only the sort code and account number are used to determine where the money is being sent and banks are not able to check the account holder’s name.

Under the new ‘confirmation of payee’ rules, the name you provide will be checked against the name on the account you are sending money to. This will be checked by the recipient’s bank who holds this information. When you try to make a payment, you will be given one of three answers:

  • ‘Yes’ - If the names match then you can proceed with the payment.  
  • ‘No, check the name’ - If you enter a similar name to the account holder’s, perhaps you misspelled it or entered a shortened version or nickname by mistake, you will be given the actual account holder’s name to check. You can then check that the name is correct and proceed with the payment, or you will be given the opportunity to cancel the payment and contact the payee to check their details.
  • ‘No, names don’t match’ - If the names don’t match at all, the bank will advise you to cancel the payment and contact the payee. If you wish, you can still continue with the payment but you will be warned that this is at your own risk.

What payment types will use confirmation of payee?

At the moment, confirmation of payee is being focused on protecting ‘push payment’ transactions, which are payments that you initiate and authorise from your account, such as one-off bank transfers and some standing order payments. Payments like direct debits are not included under the scheme at the moment but may be in the future.

How will I be protected by confirmation of payee?

Confirmation of payee adds another hurdle for fraudsters to overcome. You will receive an alert if the names don’t match which gives you the opportunity to cancel the transaction before the payment is made if you are concerned you are sending money to the wrong account.

If you received a ‘yes’ that the names match before you proceed with the transaction, then it later transpires that the payment was in fact made to a fraudster, you will have proof that you acted with care and responsibility so will be much more likely to get your money back.

TSB’s Refund Guarantee

TSB have taken their customers’ protection against scams to another level by introducing their ‘refund guarantee’ earlier this year. In April 2018, TSB suffered an IT meltdown which left millions of customers unable to access their money or log in to their online banking accounts. The announcement of the new guarantee forms part of TSB’s mission to rebuild their image with Chief Executive, Richard Meddings, saying this is about “giving peace of mind to our customers and doing the right thing.”

How does the TSB refund guarantee work?

The refund guarantee will protect victims against all types of financial fraud, even when the payment was authorised by the customer or an “honest mistake” was made. Basically, if you’re an innocent victim of fraud, even if you clicked on something you shouldn’t or shared personal information without thinking, you will be compensated by the bank.

TSB say that you should report the fraud as soon as possible after you become aware of it. They will investigate the claim quickly and refund the money as soon as possible. They will also provide you with any suitable advice to make sure you don’t fall for the same scam again and may help you in resetting your log-in details.

Claims against this guarantee will be capped at £1,000,000.

Who won’t be protected under the guarantee?

TSB will not refund customers if they were involved in committing fraud in any way – as you’d expect. Customers that abuse the guarantee, for example by repeatedly ignoring safety, will also be unlikely to gain compensation. Any cases where a decision was reached on reimbursement before 14th April 2019, when the guarantee was implemented, will not be able to have their case overturned under the new rules as they have not bee applied retrospectively.

How to protect yourself from authorised push payment scams

Scammers will often make contact through phishing emails, and gain the valuable information they need to defraud their victims through hacking email accounts.

Once they have access to an email account, they will often be able to find information about the companies and organisations you do business with or anything currently going on which may require payments to be made.

How to protect yourself from authorised push payment (APP) scams

  • Never act upon any request for money that you receive via an unsolicited email, text, Whatsapp message, social media message, or phone call. If it appears to be someone you know, perhaps a close relative or friend, and this is a very out of character request, then get in touch with that person via your usual contact method and speak to them. Scammers often used hacked social media accounts and make contact with that person’s friends list or followers, or they will spoof their phone number or email address. Never respond to the email or message that you’ve received and never send them money without checking first.

  • One of the most important things to remember is that your bank will never get in touch with you asking you to make a payment or move money – this is an immediate red flag. This rule also applies to organisations such as HMRC and the NHS; they will never get in touch to ask for personal information or bank details.

  • When you are purchasing goods and/or services online, never make a payment via bank transfer. Using a credit or debit card will give you far greater protection if things were to go wrong. Once you’ve authorised a bank transfer then it will become much more difficult to get your money back if you haven’t taken the proper precautions.

  • Since the end of June 2020, every major bank in the UK has been implementing Confirmation of Payee. This means that when you set up a new payee or try to make a bank transfer, your bank will check that the person’s name and the bank details match. If a warning message pops up saying the details don’t match then do not send the payment as it’s very likely that you are not sending money to who you think you are. Also, if you ignore this message and continue with the payment then you may find it very difficult to get your money back if things go wrong.

  • Scammers will often try to trick people by sending out fake invoices via email. They may pose as a well-known company or organisation, but sometimes scammers pretend to be someone that they know you have contact with. This could be through hacking your email account or by information that they’ve found online, for example on social media. In most cases you should simply ignore any invoice that has been sent to you unexpectedly, but if it does appear to be from someone that you have done business with and you are expecting an invoice, then make sure you check the details thoroughly. Make sure that it has been sent from a recognised email address and also that the bank details match the payee when you make the payment. If anything looks suspicious, then contact them using the details you already have on file (don’t respond to the email).”


Find it useful? Please share!

Subscribe for Updates

We will email you monthly details of our latest:

  • Business and consumer guides
  • Finance news
  • Information and awareness about the latest frauds and scams, to help you avoid them.  
I want to receive email updates

By submitting your email, you agree to our Terms and Privacy Notice. You can opt out at any time.