Authorized Push Payment Fraud: Why Real-Time Payments Created a New Liability Problem
APP fraud exploits real-time rail irrevocability. With the UK's mandatory reimbursement scheme live since October 2024, payment operators face direct liability on both sides of the transaction.
APP fraud victims authorize the payment themselves — standard fraud controls don't fire. The UK PSR mandatory reimbursement scheme (October 2024) created 50/50 liability for sending and receiving PSPs. Growing real-time rail adoption makes this a cross-market problem.
Card fraud is an authorization problem. The fraudster uses stolen credentials to make a transaction the legitimate cardholder never approved. The dispute mechanism exists precisely to reverse unauthorized transactions.
Authorized push payment fraud is different in a way that makes it structurally harder to address. The victim sends the money themselves — they open their banking app, enter the account details, and approve the transfer. The payment is authorized. The rail treats it as valid. By the time the victim realizes they were deceived, the funds have been swept from the destination account and the trail goes cold.
This is why real-time payment rails have created a new liability problem. Irrevocability — the property that makes instant payments valuable — is the same property that makes APP fraud recoveries so difficult.
How APP Fraud Works
The attack is social engineering that ends in a payment instruction. The mechanics vary by scam type, but the structure is consistent: establish false context, create urgency, direct the victim to send funds to a controlled account.
Impersonation fraud: the fraudster poses as the victim’s bank, HMRC, a government agency, or law enforcement. They claim the victim’s account is compromised and must be “secured” by moving funds to a “safe account.” The safe account belongs to the fraudster.
Invoice fraud: a fraudster intercepts or spoofs a legitimate vendor’s communications and redirects a pending payment. The victim thinks they are paying their supplier; they are paying the fraudster. Most common in B2B contexts — construction, legal, property.
Investment scams: a fraudulent investment platform shows convincing gains on a small initial deposit. The victim increases investment over weeks or months. Withdrawal requests are met with fees, taxes, or technical delays until the platform disappears.
Purchase scams: goods or services advertised (often on social platforms or classifieds) that never arrive. The payment is push rather than card.
Romance scams: long-term relationship built online, financial emergency manufactured, funds transferred.
What these have in common: the victim makes a voluntary payment instruction. Standard fraud models — which look for transaction patterns inconsistent with the cardholder’s history — do not fire, because the payment behavior is entirely consistent with a genuine transfer.
Why Real-Time Rails Amplify the Problem
UK Finance’s 2025 Annual Fraud Report is specific: Faster Payments was used in 96% of fraudulent APP scam payments in the UK. The mechanism is clear. Once the victim makes the transfer, funds reach the destination account within seconds and can be immediately forwarded through a chain of mule accounts. By the time the victim contacts their bank, the money has moved multiple hops.
Card fraud allows chargebacks precisely because card clearing is not instantaneous — there is a settlement window during which reversals are possible. Irrevocable real-time rails eliminate that window.
SEPA Instant Credit Transfer, PIX, UPI, PayNow, and Australia’s New Payments Platform all share this characteristic. As real-time rail adoption grows globally, the APP fraud surface area grows with it.
The UK’s Reimbursement Framework
The UK Payment Systems Regulator’s mandatory APP reimbursement scheme came into force on 7 October 2024, making the UK the first jurisdiction to mandate reimbursement for APP fraud at scale.
Key parameters:
- Coverage: applies to transactions over Faster Payments
- Maximum reimbursement: £85,000 per claim
- Liability split: 50% sending PSP, 50% receiving PSP
- Consumer exclusions: no reimbursement if the consumer acted fraudulently or with gross negligence (a deliberate high bar — mere carelessness does not disqualify)
- Cooling-off provision: PSPs may delay payments by up to 4 business days where there are reasonable grounds to suspect APP fraud, without incurring liability for the delay
A note on trends: UK Finance data shows APP fraud cases and total losses actually declined in 2024 compared to 2023, before H1 2025 losses rose year-on-year. The framing that APP fraud is universally accelerating requires market and time-period specificity — the UK trajectory is not linear.
The Receiving PSP Problem
The 50/50 liability split is the structurally novel element of the UK scheme. Before October 2024, reimbursement responsibility fell almost entirely on the sending PSP. The receiving PSP — whose account received fraudulently obtained funds — bore no direct financial liability.
The 50/50 split changes the incentive structure. Receiving PSPs, including challenger banks and neobanks that have grown partly through frictionless onboarding, now have a direct financial stake in detecting mule accounts on their platform.
Mule account signals: accounts that receive a large inbound transfer and immediately forward most of it elsewhere; accounts opened very recently; accounts with onboarding patterns inconsistent with stated purpose; accounts linked to device or IP patterns associated with known fraud rings.
This is where account takeover detection tooling and merchant risk monitoring intersect — the same behavioral ML stack that detects compromised consumer accounts can identify newly created mule accounts before they are used.
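The first two mule account signals above (rapid pass-through of a large inbound transfer, and a recently opened account) can be expressed as a rule over a receiving PSP's ledger. This is an added example, not code from the original article; the thresholds, field names and sample ledger are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the PSR scheme).
LARGE_INBOUND = 1000.0                  # "large inbound transfer"
FORWARD_RATIO = 0.8                     # "most of it" forwarded
FORWARD_WINDOW = timedelta(minutes=30)  # "immediately"
NEW_ACCOUNT = timedelta(days=30)        # "opened very recently"

def mule_signals(account_id, opened, transfers):
    """Return the sorted signal names raised by one account's transfer history."""
    signals = set()
    for credit in transfers:
        if credit["dst"] != account_id or credit["amount"] < LARGE_INBOUND:
            continue
        if credit["ts"] - opened <= NEW_ACCOUNT:
            signals.add("new_account_large_inbound")
        # Total leaving the account inside the window that follows this credit.
        window_end = credit["ts"] + FORWARD_WINDOW
        forwarded = sum(t["amount"] for t in transfers
                        if t["src"] == account_id
                        and credit["ts"] <= t["ts"] <= window_end)
        if forwarded >= FORWARD_RATIO * credit["amount"]:
            signals.add("rapid_pass_through")
    return sorted(signals)

def triage(accounts, transfers):
    """Map account id -> signals, for accounts that raised at least one."""
    hits = {acc: mule_signals(acc, opened, transfers)
            for acc, opened in accounts.items()}
    return {acc: sig for acc, sig in hits.items() if sig}

# Constructed sample data: account ids, dates and amounts are invented.
T0 = datetime(2025, 3, 3, 14, 0)
ACCOUNTS = {
    "ACC-NEW-1": T0 - timedelta(days=5),
    "ACC-OLD-1": T0 - timedelta(days=900),
    "ACC-NEW-2": T0 - timedelta(days=10),
}
TRANSFERS = [
    {"ts": T0, "src": "EXT-A", "dst": "ACC-NEW-1", "amount": 4800.0},
    {"ts": T0 + timedelta(minutes=4), "src": "ACC-NEW-1", "dst": "EXT-B", "amount": 2400.0},
    {"ts": T0 + timedelta(minutes=9), "src": "ACC-NEW-1", "dst": "EXT-C", "amount": 2300.0},
    {"ts": T0, "src": "EXT-D", "dst": "ACC-OLD-1", "amount": 3200.0},
    {"ts": T0 + timedelta(days=2), "src": "ACC-OLD-1", "dst": "EXT-E", "amount": 950.0},
    {"ts": T0, "src": "EXT-F", "dst": "ACC-NEW-2", "amount": 1500.0},
]
```

A new account that only receives a large credit raises one signal; the account that also forwards most of it within the window raises both, which is the combination worth routing to review first.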
Pre-Payment Controls
Confirmation of Payee (CoP): the primary pre-payment control. Before a payment is sent, the sending bank checks whether the account name entered by the payer matches the name on the account at the receiving bank. A name mismatch generates a warning — not a block, but a friction point that reduces impersonation fraud where the victim believes they are sending to “Barclays Safe Account” but the account is held in a different name.
CoP has been mandatory for the UK’s largest banks since 2020. The SEPA Instant equivalent is the IBAN name check — the CIPA (Check of IBAN-Name Consistency) service, now being rolled out under the EU Instant Payments Regulation.
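A sketch of the name comparison behind a Confirmation of Payee style check, added here as an example and not taken from the article or from any scheme specification. The outcome labels, the 0.80 similarity threshold, the title and suffix lists and the sample names are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed tuning values for this sketch.
CLOSE_MATCH = 0.80
TITLES = {"mr", "mrs", "ms", "miss", "dr"}
SUFFIXES = {"ltd": "limited"}

def normalise(name):
    """Lower-case, strip accents, punctuation and titles, expand suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    tokens = [SUFFIXES.get(t, t) for t in tokens if t not in TITLES]
    # Sorting makes the comparison order-insensitive ("Smith John" vs "John Smith").
    return " ".join(sorted(tokens))

def confirm_payee(entered, held):
    """Compare the payer-entered name with the name held by the receiving bank."""
    a, b = normalise(entered), normalise(held)
    if a == b:
        return "match"
    if SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH:
        return "close_match"
    return "no_match"

def payer_warning(entered, held):
    """Return warning text for the payer, or None on a match.

    The check adds friction only: the caller still lets the payer proceed.
    """
    outcome = confirm_payee(entered, held)
    if outcome == "match":
        return None
    if outcome == "close_match":
        return "The name is similar to the account name but not identical."
    return "The name does not match the account. Check with the payee before paying."

if __name__ == "__main__":
    # Constructed names; the first is the article's impersonation scenario.
    for entered, held in [("Barclays Safe Account", "J Doe"),
                          ("Jon Smith", "John Smith"),
                          ("Mr. John Smith", "SMITH, John")]:
        print(entered, "|", held, "->", confirm_payee(entered, held))
```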
Behavioral analytics: anomaly signals in the payment session — first time paying this payee, payment amount significantly above typical for this customer, session patterns suggesting external instruction (copying account numbers from a chat window, browser switching), late-night timing. These signals can trigger additional friction (confirmation screen, delay, call-back) without blocking the payment outright.
Friction calibration: the challenge for payment operators is calibrating friction to risk without degrading experience for the majority of legitimate payments. The PSR cooling-off provision provides legal cover for delays on high-risk transactions — but applying it to every large payment would destroy the user experience that makes instant payment rails valuable.
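The behavioral signals and the calibration trade-off described in the two paragraphs above, as an added example that is not part of the original article. The signal weights, tier thresholds and the labelled sessions are constructed assumptions; the point is how moving the friction threshold changes what legitimate payers experience.

```python
# Signal weights and tier thresholds are assumptions chosen for illustration.
WEIGHTS = {
    "new_payee": 2,              # first time paying this payee
    "amount_above_typical": 3,   # well above this customer's usual payments
    "pasted_account_number": 2,  # details copied in from a chat window
    "app_switching": 1,          # session keeps leaving the banking app
    "late_night": 1,
}

def risk_score(signals):
    """Sum the weights of the signals present in one payment session."""
    return sum(WEIGHTS[s] for s in signals)

def friction_for(signals, confirm_at=4, hold_at=7):
    """Pick a friction step; nothing here blocks the payment outright."""
    score = risk_score(signals)
    if score >= hold_at:
        return "delay_and_call_back"
    if score >= confirm_at:
        return "confirmation_screen"
    return "none"

def calibrate(sessions, confirm_at):
    """Count scam and legitimate sessions that would see any friction."""
    def flagged(signals):
        return friction_for(signals, confirm_at) != "none"
    scams = [sig for sig, is_scam in sessions if is_scam]
    legit = [sig for sig, is_scam in sessions if not is_scam]
    return {"scams_flagged": sum(map(flagged, scams)), "scams": len(scams),
            "legit_flagged": sum(map(flagged, legit)), "legit": len(legit)}

# Constructed, labelled sessions: (signals present, was it a scam?).
SESSIONS = [
    ({"new_payee", "amount_above_typical", "pasted_account_number", "late_night"}, True),
    ({"new_payee", "amount_above_typical"}, True),
    ({"new_payee", "app_switching", "pasted_account_number"}, True),
    ({"new_payee"}, False),
    (set(), False),
    ({"new_payee", "amount_above_typical"}, False),  # e.g. a genuine one-off large payment
    ({"late_night"}, False),
    ({"new_payee", "pasted_account_number"}, False),
]

if __name__ == "__main__":
    for threshold in (4, 5, 6):
        print(threshold, calibrate(SESSIONS, threshold))
```

On this sample, raising the confirmation threshold from 4 to 5 halves the legitimate sessions that see friction without losing any scam sessions, while raising it to 6 removes friction for legitimate payers but misses two of the three scams.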
Implications for Global Operators
The PSD3 framework in the EU has provisions on fraud liability but does not mandate reimbursement in the same way as the UK PSR. Operators expanding into EU markets should track whether mandatory reimbursement provisions emerge in national implementations.
For operators building real-time payment products in any market — whether on SEPA Instant, PIX, UPI, or PayNow — the APP fraud risk profile should be assessed at product design stage, not retrofitted post-launch. The questions are:
- What pre-payment name-matching capability is available on this rail?
- What is the irrevocability window — is there any grace period for recall?
- What mule account detection capability does the receiving bank ecosystem support?
- What is the regulatory liability framework if a customer is defrauded?
The irrevocability that makes real-time payment rails valuable to legitimate users is the same property that makes them the preferred channel for social engineering fraud. Building payment products on these rails without a coherent APP fraud control framework is building on a known structural risk.