Assessing the pressing risk of authorised push payments (APP) fraud for UK firms

There’s no dismissing the fact that all UK payments will soon need to be instant. This is not a rising need limited to the British Isles either, considering the EU’s Instant Payment scheme and the fact that more than 100 jurisdictions have access to fast payments systems. The low costs, speed, and safety of account-to-account (A2A) transfers are already proclaimed (and used in over 80 economies), with open banking fund flows also on the rise. But it’s not all happy news; fraudsters will always find a way to bend digitalised financial methods to their whims. In particular, the rise of instant payments has increased the risk of authorised push payments (APP) fraud, making vigilance essential for UK firms.

Authorised push payments help businesses and their consumers transact easily in legitimate circumstances, but APP-based criminals have created a wealth of hazards – utilising multiple accounts and cross-border tactics to tempt money mules through romance and investment scams, and even lost pet ransom schemes. They’re so successful that authorised push payments (APP) fraud is now the UK’s most common financial scam.

What does it mean for banks, fintechs, and payment providers? A lot of the buck for identifying scams (and recuperating funds lost to them) lies with them. And with authorised push payments (APP) fraud fuelling laundering and other heinous organised crime activity, its actors must be found and prosecuted using a steadfast AML strategy – with the same breakneck speed expected to keep international money movements flowing.

Exposing the hidden criminality in instant payments

Payment infrastructures have evolved plenty in recent decades to accommodate new payment rails, digital assets, online banking, and APIs: all hallmarks of A2A transactions that save processing fees and connect financial institutions so that real-time payments reach their destinations. In the dark reaches of the web, however, scammers target vulnerable people and SMEs with lax data security or platforms that fail to meet the sophistication of the modern payments world.

A common trope of authorised push payments (APP) fraud involves criminals posing as a bank or legitimate organisation to demand sensitive information, often very quickly, luring the victim to transfer money to different accounts. In romance or investment scams, repeated exploitation is a growing concern, with victims groomed as mules to transfer funds on criminals’ behalf. This activity is extremely tough to spot, even in advanced AML systems.

Given that fraudsters and financial institutions represent two warring factions, each trying to exploit the other’s vulnerabilities, those acting on the consumers’ side now have to be aware of their shortcomings to bolster themselves against real-time payment risk:

  • Instant payments grant less time for detection and response, a window that is near impossible for traditional rules-based interventions to meet. This delays transactions and allows launderers to proliferate, with layering often taking place in minutes.
  • When the proceeds of fraud can be smurfed and processed through multiple accounts and regions at once, the fraud chain becomes more opaque, significantly lowering the rate at which launderers are detected.
  • Open banking and ultra-fast payments rely on cross-platform AML to be up to scratch; if one institution’s verification and review protocols are insubstantial, the end-to-end visibility of the A2A payment is lessened.

The pressure of industry-wide compliance

Clearly, today’s payment services providers (PSPs), banks, and fintechs must be able to verify and authenticate their users’ transfers, made more voluminous due to the nature of the interconnected world. What’s also troubling is the scrutiny of UK regulations. Firms are mandated to protect victims of the fraud typologies that they try to mitigate, and expectations from savvy digital users and regulatory bodies are getting ever stricter.

Already many institutions are regulated by the Payment Systems Regulator (PSR) to increase interbank activity, and must facilitate e-payment transfers via Pay.UK’s Faster Payment System (FPS) rail. In 2024, the PSR also introduced a rule requiring PSPs to refund victims of authorised push payments (APP) fraud – where the levels of transparency surrounding reimbursements from the largest banking groups can be identified on their website – which is, evidently, a wide spectrum.

The PSR will soon be consolidated by the UK’s leading regulator, the FCA. The watchdogs’ expectations to adapt payment infrastructure are seemingly exacerbating the current compliance culture that deems AML too costly, complex, and shifting too quickly. Fraudsters know this, however, exploiting lax fraud awareness and defences (particularly at third-party providers) to compromise the sensitive data of UK customers. This highlights a severe roadblock for plans to roll out open banking risk-free.

If authorised push payments (APP) fraud is still treated as an inconvenient customer service issue and not a high-risk typology, that’s an open door to other implications – further manipulation, coercion and organised crime – and integrity across the financial world will be lost and hard to recover. This ultimately lets the scammers and their international overlords win, when legitimate customers should be able to conduct swift cross-border payments without delay.

Quick paths to instant payment AML

It’s not all doom and gloom. Payment digitalisation is fast, but so too is the rate with which regulatory technology can enhance existing AML workflows. Real-time biometric verification and advanced fincrime detection methods can achieve the inter-institution collaboration encouraged by the PSR and the instant payment scheme.

Such processes have traditionally been siloed, wherein lies the difficulty for institutions to audit transactions according to entities’ specific risk profiles. Instead, a single source of truth draws together fraud and AML teams to detect any high risk activity (including small, repeated transactions, and muling activity such as KYC evasion), as well as build accurately tracked reports for actionable financial crime investigations by the National Crime Agency (NCA).

AI-driven transaction monitoring does not rely on fixed risk thresholds, but identifies and raises any anomalies in customers’ normal payment behaviours for enhanced due diligence. Elsewhere, risk scoring can adjust in line with any new fraud patterns that emerge in a business’ data – something that teams under cost and time pressures cannot account for manually. The result is fewer false positives and raised efficiency.

While there may be greater transactional data available, the goal of a strategic RegTech partnership is to bolster AML systems that produce meaningful alerts now, and for the future. AML and fraud teams can be better aligned to intervene in authorised push payments (APP) fraud signals earlier and focus on only the riskiest payments, allowing genuine customer payments to be processed swiftly and safely.

Figure: The four pillars of RegTech defence that help prevent authorised push payments (APP) fraud

The time to evolve AML frameworks is now

Authorised push payments (APP) fraud has already had such a damaging effect on UK financial crime that it cannot be avoided. Its coupling with instant payment regulation may feel like a cruel double-header, but with AML systems and workflows attuned to the verifiable risk of real-time payments, PSPs, banks and fintechs can operate with real-time monitoring in an environment that demands it.

Investing in adaptive compliance technology is a strategy that’s fit for the future. With greater uptake, it can enable the entire UK market of innovative financial companies to appeal to new customers as trusted, secure institutions that facilitate A2A across borders, quickly, and without the hassle. Authorised push payments (APP) fraud is no mere side issue, but a key evolution within digital finance that, when detected in line with other serious crime, can limit criminal opportunity and provide a bright outlook for firms on the right side of UK regulation.