Welcome to our UK site – choose your Jurisdiction

Get a Quote

APP Fraud Scope Without Surprises: Proving Who’s In (and Who Isn’t) 

Author: Joel Bailey, Consultant 

Why Firms Get This Wrong 

We often see Payment Service Providers (“PSPs”) assume they are ‘out of scope’ for the Payment Systems Regulator’s Authorised Push Payment (“APP”) fraud reimbursement scheme based on their licence type or how they describe themselves contractually (e.g. “we’re just the programme manager” or “we’re only the front-end”). The issue is that the mandatory reimbursement regime is not driven by labels; it is driven by how the payment is made (which rails are you using, FPS/CHAPS), and how do you access them (direct/indirect), and your role in the payment chain (i.e. who is the sending PSP and who is the receiving PSP in practice). 

In other words, it is not enough to say “we’re not a bank” or “it is not our account being operated”. If you participate in the relevant payment system (directly or indirectly) and perform a sending/receiving PSP role in the flow, you can quickly find yourself treated as in-scope. 

The “Shared Responsibility” Reality 

The reimbursement framework is designed so that liability and cost are typically shared across the chain (sending and receiving side), and the practical obligations are implemented through scheme rules. 

So, when a bank tells you’re in scope (or expects shared liability), it is usually because either: 

  • the scheme rules treat your model as participation in the payment system (direct or indirect); or  
  • the bank is ensuring it can allocate/recover its exposure contractually where, operationally, you are effectively the PSP to the end customer (or you influence controls, onboarding, comms, transaction limits etc.).  

Even where you may have a defensible legal argument that you are out of scope, the commercial reality is that larger institutions will often push for you to operate as if you are in scope unless you can clearly evidence your position. 

What “Being Sure” Looks Like: A Defensible Scope Assessment  

If you are going to say “we are out of scope”, you need more than a view, you need a short, board-usable scope assessment you can stand behind (and share with partners if needed). It should answer: 

  1. Which rails are you using (FPS/CHAPS/etc), and how do you access them (direct/indirect)?
    Scope is often rail- and participation-dependent, not solely based on authorisation type.  
  2. For each key flow, who is the sending PSP and who is the receiving PSP in reality?
    Map customer journeys, contractual responsibilities, and operational execution, not just your marketing description.  
  3. Which customers are actually in scope?
    Be clear on your customer base (consumer, microenterprise/charity where relevant), product types and edge cases.  
  4. What do the scheme rules require of you (directly or through your bank relationship)?
    Pull out the obligations your sponsor bank is relying on, and check whether they attach to your role.  
  5. Do your contracts align with your scope position?
    If a bank believes you are in scope, check whether your agreements already reflect this (explicitly or implicitly) or create reimbursement obligations regardless.  
  6. If you are wrong, what operationally fails?
    Could you meet reimbursement timelines, evidence requirements and “slow down” interventions (e.g. delaying outbound payments where there are grounds to suspect fraud)?  
A Practical Approach for Firms 

If a sponsor bank (or major PSP in your chain) asserts you are in scope, there are usually three routes: 

  • Accept and operationalise: build the processes and controls on the basis you are in scope (often fastest and lowest friction with partners).  
  • Disagree, but evidence it: produce a written scope analysis linked to scheme rules, your access model (direct/indirect) and your role in the flow.  
  • Hybrid: maintain an “out of scope” position but still implement the key controls/MI so you can respond credibly to partner and regulatory scrutiny.  

The key point: ‘we think we’re out of scope’ isn’t a control. A documented, rail-by-rail, flow-by-flow scope determination is. 

How Complyport Can Help 

Complyport supports firms in assessing their regulatory perimeter and operational obligations under evolving payment and fraud frameworks. We can assist with: 

  • Conducting robust APP fraud scope assessments; 
  • Reviewing payment flows and PSP role classifications;  
  • Designing and supporting with implementing compliant reimbursement processes; and 
  • Supporting engagement with sponsor banks and regulators. 

If you would like to discuss your firm’s position or require assistance with a scope assessment, please contact us to arrange a meeting with one of our Subject Matter Experts. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 

 

Why Choose Complyport?

Extensive Regulatory Expertise

With over 25 years of experience in the financial services industry, Complyport offers unparalleled expertise in regulatory compliance, ensuring your firm stays ahead of evolving regulations.

Comprehensive Service Offering

From AML audits to risk management and regulatory reporting, Complyport provides a full spectrum of compliance services, allowing you to streamline your compliance processes and focus on your core business activities.

Tailored Compliance Solutions

We provide bespoke compliance solutions that are specifically designed to meet the unique needs of your business, ensuring that all regulatory requirements are met efficiently and effectively.

Client-Centric Approach

We provide bespoke compliance solutions that are specifically designed to meet the unique needs of your business, ensuring that all regulatory requirements are met efficiently and effectively.

Senior-Level Guidance

Our team of seasoned professionals, including former regulators and industry experts, leads all engagements, offering deep insights and practical advice to help you manage compliance risks effectively.

Innovative Fintech, Regtech and AI Solutions

Leveraging cutting-edge fintech, regtech and AI tools, Complyport enhances your compliance processes with advanced technology, ensuring accuracy, efficiency, and real-time regulatory updates. Our innovative solutions empower your firm to stay compliant while maximising operational efficiency.

Key Figures

Over 25 Years

Providing Compliance Excellence

Over 1,500

Successful FCA, EU and UAE Authorisations

Over 1,000

Active Firms Receiving
Regulatory Support

8 Lots

FCA/PRA Skilled Person
& Consultancy Panel

Get In Touch