Tackling financial crime through enhanced data sharing: The key to preventing APP scams

The rise of authorised push payment (APP) scams presents a growing challenge to financial institutions, payment service providers (PSPs) and regulators. The Payment Systems Regulator (PSR) has recently implemented new rules aimed at reducing fraud, including a mandatory reimbursement of all victims up to the value of £85,000. This change marks a positive step forward in providing greater protection for consumers, but the industry continues to face significant hurdles, particularly around data sharing and tackling fraud at its source.

APP fraud is growing

The APP fraud landscape is evolving. According to recent data, APP fraud is growing by 12% annually in both value and volume. This growth, ahead of the new regulations, highlights the pressing need for a more collaborative approach across industries. The PSR’s new rules are designed to encourage payment firms to invest more in preventive measures, knowing they will be financially accountable for any fraud.

There is a concern, however, that a mandatory reimbursement policy could also be exploited by fraudsters as an opportunity. The reduction of the reimbursement cap to £85,000 (from £415,000) is an essential step and is more proportionate to the average scam (£12,000 for businesses and less than £2,000 for individuals), but more must be done to prevent fraud at its source.

One concern is that although APP fraud volumes may decrease due to enhanced preventive measures, the average cost per scam could rise. Criminals may increasingly target larger-value transactions, given the reassurance of reimbursement. Therefore, even as fraud volumes drop, the total cost of fraud could rise as scammers focus on bigger wins.

The approach to data sharing is fragmented

One of the primary concerns is the limited and ineffective data-sharing practices between PSPs and other critical sectors, such as social media and telecommunications (telco) firms, which is crucial in preventing APP scams from occurring.

Currently, data sharing between PSPs is fragmented and largely ineffective. While organisations such as Pay.UK and Cifas facilitate a level of data sharing, many smaller PSPs are often excluded from these efforts. Despite driving much of the innovation in the payments industry, these smaller firms suffer disproportionately from financial crime losses. Their lack of inclusion in broader data-sharing frameworks leaves them more vulnerable to fraud.

Every regulated entity is only required to carry out “proportionate measures” in fraud prevention, which leaves ambiguity around what data should be shared and how risk assessments should be conducted. This uncertainty is particularly challenging for newer PSPs, as they may struggle to identify reliable data partners and suppliers.

The critical role of social media and telco data

Improving data sharing between financial institutions is vital, but many in the payment space argue that access to social media and telco data is an even higher priority. Alarmingly, 60% of all APP scams originate on social media platforms owned by Meta, including Facebook, Instagram, and WhatsApp. Currently, there is little cooperation between these platforms and financial institutions, making it difficult for PSPs to trace the origins of fraudulent accounts and transactions.

The UK government has taken initial steps to address this with the voluntary Online Fraud Charter, which asks tech companies like Facebook, Amazon, eBay, and Google to commit to certain data-sharing principles. However, this is a voluntary measure and lacks the binding legal force necessary to compel tech giants to collaborate effectively with financial services firms.

Meta has also extended its Fraud Intelligence Reciprocal Exchange (FIRE) programme – initially launched with NatWest and Metro Bank – to additional UK banks. While that’s positive in that it suggests increased collaboration between social media platforms and financial services firms, it excludes smaller PSPs. A Government-led,coordinated approach would be far more effective. It could also promise the possibility of shared liabilities and reimbursement – not just data sharing – encouraging and incentivising all stakeholders to work together to tackle fraud at its source.

Legislative momentum: The Smart Data Bill

Before the general election interrupted proceedings, the Economic Crime and Corporate Transparency (ECCT) Act and the Data Protection and Digital Information (DPDI) Bill were key legislative efforts aimed at encouraging cross-industry data sharing. These bills had the potential to unite tech companies, telcos, law enforcement, and financial institutions in the fight against APP scams and organised financial crime. However, their progress stalled due to the election.

The good news is that a new Smart Data Bill is expected to be presented to Parliament in the coming months. This legislation could provide the legal framework needed to compel social media and telco firms to share critical fraud-related data with PSPs. If implemented as previously envisaged, the Smart Data Bill could significantly enhance fraud prevention by enabling timely access to social media and telco data rather than relying on post-fraud reimbursement measures.

Conclusion: A unified front against APP fraud

APP fraud presents a growing challenge, and tackling it requires a unified, cross-industry approach. Improved data-sharing practices between PSPs, combined with access to social media and telco data, will be essential in preventing fraud. Initiatives like the Smart Data Bill promise to create the legal framework necessary for this cooperation.

With the right legislation and collaboration, the fight against APP fraud can shift from a reactive to a preventive approach. By focusing on data sharing, regulators, financial services, and tech companies can work together to create a safer financial ecosystem. The Payments Association welcomes these developments and is committed to playing an active role in fostering collaboration across the industry.

Cifas provides products and services to help organisations tackle emerging fraud threats and trends. Our APP Victim Check and Beneficiary Checks solutions, together with the real-time customer monitoring tool Vision, not only help firms comply with the PSR rule changes, but they also enable access to fraud-risk data from more than 750 organisations to protect the bottom line.