APP fraud rules for UK accountants — the mandatory reimbursement regime.
Since 7 October 2024, UK Authorised Push Payment (APP) fraud has been subject to a mandatory reimbursement regime: banks must reimburse in-scope victims (consumers, microenterprises and small charities) up to £85,000 per claim, normally within 5 business days. A practical guide for accountancy firms helping clients who fall victim to invoice fraud, CEO fraud or supplier-impersonation scams.
The short answer
Since 7 October 2024, UK banks must reimburse in-scope APP fraud victims up to £85,000 per claim, normally within 5 business days, with the cost split 50/50 between the sending and receiving banks. The regime covers consumers, microenterprises (fewer than 10 employees and turnover or balance sheet of €2m or less) and charities with annual income under £1m, so larger business clients fall outside it and depend on recovery of funds, insurance and the bank's goodwill. When a client is a victim, speed matters: report to the bank within hours, file with Action Fraud, preserve evidence, and put controls in place to prevent a repeat. The accountant's role is to trigger the right process fast, document accurately, and tighten the client's fraud-prevention controls in the post-incident review.
1. What APP fraud actually looks like
Authorised Push Payment fraud is when a victim genuinely authorises a payment, but to a fraudster who has tricked them into believing the recipient is legitimate. The patterns most common in the accountancy world:
- Invoice redirection. A fraudster intercepts or impersonates a supplier email. The invoice that arrives looks legitimate but has the fraudster’s bank details. The client’s finance team pays it.
- CEO / director impersonation. An impersonator emails the finance team posing as the director, requesting an urgent payment with no time to verify. Often timed for end-of-week pressure.
- Supplier-impersonation in mid-flight email threads. Fraudster has compromised the supplier’s mailbox or the client’s. Replies to an existing thread with new bank details — “please use these for this invoice, we’ve switched bank”.
- Purchase fraud. Sometimes hits clients on a one-off basis — pay for goods or services that never arrive, or never existed.
- Romance / investment fraud. Less common in business contexts but worth knowing — some directors / owners get targeted on a personal basis and end up using business funds.
2. What changed on 7 October 2024
The Payment Systems Regulator (PSR) introduced a mandatory reimbursement requirement, replacing the previous voluntary CRM (Contingent Reimbursement Model) Code. The key terms:
- Mandatory reimbursement for in-scope APP fraud cases, subject to the consumer standard of caution.
- Who is covered: consumers, microenterprises (fewer than 10 employees and turnover or balance sheet of €2m or less) and charities with annual income under £1m. Larger businesses are outside the regime.
- £85,000 maximum per claim (not per transaction).
- Banks may apply an excess of up to £100 per claim, but not to vulnerable customers.
- Claims must be made within 13 months of the last fraudulent payment.
- 50/50 cost split between the sending bank and the receiving bank.
- 5 business days for the sending bank to investigate and reimburse; it can "stop the clock" to gather information, up to 35 business days in total.
- Scope: Faster Payments and CHAPS between UK accounts. International payments are out of scope, and card payments and direct debits have their own protections (chargebacks, the Direct Debit Guarantee).
- Banks recover from the fraudster's account where possible; recovered funds reduce both banks' net cost.
The regime is supervised by the PSR; the UK Finance Code of Practice for invoice and APP fraud sits alongside as best-practice guidance.
3. The consumer standard of caution
Reimbursement is not unconditional. The PSR rules set a standard of caution that victims are expected to meet, and a bank can refuse a claim if it can show the victim was grossly negligent in failing one of these requirements:
- Heed interventions. If the bank (or the police) gave a specific, targeted warning that the payment was likely to be a scam and the victim went ahead anyway, the claim is at risk. Generic pop-up text does not count as an intervention.
- Report promptly. Notify the bank without unnecessary delay once the fraud is suspected, and within 13 months of the last payment.
- Respond to reasonable requests for information. The bank needs the evidence trail to assess the claim and pursue recovery.
- Consent to the bank reporting the case to the police.
- Gross negligence is the bar. Ordinary carelessness does not disqualify a victim; a significant departure from what a reasonable person would have done does, and the bank has to demonstrate it.
- Vulnerability. The standard of caution does not apply to a vulnerable customer at all. The test looks at the individual's circumstances, so a business claim will rarely be assessed on this basis.
For business clients the first question is scope, not caution: only microenterprises and small charities can claim under the regime, and the bank will ask for evidence of size. Whether or not a client is in scope, standard payment-processing controls (dual approval, callback verification of new bank details) are the practical defence against both the fraud itself and any later challenge to a claim.
4. The immediate response — five steps
When a client tells you they’ve been hit by APP fraud, the response is time-critical. Five steps, in order:
- Phone the bank immediately. Faster Payments are processed within seconds; recall is only possible if the funds haven’t already been forwarded from the fraudster’s account. Every minute matters.
- File the formal claim through the bank’s fraud channel within 24 hours. This starts the 5-business-day investigation clock. Most banks have a dedicated fraud team; don’t use the general customer service number.
- Report to Action Fraud at actionfraud.police.uk or 0300 123 2040 (England, Wales and Northern Ireland; in Scotland report to Police Scotland on 101). Some bank claim processes require it, and the crime reference number is useful for insurance and legal follow-up.
- Preserve evidence. Original emails (don’t reply, don’t forward in ways that strip headers), payment instructions, screenshots of the fraudulent invoice, any communication trail. The bank’s fraud team will request this; having it ready accelerates the investigation.
- Put a hold on related processes. If it was invoice redirection, the actual supplier still needs paying — but verify their bank details through a different channel first. If it was CEO fraud, set up a verbal callback protocol for any future urgent-payment requests.
5. The accountant’s broader role
Beyond the immediate response, the firm has three jobs:
Post-incident review
Work out how the fraud happened. Was the client’s email compromised? Was the supplier’s email compromised? Was it social engineering through a phone call? Was there a missing internal control (dual approval, callback verification)? The review should produce a short written summary with three concrete process changes the client agrees to implement.
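The "was it the client's mailbox, the supplier's mailbox, or a lookalike sender" question can usually be answered from the headers of the original message, which is why the evidence step says not to forward it in a way that strips them. The following is an added example for that review, not SmartBooks code; it assumes the client kept the raw RFC 5322 message, and both messages in it are constructed samples.

```python
"""Header triage for a suspicious payment-instruction email.

Added example for the post-incident review; not SmartBooks code. It assumes
the client kept the original message as raw RFC 5322 text (the reason not to
forward in ways that strip headers). Both messages are constructed samples.
"""
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample 1: reply in an existing thread with "new bank details".
# The From looks like the supplier, but Reply-To and Return-Path point at a
# lookalike domain and the receiving mail server recorded SPF/DMARC failures.
IMPERSONATION_EML = b"""\
Return-Path: <billing@acme-supplies-ltd.co>
Authentication-Results: mx.client.example;
    spf=fail smtp.mailfrom=acme-supplies-ltd.co;
    dkim=none;
    dmarc=fail header.from=acme-supplies.co.uk
From: "Acme Supplies Accounts" <accounts@acme-supplies.co.uk>
Reply-To: accounts@acme-supplies-ltd.co
To: payments@client.example
Subject: RE: Invoice 4471 - updated bank details

Hi, please use the new account below for invoice 4471, we have switched bank.
"""

# Constructed sample 2: same request, but sent from the supplier's own domain
# and passing DKIM/DMARC. That points at a compromised supplier mailbox.
COMPROMISED_MAILBOX_EML = b"""\
Return-Path: <accounts@acme-supplies.co.uk>
Authentication-Results: mx.client.example;
    spf=pass smtp.mailfrom=acme-supplies.co.uk;
    dkim=pass header.d=acme-supplies.co.uk;
    dmarc=pass header.from=acme-supplies.co.uk
From: "Acme Supplies Accounts" <accounts@acme-supplies.co.uk>
To: payments@client.example
Subject: RE: Invoice 4471 - updated bank details

Hi, please use the new account below for invoice 4471, we have switched bank.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain from 'Name <user@host>' or a bare address; '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_auth_results(value: str) -> dict:
    """'authserv; spf=fail ...; dkim=none; dmarc=fail ...' -> {'spf': 'fail', ...}."""
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        method, _, rest = clause.strip().partition("=")
        if method and rest:
            results[method.lower()] = rest.split()[0].lower()
    return results


def triage(raw: bytes) -> dict:
    """Return domain mismatches, authentication results and a review verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom      # absent => same as From
    bounce_dom = domain_of(msg["Return-Path"]) or from_dom
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")
    if auth.get("dkim") != "pass":
        findings.append(f"DKIM result is {auth.get('dkim', 'missing')}, not pass")
    if auth.get("spf") == "fail" or auth.get("dmarc") == "fail":
        findings.append("SPF/DMARC failed at the receiving mail server")

    if findings:
        verdict = "impersonation: sender is not the supplier's authenticated mailbox"
    elif auth.get("dmarc") == "pass":
        verdict = "authenticated as the supplier's domain: treat the supplier's mailbox as compromised"
    else:
        verdict = "no mismatch found but no authentication results either: inconclusive"
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "auth": auth, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, eml in (("impersonation", IMPERSONATION_EML),
                       ("compromised mailbox", COMPROMISED_MAILBOX_EML)):
        result = triage(eml)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The second verdict matters for the review: if the message authenticates cleanly as the supplier's own domain, the supplier needs to be told their mailbox is compromised, and the client should expect the fraudster to have read the whole thread, not just the one invoice.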
Bookkeeping documentation
Reflect the fraud accurately in the client’s books:
- The original payment goes to a “Fraud loss — under investigation” suspense or holding account, not to the originally-intended supplier’s ledger.
- The recall (if successful) reverses the payment.
- The reimbursement (if and when received from the bank) credits the holding account.
- If reimbursement is partial or refused, the net loss moves to the appropriate expense line, usually a “Fraud loss” nominal.
- Document the bank’s investigation reference, the Action Fraud reference, and the PSR/UK-Finance correspondence in a dedicated client file.
Tax treatment
Generally:
- Reimbursement received is not taxable income — it restores the original position. Treat as a contra to the original fraud-loss entry.
- Net loss after reimbursement is generally not deductible against trading profits unless the loss was incurred in the course of the trade and there’s a strong argument it’s a normal commercial risk. HMRC’s view on this is narrow; specific cases need careful handling and possibly a consultation with a specialist tax adviser.
- VAT on the fraudulent payment is generally not reclaimable — there was no supply.
- Insurance proceeds covering the loss, if relevant, may be taxable depending on policy structure.
6. Prevention controls firms should recommend
Five practical controls that materially reduce the probability of successful APP fraud:
- Dual approval on payments above £X. Most accounting software supports this. Set the threshold based on client size — for a typical SME, anything above £1,000 should require two approvers.
- Callback verification for new bank details. When a supplier’s bank details change, verify by phone to a previously-known number for that supplier — not the number in the email. This catches the majority of invoice-redirection attempts.
- Confirmation of Payee. UK banks check the payee name against the receiving account before a Faster Payment or CHAPS payment is sent. A "no match" means stop; a "close match" or "unable to check" result needs the same out-of-band verification before the payment goes.
- Email-domain monitoring. Pay attention to small variations: "supplier-Itd.com" with a capital I instead of "supplier-ltd.com", ".co" instead of ".com", or a Reply-To address on a different domain from the visible sender. Compare the sender domain against the supplier master list rather than relying on a glance.
- CEO-impersonation protocol. Train the finance team that no urgent payment instruction from the director will ever come by email alone — there is always a verbal confirmation through a known phone number or in person.
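The dual-approval, callback-verification, Confirmation of Payee and domain-monitoring controls above can be scripted as a pre-release gate. What follows is an added example, not SmartBooks code: the confusable-character table, the £1,000 threshold, the supplier record and the two payment instructions are constructed for illustration, and a real system would read them from its ledger and bank feed.

```python
"""Pre-release checks around the prevention controls: dual approval,
callback-verified bank details, Confirmation of Payee and lookalike domains.

Added example, not SmartBooks code. Confusable table, threshold, supplier
record and payment instructions are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Character swaps seen in lookalike domains (capital I or 1 for l, 0 for o,
# "rn" for m, "vv" for w, "cl" for d). Multi-character keys apply first.
# Assumed list, not exhaustive.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("i", "l"), ("1", "l"), ("|", "l"), ("0", "o"))


def skeleton(label: str) -> str:
    """Collapse confusable characters so lookalikes map to the same string."""
    s = label.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for one-character typosquats like 'suppiler'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str, known_domains) -> str:
    """'known' for an exact supplier domain, 'lookalike of <d>' when the first
    label matches after skeletonising (any TLD) or is one edit away, else 'unknown'."""
    d = domain.lower().strip().rstrip(".")
    known = {k.lower() for k in known_domains}
    if d in known:
        return "known"
    label = skeleton(d.split(".")[0])
    for k in sorted(known):
        k_label = skeleton(k.split(".")[0])
        if label == k_label or edit_distance(label, k_label) <= 1:
            return f"lookalike of {k}"
    return "unknown"


@dataclass
class Supplier:
    name: str
    domain: str
    account: str                                 # sort code + account number on file
    callback_verified_by: Optional[str] = None   # who phoned a known number to confirm it


@dataclass
class Payment:
    amount: Decimal
    account: str               # account quoted on the instruction / invoice
    approvers: tuple           # named approvers who signed off
    instruction_domain: str    # domain of the email that carried the instruction
    cop_result: str            # Confirmation of Payee: match / close_match / no_match / unable_to_check


def release_blocks(p: Payment, s: Supplier, known_domains,
                   dual_threshold: Decimal = Decimal("1000")) -> list:
    """Reasons the payment must not be released; an empty list means release."""
    blocks = []
    if p.amount > dual_threshold and len(set(p.approvers)) < 2:
        blocks.append(f"amount {p.amount} exceeds {dual_threshold}: needs two distinct approvers")
    if p.account != s.account:
        blocks.append("account on the instruction differs from the account on file: verify by callback first")
    elif s.callback_verified_by is None:
        blocks.append("account on file has no recorded callback verification")
    if p.cop_result != "match":
        blocks.append(f"Confirmation of Payee returned '{p.cop_result}': stop and verify")
    sender = classify_sender(p.instruction_domain, known_domains)
    if sender != "known":
        blocks.append(f"instruction came from {p.instruction_domain} ({sender})")
    return blocks


# Constructed supplier master record and two instructions against it.
ACME = Supplier("Acme Supplies Ltd", "acme-supplies-ltd.co.uk", "12-34-56 12345678",
                callback_verified_by="J. Patel, 2024-03-02")
KNOWN_DOMAINS = [ACME.domain]
ROUTINE = Payment(Decimal("4800.00"), "12-34-56 12345678", ("a.smith", "b.jones"),
                  "acme-supplies-ltd.co.uk", "match")
# Invoice redirection: capital I in the domain, new account, one approver, CoP no match.
REDIRECTION = Payment(Decimal("4800.00"), "65-43-21 87654321", ("a.smith",),
                      "acme-supplies-Itd.co", "no_match")

if __name__ == "__main__":
    for label, p in (("routine", ROUTINE), ("redirection attempt", REDIRECTION)):
        blocks = release_blocks(p, ACME, KNOWN_DOMAINS)
        print(f"{label}: {'RELEASE' if not blocks else 'HOLD'}")
        for b in blocks:
            print("  -", b)
```

The callback check is deliberately a property of the supplier record, not of the payment: when a bank-detail change comes in, the record's verification field is cleared and nothing against that supplier releases until someone records who they phoned, on a number that was already on file.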
7. Where SmartBooks fits
SmartBooks ships three product-level controls that materially reduce the attack surface:
- Bookkeeper-in-the-loop approval — no payment can fire from SmartBooks without explicit named approval by an authorised user. Insider-style and pure-social-engineering attacks that bypass the finance team get caught at this gate.
- Bank-account-detail change alerts — when a supplier’s bank details change inside the system, the change is flagged for confirmation through a second channel before any payment uses the new details. Directly defeats invoice-redirection patterns.
- Audit-trail replay — every payment instruction stored with who approved it, when, from which device, with the relevant fraud-prevention headers. Investigating a fraud incident is one click of replay rather than days of forensic work.
Combined with the firm-level controls above, these reduce the probability of successful APP fraud materially. They don’t eliminate it — sophisticated fraud defeats good controls sometimes — but they shift the economics in your favour.
Related guides
- Open banking & PSD2 for UK accountants — the regulatory framework around payments.
- Strong Customer Authentication (SCA) explained
- Receipt-data quality for firms — the broader 80/20 of firm operations.
- Trust & security — SmartBooks’ security posture.
- For accountancy and bookkeeping firms
FAQ
What's APP fraud?
Authorised Push Payment fraud — where a victim is tricked into authorising a payment to a fraudster's account, believing they're paying a legitimate recipient. Common patterns in the accountancy context: invoice-redirection (supplier impersonator sends a fake invoice with their own bank details), CEO fraud (impersonator emails the finance team posing as the director asking for an urgent payment), supplier-impersonation in mid-flight email threads. The key word is 'authorised' — the victim genuinely made the payment, just to the wrong person.
What changed on 7 October 2024?
The Payment Systems Regulator's mandatory reimbursement requirement came into force. Faster Payments and CHAPS payments between UK accounts became subject to mandatory reimbursement for consumers, microenterprises and small charities: the sending bank and receiving bank split the cost 50/50, with the maximum per claim set at £85,000 and an optional excess of up to £100. The previous voluntary CRM Code was replaced. Banks must reimburse within 5 business days of the claim, extendable to 35 business days where they need more information, and claims can be made up to 13 months after the last payment.
Does the £85,000 cap apply per transaction or per case?
Per case, not per transaction. If a fraud incident involves multiple transactions to the same fraudster account (or related accounts), they roll up into one case and the £85,000 cap applies to the total. The PSR cap was set after consultation; there's industry pressure to increase it for business-to-business cases, but as of mid-2026 the £85,000 figure stands.
What's the 'consumer standard of caution' and does it apply to businesses?
The PSR rules include a standard of caution that claimants are expected to meet: heed specific warnings from the bank or police, report promptly, respond to reasonable requests for information, and consent to a police report. A bank can only refuse on these grounds if it can show gross negligence, and the standard does not apply to vulnerable customers. For businesses the question is scope rather than caution: the regime covers microenterprises (fewer than 10 employees and turnover or balance sheet of €2m or less) and charities with annual income under £1m, under the same rules as individual consumers. Larger businesses have no entitlement under the regime and depend on the bank's goodwill, recovery of funds and insurance.
What's the 5-business-day investigation window?
After a victim files a claim, the sending bank has 5 business days to investigate and decide on reimbursement. It can stop the clock to gather information, up to 35 business days in total, in complex cases (cross-border elements, unusual patterns, conflicting accounts). The clock starts when the victim files the formal claim, not when the fraud occurred, and the claim itself must be made within 13 months of the last payment. Encourage clients to report within hours, not days: that is when funds can still be recovered.
What should an accountant do when a client is a victim?
Five steps, in order. (1) Tell them to call the bank immediately — every minute matters for recall of funds. (2) Tell them to file a formal claim through the bank's fraud channel within 24 hours. (3) Report to Action Fraud at https://actionfraud.police.uk (this is required for some bank claim processes anyway). (4) Preserve evidence — original emails, payment instructions, screenshots, any communication trail. Don't reply to or forward the suspicious messages. (5) Put a hold on related processes — if it was an invoice-redirection scam, the actual supplier still needs paying; if it was CEO fraud, get the actual director to confirm any future urgent-payment requests through a different channel.
What's the firm's role beyond the immediate response?
Three things. (1) Post-incident review — work out how the fraud happened (compromised email, fake invoice, social engineering) and tighten the client's processes. (2) Documentation — make sure the bookkeeping records reflect the fraud accurately: the original payment, the recall (if successful), the reimbursement (if and when received), the bank's investigation reference. (3) Tax treatment — money recovered through reimbursement is generally not taxable income (it's restoring the original position), but lost money is rarely deductible either; specific cases need careful handling.
How does SmartBooks help with APP fraud prevention?
Three product-level controls. (1) Bookkeeper-in-the-loop approval — no payment can fire from SmartBooks without explicit named approval, which catches a class of insider/social-engineering attacks. (2) Bank-account-detail change alerts — when a supplier's bank details change in the system, the change is flagged for confirmation through a second channel before any payment uses the new details. (3) Audit-trail replay — every payment instruction is stored with who approved it, when, from which device, with the fraud-prevention headers. When investigating a fraud incident, replay is one click. None of this prevents fraud entirely; nothing can. The controls are about narrowing the attack surface and making detection / recovery faster.
A note on advice
This guide is general operational guidance for UK accountancy firms. It is not legal, regulatory or fraud-investigation advice for a specific case. Suspected APP fraud should be reported immediately to the client’s bank’s fraud team and to Action Fraud. Tax treatment of fraud losses requires careful case-by-case analysis — consult a specialist tax adviser. The statutory framework (PSR mandatory reimbursement regime, the £85,000 cap, the 5-business-day window) is current at the time of writing — the PSR reviews these annually and the cap may increase; verify against current PSR publications.
Fewer attack vectors, faster recovery.
Book a 15-minute demo if you're running a firm with clients exposed to invoice or CEO fraud — we'll walk through SmartBooks' approval gate, bank-detail change alerts, and audit-trail replay.