top of page

The Hidden Threat: Why APP Fraud is Slipping Through the Cracks in Fraud Security

Updated: May 29

Authorised Push Payment (APP) fraud is a growing menace in the financial world, costing victims billions each year globally. Despite the sophisticated fraud detection systems employed by banks and payment service providers, a critical gap remains: the failure to adequately screen payment counterparties. This blog post delves into how current fraud detection solutions work, their limitations, and the urgent steps needed to close this gap.

Understanding APP Fraud


APP fraud occurs when a fraudster tricks a victim into authorising a payment to an account controlled by the fraudster.

Unlike other types of fraud, where the criminal gains unauthorised access to an account or card, APP fraud involves the victim willingly transferring money under false pretences. Common scenarios include impersonation of bank officials, fake invoices, and investment scams.

Because the payment was authorised by the real account holder, it's incredibly difficult for banks and payment providers to detect if the transaction is a scam.

How Current Fraud Detection Solutions Work


In their attempt to do so, leading fraud detection providers employ advanced AI and machine learning (ML) technologies to monitor transactions and detect anomalies. These systems analyse vast amounts of data in real-time, identifying patterns that deviate from normal behaviour.

Key capabilities include:

  • Real-Time Monitoring: Systems analyse transaction data to detect and prevent fraud before it occurs. This works behind the scenes to instantly deliver risk scores.

  • Pattern and Anomaly Detection: AI models identify unusual transaction patterns that may indicate fraud, such as sudden large transfers or transactions from new locations.

  • Biometrics: Face, fingerprint, haptic feedback, typing speeds, and device usage are tracked and measured to register any deviations.

  • Machine Learning: These systems continuously learn from new data, improving their ability to detect emerging fraud tactics.

The Limitations of Current Solutions


Despite their impressive sophistication, these systems have significant limitations when it comes to APP fraud:


  1. Focus on Customer Transactions: Most fraud detection systems primarily monitor the transactions of their own customers. They do not extend their scrutiny to the counterparties involved in these transactions. This makes sense because historically there's never been an obligation on banks and payment providers to do so or forced liability if the transaction turned out to be a scam.

  2. Adaptability: Most systems are governed by a rules-based approach (even those driven by AI and ML models), meaning the system is design to catch pre-determined attributes deemed as suspicious or risky. As fraud typologies change and scammers use new tactics to evade system rules, the ability of these systems to effectively catch changing attributes and maintain accuracy is challenged.

  3. Generic Warnings: a majority of providers flag risk on the basis of a risk score. While highly efficient in triaging risk, it is insufficient for the purposes of intervening in a customer's payment. Under the new UK regulations, stating to a customer "payment is likely a fraud; strongly advised not to proceed" is not enough. Banks and PSPs need give specific and tailored reasons as to why they think this particular transaction and recipient is a fraud. Generic risks do not afford the data needed to make this kinds of idiosyncratic statements of risk.

  4. False Positives and Negatives: AI and ML models can generate false positives, flagging legitimate transactions as fraudulent, and false negatives, missing actual fraud, particularly if the system is set up to accommodate a low-risk policy. This can lead to huge operational inefficiencies and customer dissatisfaction.

The Risks of Ignoring Counterparty Monitoring


The new reimbursement rules of APP fraud in the UK mark a watershed moment in the fight against APP fraud. Mandatory reimbursement means it's no longer business as usual when it comes to fraud. The failure to monitor payment counterparties exposes banks and payment providers to several risks:


  1. Increased Fraud Losses: Without counterparty monitoring, fraudsters can exploit the system by using fake, recently opened accounts and/or unsuspecting third parties (i.e. mules) to facilitate fraud. For lower-margin operators, these losses pose a potentially existential threat.

  2. Regulatory Non-Compliance: Regulatory bodies are increasingly focusing on comprehensive fraud prevention measures (e.g. tailored and specific internventions and Consumer Duty). Failure to monitor counterparties could result in non-compliance and hefty fines.

  3. Reputational Damage: High-profile fraud cases can severely damage a bank’s reputation, leading to loss of customer trust and business.

Urgent Actions Needed


To address these gaps, banks and payment providers can take a number of steps:


  1. Implement Counterparty Monitoring: Extend fraud detection systems to monitor the activities of payment counterparties. This involves analysing the transaction activity of the recipient in a transaction. Lucra is a provider of such solution.

  2. Enhance Data Sharing: Improve data sharing between banks and payment providers to create a holistic view of transactions. This can help identify suspicious patterns that span multiple institutions. Doing so remains a practical challenge hampered by technology, data protection and security hurdles. Lucra is currently working to overcome these to create the UK's most comprehensive fraud data network.

  3. Adopt Advanced AI Models: Invest in AI models that can handle large datasets and adapt to new fraud patterns quickly. These models should be capable of real-time analysis and decision-making. Of course, training such models takes time and a large amount of high quality data.

  4. Regularly Update Detection Rules: Continuously update fraud detection rules to keep pace with evolving fraud tactics. This requires a dynamic approach to rule creation and machine learning model training. Easier said than done.

  5. Educate Customers and Staff: Increase awareness about APP fraud among customers and staff. Training programs can help individuals recognize and report suspicious activities.


Most banks and payment providers already do all of the above, save for no. 1 (counterparty screening). By addressing all these critical areas, banks and payment providers can significantly improve their fraud detection capabilities and protect themselves and their customers from the growing threat of APP fraud.


Alan is the founder and CEO of Lucra. Previously he was a lawyer at Kirkland & Ellis LLP.


bottom of page