Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

APP fraud and authorised push payments: what controls actually work?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: APP fraud in the UK reached £583 million in losses last year, with fraud up 39% year on year and scams accounting for more than half of all UK scams in 2021, according to Prove Identity. The control gap is not payment mechanics alone but the trust, timing, and verification assumptions built into push-payment journeys.

NHIMG editorial — based on content published by Prove Identity: What is APP Fraud and How Can UK Companies Combat It?

By the numbers:

Questions worth separating out

Q: What breaks when APP fraud controls rely only on OTPs?

A: OTP-only controls break because they verify a message or device, not the legitimacy of the payment request.

Q: Why do authorised push payments increase fraud risk compared with pull payments?

A: Authorised push payments increase fraud risk because the customer initiates the transfer, which makes the transaction look legitimate even when the intent was manipulated.

Q: How can financial institutions detect APP fraud before money leaves the account?

A: They should look for risk combinations rather than a single red flag.

Practitioner guidance

  • Implement transaction-risk prompts Trigger warnings only on high-risk transfers, based on recipient novelty, value, device signals, and behavioural anomalies.
  • Replace OTP-only step-up flows Use proof-of-possession and transaction-aware verification that ties the second factor to the payment context, not just message delivery.
  • Correlate fraud and identity signals Fuse identity verification, device intelligence, payee history, and behavioural analytics before authorising a push payment.

What's in the full article

Prove Identity's full article covers the operational detail this post intentionally leaves for the source:

  • The breakdown of common APP scam types, including romance, purchase, impersonation, and investment fraud.
  • The discussion of why generic transaction warnings lose effectiveness when they are shown on every payment.
  • The explanation of how Instant Links differ from OTPs as a proof-of-possession check in fraud prevention.
  • The webinar context with NatWest Group that expands on the UK fraud response discussion.

👉 Read Prove Identity's analysis of APP fraud and scam prevention →

APP fraud and authorised push payments: what controls actually work?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

APP fraud is an identity assurance failure before it is a payment failure. The article correctly shows that the decisive moment is not settlement, but the point at which a user can be persuaded that a transfer is legitimate. That means fraud and identity teams must treat payment approval as an identity event with behavioural risk, not a simple authorisation signal. The governance implication is clear: if trust is not challenged before the push, the control surface is already too late.

A question worth separating out:

Q: Who is accountable when an authorised fraud payment is not blocked?

A: Accountability depends on where the control failure occurred. Under the PSR model described in the article, a PSP can be liable if it failed to apply verification of payee, perform transaction monitoring, or block a suspicious transaction. That makes evidence quality and control execution part of accountability.

👉 Read our full editorial: APP fraud is a trust exploitation problem, not a payment problem



   
ReplyQuote
Share: