What changed in October 2024

Before October 2024, UK scam-victim refunds were governed by the voluntary Contingent Reimbursement Model (CRM) Code. Signatory banks (most major UK banks) agreed to a set of rules, but non-signatories had no obligation and even signatories had broad discretion to refuse. Uphold rates varied wildly between banks — some refunded 80% of claims, others under 30%.

On 7 October 2024, the Payment Systems Regulator (PSR) replaced this voluntary system with a mandatory reimbursement requirement binding on all UK Payment Service Providers (PSPs) participating in Faster Payments and CHAPS. The legal authority comes from the Financial Services and Markets Act 2023, Schedule 4, which gave the PSR power to mandate APP scam reimbursement.

Key shifts from the old voluntary code to the new mandatory scheme:

  • Default position flipped. Under CRM, the bank could refuse if it could argue the customer wasn't "vigilant". Under the PSR mandatory scheme, the bank must refund unless it can prove gross negligence on the customer's part. The burden of proof moved from victim to bank.
  • 50/50 liability split. Losses are split between the sending bank (where the victim's money came from) and the receiving bank (where the fraudster's account was). This incentivises receiving banks to detect mule accounts faster — historically they ignored them.
  • 5-working-day decision window. Banks have 5 working days from claim to make a decision, with extensions possible only in specific complex cases (max 35 working days total).
  • £85,000 cap per claim. Up from the £415 CRM voluntary cap that some banks applied. Aligns with the FSCS protection limit.
  • £100 excess only when justified. A "consumer standard of caution" excess can be applied — but only when the bank proves the customer didn't take reasonable care, and never to vulnerable customers.

Are you eligible?

You qualify for PSR mandatory reimbursement if all of the following are true:

  1. You're an individual consumer, microenterprise, or charity. Microenterprises have fewer than 10 employees and under £1.4M turnover. Charities have income under £1M.
  2. The payment was sent via Faster Payments or CHAPS. These are the two UK payment rails covered. Most everyday bank-to-bank transfers in the UK use Faster Payments (including all mobile-banking-app transfers under £1M). Direct debits, standing orders, and card payments use other rails and are covered by separate rules.
  3. The payment was between two UK accounts. Both your sending bank and the fraudster's receiving bank must be UK PSPs. International payments (cross-border SEPA, SWIFT, etc.) are NOT covered.
  4. You authorised the payment. APP fraud means you made the payment yourself, believing the recipient was legitimate — you weren't impersonated, your account wasn't taken over, your card details weren't used without your knowledge. (Those scenarios are already covered by separate unauthorised-payment rules, with even stronger protection.)
  5. You were deceived. You sent the payment because of a scam: romance scam, pig-butchering investment, purchase fraud, impersonation (HMRC / bank / courier / police), invoice redirection, advance-fee fraud, fake job, fake charity. Any deception-based scam pattern qualifies.
  6. You reported it within 13 months. Claims must be made within 13 months of the last fraudulent payment. Earlier reporting is strongly preferred but the cliff is at 13 months.

Things that disqualify you

  • You knowingly participated in the fraud (e.g. acted as a money mule).
  • The "scam" was actually a private dispute (e.g. you paid for goods and the seller didn't deliver — that's not APP fraud, it's a civil contract dispute).
  • The payment was to your own account at another bank (genuine first-party transfers are excluded).
  • The scam is currently subject to court proceedings where you're a co-defendant.

How to claim — step by step

Step 1: Report to your bank immediately

The 5-working-day decision clock starts when the bank receives your claim. Phone is fastest — most banks have dedicated fraud lines that bypass the general queue. Quote the phrase "I'm reporting an Authorised Push Payment scam under the PSR Mandatory Reimbursement Scheme" — this triggers the specific case-handling track. If you contact via app or chat, use the exact same phrase.

Banks must give you a case reference number immediately. Note it down. Time-stamp it.

Step 2: File with Report Fraud

The PSR scheme doesn't strictly require a Report Fraud report, but most banks expect one as standard evidence. File at reportfraud.police.uk or call 0300 123 2040 (England, Wales, Northern Ireland) / 101 (Scotland — Police Scotland handles fraud reports). You'll get an NF crime reference number. Use the ScamSupport Report Fraud filing assistant for a guided wizard.

Step 3: Evidence pack

Within the first 5 working days, give your bank:

  • The payment(s) — date, time, amount, recipient sort code + account number for each.
  • The scammer's communications — screenshots of WhatsApp / Telegram / email / SMS / dating-app messages showing the deception. Don't crop or redact; banks need the full thread for context. If the scammer asked you to delete messages, your screenshots from before that request are still admissible — explicitly note what you remember was said.
  • Any phone-call recordings or notes — if you took notes during a "bank security team" call, the notes count. If you recorded the call (legal in the UK without consent for personal-use records), the recording counts.
  • How you discovered it was a scam — usually one of: the promised "investment returns" never appeared; the romance partner kept asking for more money; a friend / family member pointed it out; you noticed an unexpected charge; news coverage flagged the pattern.
  • Your Report Fraud crime reference number (from Step 2).

Step 4: Bank investigation (5 working days)

The bank assesses whether the claim qualifies, whether you took reasonable care, and whether they need more information. They can extend to 35 working days for complex cases but must tell you so.

Outcomes:

  • Full refund. Amount paid back into your account, typically within 24 hours of decision. No excess, no deductions.
  • Refund minus £100 excess. The bank's claim is that you didn't take reasonable care (didn't heed bank warnings, didn't verify recipient via independent channel). They must explain in writing why the excess applies.
  • Refusal — gross negligence. Rare. The bank must prove you acted with "gross negligence" — a high legal threshold. Things like sharing security details, ignoring multiple bank warnings about the same transaction, or making rapid repeat payments to the same suspicious recipient might justify a refusal. The bank must give a written reason citing the specific PSR criteria.
  • Partial refund. Sometimes a bank refunds part — e.g. accepting fault for the first payment but not subsequent ones where they say warnings should have stopped you.

Step 5 (if refused): Formal complaint to the bank

Send a written complaint by email or the bank's formal complaints process. Reference: "Formal complaint — PSR Mandatory Reimbursement Scheme refusal — case ref [number]". Include:

  • Why you believe the refusal is wrong (point-by-point response to their stated reasons)
  • Any vulnerability factors that apply (recent bereavement, health condition, financial difficulty, age) — vulnerability triggers stronger protection
  • Specific PSR criteria you believe were misapplied
  • A request for a "final response" letter within 8 weeks (this is the formal escalation gateway)

Step 6 (if still refused): Financial Ombudsman Service

After 8 weeks from your formal complaint (or sooner if the bank issues a final response), escalate to the Financial Ombudsman Service free of charge. FOS uphold rates on APP fraud cases ran at ~78% in favour of consumers in 2024 — roughly four in five.

Use the ScamSupport FOS complaint letter generator for a guided template. Or read the full FOS complaint guide for what to include.

The vulnerability carve-out

The PSR scheme protects "vulnerable customers" more strongly. The £100 excess cannot be applied. Bank arguments around "reasonable care" face a higher bar. Vulnerability is defined broadly under FCA FG21/1 and includes any of:

  • Health — physical or mental health condition, cognitive impairment, recent diagnosis, ongoing treatment
  • Life events — recent bereavement, divorce, relationship breakdown, job loss, retirement
  • Resilience — financial difficulty, debt, low income, lack of savings buffer
  • Capability — limited financial / digital literacy, language barrier, learning difficulty
  • Age — older customers (often defined as 65+ for fraud-vulnerability purposes, though there's no fixed cliff)

You don't need a medical certificate or formal proof. Stating the relevant circumstance in your claim is sufficient to trigger vulnerability protection — the bank then has to either accept it or specifically rebut it. Flag any applicable vulnerability factor in your first claim communication; don't save it for the escalation.

What falls outside the scheme

Several scam patterns are excluded — but they still have routes to refund through other mechanisms:

  • Card payments to fraudsters — covered by the chargeback scheme (Visa, Mastercard) or Section 75 of the Consumer Credit Act for purchases over £100 on a credit card. Often more generous than PSR for high-value scams.
  • International payments — outside PSR jurisdiction. Your only routes are bank goodwill (rare), civil litigation (expensive), or international fraud-prevention networks. Consider whether Report Fraud + a parallel report to the receiving country's financial regulator might prompt asset freezing.
  • Crypto purchase scams — if you bought crypto via a UK exchange and then sent it to a fraudster, the initial GBP-to-crypto purchase isn't APP fraud (you got what you paid for). The crypto transfer to the fraudster isn't a regulated payment. Crypto scam recovery routes are limited; check that page for what exists.
  • Investment scams where you "knew" it was high-risk — pig-butchering and fake-broker scams ARE covered (you were deceived about the legitimacy of the broker, not the inherent investment risk). But pure speculative gambling losses are not APP fraud.
  • Purchase scams under £100 — covered by chargeback but PSR's £100 excess effectively eats the whole refund for small purchase scams. Use chargeback instead.
  • Losses over £85,000 — the per-claim cap. For losses above this, the additional amount falls outside PSR but can still be recovered via FOS (which has a separate £430,000 cap) or civil action.

Tracking the receiving bank's role

One of the most important changes under PSR is that the receiving bank (where the fraudster's account was) is now financially liable for 50% of any refund. This is significant because:

  • Receiving banks historically had little incentive to detect mule accounts — the money flowed through them and out, with no cost to them.
  • Mule accounts are typically opened with limited KYC, used for a few weeks of money laundering, then closed. PSR liability incentivises receiving banks to detect new-account fraud patterns earlier.
  • When you make your claim, your bank will identify the receiving bank and contact them. You don't typically need to interact with the receiving bank directly — but if you have direct evidence (e.g. the recipient name on a fraudulent invoice doesn't match the actual account holder name returned by Confirmation of Payee), submit it.
  • If the receiving bank refuses their 50% share, that's between the banks; you should still get your full refund from the sending bank, who then chases the receiving bank for their portion.

Frequently asked questions

Does PSR cover business accounts?

Microenterprises (fewer than 10 employees, under £1.4M turnover) and small charities (income under £1M) are covered. Larger businesses are not — they're expected to have commercial-grade fraud controls and access to commercial banking fraud teams.

What if the scam involved multiple payments over weeks?

Each payment counts as a separate APP fraud event but they're usually consolidated into a single claim. The £85,000 cap applies to the total claim, not per payment. The 13-month reporting deadline runs from the most recent payment, not the first.

Can I claim if I sent money to a "friend" who turned out to be a scammer?

Yes — romance-scam reimbursement is one of the most common claim categories under PSR. The deception is what matters: you believed you were sending money to someone you had a relationship with; the recipient was deliberately misrepresenting themselves. FOS data shows romance and pig-butchering scams have above-average uphold rates because the deception is so clearly documented in messaging history.

What if I gave the scammer my online banking password?

This is the most common "gross negligence" argument banks try. The PSR criteria for gross negligence are narrower than they sound — sharing security details under duress, threat, or sophisticated social engineering does not automatically equal gross negligence. If the scammer impersonated a bank security team or law enforcement convincingly (the "safe account" scam pattern), most FOS rulings find this is not gross negligence on the customer's part. Don't accept a "gross negligence" refusal at face value.

Will claiming under PSR hurt my credit score?

No. PSR claims are not reported to credit reference agencies. However, if you become an APP-fraud victim, you may want to consider a CIFAS protective registration — a formal marker that tells lenders to apply extra verification when your identity is used for credit applications. CIFAS markers are a defensive measure, not a negative one.

What if my bank claims a Confirmation of Payee warning was shown?

Confirmation of Payee (CoP) warnings during a payment — "the name you've entered doesn't match the account holder" — are evidence the bank tried to alert you. But CoP warnings alone don't constitute the bank's full duty of care. If the bank claims you "ignored" a CoP warning, they need to show the warning was clear, specific, and not buried in legalese, and that the circumstances around your payment didn't include other factors (urgency pressure, scammer-prepared explanations) that explain why you proceeded.

Can I sue the scammer directly?

Legally yes, practically rarely worth it. Scammers operating UK mule accounts usually empty them within hours. Even with a court judgement, enforcement against an empty or closed account is futile. Civil action makes sense only when the scammer is known, has UK assets, and the loss is well above the £85,000 cap. For most cases, PSR + FOS is the practical route.

What is the PSR Mandatory Reimbursement Scheme?

The PSR Mandatory Reimbursement Scheme is a UK Payment Systems Regulator policy that, since 7 October 2024, requires UK banks and payment service providers to refund victims of Authorised Push Payment (APP) fraud — scams where the victim was tricked into authorising a payment to a fraudster. Banks have 5 working days to investigate. The default position is reimbursement; banks must prove gross negligence to refuse.

How much can I claim under the PSR scheme?

Up to £85,000 per claim. The losses are split 50/50 between the sending and receiving bank — meaning both banks are incentivised to reduce fraud on the receiving side too. A £100 'consumer standard of caution' excess may be applied, but vulnerable customers are exempt. Losses above £85,000 fall outside the scheme but can still be claimed via FOS or civil action.

Who is eligible for PSR reimbursement?

Individual consumers, microenterprises (under 10 employees and £1.4M turnover), and charities (income under £1M) who made an APP fraud payment via Faster Payments or CHAPS to a UK account. The scheme covers scams where the victim authorised the payment under deception (not unauthorised account takeovers, which are already covered by separate fraud rules).

What scams qualify for PSR reimbursement?

Any scam where you were deceived into authorising a UK payment: romance scams, pig-butchering investment scams, purchase scams (fake goods/services), impersonation scams (HMRC, bank security team, courier), invoice redirection scams, advance-fee fraud, fake job/employment scams. Excluded: international (non-UK-to-UK) payments, payments to your own account at another bank, payments made through international card networks (different rules apply via chargeback).

What if my bank refuses my PSR claim?

Three escalation steps. First, request the bank's written reason for refusal under the PSR Code (banks must provide this in writing). Second, file a formal complaint with the bank citing PSR CP23/12 and giving 8 weeks to resolve. Third, after 8 weeks (or a final response, whichever first), escalate to the Financial Ombudsman Service free of charge. FOS uphold rates on APP fraud are around 78% in the consumer's favour.

When does the £100 excess apply?

Banks may apply a £100 'consumer standard of caution' excess only when the customer didn't take reasonable care — e.g. ignored explicit bank warnings shown during the payment, didn't verify the recipient against an independent source, or shared their security details. The excess does NOT apply to vulnerable customers (vulnerability is broadly defined and includes age, health, financial difficulty, or recent bereavement). Banks must prove the customer's lack of caution; the default is no excess.
