The PSR's Five-Year Strategy: What It Covers
The Payment Systems Regulator published its five-year strategy for 2024 to 2029 in mid-2024, structured around four objectives: reducing fraud, enabling competition, delivering value for money, and promoting access and inclusion. Each of these objectives has translated into specific regulatory requirements with direct financial implications for CFOs of payment firms.
This article focuses on the two most financially significant elements: the APP fraud reimbursement rules and the implications for competitive positioning of the Variable Recurring Payments roll-out. The interchange fee reviews and access pricing transparency requirements are also covered at a summary level.
APP Fraud Reimbursement: The Financial Modelling Imperative
Authorised push payment fraud, where consumers are tricked into sending money to a fraudster's account, has been the fastest-growing fraud type in the UK payments landscape. The PSR's mandatory reimbursement regime, which took effect from 7 October 2024, fundamentally changes the financial liability structure for payment service providers in three ways.
First, reimbursement is mandatory rather than discretionary. Prior to October 2024, many firms operated a voluntary reimbursement code (the Contingent Reimbursement Model) with inconsistent application. Under the new regime, eligible victims must be reimbursed within 5 business days of a claim being submitted, subject to the firm's fraud and gross negligence defences.
Second, the liability is split 50/50 between the sending PSP and the receiving PSP. This is a significant structural change: previously, all liability fell on the sending firm. The 50/50 split means that firms which receive funds into accounts on their platform bear half the cost of reimbursement claims arising from payments into those accounts, even if their own controls were adequate. This has substantial implications for challenger banks and e-money institutions whose account infrastructure is frequently targeted by fraud rings.
Third, the maximum reimbursement level is £85,000 per claim. This aligns with the FSCS deposit protection limit, which the PSR chose deliberately to create a consistent consumer expectation. Claims above £85,000 can still be pursued through other channels, but the statutory floor is at this level.
Financial Modelling: How to Model APP Fraud Cost
Every PSP that processes Faster Payments transactions must now include an APP fraud reimbursement cost line in its financial model. The model should be built as follows:
Step 1 is to determine your fraud exposure basis. Sending PSPs bear liability on payments originating from their customers' accounts. Receiving PSPs bear liability on funds received into accounts on their platform that are subsequently the subject of a reimbursement claim by the sending firm. A firm that both sends and receives Faster Payments (which includes most account-issuing fintechs) has bilateral exposure.
Step 2 is to estimate APP fraud volumes as a percentage of Faster Payments transaction volume. UK Finance data for 2024 suggests APP fraud cases represent approximately 0.004 to 0.008 per cent of Faster Payments transaction count for a typical retail payment platform, though the rate is highly dependent on customer base and fraud controls. However, because APP fraud losses are highly skewed (a small number of large claims dominate total losses), modelling by transaction count alone understates tail risk. The model should include both a frequency component (number of claims per month) and a severity component (average claim size).
Step 3 is to model the net reimbursement cost: gross claims received, less recoveries from the counterparty PSP (the 50 per cent recovery where the receiving firm is identified), less successful fraud defences applied. UK Finance data suggests that recovery rates through the PSR's reimbursement mechanism average approximately 30 to 40 per cent of gross claims paid, primarily through the 50/50 split recovery from the receiving PSP.
Variable Recurring Payments: Competitive Implications
The PSR has mandated that the six largest UK banks roll out Variable Recurring Payments for sweeping (moving funds between a consumer's own accounts) by a mandated deadline, and the consultation on extending VRP to third-party payment use cases (commercial VRP) is well advanced as of November 2025.
Commercial VRP, when fully implemented, allows regulated third parties to initiate recurring payments from a consumer's bank account with variable amounts and timing, subject to consumer consent. This is operationally more flexible than direct debit (which requires a fixed amount or fixed frequency) and more cost-effective than card-based recurring payments (which carry interchange fees).
For payment firms, the competitive implications depend on which side of the market they occupy. Firms that currently earn interchange revenue from card-based recurring payments (issuers, especially consumer-facing challenger banks) face revenue erosion as merchants and payment orchestration platforms migrate recurring payment flows to commercial VRP. Firms that build or integrate VRP initiation capability gain a lower-cost payment rail that improves their margin on each payment transaction. The net effect on any given firm's P&L depends entirely on the composition of its payment flows.
Interchange Fee Reviews: Issuer Revenue Implications
The PSR's programme of interchange fee reviews covers both domestic card interchange and the cross-border interchange fees applied by Visa and Mastercard on transactions involving EEA-issued cards. These reviews have been a continuing source of revenue pressure for card issuers since Brexit resulted in the removal of EU interchange fee caps from UK-EU transactions.
"The CFO of a payment firm cannot afford to treat the PSR strategy as a compliance matter. The APP fraud reimbursement regime is a new P&L cost line that, for some firms, will represent 1 to 3 per cent of net revenue. Model it, provision for it, and present the sensitivity to your board."
Open Banking Mandate and Bank-Owned Infrastructure
The PSR's open banking requirements, delivered in conjunction with the FCA and CMA, have matured significantly since the original PSD2-derived mandate. The current focus is on the commercial model for open banking: how API access is priced between banks and third-party providers, and how the governance of open banking infrastructure evolves beyond the current Joint Regulatory Oversight Committee framework.
For CFOs of payment firms that rely on open banking data (account information services) or initiation (payment initiation services), the commercial model uncertainty is a material input to the business plan. The risk is that banks, facing declining interchange revenue from the VRP roll-out, seek to recover revenue through API access fees. The JROC has been clear that premium access tiers may be permissible, but the pricing must be proportionate and non-discriminatory. The CFO should model a scenario in which API access costs increase by 20 to 30 per cent over the next two years as the commercial model is established.
Key Takeaways
- The APP fraud mandatory reimbursement regime (effective October 2024) is a new P&L cost line for every UK PSP processing Faster Payments. Model it as: (fraud claim frequency × average claim size × PSP liability share × (1 minus recovery rate)).
- The 50/50 liability split between sending and receiving PSP is a structural change. Receiving PSPs (account issuers whose accounts are used as mule accounts) bear meaningful liability even where their own fraud controls are adequate.
- Stress-test APP fraud costs at 3 times the base rate for one quarter. The tail risk is correlated and can be material: a firm processing £500m of annual Faster Payments volume could face £150,000 to £400,000 of quarterly gross APP fraud cost in a stress scenario.
- Commercial VRP, when fully rolled out, will erode card-based recurring payment interchange revenue for issuers and reduce payment costs for merchants and payment firms using it as a rail. Model the revenue and cost impact specifically for your payment flow mix.
- Open banking API access costs may increase as the commercial model is established. Model a 20 to 30 per cent increase as a downside assumption if your business relies materially on third-party API access to bank account data.
- PSR access pricing transparency requirements mean that payment system access pricing (Faster Payments, CHAPS) must be publicly justified by operators. This is supportive of challengers accessing infrastructure on equivalent terms to incumbents.
