The romance fraud risk paradigm

Pathlight Associates examine the evolving risk landscape for banks and payment service providers (PSPs) as romance fraud reaches epidemic proportions.

By November 2025, the UK financial services sector had operated under the Payment Systems Regulator’s (PSR’s) mandatory reimbursement regime for over a year. While the “reimbursement requirement” has successfully shifted the financial burden of Authorized Push Payment (APP) fraud away from consumers, it has exposed significant operational vulnerabilities within firms.

The 2025 threat landscape

Romance fraud has mutated from a niche social engineering threat into a systemic conduct and prudential risk. Recent City of London Police data from the 2024/25 financial year reveals that UK victims lost over £106m ($141m) to these scams, a 9% year-on-year increase.

Barclays data from Q1 2025 indicates a 20% rise in reports and a continued focus on older demographics. However, the profile of the threat has also shifted somewhat, with a marked increase in male victims (now 60% of reports), for whom the average loss climbs to £19,000 ($25,300).

For risk managers, the “romance” label is increasingly a misnomer; these are sophisticated, multi-stage investment scams (often “pig butchering” schemes) that leverage long-term psychological grooming to bypass traditional anti-money-laundering (AML) and fraud controls.

The reimbursement regime: one year on

The defining regulatory event remains the implementation of the PSR’s mandatory reimbursement requirement on October 7, 2024. This regime fundamentally altered the liability model for APP fraud within the Faster Payments System (FPS) and Clearing House Automated Payment System (CHAPS).

Crucially, following intense industry consultation, the maximum reimbursement limit was set at £85,000 ($112,000), aligned with the Financial Services Compensation Scheme (FSCS) limit, rather than the £415,000 ($554,000) initially proposed. While this reduction mitigated the catastrophic tail risk for smaller payment firms and challengers, it has created a complex “dual-track” complaints environment. With losses in romance fraud frequently exceeding £100,000 ($133,500) – and sometimes reaching millions – victims with losses above the cap are increasingly turning to the Financial Ombudsman Service (FOS) to claim the shortfall, keeping legal and compliance teams at all firms under pressure.

Finally, the 50:50 liability split between sending and receiving PSPs has operationalized the risk of “mule accounts.” Receiving banks are now directly financially liable for half of the fraud losses facilitated by accounts they onboard. This has transformed onboarding from a tick-box AML exercise into a critical profit and loss defense line.

Regulatory expectations: The “missed opportunities”

The FCA continues to scrutinize how firms are meeting these reimbursement obligations. A recent multi-firm review highlighted systemic failings that constitute missed opportunities to prevent harm.

For risk and compliance officers, the FCA’s findings serve as a gap analysis for internal controls:

  • Inadequate monitoring: Firms are failing to aggregate data across payment types. Systems often flag Faster Payments but miss the “warm-up” transactions occurring via cash withdrawals or card payments.
  • The “coach” factor: In 42% of reviewed cases, victims did not disclose the true reason for payment because they had been coached by fraudsters. Standard security scripts are failing against this psychological manipulation.
  • Prudential implications: The Prudential Regulation Authority (PRA) expects firms to hold adequate capital against these reimbursement liabilities. For smaller EMIs and PSPs with high mule activity, the 50:50 liability split poses a genuine solvency risk.

To mitigate these escalating risks, PSP firms should move beyond conventional compliance mitigations to more strategic and behavioral interventions:

  1. Deploy “positive friction”: The payment delays legislation (allowing up to four business days’ delay) must be used aggressively but judiciously to break the “spell” of the fraudster.
  2. Behavioral biometrics: Authentication must shift from validating identity (passwords/devices) to validating intent. AI-driven behavioral analysis can detect the hesitation or “guided” keystrokes typical of a victim under coercion.
  3. Vulnerability calibration: The consumer standard of caution (gross negligence) does not apply to vulnerable customers. Firms must ensure their definition of vulnerability includes the temporary cognitive impairment caused by emotional manipulation.

The defense ecosystem – tech, telcos, and global divergence

The financial sector cannot solve romance fraud in isolation. While banks bear the liability, the crime is engineered on social media, dating apps, and encrypted messaging platforms. Addressing this challenge requires a whole-system response. This section examines the growing regulatory gap between finance and big tech, and how the UK’s approach compares to emerging frameworks in the EU, Australia, and Singapore.

The regulatory asymmetry: Finance vs tech

There is a stark “pacing problem” in UK regulation. Financial firms have been subject to mandatory reimbursement since October 2024. In contrast, the full weight of the Online Safety Act 2023 (OSA), supervised by Ofcom, is still being operationalized.

While the OSA designates fraud as illegal content and imposes duties on platforms to prevent it, the enforcement mechanisms are lagging behind the immediate financial penalties hitting banks. Ofcom has begun enforcing illegal content codes, investigating platforms for non-compliance regarding child safety and terrorism, but the “fraud” component – specifically the proactive detection of romance scams – remains a developing battleground.

For financial services leaders, this asymmetry is critical. Banks are essentially insuring the risk generated by platforms that do not yet face equivalent financial consequences for failing to remove fraudulent profiles. The strategic goal for the financial lobby must be to accelerate the “polluter pays” principle, pushing for online platforms to share the reimbursement liability where the fraud originated on their site.

International divergence: The UK as a test case

The UK’s mandatory 50:50 reimbursement model is globally unique. Comparing it with other jurisdictions highlights the “gold plating” of UK consumer protection and the associated cost of doing business in the UK for PSPs.

Jurisdiction, regulatory approach, and liability model:

United Kingdom
  • Regulatory approach: Mandatory reimbursement
  • Liability model: 50:50 split between sending and receiving PSPs. Broad scope (APP fraud). Claim cap £85,000 ($112,000), no consumer excess.

European Union
  • Regulatory approach: PSD3 / PSR
  • Liability model: Sending PSP has entire liability. Liability is focused on impersonation fraud (spoofing), with no blanket refund for all APP fraud, so typologies such as investment scams and social engineering are not covered. Claim caps and consumer excess are devolved to individual member states. Mandates IBAN and name checks.

Singapore
  • Regulatory approach: Shared Responsibility Framework (SRF)
  • Liability model: Assigns specific duties to FIs and telcos. Full payout required only if duties are breached. Implementation December 2024.

Australia
  • Regulatory approach: Scams Prevention Framework
  • Liability model: Principles-based. Includes banks, telcos, and digital platforms. Fines for non-compliance, but no mandatory reimbursement scheme yet.

The EU’s PSD3 approach is notably more conservative, focusing on technical failures (such as bank impersonation) rather than social engineering. Singapore’s model is perhaps the most equitable, explicitly pulling Telcos into the liability framework if they fail to block malicious SMSs and calls – a model the UK industry should study closely.

The tech arms race: AI as sword and shield

The industrialization of romance fraud is being driven by Generative AI. Fraudsters now use Large Language Models (LLMs) to script personalized and progressive grooming messages in any language and Deepfakes to simulate video calls, overcoming the potential “I can’t meet” red flag.

The regulatory defense must match the sophistication of this attack:

  • Inbound transaction analysis: Receiving banks must use AI to analyze inbound flows for “mule” behavior (such as rapid velocity of funds or dormant accounts suddenly active).
  • Data sharing is non-negotiable: The “single view” of the customer is insufficient. Initiatives like Stop Scams UK and the National Crime Agency’s data-sharing pilots are proving that sharing intelligence on mule accounts is the only way to dismantle the networks.
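As an added illustration of the two monitoring points raised in this article (the FCA’s “inadequate monitoring” finding, where card and cash “warm-up” transactions are missed by systems that only look at Faster Payments, and the receiving-side “mule” indicators of dormant accounts suddenly active with rapid velocity), the example below is not part of the original article. The events, account names, windows and thresholds are constructed assumptions for illustration only.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real data: (account, ISO timestamp, channel, direction, GBP amount).
EVENTS = [
    ("cust-A", "2025-03-01T10:00", "card", "out", 450.0),   # small "warm-up" card payment
    ("cust-A", "2025-03-03T12:30", "cash", "out", 900.0),   # cash withdrawal, a different channel
    ("cust-A", "2025-03-06T09:15", "fps",  "out", 8500.0),  # the Faster Payment a siloed system sees alone
    ("acct-M", "2024-09-01T11:00", "fps",  "in",  20.0),    # last activity before a long dormant spell
    ("acct-M", "2025-03-06T09:16", "fps",  "in",  8500.0),  # dormant account suddenly receives funds
    ("acct-M", "2025-03-06T09:40", "fps",  "out", 8400.0),  # and pushes almost all of it straight out
]

def _rows(events, account):
    rows = [(datetime.fromisoformat(t), ch, d, amt) for a, t, ch, d, amt in events if a == account]
    return sorted(rows)

def sending_side_profile(events, account, window_days=7):
    """Aggregate outbound value across every channel in the window ending at the latest
    FPS payment, so earlier card/cash warm-up transactions count towards the picture."""
    rows = _rows(events, account)
    fps_out = [r for r in rows if r[1] == "fps" and r[2] == "out"]
    if not fps_out:
        return {"escalation": False, "total_out": 0.0, "channels": set()}
    end = fps_out[-1][0]
    window = [r for r in rows if r[2] == "out" and end - timedelta(days=window_days) <= r[0] <= end]
    channels = {r[1] for r in window}
    total = sum(r[3] for r in window)
    # Escalation: outflows via more than one channel, ending in an FPS payment larger than all earlier ones combined
    earlier = sum(r[3] for r in window if r[0] < end)
    return {"escalation": len(channels) > 1 and fps_out[-1][3] > earlier, "total_out": total, "channels": channels}

def receiving_side_indicators(events, account, dormant_days=90, burst_hours=1.0):
    """Receiving-PSP mule heuristics: a long dormant gap before the latest credit, and a
    high share of that credit leaving again within a short burst window (velocity)."""
    rows = _rows(events, account)
    credits = [r for r in rows if r[2] == "in"]
    if len(credits) < 2:
        return {"dormant_then_active": False, "rapid_pass_through": False, "pass_through_ratio": 0.0}
    gaps = [(b[0] - a[0]).days for a, b in zip(rows, rows[1:])]
    dormant = max(gaps) >= dormant_days
    last_in = credits[-1]
    burst_end = last_in[0] + timedelta(hours=burst_hours)
    out_in_burst = sum(r[3] for r in rows if r[2] == "out" and last_in[0] <= r[0] <= burst_end)
    ratio = out_in_burst / last_in[3]
    return {"dormant_then_active": dormant, "rapid_pass_through": ratio >= 0.9, "pass_through_ratio": round(ratio, 3)}
```

In practice the sending-side profile would feed the “positive friction” decision before the payment is released, while the receiving-side indicators would drive a hold on the onboarded account rather than a standalone alert.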

Conclusion: The path forward

For the UK financial sector, the immediate priority is protecting the balance sheet from reimbursement costs through robust “receiving end” controls. However, the long-term strategy must focus on correcting the regulatory imbalance. Until social media platforms and Telcos bear a statutory share of the financial liability – as seen emerging in Singapore – banks will remain the de facto insurers of the internet’s safety failures.

The whole-system approach is currently imbalanced. Redressing this requires not just better technology, but also sustained advocacy to align the incentives of the digital platforms with the financial reality of the fraud they facilitate.

John Higgins is a partner at Pathlight Associates. He is an experienced financial services consultant and advisor working across many areas of regulation, compliance, and reporting (financial accounts and regulatory reporting). John regularly advises boards and senior executives on business critical issues.