You Got Tricked Into Paying. Can You Get Your Money Back? The Global Scam-Reimbursement Divide

When you authorise a scam payment yourself, are banks legally required to refund you? The answer splits sharply by country. A verified, country-by-country comparison of the world's scam-reimbursement laws.
You found the charge on your statement, reported it to your bank, and were told: "You authorized the payment." Three words that, until recently, ended the conversation in almost every country on earth. Yet the payment you authorized was to a fraudster who impersonated your bank, a government official, or a family member in crisis. The law has spent the past decade catching up to this reality, and depending on where you live, the outcome is dramatically different. This guide maps the global split between countries that now require banks to refund victims of authorized push payment (APP) fraud and those that still leave the loss with the person who was deceived.
The legal distinction that decides everything
Before examining what each country's law says, you need to understand the line that regulators draw between two fundamentally different fraud events. The distinction determines whether a refund is automatic, contested, or simply unavailable.
Unauthorized fraud occurs when a criminal takes money from your account without your knowledge or consent. A thief steals your card number and makes purchases. A hacker intercepts your banking session and wires money abroad. You did nothing to initiate or approve the transaction. Almost every country with a consumer protection framework mandates that the bank absorbs this loss, provided you report it within the required timeframe.
Authorized Push Payment (APP) fraud, sometimes called "authorized fraud," is structurally different. You receive a convincing call from someone claiming to be your bank's fraud team. They tell you your account is under attack and instruct you to move your savings to a "safe" account they control. You make the payment yourself, using your own credentials, after what appears to be a legitimate security process. The bank's systems register an authorized customer-initiated transaction. The payment rails record exactly what happened: you sent the money. This is the mechanism behind romance scams, impersonation scams, investment fraud, and purchase scams. Under the original legal frameworks built around unauthorized fraud, the bank had no obligation to refund you, because you were the one who pressed send.
The scale of this category is enormous. The FBI's IC3 2024 Annual Report recorded $16.6 billion in total internet crime losses. Investment fraud alone, the category that includes many APP-style scams, accounted for more than $6.5 billion of that total. Meanwhile, the GASA and Feedzai 2024 Global State of Scams report estimated $1.03 trillion in global consumer scam losses across the year, based on a survey of 58,239 respondents worldwide.
How the protection gap formed
Consumer payment protection law grew up around card fraud and unauthorized account access. In the United States, the Electronic Fund Transfer Act (EFTA) and its implementing regulation, Regulation E, were designed when the dominant risk was a stolen card number or a fraudulent ATM withdrawal. In India, the Reserve Bank of India's customer protection framework addressed forged instructions and compromised credentials. In Europe, successive Payment Services Directives built strong protections for unauthorized transactions while treating a payment you initiated as your own responsibility.
When digital payment rails made it possible to move money in seconds to any account anywhere, criminals adapted their methods. Rather than trying to break into a system, they found it simpler to manipulate the account holder into doing the transaction themselves. Banks, insurers, and regulators were slow to name this as a distinct category of harm. Banking trade bodies in several countries argued, successfully for years, that if you authorized a payment the loss should rest with you, not the institution that processed it.
The UK documented this problem publicly earlier than most. A 2016 super-complaint to the PSR by consumer group Which? named APP fraud as a systemic gap in the regulatory framework. The UK's Financial Conduct Authority and later the Payment Systems Regulator spent years consulting on mandatory remedies before a statutory solution arrived. Other jurisdictions watched that process and drew their own conclusions at different speeds.
The global reimbursement divide: country by country
The table below compares six major economies across the critical variables: the legal basis for unauthorized fraud protection (the baseline all six share), what protection, if any, exists for authorized push payment fraud, and whether that protection is currently active law or a proposal.
| Country | Unauthorized fraud baseline | APP / Authorized fraud coverage | Max reimbursement (APP) | Status |
|---|---|---|---|---|
| United Kingdom | Payment Services Regulations 2017; FCA rules. Bank covers unauthorized transactions. | PSR mandatory reimbursement requirement (PSRs amended): sending and receiving PSPs split cost equally. Applies to Faster Payments and CHAPS. | £85,000 per claim | Active from 7 October 2024 |
| United States | EFTA / Regulation E. Bank covers unauthorized electronic fund transfers. | No federal statutory APP mandate. Voluntary bank policies vary. CFPB lawsuit against Zelle dropped March 2025. | None (federal level) | No federal mandate; voluntary only |
| European Union | PSD2 (Directive 2015/2366): full refund for unauthorized payment transactions, refund within one business day. | PSD3/PSR package: PSP liable where it failed to implement required fraud-prevention measures; VoP check mandatory before transfers. | To be set in national transposition; PSP bears loss for own fraud-prevention failures | Political agreement 27 November 2025; VoP mandatory from 9 October 2025 (euro area). PSD3 not yet formally adopted. |
| Singapore | E-Payments User Protection Guidelines (revised): full restitution for unauthorized transactions if victim reports promptly. | Shared Responsibility Framework (SRF): "waterfall" of duties across banks and telcos. Covers phishing-type scams only, not all APP fraud. | Full loss covered where FI or telco breached its duty | Active from 16 December 2024 |
| Australia | ePayments Code (ASIC): bank absorbs losses for unauthorized transactions meeting code criteria. | Scams Prevention Framework Act 2025: banks, telcos and digital platforms must take "reasonable steps" to prevent, detect, disrupt and report scams. Private right of action available. | Civil penalties up to A$50 million per contravention for failing entities; individual redress via AFCA | Act commenced 21 February 2025; sector-specific codes targeting 1 July 2026 |
| India | RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18: zero customer liability if unauthorized fraud reported within 3 working days; limited liability (Rs 5,000 to Rs 25,000 depending on account type) if reported within 4 to 7 days. | No statutory APP fraud reimbursement mandate. 1930 helpline enables administrative lien on destination accounts. RBI draft proposal (March 2026) under consultation. | No statutory cap; draft proposal suggests 85% of net loss up to Rs 25,000 (one-time, APP losses below Rs 50,000) | Unauthorized fraud: Active. APP fraud: Draft proposal only as of June 2026. |
The United Kingdom: a mandatory reimbursement model
The UK arrived at mandatory APP fraud reimbursement through a decade of incremental pressure. The voluntary Contingent Reimbursement Model (CRM) code, which came into force in May 2019, proved inconsistent. Parliament then directed the PSR, under section 72 of the Financial Services and Markets Act 2023, which amended the Payment Services Regulations 2017, to make reimbursement a regulatory requirement. The rules came into force on 7 October 2024, embedded in a revised version of the Payment Services Regulations.
The PSR's final policy sets the reimbursement cap at £85,000 per claim, aligned with the Financial Services Compensation Scheme limit. The PSR had originally proposed a higher cap of £415,000, but confirmed the £85,000 figure on 25 September 2024, eleven days before the rules went live. The regulator noted that 99.8% of APP fraud cases by volume and 90% by value fall within this lower cap, so most victims remain fully protected.
The cost is divided equally between the sending payment service provider (PSP) and the receiving PSP. Both institutions therefore have a financial incentive to prevent fraud at their end. A PSP that consistently receives fraudulent inbound transfers faces costs proportional to that failure. The rules apply to payments made through the Faster Payments scheme and CHAPS on or after 7 October 2024.
The claim window is 13 months from the date of the payment. PSPs are expected to process claims within five business days. Sending PSPs may apply an excess of up to £100 per claim, except for claims from vulnerable consumers, who cannot have the excess applied.
One consumer-facing exception matters: the "consumer standard of caution." Where a victim failed to take reasonable care in one of four specific areas (paying attention to PSP-issued warnings, reporting the fraud promptly, responding to information requests from the PSP, or reporting to the police when asked), the PSP can argue gross negligence and reduce or reject the claim. The standard requires "a significant degree of carelessness," not merely any failure of attention, meaning casual mistakes will not ordinarily defeat a claim. Vulnerable consumers are excluded from this exception entirely.
Early results are striking. The PSR's data covering the first full year of the scheme (7 October 2024 to 30 September 2025) showed that 88% of in-scope money lost to APP fraud was returned to victims, with 84% of claims resolved within the five-business-day target. The PSR's reimbursement dashboard recorded £173 million returned to APP fraud victims over those twelve months. In the scheme's first three months alone, 60 firms had received claims, compared with around ten under the old voluntary code.
Singapore and Australia: duty-based frameworks
Singapore took a different structural route. Rather than placing the refund obligation squarely on the bank, the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) introduced a Shared Responsibility Framework (SRF), effective 16 December 2024, that assigns duties across the payment chain using a "waterfall" structure.
Financial institutions (FIs) must maintain specific controls: a 12-hour cooling-off period when a digital security token is activated or login occurs on a new device, real-time notification alerts for high-risk account activity, and real-time fraud surveillance capable of blocking or holding suspicious outbound transfers for up to 24 hours while the FI contacts the customer. Telecom operators must enforce the SMS Sender ID Registry and anti-scam SMS filters, which the IMDA reports have blocked over 20 million fraudulent messages since 2023.
Where a fraud loss occurred because an FI or telco breached one of its assigned duties, that entity bears the loss. Where both the FI and telco fulfilled their duties and the victim was simply deceived, the loss remains with the victim. A critical limitation: the SRF currently applies only to phishing-type scams (where the criminal intercepts a communication channel or impersonates a trusted institution) and does not cover the full spectrum of APP fraud, including investment scams and romance fraud where the victim willingly transacts over an extended period.
Australia passed the Scams Prevention Framework Act 2025, which received parliamentary approval on 13 February 2025 and commenced on 21 February 2025. The legislation amends the Competition and Consumer Act 2010 and imposes a prevention-first obligation: banks, telecommunications providers, and designated digital platforms must each take "reasonable steps to prevent, detect, disrupt, respond to, and report scams." This is a duty-of-care model rather than a strict liability refund model.
The penalties are substantial: civil penalties of up to A$50 million per contravention, enforceable by multiple regulators including the ACCC and ASIC. Victims also gain a private right of action for damages where an entity breached its scam-prevention duty. Mandatory sector-specific codes of conduct, which will set the granular standards for each industry, are targeted to take effect from 1 July 2026 for the banking, telecommunications, and digital platform sectors. Australia's combined scam losses fell by almost 26% in 2024, to A$2.03 billion across multiple reporting agencies, a trend regulators attribute partly to industry disruption efforts ahead of the new legislation.
The United States: an unresolved gap
The United States provides the clearest illustration of the APP fraud protection gap. The Electronic Fund Transfer Act (EFTA) and its implementing Regulation E require banks to investigate and reimburse customers for unauthorized electronic fund transfers. The key word is "unauthorized." A transfer you instructed, regardless of how you came to instruct it, falls outside Regulation E's coverage under current regulatory interpretation.
Zelle, operated by Early Warning Services (a consortium owned by seven major banks including Bank of America, JPMorgan Chase, and Wells Fargo), became the focal point of this debate. Because Zelle transfers are real-time, free, and irreversible, they are frequently exploited in APP fraud. In December 2024, the CFPB under the Biden administration filed suit against Early Warning Services and three of its owner banks, alleging the companies had failed to adequately protect customers from fraud. The complaint cited more than $870 million in Zelle losses suffered by customers of those three banks over the seven years the platform had been active.
In March 2025, the Trump administration's CFPB dismissed the lawsuit with prejudice, meaning the agency cannot refile the same case. The result is that no federal law currently requires US banks to reimburse victims of APP fraud conducted through Zelle or any other payment platform. Reimbursement depends entirely on the individual bank's voluntary policy, which varies significantly. State-level proposals exist in several jurisdictions but have not yet resulted in enacted law that matches the UK's model.
The European Union: verification before reimbursement
The EU's approach operates on two tracks running in parallel. The first is already live. Under the Instant Payments Regulation (EU) 2024/886, payment service providers in euro-area member states were required to offer a Verification of Payee (VoP) service from 9 October 2025. Before executing a credit transfer, the PSP must check that the payee name the payer has entered matches the IBAN. If there is a mismatch, the PSP must alert the payer and may refuse the payment. Non-euro-area PSPs have until 9 July 2027 to comply. The European Payments Council's VoP scheme rulebook entered into force on 5 October 2025.
VoP is a preventive tool, not a reimbursement mechanism. It catches payments where the destination account name does not match the IBAN the payer was given. This covers a meaningful portion of APP fraud, particularly impersonation scams where a criminal provides a false IBAN paired with a false name. It does not, however, protect against scams where the criminal controls both the name and the IBAN (for example, romance scams where the victim builds a relationship before transferring to an account the criminal has opened legitimately).
The second track is the PSD3/PSR legislative package. On 27 November 2025, the European Parliament and the Council of the EU reached provisional political agreement on the new Payment Services Directive 3 (PSD3) and an accompanying Payment Services Regulation (PSR). The package includes a provision making PSPs liable for covering customer losses where the PSP failed to implement appropriate fraud-prevention mechanisms. This is not blanket APP fraud coverage, but it creates liability for institutional failures in fraud prevention. The formal adoption and transposition process means these provisions are not yet in force as of mid-2026.
India: administrative speed and a draft proposal
India's framework for unauthorized fraud rests on RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18, issued on 6 July 2017. The circular establishes a tiered customer liability structure based on how quickly a victim reports an unauthorized electronic banking transaction. If the fraud is reported within three working days, the customer bears zero liability and the bank must credit the amount within ten working days. Reports made four to seven days after the event carry limited liability of between Rs 5,000 and Rs 25,000 depending on account type. Reports made after seven working days are handled under each bank's board-approved policy.
This framework, however, covers only unauthorized transactions. India has no statutory law that mandates reimbursement for APP fraud, where the account holder authorized the payment under social engineering. The primary administrative response is the Indian Cyber Crime Coordination Centre (I4C) and its national helpline, 1930. When a victim calls 1930, trained operators register the complaint on the Crime and Financial Cyber Frauds Reporting and Management System (CFCFRMS) and issue a lien request to the beneficiary bank. The beneficiary bank places a temporary hold on funds still in the recipient account for up to seven working days. If the money has already moved to a secondary mule account, the lien can follow the trail, but only if the initial hold was placed before the second transfer cleared. Time is the controlling variable: calls placed within minutes of a transfer significantly improve recovery odds.
The scale of the problem is growing sharply. Cybercrime complaints registered on India's National Cyber Crime Reporting Portal rose from about 2.6 lakh in 2021 to roughly 28 lakh in 2025, with reported financial losses climbing from Rs 551 crore to around Rs 22,495 crore over the same period (these are all-category cybercrime figures, not payment fraud alone, but a large share involves financial fraud).
In March 2026, the Reserve Bank of India released a draft framework for digital fraud compensation that, if finalized, would represent the first partial APP fraud protection in India. The draft proposes that victims of digital fraud involving gross losses up to Rs 50,000 receive 85% of the net loss or Rs 25,000, whichever is lower. The RBI would fund 65% of the compensation from the Depositor Education and Awareness (DEA) Fund, with the remainder split between the sending and receiving banks. The benefit would be available only once per customer lifetime, and timely reporting (within five days) would remain a condition. Public consultation closed in April 2026, with a possible effective date of 1 July 2026 if the proposal is finalized in its current form. As of June 2026, it remains a draft.
Where this is heading
The global pattern is one of convergence toward mandatory frameworks, but at very different speeds and with different models. The UK has demonstrated that a mandatory split-liability rule can produce rapid improvement in reimbursement rates without eliminating all victim responsibility. Australia has bet on a prevention-first duty-of-care model that makes the sector-wide obligation clear but defers the granular standards to codes not yet in force. Singapore has built a narrow, duty-based waterfall that creates precise accountability for specific failures. The EU is layering prevention technology (VoP) ahead of the broader legislative package. The United States, after the CFPB action was withdrawn, has no federal momentum toward mandatory APP fraud coverage as of mid-2026. India is testing a limited, partial, one-time compensation mechanism that sits well below the statutory frameworks elsewhere.
Technology is also a factor. Banks in several markets are deploying AI-based transaction monitoring that can pause a transfer if behavioral signals suggest the customer is acting under duress or at the instruction of a third party. In the UK, the Payment Services (Amendment) Regulations 2024 came into force on 30 October 2024, and the FCA's finalised guidance FG24/6 (published 22 November 2024) lets PSPs delay a payment for up to four business days where there is reasonable suspicion of fraud, giving investigators time to intervene. Regulators in several markets, including India, have floated short cooling-off delays on first-time or high-value digital payments for the same reason. These tools address the problem at the point of initiation rather than after the fact.
The common thread in every jurisdiction that has moved toward mandatory protection is that the financial institution's countermeasures, not just the victim's behaviour, have become part of the liability calculation. The question regulators are answering, in different ways, is: what fraud-prevention measures should a reasonable bank have had in place, and who should pay when those measures were absent?
How to maximize your chance of a refund
- Act within minutes, not hours. The single most important variable in every country's system is reporting speed. In India, the 1930 helpline needs to place a lien on the destination account before funds move on. In the UK, calling your bank's fraud line immediately is required to meet the "prompt notification" element of the consumer standard of caution. In Singapore, the SRF's protections depend on whether the FI's real-time surveillance was operational and whether you reported the fraud quickly. Speed preserves evidence, freezes accounts, and is often a legal condition for eligibility.
- Document everything before contacting the bank. Screenshot the fraudulent message, call log, email, or social media interaction. Note the exact amount, the time, the account details you were given, and any reference numbers. This evidence supports your claim and is required when filing a police report. Banks and regulators have the right to request it and may treat an unexplained gap in documentation as a red flag.
- File a written claim with your bank's fraud team, not the general customer service line. Ask specifically for your bank's "authorised push payment fraud" team in the UK, or the fraud disputes team elsewhere. Get a reference number and a named contact. Written evidence of your claim date matters if your case reaches an ombudsman or regulator later.
- File a police report immediately. In the UK, PSPs may ask you to report the fraud to the police under the reimbursement rules, and refusing without good reason can affect your claim. A police report is also necessary evidence for IC3 (US), cybercrime.gov.in (India), and the Singapore Police Force's anti-scam reporting portal. A crime reference number demonstrates you treated the event with appropriate seriousness.
- Escalate to the ombudsman or regulator if the bank rejects your claim. In the UK, the Financial Ombudsman Service has jurisdiction over APP fraud claims rejected by banks. In Australia, AFCA (Australian Financial Complaints Authority) handles disputes involving SPF obligations. In India, escalate to the RBI Banking Ombudsman at cms.rbi.org.in after exhausting the bank's internal process. In Singapore, escalate to MAS via their consumer complaint portal. In the US, file with the CFPB (consumerfinance.gov/complaint) and the FTC (reportfraud.ftc.gov).
- Check whether a card payment is involved, separately. If any part of the transaction used a credit card, the rules change significantly. In the UK, Section 75 of the Consumer Credit Act 1974 gives you a claim against the card issuer for purchases between £100 and £30,000 where the supplier misrepresented the goods or services. In the US, chargeback rights under Regulation Z (for credit cards) are broader than Regulation E. In Australia, the card scheme chargeback rules operate independently of the SPF. These are parallel remedies worth checking before giving up on a recovery.
- Know the time limits. UK PSR: 13 months from the payment. RBI unauthorized framework: 3 working days for zero liability. Singapore SRF: report to the FI without delay. Australia AFCA: generally within six years of the event. US IC3: no formal limit but recovery odds fall sharply within the first 72 hours. Delay makes every system harder to use.
How and where to report by country
| Country | Primary fraud reporting channel | Regulator / Ombudsman escalation |
|---|---|---|
| India | Call 1930 immediately (24x7). File online at cybercrime.gov.in. File FIR at nearest police station. | RBI Banking Ombudsman: cms.rbi.org.in |
| United Kingdom | Call your bank's fraud line immediately. Report to Action Fraud: 0300 123 2040 or actionfraud.police.uk | Financial Ombudsman Service: financial-ombudsman.org.uk |
| United States | File with FBI IC3: ic3.gov. File with FTC: reportfraud.ftc.gov. Contact your bank's fraud department. | CFPB complaint portal: consumerfinance.gov/complaint |
| Singapore | Anti-Scam Helpline: 1800-722-6688 (24x7). Report online at police.gov.sg/I-witness. Call 999 for ongoing emergency. | MAS consumer complaint: mas.gov.sg/complaints |
| Australia | Report to Scamwatch: scamwatch.gov.au. Report cybercrime to ReportCyber: cyber.gov.au/report. Contact your bank. | Australian Financial Complaints Authority (AFCA): afca.org.au, 1800 931 678 |
| European Union | Contact your bank's fraud team immediately. File a police report with your national authority. Report to your national financial regulator. | Varies by member state; EBA maintains a register of national competent authorities. |
Watch: how impersonation scams trick you into paying
Almost all authorized push payment fraud begins with impersonation: a call or message that appears to come from your bank, a government office, a delivery company, or someone you trust, engineered to make you move money yourself. This short explainer from the United States Federal Trade Commission walks through how that manipulation works.
Frequently asked questions
My bank says I authorized the payment. Does that automatically end my claim in the UK?
No. The PSR's mandatory reimbursement rules, active from 7 October 2024, specifically address payments you authorized while being deceived. The bank must assess your claim against the consumer standard of caution (prompt reporting, attention to warnings, police cooperation, and responding to requests for information). Only gross negligence in one of these areas allows the bank to reduce or reject the claim. A refusal should be escalated to the Financial Ombudsman Service.
What does Singapore's SRF cover and what does it not cover?
The SRF covers phishing-type scams: cases where a criminal hijacks a legitimate communication channel, typically SMS, to intercept a victim's banking credentials or trick them into a fraudulent transaction. It does not currently cover investment scams, romance scams, or job scams where the victim is gradually convinced over time to transfer money voluntarily. MAS and IMDA have indicated they will review the SRF's scope after the initial implementation phase.
Can I do anything if I was defrauded via Zelle in the US?
Federal law (Regulation E) does not require your bank to refund an authorized Zelle transfer made under fraudulent pretenses. The CFPB lawsuit that sought to expand liability was dropped in March 2025. Your options are: (1) ask your bank whether its voluntary policy covers your situation, as some banks have begun offering partial reimbursement; (2) file with the IC3 and FTC to create a record; (3) if the scam involved a false product or service represented in writing, explore whether any credit card element creates a chargeback claim; (4) monitor your state legislature for emerging consumer protection proposals.
India's RBI proposal sounds good. Is it law yet?
As of June 2026, the draft framework released in March 2026 is not finalized law. It is a consultation document. Even if finalized on the proposed 1 July 2026 timeline, it covers only losses up to Rs 50,000, reimburses at most 85% of the net loss or Rs 25,000 (whichever is lower), and is a one-time lifetime benefit. It does not create the continuous, uncapped reimbursement obligation the UK PSR rules provide. The 1930 helpline and immediate lien mechanism remain the most effective tools available to Indian victims right now.
Does the EU's Verification of Payee system mean I'm protected from APP fraud in Europe?
VoP significantly reduces the risk of misdirected payments and impersonation attacks that involve a false IBAN. If the name you enter does not match the account, your PSP must warn you before the transfer proceeds. However, VoP does not protect you if you are deceived by a criminal who controls a legitimately opened account, or in long-running confidence scams where you trust the criminal and transfer to their real account. VoP is a preventive layer, not a reimbursement right. The broader liability provisions under the PSD3/PSR package are still going through the legislative process.
Sources
- FBI Internet Crime Complaint Center (IC3), 2024 Annual Report (2025)
- Feedzai & GASA, Global State of Scams Report 2024: over US$1 trillion lost to scams
- UK Finance, Annual Fraud Report 2025 press release (covering 2024 data)
- UK Finance, Annual Fraud Report 2025 (full report)
- Payment Systems Regulator, APP Scams Reimbursement requirement overview
- Fox Williams, The UK's APP fraud mandatory reimbursement framework (7 October 2024)
- Freshfields, Authorised Push Payment fraud: a new mandatory reimbursement regime for UK PSPs (September 2024)
- Hogan Lovells, APP fraud mandatory reimbursement: UK PSR publishes final policy (2024)
- Payment Systems Regulator, One year on: the impact of APP reimbursement on victims (2025)
- Payment Systems Regulator, APP Scams Reimbursement Dashboard
- Financial Conduct Authority, FG24/6: guidance enabling a risk-based approach to payments (November 2024)
- MAS and IMDA, Announcement of Shared Responsibility Framework from 16 December 2024
- Monetary Authority of Singapore, Guidelines on Shared Responsibility Framework
- IMDA, Implementation of Shared Responsibility Framework (press release, 2024)
- Jones Day, Australia Passes Landmark Scam Prevention Legislation (March 2025)
- Gilbert + Tobin, The Scams Prevention Framework legislation passes Parliament (2025)
- Scamwatch / National Anti-Scam Centre, Australians better protected as scam losses fell by almost 26% (2025)
- NPR, The CFPB drops its case against payment app Zelle (March 2025)
- American Banker, CFPB dismisses lawsuit against Zelle and three big banks (2025)
- European Parliament, Payment services deal: more protection from online fraud and hidden fees (November 2025)
- European Central Bank, Instant Payments Regulation overview
- Taylor Wessing, Instant Payments Regulation: Verification of Payee (VOP) requirements start to apply (October 2025)
- Reserve Bank of India, Circular DBR.No.Leg.BC.78/09.07.005/2017-18: Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (July 2017)
- Press Information Bureau (Government of India), Curbing Cyber Frauds in Digital India (October 2025)
- The Print, RBI is going out of its way to compensate fraud victims. It doesn't have the mandate (2026)
- The420.in, RBI Proposes Compensation Plan For Victims Of Digital Fraud (2026)
- Business Standard, Draft digital fraud compensation norm: payout one-time, vigilance still key (2026)
- Singapore Police Force, Annual Scams and Cybercrime Brief 2024 (February 2025)
- European Banking Authority, National Competent Authorities for Consumer Protection
- Payment Systems Regulator, The Contingent Reimbursement Model (CRM) Code
- Payment Systems Regulator, Super-complaint from Which? on payment scams (2016)
- US Federal Trade Commission, Let's Talk About How Impersonation Scams Work (video)