What You Need to Know About Fraud Liability in 2025
Over the past year, significant changes have reshaped the landscape of fraud liability. What drove these shifts, and what developments should we anticipate in fraud liability for 2025?
The online fraud protection landscape is evolving rapidly. Fraudsters are shifting their focus to scams and leveraging artificial intelligence to develop new tactics. At the same time, banks are investing in advanced fraud detection technologies, while regulators are stepping up, increasingly requiring banks to bear greater financial responsibility for fraud losses.
The latter has had profound implications for the financial landscape. However, 2024 also brought other major changes and milestones. Let’s take a closer look.
New APP fraud compensation rules in the UK
The UK is undoubtedly setting a new standard in compensation policy. On 7 October, long-anticipated rules came into effect, requiring banks to compensate victims of APP fraud up to £85,000 per case (though individual banks and PSPs may choose to reimburse more). Victims—including individuals, microenterprises, and charities—who have not acted with gross negligence must be compensated within five business days of filing their claim.
However, the new rules come with a few “buts.” For one, consumers are not fully informed about them. A survey of 2,000 UK adults found that fewer than three in ten (29%) are aware of the new regulations.
Another potential issue is the optional £100 excess that firms can apply to a claim (though it cannot be imposed on vulnerable consumers). This means victims who lose £100 or less to fraud may not receive any compensation. At the same time, a recent study by the Payment Systems Regulator (PSR) found that purchase scams under £200 are the most common type of fraud affecting UK citizens. The same study revealed that compensation is the top priority for Brits, with 67% stating that reimbursement was their main concern after falling victim to APP scams.
Still, the rules are significantly easing the burden on APP fraud victims in the UK, who lost £213.7 million in the first half of 2024 alone.
While compensation is a positive step for customers, UK institutions recognize the importance of preventing fraud rather than solely reimbursing victims. One such initiative is the expansion of the Confirmation of Payee, a name-checking service operated by Pay.UK. This expansion is expected to boost daily check volumes by 7%, adding to the 2.1 million checks already performed each day.
Another important development is Scam Signal, a collaborative framework between the UK’s leading mobile network operators and banks. This API-based solution enables banks to better detect and prevent fraudulent transfers by analyzing real-time network data and identifying patterns that link phone calls to fraudulent transactions.
Banks are facing increased scrutiny in the US
Existing laws in the United States do not explicitly require banks to reimburse customers for transactions authorized under fraudulent inducement. While no new regulations have been introduced yet, liability for fraud is becoming an increasingly pressing issue. According to John Breyault, who manages the National Consumers League’s Fraud Center, the UK’s fraud reimbursement process could influence future changes to US banking laws.
The first indication of this shift was the introduction of compensation for victims of impersonation scams by the peer-to-peer payment platform Zelle, following pressure from lawmakers in 2023. However, as it turned out, this compensation is far from universally accessible.
An investigation by the Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations, released in July 2024, revealed that only 12% of consumers were reimbursed for Zelle payments disputed as scams last year. Additionally, reimbursements from three banks for disputed transactions on the app dropped significantly—from 62% in 2019 to 38% in 2023. The investigation also found that these banks collectively rejected $560 million worth of scam disputes between 2021 and 2023.
As a result, the Consumer Financial Protection Bureau initiated an investigation into JPMorgan Chase, Bank of America, and Wells Fargo, all of which are part owners of Zelle.
Protecting Consumers from Payment Scams Act: The first step toward change
In August 2024, three Democratic senators introduced the Protecting Consumers from Payment Scams Act. The bill aims to amend the 1978 Electronic Fund Transfer Act, requiring financial institutions to take on more responsibility when consumers fall victim to scams.
A proposed amendment to the law would require banks to share financial liability for “fraudulently induced” transfers, such as those resulting from phishing or social engineering, addressing loopholes in the current law, which only covers unauthorized fraud.
The proposed legislation would apply to all peer-to-peer payment platforms. However, recent hearings and reports have primarily focused on Zelle, the largest player in this rapidly growing sector.
Although the proposed law has already met opposition from banks and its legislative path is likely to be challenging, it is evident that the tide is beginning to turn in the United States. Whether the liability changes come sooner or later, banks will be driven to invest in advanced fraud detection systems (such as behavioral intelligence) to minimize compensation costs. The urgency is clear, as the problem of scams continues to grow: Nearly one in three Americans fell victim to a scam in the past year, with an average loss of $1,600 per person, according to a study by IPX, a financial analysis firm.
The European Union and the road to PSD3
The highly anticipated PSD3 is set to bring significant changes in fraud liability within the European Union. While the Commission’s original proposal, published in June 2023, limited compensation to bank impersonation fraud (provided it was sufficiently convincing and involved spoofing), the European Parliament has gone a step further in addressing liability.
The European Parliament’s amendment broadens the right to compensation, extending it to impersonation of any relevant public or private entity, not just banks or PSPs. The reimbursement obligation applies when the fraudster unlawfully uses the name, email address, or telephone number associated with such an entity, and this manipulation results in subsequent fraudulent authorized payment transactions (APTs).
Additionally, the European Parliament has proposed a “shared liability model” under Article 59 of the PSR. This model extends liability for impersonation fraud beyond Payment Service Providers (PSPs) to include Electronic Communications Service Providers (ECSPs) and online platforms. This broad definition encompasses e-commerce businesses, telecoms, social media firms, and more. Under this model, ECSPs may be held liable and required to reimburse the PSP for the amount of a fraudulent authorized payment transaction (APT) if they fail to remove fraudulent content from their platform.
Critics argue that, unlike banks and PSPs, ECSPs and online platforms have minimal control over financial transactions. This has raised concerns about the proposal’s proportionality, compliance costs, and legal ambiguities. Additionally, critics warn that it could inadvertently reduce consumer caution and weaken PSPs’ fraud prevention efforts.
Singapore’s effort to mitigate phishing damage
In response to recent phishing waves, Singapore has also stepped up efforts to protect consumers. On 24 October 2024, the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) announced the implementation of the Shared Responsibility Framework (SRF) for phishing scams.
Starting 16 December 2024, financial institutions and telecommunications providers must adhere to specific guidelines to avoid financial liability for phishing scams. For financial institutions, these responsibilities include:
- imposing a 12-hour cooling-off period after the activation of a digital security token, during which “high-risk” activities cannot be performed,
- providing real-time notifications to alert customers to potentially unauthorized high-risk activities, and sending outgoing transaction notifications,
- maintaining a 24/7 reporting channel and self-service feature (kill switch) to report and block unauthorized access to accounts,
- and implementing real-time fraud surveillance to detect unauthorized transactions resulting from phishing scams.
However, banks have a bit more time to roll out fraud surveillance, with the requirement kicking in on 16 June 2025.
The responsibilities of telecommunications providers include connecting only with authorized aggregators for delivering Sender ID SMSs, blocking Sender ID SMSs not originating from authorized aggregators, and implementing an anti-scam filter for all SMS traffic passing through their network.
The SRF applies only to unauthorized payment transactions where a consumer is deceived into clicking on a phishing link and entering their credentials on a fake digital platform. Additionally, the impersonated entities must either be based in Singapore or overseas entities offering services to Singapore residents. This excludes authorized push payment scams, such as investment and romance scams, as well as malware-enabled scams, which do not qualify for reimbursement. On a positive note for phishing scam victims, the new rules do not impose a liability cap on losses.
What to expect in 2025?
More big changes in fraud liability are on the horizon for 2025. The final version of PSD3, set to reshape the financial and fraud prevention landscape across Europe, is expected to be formally adopted this year. Meanwhile, the United States may see further legal developments aimed at addressing fraud liability, potentially influencing global trends. Additionally, other countries will likely follow suit, adopting measures that reflect the growing emphasis on accountability and consumer protection in combating fraud.