BioCatch blog channel

Browse topics

Will others follow Nigeria’s evolving approach to APP fraud?

Written by:

Jonathan Frost

Will others follow Nigeria’s evolving approach to APP fraud? featured image

During the decade or so I spent working in law enforcement, we often disagreed with banks over how to define fraud. From a policing perspective, any act of deception that caused someone to lose money was treated as fraud. Banks, however, applied a narrower definition, typically reserving the term for cases where they themselves took the loss. When customers were deceived into sending money, banks labeled those cases as “scams,” arguing that the payments were authorized.

That was many years ago. Since then, a lot has changed, and not just in one market. The U.K. has taken the lead in addressing the harm from authorized push payment fraud (APP), regardless of customer involvement. Now Nigeria is stepping forward as well.

In November 2025, the Central Bank of Nigeria (CBN) issued draft guidelines that frame APP fraud not just as misconduct but as a systemic risk to economic security and public confidence.

At the center of this shift is a growing recognition of the role social engineering plays in many of these crimes. It also raises a broader question: Who should bear responsibility for APP fraud: banks, customers, or both?

Below, I compare Nigeria’s proposal with the U.K.’s reimbursement regime, highlighting two approaches that are beginning to converge in practice but remain philosophically distinct. One prioritizes clear rules for consumer reimbursement. The other emphasizes shared responsibility, prevention, and supervisory oversight.

The distinction matters as fraud losses continue to rise globally, regulators face growing pressure to define accountability, and jurisdictions increasingly search for models that work.

The legal and regulatory approach

The contrast between these two approaches begins with their structures, reflecting different views on how responsibility for fraud should be allocated.

In the U.K., the framework is anchored in the Financial Services and Markets Act, which empowers the Payment Systems Regulator to mandate reimbursement for authorized push payment fraud. The rules apply to payments made through Faster Payments and CHAPS, the country’s high-value, time-critical system.

The U.K. model rests on three core elements:

  1. Reimbursement is the default.
  2. Liability is split evenly between sending and receiving payment service providers.
  3. Consumers are protected if they meet a defined standard of caution.

Together, these provisions formalize earlier voluntary arrangements and mark a significant shift in how liability is allocated.

Nigeria’s approach starts from a different premise, with the Central Bank using its authority under the CBN Act and the Banks and Other Financial Institutions Act to embed reimbursement within a broader governance framework.

The Nigerian model centers on:

  • Board-level oversight
  • Data sharing through an early warning system (EWS) platform
  • Red-flagging and strengthened monitoring
  • Joint investigations between sending and receiving financial institutions
  • Escalation to the central bank when liability is disputed

The U.K. makes reimbursement the default. Nigeria treats it as the outcome of governance and investigation.

Scope and coverage

The U.K. framework applies to Faster Payments and CHAPS and covers consumers, microenterprises, and charities. Liability sits with the institution that holds the customer account, rather than the one providing system access. As a result, firms with indirect access to Faster Payments are not responsible for failures in their customers’ controls.

In practice, the model captures most domestic payments, while cross-border transactions fall outside its scope.

Nigeria’s proposal is broader and is less prescriptive on reimbursement limits. It applies to all CBN-regulated institutions and channels, including mobile and internet banking, unstructured supplementary service data (USSD), and payment gateways, and extends to banks, other financial institutions, payment service providers, and mobile money operators.

Reimbursement and liability allocation

We find further divergence between the two models continues in how reimbursement works in practice.

In the U.K., where reimbursement is the default, PSPs must reimburse within five business days, subject to limited exceptions. Liability is split evenly, and firms may apply an excess to filter out low-value claims. In practice, the “consumer standard of caution” is rarely used to deny claims.

This approach aligns incentives across the ecosystem by placing financial responsibility on both sending and receiving PSPs when fraud occurs. As a result, firms are pushed to improve onboarding, detect mule accounts, and strengthen transaction monitoring. Confirmation of payee is also required across Faster Payments.

Nigeria takes a more conditional approach, requiring customers to report fraud within 72 hours (with 24 hours as the expected standard) and to demonstrate both a lack of negligence and deficiencies in institutional controls.

Claims are investigated within 14 working days. If upheld, reimbursement is issued within 48 hours. Claims may be denied where reporting is delayed without justification, customer negligence is established, or controls are deemed sufficient.

These differences carry through to how liability is allocated.

In the U.K., liability is split evenly between sending and receiving PSPs, addressing a long-standing imbalance in accountability. The model pushes both sides to monitor transactions and detect suspicious activity.

Nigeria assigns liability based on fault. Institutions with inadequate controls bear the loss. If neither is at fault, costs are shared. Joint investigations are required, with escalation to the central bank for unresolved disputes. This sharpens accountability but may also lead to more disputes over fault.

Governance and accountability

The models also diverge in their approach to governance and accountability. Nigeria places governance at the center of its framework, with explicit requirements for board oversight, risk and audit committee involvement, system testing, fraud analytics, and regulatory reporting.

The U.K., by contrast, focuses on outcomes, tracking APP fraud sent, received, and reimbursed, while relying on existing supervisory structures for governance.

These approaches reflect different mechanisms for driving behavior. The U.K. relies on financial incentives, while Nigeria embeds APP fraud within formal risk governance.

This distinction extends to prevention and detection. Nigeria mandates structured controls, including red-flagging, behavioral monitoring, and regular testing of detection systems.

The U.K. expects firms to maintain strong controls but enforces this indirectly through reimbursement: If fraud occurs, firms bear the financial cost, creating an incentive to improve controls. Nigeria, by contrast, requires firms to demonstrate the effectiveness of those controls upfront through governance, monitoring and oversight.

Consumer standards

A final point of divergence is how each model defines customer responsibility. The U.K. applies a narrow standard of customer responsibility, rarely used to deny claims.

Nigeria applies broader conditions, requiring timely reporting, lack of negligence, and no reasonable cause to suspect fraud. The stricter reporting window may reduce successful claims if applied rigidly.

Both frameworks recognize vulnerability and require additional protections for at-risk customers.

Market impact and strategic implications

The U.K.’s reimbursement rules are already reshaping market behavior by shifting the cost of fraud onto the payment’s ecosystem. Banks have added friction to outbound payments, while receiving PSPs face greater scrutiny. By splitting liability, the model forces both sides of a transaction to take responsibility, rather than leaving losses primarily with the sending bank or the customer. Early data, however, suggests this shift has not yet fully translated into preemptive control improvements.

Nigeria’s framework could drive change in different ways. Rather than mandating reimbursement, it embeds fraud within governance and supervisory expectations. This raises the bar for institutions to demonstrate effective controls, particularly for mobile money operators and smaller PSPs, and requires greater coordination across the system through shared data and joint investigations. The focus is less on redistributing losses after the fact and more on strengthening controls and accountability upfront. Without a statutory presumption of reimbursement, however, its redistributive impact may be less pronounced.

Converging models, different paths

The U.K. and Nigeria share core principles, including shared responsibility, timely detection, consumer protection, and strong oversight. But they diverge on a central question: Is reimbursement a right or a conditional outcome?

The U.K. treats reimbursement largely as a customer right, except in cases of gross negligence. Nigeria treats it as contingent on fault, reporting, and the adequacy of controls.

As more countries develop their own approaches, I expect to see this debate continue to shift from whether reimbursement should occur to how responsibility should be allocated and which model best balances consumer protection with incentives for prevention.

Recent Posts

The value of precision in combating account takeover Fraud
March 27, 2026 The value of precision in combating account takeover
Read article
UN Global Fraud Summit: BioCatch pledges to launch two new Trust networks Fraud
March 23, 2026 UN Global Fraud Summit: BioCatch pledges to launch two new Trust networks
Read article
Refund first, argue later: EU court opinion supports case for behavioral intelligence in ATO detection Fraud
March 19, 2026 Refund first, argue later: EU court opinion supports case for behavioral intelligence in ATO detection
Read article