.svg)
The industry body has called for new regulations that would impose strengthened fraud prevention standards across social media, online marketplace and instant messaging platforms operating in the UK.
In a white paper published in March 2026, the Payments Association (PA) argues that responsibility for tackling authorised push payment (APP) fraud must “extend beyond banks” to target the digital platforms where “many scams begin”.
This position is part of a wave of calls for increasing scrutiny of the role of digital platforms in facilitating fraud origination.
The white paper calls for regulators to introduce new standards that would aim to eliminate scam advertising while also mandating “platform accountability” and “cross-sector intelligence sharing”. Collectively, these measures would represent a shift from reimbursement-led frameworks to prevention-focused, ecosystem-wide obligations.
“This paper supports a shift from voluntary platform commitments to mandatory, enforceable standards for fraud prevention, with credible regulatory oversight and penalties for systemic non-compliance,” says PA. This means a move away from industry-led initiatives towards formal regulatory intervention.
“This is not proposed as retrospective punishment. It is proposed as a mechanism to create real incentives to tackle fraud at source, thereby protecting consumers worldwide.”
The white paper singles out Meta-owned platforms as the greatest source of APP fraud in the UK, based on data from UK Finance, the Payment Systems Regulator (PSR) and Lloyds Banking Group. This concentration of fraud origination may inform future regulatory focus and enforcement priorities.
Outside the UK, other private datasets also indicate that Meta-owned platforms are the largest single source of APP fraud cases, suggesting that the issue is systemic and not confined to the UK market.
According to Revolut’s 2025 Consumer Security and Financial Crime Report, for example, 44 percent of reported APP fraud cases globally during that year originated on Meta-owned platforms.
At the same time, however, PA points out that scam advertising continues to be a significant revenue source for platform owners such as Meta, creating a potential tension between platform monetisation models and fraud prevention expectations.
In 2024, according to internal documents seen by Reuters, Meta projected that 10 percent of its annual revenue would come from ads for scams and banned goods. If accurate, this raises material regulatory and reputational questions for platform operators.
The white paper also provides estimates of the scale and value of scam advertising across the UK and Europe, which underscore the industrial nature of scam ecosystems.
In 2025, according to Juniper Research, scam advertising generated 95bn impressions among social media users in the UK, a figure that could rise to 137bn impressions by 2030.
In Europe, scam advertising generated almost one trillion impressions (993bn) among social media users in 2025, and this is set to rise to 1.4trn impressions by 2030 if current trends continue. The scale highlights the cross-border nature of the issue, reinforcing the need for coordinated regulatory responses.
Limits of UK’s current regulatory approach
Despite recent reforms, structural gaps remain in how liability is allocated across the fraud chain.
Although PA praises the UK government for its recognition that a “substantial proportion” of fraud now originates online, it argues that its regulatory response to date has been “misaligned” and insufficient. In particular, liability remains concentrated on financial institutions, despite fraud increasingly originating outside their control.
PA believes that mandatory reimbursement requirements, introduced in October 2024, have strengthened consumer protection at the point of payment, but have placed liability solely with banks and payment service providers (PSPs), where it is often not warranted. This creates a disconnect between where fraud risk originates and where financial responsibility sits.
Between October 2024 and September 2025, around 88 percent of APP fraud losses (£173m) were reimbursed to victims, a significant increase on the 65 percent reimbursement rate reported by UK Finance in 2024, before the mandatory reimbursement regime was introduced.
However, as PA notes, while a significantly higher proportion of losses are now reimbursed, these figures do not indicate that fraud is being “reduced at source”. This highlights a key limitation of reimbursement-led regulatory models.
“Since these reforms came into force, a significant share of fraud losses have shifted onto financial institutions, even where the scam originated outside the banking system,” says PA, meaning we have seen a redistribution of financial burden rather than a reduction in fraud risk
The UK’s Online Safety Act, passed in 2023, requires in-scope platforms to assess and mitigate the risk of harm arising from priority illegal content, including fraud and financial services offences. Although this brings platforms within scope, its impact on fraud prevention remains limited in the near term.
Ofcom’s Codes of Practice for user-to-user platforms came into force in March 2026, but its regime for fraudulent paid advertising remains under development. This creates a regulatory gap in addressing one of the primary vectors of APP fraud
Codes governing paid-for advertising are expected to be introduced on a later timeline, and will likely not be fully operational until 2027. As a result, PSPs are likely to remain exposed to reimbursement obligations in the interim.
Against this backdrop, PA has urged regulators to address what it describes as a “significant gap” in the regulation of scam advertising, both during the interim period and in the nature of what is expected from firms. Its proposals therefore position platform regulation as a necessary complement to existing reimbursement frameworks.
International models suggest shift towards shared responsibility
To align fraud prevention incentives across the digital ecosystem, PA urges UK regulators to consider a phased, multi-sector regulatory approach, similar to that of Singapore’s Shared Responsibility Framework (SRF) and Australia’s Scams Prevention Framework.
Both of these frameworks impose liability and penalties on a range of actors, including digital platforms, telcos and financial institutions, for specific failures to prevent fraud and protect users. They also impose mandatory information-sharing practices on regulated firms, in contrast with the UK’s current PSP-centric liability model
During Phase 1, as per PA’s proposals, regulators would establish minimum requirements for digital platforms that offer paid advertising, marketplace or messaging services.
These could include advertiser identity verification, repeat-offender detection and scam-ad screening systems.
During Phase 2, large platforms may be required to publish regular transparency reports covering scam-advertisement volumes, removal timelines, advertiser verification outcomes and repeat-offender activity.
Phase 3 would see regulators mandate participation in cross-sector intelligence-sharing frameworks that connect large platforms with financial institutions, telcos and law enforcement.
In Phase 4, where systemic prevention failures are identified, regulators would be empowered to impose “proportionate penalties” or “corrective measures” to ensure future compliance.
Collectively, these phases outline a transition towards system-wide accountability rather than sector-specific obligations.
‘Shared liability’, but not mandatory reimbursement
Notably, PA stops short of explicitly calling for digital platforms to contribute directly to mandatory reimbursement of APP fraud victims. This suggests sensitivity around extending financial liability beyond the banking sector.
Instead, it introduces the concept of “proportionate liability triggered by clear failures”, where accountability would be linked to identifiable operational breakdowns.
This could include, for example, where a platform fails to remove fraudulent content within defined timeframes, or allows repeat offenders to continue operating despite prior enforcement action.
These provisions are framed explicitly as an alternative to “blanket or automatic cost transfer mechanisms”. This positions the proposal as a middle ground between no liability and full reimbursement obligations.
PA’s proposals are at some distance from the UK’s existing mandatory reimbursement regime, which imposes liability on PSPs regardless of fault in most cases. It also highlights divergence between current and potential future models.
However, it also leaves open a key question: what would “proportionate liability” look like in practice? This is likely to become a key issue in future policy design.
For legal and compliance professionals, the ambiguity is likely to be a central concern, given that uncertainty around evidential thresholds and enforcement will create operational challenges for firms.
A failure-based model of liability may be more politically and operationally feasible than extending reimbursement obligations to platforms. However, its effectiveness will depend on how clearly responsibilities are defined and enforced.
In addition, the absence of clear parameters raises further questions around calibration, enforcement and evidential thresholds that could delay implementation or lead to inconsistent application across the market.
Much will depend on how Ofcom ultimately implements the Online Safety Act’s advertising-related provisions, and whether future reforms move beyond prevention towards a more explicit allocation of financial liability across the fraud chain.
Overall, the direction of travel suggests a gradual shift towards shared accountability across the fraud ecosystem, although timing and design remain uncertain.
