Answers / Risk & Compliance

What is authorized push payment (APP) fraud, and how does it differ from traditional first- and third-party fraud?

A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.

THE SHORT ANSWER

Traditional third-party fraud is an unauthorized transaction — a criminal uses stolen cards/credentials without the customer's involvement; first-party fraud is the customer themselves acting dishonestly (e.g., false chargeback claims, application fraud). APP fraud is different and growing: the genuine customer is tricked into authorizing the payment themselves — they're socially engineered (impersonation of a bank/official, purchase scams, romance/investment scams, invoice redirection) into pushing money to a fraudster's account. Because the customer authorized it, it bypasses traditional unauthorized-transaction controls and historically left victims with weak redress. The response shifted: real-time payment-scam detection (anomalous beneficiary, behavioral signals, Confirmation of Payee name-checking), customer warnings/friction at the point of payment, and in some jurisdictions mandatory reimbursement frameworks (e.g., UK rules requiring sending and receiving banks to share liability for reimbursing APP-scam victims). It matters because instant payments and social engineering made APP the dominant scam type, requiring controls aimed at the customer's decision moment rather than just blocking unauthorized access.

WHAT INTERVIEWERS LISTEN FOR

  • APP: genuine customer is tricked into authorizing the payment
  • Differs from unauthorized third-party fraud and dishonest first-party fraud
  • Bypasses unauthorized-transaction controls; weak historic redress
  • Response: scam detection, Confirmation of Payee, warnings, mandatory reimbursement rules

COMMON MISTAKES

  • Confusing APP with unauthorized third-party fraud
  • Thinking standard fraud controls catch it
  • Unaware of reimbursement/Confirmation-of-Payee responses

Reading isn't the same as answering under pressure.

Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.

TRY QUICKFIRE →Or train full Risk & Compliance case simulations →

RELATED QUESTIONS