Regulation 75 states that where a payment service user denies having authorised an executed payment transaction, or claims that a payment transaction has not been correctly executed, the payment service provider must prove authentication, accurate recording, and proper entry in its accounts. It also states that if the provider claims the payer acted fraudulently or failed with intent or gross negligence to comply with regulation 72, the provider must provide supporting evidence to the payer.

The Payment Services Regulations 2017 are up to date with all changes known to be in force on or before 12 June 2026. This is the official consolidated text of the instrument that includes regulation 75.

Regulation 67 provides that a payment transaction is authorised only if the payer has given consent to execute it. This is the statutory consent rule used by the FCA’s guidance when discussing whether a transaction is unauthorised.

Regulation 74 requires the payment service provider to provide or make available the terms and conditions and information specified in Part 6, and it is one of the adjacent provisions governing notice and information duties around payment transactions. It does not state the deception/inducement rule described in the claim.

Regulation 76 is the provision dealing with the payment service provider’s liability for unauthorised payment transactions, including the obligation to refund unauthorised transactions. It is the adjacent liability provision to regulation 75, which is the evidential burden rule.

Regulation 72 sets out the user’s obligations in relation to payment instruments and personalised security credentials, including requirements to use the instrument in accordance with the terms governing its issue and to notify the provider without undue delay on becoming aware of loss, theft, misappropriation, or unauthorised use. Regulation 75 refers to this provision when the provider alleges fraud, intent, or gross negligence.

Regulation 83 concerns the revocation of consent and the effect of withdrawal of consent on payment transactions. The FCA guidance contrasts this with unauthorised and misdirected transactions when interpreting regulation 75.

The FCA explains that regulation 75 of the PSRs 2017 applies where a customer denies having authorised a transaction, and that a transaction should be treated as unauthorised unless the payment service provider has the customer’s consent under regulation 67. The guidance distinguishes unauthorised transactions from misdirected transactions, where the customer authorised the transaction but the money went to the wrong recipient.

Regulation 75 is headed "Payer’s liability for unauthorised payment transactions where a payment service is provided in relation to a credit line" and provides that, except in certain cases, "the payer’s liability is limited to £35" for losses relating to unauthorised payment transactions before notification.[...] It also states that the payer is not liable for any financial loss if the payment transaction was unauthorised and occurred after notification, or if the loss was due to acts or omissions of the payment service provider or its agent. The regulation does not refer to situations where the payer was deceived into authorising a payment; it addresses liability for "unauthorised payment transactions" in the context of credit lines.

The made version of SI 2017/752 confirms the structure of Part 7 "Authorisation of payment transactions" and includes regulation 75 under the heading "Evidence on authentication and execution of payment transactions". The text in regulation 75 deals with who must prove that a transaction was authenticated and correctly executed, and with evidential burdens where a user denies having authorised a transaction; it does not contain wording about protection where a payer was deceived or induced into making a payment.

Regulation 67 defines "Consent and withdrawal of consent" for payment transactions. It provides that "A payment transaction is to be considered to be authorised only if the payer has given its consent to execute the payment transaction" and that consent may be given for a single or for a series of payment transactions. It does not contain any provision that consent is negated merely because the payer was deceived or induced; the focus is on whether consent was given in accordance with the framework contract or as agreed with the payer.

Regulation 76, titled "Payer’s liability for unauthorised payment transactions," sets out the general rules for a payer’s liability where payment instruments are lost, stolen, or misappropriated. It provides that, subject to certain conditions, "the payer is liable up to a maximum of £35" for losses before notification and is not liable for unauthorised payment transactions after proper notification or where the loss was due to acts or omissions of the payment service provider. The text treats these as "unauthorised payment transactions" under regulation 67; it does not classify payments that the payer was deceived into authorising as unauthorised by reason of that deception.

Part 7 of the Regulations is titled "Authorisation of payment transactions" and includes regulations 67 to 80. Regulation 75 within this Part is explicitly labelled "Evidence on authentication and execution of payment transactions". The surrounding provisions (regulations 72–79) distinguish between "authorised" and "unauthorised" transactions and set out liability and refund rules; they do not state that an authorised payment induced by deception is treated as protected in the same way as an unauthorised payment.

The FCA’s tracked‑changes approach document reiterates that "Regulation 75 of the PSRs 2017 applies in circumstances where a payment service is provided in relation to payment transactions that consist of the placing, transferring or withdrawal of funds covered by a credit line provided under a regulated agreement." It also states that a transaction should be treated as unauthorised unless the PSP has the payer’s consent as set out in Regulation 67, and that amounts deducted in error, without consent, are to be treated as unauthorised transactions. The guidance does not describe Regulation 75 as covering authorised push payments where the payer was deceived or induced into making the payment.

The FCA explains that the Payment Services Regulations 2017 implement the revised Payment Services Directive (PSD2) and sets rules on topics including "authorisation of payment transactions, liability and refunds". In its consumer-facing guidance on scams, the FCA distinguishes between unauthorised payment fraud (where a payment is made without the customer’s authorisation) and authorised push payment (APP) fraud, where "you are tricked into authorising a payment to an account controlled by a criminal" and notes that separate voluntary reimbursement codes and regulatory expectations apply; the text does not state that regulation 75 itself grants protection for authorised payments induced by deception.

HM Treasury’s review of the Payment Services Regulations notes that the PSRs 2017 implemented PSD2 and that the framework "distinguishes between unauthorised transactions and authorised push payment (APP) fraud, where the payer has consented to the payment but has been deceived." The document discusses separate policy work and industry initiatives to address APP scams, acknowledging that the current PSRs regime (including provisions on unauthorised transactions) does not automatically cover authorised payments made under deception in the same way.

The Payment Systems Regulator describes authorised push payment (APP) scams as situations where "people are tricked into sending money to a fraudster" and notes that these are payments that the victim has authorised. It explains that historically "the law and the Payment Services Regulations focus on unauthorised transactions" and that this left a gap in protection for APP scams, which the PSR and industry have sought to address through new reimbursement requirements. This implies that the existing Payment Services Regulations, including regulation 75, did not already treat authorised but induced payments as protected in the same way as unauthorised transactions.

The Supreme Court in Philipp v Barclays explained that in APP fraud cases the customer "has authorised the payment instruction and the bank has executed that instruction" even though the customer was deceived. The Court distinguished between unauthorised payment transactions within the meaning of the Payment Services Regulations and authorised transactions procured by fraud, and did not interpret Regulation 75 as creating an automatic protection for customers whenever they were deceived or induced into making a payment.

A commentary in the Law Quarterly Review explains that under the Payment Services Regulations 2017, "the core refund right in regulations 73–77 is confined to ‘unauthorised payment transactions’." It further states that in authorised push payment fraud cases, "the customer has authorised the transaction, albeit under a misapprehension induced by the fraudster, and therefore does not fall within the statutory refund regime". The article observes that this legal structure has prompted separate regulatory and industry responses to APP fraud rather than reliance on regulation 75.

Skadden explains that APP fraud involves cases "where the customer has been deceived into granting authorisation for the payment." It notes that the new Reimbursement Rules from October 2024 will require reimbursement of consumers who are victims of APP fraud because, under the existing PSR 2017 framework, such transactions are treated as authorised and so fall outside the unauthorised-payment refund provisions (including Regulation 75). The article contrasts these new rules with the existing PSR 2017 regime, under which the main statutory refund right arises where the transaction was unauthorised, not merely induced by fraud.

In its discussion of fraud and payment systems, the Law Commission observes that under the Payment Services Regulations 2017, "the core statutory protections for users relate to unauthorised transactions" and that in authorised push payment frauds victims have usually "given a valid payment order, albeit as a result of being deceived." The report explains that this distinction has led to calls for additional protections and regulatory interventions (for example by the Payment Systems Regulator) because the existing PSR 2017 regime does not automatically treat deceit‑induced but authorised payments as unauthorised.

An academic commentary from City, University of London explains that under the PSRs 2017 "authorised push payments (APP) – payments which the customer themselves instructs – are generally outside the scope of the ‘unauthorised transaction’ provisions in Regulations 74–77." It highlights that in APP fraud the consumer’s consent is vitiated by deception, but "the statutory framework treats consent as present for the purposes of Regulation 67," so the payment is not classed as unauthorised. As a result, protection for victims of APP fraud has had to be developed through voluntary codes and new PSR‑led reimbursement rules rather than through Regulation 75.

This legal update describes the PSRs 2017 as the main piece of legislation regulating payment services in the UK and discusses the regime for unauthorized payment transactions and compliance issues. It is secondary commentary, not the statutory text itself.

This practice note explains the UK framework for payment services regulation and the liability rules for unauthorized transactions. It is a secondary legal guide and should be read alongside the statutory provisions in the Payment Services Regulations 2017.

An academic commentary from City, University of London notes that under the Payment Services Regulations 2017, a customer who denies authorising a payment benefits from statutory protections requiring the bank to refund unauthorised transactions. However, it explains that "where the customer has been deceived into instructing the bank to make a payment (authorised push payment fraud), the payment is generally treated as authorised for the purposes of the PSRs" and that protection in such cases comes, if at all, from other sources (such as voluntary reimbursement schemes or common law duties) rather than from Regulation 75 alone.

This article explains that the Payment Services Regulations 2017 govern payment services in the UK, including authorization, customer rights, execution timelines, transparency, and liability for unauthorized transactions. It is general compliance commentary rather than primary legal authority.

Practitioner commentary often notes confusion between section 75 of the Consumer Credit Act 1974 and regulation 75 of the Payment Services Regulations 2017. Section 75 CCA creates joint and several liability of credit card issuers with suppliers in cases of misrepresentation or breach of contract, including some situations where a consumer is deceived. Regulation 75 PSRs, by contrast, is an evidential rule about proving authentication and execution of payment transactions and does not create a general protection for any authorised payment induced by deception.