The Payment Systems Regulator has fined Bank of Ireland over GBP 3.7 million for missing the Confirmation of Payee implementation deadline by 14 months.
Following this announcement, the UK's Payment Systems Regulator (PSR) has issued a fine of over GBP 3.7 million to Bank of Ireland UK (BOIUK) after the institution failed to implement Confirmation of Payee (CoP) by the regulatory deadline of 31 October 2023. The delay, which stretched 14 months beyond that deadline, left over 1.14 million new payees without the fraud protection mechanism, covering payments totalling approximately GBP 6.9 billion.
A delayed compliance with significant exposure
According to the official press release, CoP is a name-checking service that allows payers to verify that the account name matches the sort code and account number before a payment is made. It was introduced as a direct response to the rise in authorised push payment (APP) fraud, where individuals are tricked into sending money to accounts controlled by fraudsters. The mechanism also helps prevent misdirected payments caused by human error.
The PSR first established CoP obligations under Specific Direction 10 in 2019, targeting the six largest banking groups. Specific Direction 17 (SD17), published on 11 October 2022 and entering into force on 24 October 2022, broadened the scope significantly. It established two cohorts — Group 1 and Group 2 payment service providers — with different compliance timescales. Group 1 providers, classified based on their size, complexity, and likely impact on reducing APP fraud, were required to have systems capable of both sending and receiving CoP requests in place by 31 October 2023.
BOIUK, classified as a Group 1 provider, was the last institution in that cohort to reach compliance. The PSR opened a formal investigation on 10 July 2024.
Penalty calculation and settlement
The regulator's decision notice confirms that BOIUK agreed to settle at an early stage of the enforcement process, qualifying for a 30% discount under the PSR's settlement procedures. Without that discount, the financial penalty would have been GBP 5.4 million.
The PSR confirmed that BOIUK failed to comply specifically with the send requirements under paragraph 3.1 of SD17 — meaning the institution did not have an operational system to send CoP requests within the required timeframe. A PSR official also noted that payment service providers had been given ample time to prepare, with the direction confirmed in October 2022, and emphasised that the regulator would continue to use its enforcement powers where firms fail to meet CoP requirements and leave customers without this protection.
Regulatory context
The fine arrives against a backdrop of continued regulatory focus on fraud prevention infrastructure in the UK. The PSR has maintained that CoP is a critical layer in the wider effort to reduce APP scams, which have caused substantial financial harm to consumers and businesses alike. The UK government has also signalled that payment systems regulation will remain active until any forthcoming legislative changes take effect, with the PSR continuing to carry out its statutory functions in the interim.
The full decision notice and details of the penalty have been published by the PSR alongside its broader register of enforcement cases.
