On February 19th, 2026, the UK’s Payment Systems Regulator (PSR) fined Bank of Ireland UK £3,779,300 for failing to implement Confirmation of Payee (CoP) by its regulatory deadline. The bank was 14 months late, leaving 1.14 million new payees without fraud protection on payments totaling approximately £6.9 billion.
Key Highlights
- The PSR fined Bank of Ireland UK £3,779,300 under Specific Direction 17, which required Group 1 payment service providers to implement Confirmation of Payee by October 31, 2023.
- The bank missed that deadline by 14 months, only becoming compliant in January 2025, making it the last Group 1 provider to do so.
- During the non-compliant period, 1.14 million new payees were processed without CoP checks on payments worth approximately £6.9 billion.
- The original penalty was £5.4 million, reduced by 30% to £3.78 million after the bank agreed to settle early.
- The case highlights the compliance cost of delayed implementation for controls designed to protect customers from authorised push payment fraud.
- Institutions can reduce exposure by maintaining robust AML and fraud compliance frameworks with clear ownership over implementation timelines.
What Is Confirmation of Payee and Why Does It Matter?
Confirmation of Payee is a name-checking service that verifies whether the account name entered by a payer matches the details held by the receiving bank before a transfer is processed. It targets two specific problems: authorized push payment (APP) fraud, where victims are manipulated into sending money to fraudsters, and misdirected payments caused by simple errors.
APP fraud losses reached £450.7 million in 2024, and in the first half of 2025 alone accounted for £257.5 million in losses across the UK, representing 41% of all fraud losses during that period. The PSR directed nearly 400 payment service providers to implement CoP in October 2022. Group 1 firms, the largest and most systemically significant, were required to comply by October 31, 2023. Group 2 had until October 31, 2024.
What Went Wrong at Bank of Ireland UK
Bank of Ireland UK did not activate CoP send functionality until January 2025, fourteen months after its Group 1 deadline. During that window, 1.14 million new payees were onboarded without the name-checking safeguard on payments worth approximately £6.9 billion. The PSR opened a formal investigation in July 2024.
The original penalty was £5.4 million, reduced by 30% to £3,779,300 after the bank agreed to settle early. Bank of Ireland UK was the last Group 1 provider to achieve compliance.
In a public statement, the bank acknowledged the delay and apologized, noting that CoP has been active for all customers since January 2025 and that it continues to invest in fraud prevention through enhanced monitoring, AI-based controls, and strengthened system processes.
The Broader Regulatory Context
This action does not sit in isolation. The UK’s mandatory APP fraud reimbursement scheme, which came into force on October 7, 2024, requires banks to reimburse eligible victims up to £85,000, with costs shared equally between sending and receiving institutions. That obligation makes CoP implementation even more consequential: without effective name-checking, institutions face both the risk of facilitating fraud and the direct cost of reimbursing victims.
The PSR is also in the process of being wound down, with its functions transitioning to the FCA as part of the government’s regulatory simplification agenda. That consolidation does not reduce enforcement risk for payment service providers; it concentrates it under a regulator with a broader remit and an established enforcement track record.
What Compliance Teams Should Take Away
The Bank of Ireland UK case offers three clear lessons.
- Regulatory lead time is not a buffer. The bank received notice of the CoP requirement in October 2022 and still missed its deadline by more than a year. Awareness without structured implementation tracking and internal ownership does not produce compliance.
- The cost of non-compliance compounds. The £3.78 million fine already reflects a 30% early-settlement discount from the original £5.4 million figure, and that is before reputational damage is considered.
- Customer exposure during the gap is its own liability. Over 1.14 million payees were processed without CoP verification, each carrying elevated fraud risk that the institution’s controls failed to address.
Effective transaction monitoring and fraud compliance programs depend on the same thing CoP does: timely implementation, documented controls, and clear accountability. When those elements are missing, the consequences tend to follow.
