On 19 February 2026, the Payment Systems Regulator (PSR) fined Bank of Ireland UK plc (BOIUK) £3.78 million for failing to implement the “send” requirements of Confirmation of Payee (CoP) by the required 31 October 2023 deadline.
CoP is a name‑checking service used by UK banks to help prevent misdirected and fraudulent payments by checking whether the account name entered by the payer matches the account details held by the receiving bank.
BOIUK’s CoP functionality went live approximately 14 months late, meaning CoP checks were not applied to payments involving more than 1.14 million new payees, covering around £6.9 billion in transactions.
While CoP itself is well-established, the enforcement action is notable for what it signals about regulatory expectations. The PSR has framed the delayed implementation of a recognised fraud prevention control as a failure that materially increased customer harm exposure, rather than a purely operational or delivery issue.
For UK firms, the case sits within a broader supervisory focus on authorised push payment (APP) fraud prevention, control effectiveness and evidence-based governance.
This blog outlines the key elements of the PSR’s enforcement action, why the case is significant for firms involved in Faster Payments and the regulatory themes it signals for APP fraud prevention. It also highlights the practical implications for firms, the considerations that risk and financial‑crime teams may want to revisit, and our closing view on how expectations around fraud‑prevention controls and delivery governance are evolving.
Key Changes
Specific Direction 17 required Group 1 payment service providers (PSPs) to implement the ability to send and receive CoP requests by 31 October 2023. The requirement followed a phased rollout intended to embed CoP protections more broadly across Faster Payments.
In BOIUK’s case:
- The CoP “send” capability was implemented approximately 14 months after the deadline
- CoP checks were not applied to transactions involving more than 1.14 million new payees during the period of non-compliance
- Those payments totalled approximately £6.9 billion in value
- BOIUK was the final Group 1 PSP to achieve compliance
The enforcement outcome reflects both the duration of the delay and the scale of customer exposure during that period.
Why This Matters for UK-Regulated Firms
CoP is increasingly viewed as a baseline fraud prevention control
CoP helps mitigate APP fraud by allowing customers to confirm whether a payee name aligns with the receiving account before funds are sent. Regulators increasingly treat such controls as foundational safeguards rather than optional customer protection features.
Absence of a control can constitute harm in itself
The PSR did not need to demonstrate that individual payments resulted in fraud. The key issue was that customers were exposed to elevated risk for a sustained period where a recognised mitigating control should have been operating.
This reinforces a supervisory approach focused on exposure and control effectiveness, not solely confirmed loss outcomes.
Delivery governance forms part of fraud risk management
Where mandated fraud controls are delayed, regulators are likely to consider how associated risks were assessed, escalated and managed during the interim period. Delivery challenges do not remove the expectation that fraud risk remains actively governed.
Practical Implications
The relevance of this enforcement action will vary depending on firms’ payment activity and exposure to retail payment journeys. However, several themes are likely to be relevant where firms support Faster Payments or high volumes of new-payee activity.
New-payee journeys remain a supervisory focus
New payees represent a consistent pressure point for APP fraud. Firms with significant volumes of first-time payments or customer-initiated beneficiary changes may face increased scrutiny regarding how those risks are mitigated.
Compensating controls must be demonstrable
Where implementation timelines slip, interim controls should be proportionate to the risk and clearly evidenced. Reliance on customer messaging alone may not be considered sufficient mitigation.
Third-party or group dependencies do not remove accountability
Where delivery relies on vendors, group platforms or indirect access arrangements, UK entities remain responsible for managing resulting fraud risk and escalation processes.
Fraud prevention and customer protection expectations are converging
Regulatory focus increasingly links fraud controls to customer outcomes. Preventive measures are expected to reduce real-world harm rather than operate solely as compliance safeguards.
What Firms Should Consider Now
Assess how CoP operates across payment journeys
Firms may wish to confirm that CoP functionality operates consistently across channels and that exception handling does not introduce unintended gaps.
Review governance arrangements for delayed controls
Organisations should be able to evidence how fraud risk would be assessed and managed if implementation timelines for critical controls were extended.
Monitor exposure as well as confirmed losses
Metrics capturing transaction exposure during control gaps can provide a clearer risk picture than loss data alone.
Reassess reliance on behavioural warnings
Customer education and warnings remain valuable but may not substitute for objective verification controls in higher-risk payment scenarios.
Our Closing View
The PSR’s enforcement action should be viewed as a signal of evolving fraud risk expectations rather than a narrow compliance outcome. Regulators increasingly expect firms to deliver preventive controls on time, supported by governance capable of identifying, escalating and managing risk where implementation challenges arise.
For firms, the emphasis is shifting from whether controls exist in principle to whether they are operational, evidenced and aligned with customer harm prevention objectives.
How Thistle Initiatives Can Help
Our financial crime team supports firms in assessing whether fraud prevention frameworks remain aligned with evolving regulatory expectations.
We can conduct independent reviews of APP fraud controls, including CoP implementation, new-payee risk management and governance over fraud-critical change delivery. Our approach focuses on practical, proportionate improvements that help firms demonstrate effective oversight, robust decision-making and defensible control environments under regulatory scrutiny.
Meet the Expert
Elliott Day, Manager 
Elliott is a manager within Thistle’s Financial Crime team, supporting fintech and financial services clients to strengthen controls, uplift governance, and deliver regulatory remediation. His experience spans AML, sanctions, KYC/KYB, onboarding and risk assessment, with a focus on proportionate, risk-based frameworks and practical assurance.
Before joining Thistle, Elliott held financial crime and compliance roles across payments and fintech, enhancing policies, procedures and monitoring arrangements. Elliott has also contributed to industry publications, including editorials for The Company Lawyer.