The UK’s Payment Systems Regulator (PSR) has fined Bank of Ireland UK £3,779,300 after the lender failed to implement Confirmation of Payee (CoP) by its mandated deadline, leaving over a million customers exposed to fraud risk for more than a year.
According to Alessa, the regulator issued the penalty on 19 February 2026, having opened a formal investigation into the bank in July 2024.
Alessa recently discussed how the Bank of Ireland UK was fined £3.78m for missing an anti-fraud deadline.
Bank of Ireland UK did not activate CoP send functionality until January 2025 — fourteen months after its Group 1 deadline of 31 October 2023, making it the last of the largest payment service providers to achieve compliance.
During the period of non-compliance, 1.14 million new payees were processed without the name-checking safeguard in place, on payments totalling approximately £6.9bn. The original penalty stood at £5.4m but was reduced by 30% to £3,779,300 after the bank agreed to an early settlement.
What is Confirmation of Payee?
CoP is a name-checking mechanism that verifies whether the account name entered by a payer matches the details held by the receiving institution before a transfer is processed. It is designed to combat two distinct problems: authorised push payment (APP) fraud, in which victims are manipulated into sending money to fraudsters, and misdirected payments arising from simple errors.
The PSR directed nearly 400 payment service providers to implement CoP in October 2022. The largest and most systemically significant firms — classified as Group 1 — were required to comply by 31 October 2023, while Group 2 firms were given until 31 October 2024.
The scale of the problem CoP is intended to address is significant. APP fraud losses reached £450.7m in 2024, and in the first half of 2025 alone accounted for £257.5m in losses across the UK — representing 41% of all fraud losses during that period.
The bank’s response
In a public statement, Bank of Ireland UK acknowledged the delay and apologised to customers, noting that CoP has been active for all customers since January 2025 and that it continues to invest in fraud prevention through enhanced monitoring, AI-based controls, and strengthened system processes.
The broader regulatory context
This enforcement action does not sit in isolation. The UK’s mandatory APP fraud reimbursement scheme, which came into force on 7 October 2024, requires banks to reimburse eligible victims up to £85,000, with costs split equally between sending and receiving institutions. That obligation makes CoP implementation considerably more consequential: without effective name-checking, institutions face both the risk of facilitating fraud and the direct financial cost of reimbursing victims.
The PSR itself is in the process of being wound down, with its functions set to transfer to the Financial Conduct Authority (FCA) as part of the government’s regulatory simplification agenda. That consolidation does not reduce enforcement risk for payment service providers — it concentrates it under a regulator with a broader remit and a well-established track record on enforcement.
Lessons for compliance teams
The Bank of Ireland UK case carries clear implications for compliance functions across the sector.
Regulatory lead time is not a buffer. The bank received notice of the CoP requirement in October 2022 and still missed its deadline by more than a year. Awareness without structured implementation tracking and internal accountability does not produce compliance.
The cost of non-compliance compounds quickly. The £3.78m fine already reflects a 30% early-settlement discount from the original £5.4m figure, and that is before any reputational damage is factored in.
Customer exposure during the gap creates its own liability. Over 1.14 million payees were processed without CoP verification during the period of non-compliance, each carrying elevated fraud risk that the institution’s controls failed to address.
Effective transaction monitoring and fraud compliance programmes depend on the same foundations that CoP does: timely implementation, documented controls, and clear lines of accountability. When those elements are absent, the consequences tend to follow.
Read the full Alessa post here.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
