The Price of Silence: What the Bank of Ireland CoP Penalty Exposes
- Elizabeth Travis


In October 2022, the Payment Systems Regulator (PSR) published Specific Direction 17 (SD17). Its purpose was straightforward: the UK’s largest payment service providers were to implement Confirmation of Payee (CoP), an account name-checking safeguard designed to intercept authorised push payment (APP) fraud and misdirected transfers, by 31 October 2023. The directive built on the PSR’s earlier Specific Direction 10, which had required the six biggest banking groups to adopt the service by early 2020. SD17 extended that obligation to a broader cohort classified as Group 1, prioritised by complexity and transaction volume. The deadline was clear. The infrastructure existed. Every other Group 1 firm complied.
Yet on 19 February 2026, the PSR published a Decision Notice confirming that Bank of Ireland UK (BOIUK) had missed that deadline by fourteen months. Approximately £6.9 billion in payments involving more than 1.14 million new payees had been processed without the protections the rest of the market was already providing. The penalty was £3,779,300. That figure is financially modest for a subsidiary of a major banking group. The questions it raises about how the industry treats interconnected compliance obligations are not.
CoP serves more than one regulatory purpose
CoP is typically discussed as a fraud prevention tool. It is one. It allows a sending institution to verify, in real time, whether the name entered by the payer matches the name held on the recipient’s account. Where there is a mismatch, the payer receives an alert before the payment is executed. The mechanism is administered by Pay.UK and operates across Faster Payments and CHAPS. It creates a friction point between intent and execution: a final opportunity for the customer to reconsider before funds leave their account.
Yet the significance of CoP extends well beyond fraud. At its core, it performs a function that sits at the heart of an entirely separate regulatory regime: it verifies beneficiary identity at the point of payment. That function is precisely what the Financial Action Task Force (FATF) has been progressively strengthening through Recommendation 16 (R16), the international standard governing payment transparency.
The FATF’s June 2025 revision of R16, agreed at its Plenary, explicitly expanded the standard to require beneficiary institutions to verify beneficiary information and to ensure that accurate, structured originator and beneficiary data accompanies every qualifying transfer. Crucially, the FATF framed these requirements not solely as anti-money laundering measures but as mechanisms to eliminate fraud and error in the payment chain. The convergence is not coincidental. The data requirements underpinning fraud prevention, AML compliance and sanctions screening are not separate obligations operating in parallel. They are interdependent controls drawing on the same foundational asset: accurate, verified payment data.
Fourteen months of degraded data is not a technicality
The Decision Notice sets out the facts with precision. BOIUK operates two domestic payment channels: the B365 platform and the Business On Line (BOL) channel. Neither was capable of sending CoP requests by the deadline. CoP send functionality was introduced on B365 on 10 February 2024, three and a half months late. On BOL, it did not arrive until 7 January 2025. The period of non-compliance ran from 31 October 2023 to 7 January 2025. BOIUK was the last Group 1 firm to achieve compliance.
The scale of exposure is significant. During that window, approximately £6.9 billion in transactions were processed without the CoP coverage required under SD17, involving more than 1.14 million new payees. Each of those customers was denied the name-checking safeguard that every other Group 1 institution was already providing. In a year when UK Finance’s Annual Fraud Report 2025 recorded APP fraud losses of £450.7 million and total fraud losses exceeding £1.17 billion across more than 3.3 million cases, a gap of that magnitude is not administrative. It is material.
The point is often missed because CoP is categorised as a fraud control. In practice, the beneficiary name verification it performs is the same verification that strengthens sanctions screening, improves transaction monitoring and enhances the quality of data available for suspicious activity reporting. When CoP is absent, it is not only fraud defences that weaken. The entire chain of downstream compliance controls operating on beneficiary data is degraded.
Programme dependency is not a defence
The Decision Notice is instructive not only for what BOIUK failed to do, but for how it failed. The PSR acknowledged that the root causes of the delay predated SD17. The bank’s CoP implementation on BOL became entangled with a broader internal technology improvement programme. A discrete compliance workstream was absorbed into a larger transformation initiative. Its delivery timeline became hostage to dependencies beyond the compliance function’s control.
The regulator’s assessment is sharp. The PSR concluded that BOIUK failed to sufficiently assess interim mitigation options. At least two alternatives existed: contracting a third-party provider to deliver CoP send capability on an interim basis, or directing eligible customers toward B365 once that platform achieved compliance in February 2024. Neither was adequately explored. The bank treated the delay as an unavoidable consequence of programme sequencing. The regulator treated it as a failure of risk management.
This pattern is not unique to BOIUK. Across financial services, regulatory obligations are routinely absorbed into broader technology programmes, where they compete for resources and governance attention with commercially driven workstreams. Regulatory deadlines become subordinate to internal timelines. Interim mitigations are deprioritised because the full solution is always imminent. The PSR’s decision sends a pointed message: programme dependency is not a defence for non-compliance, and regulators expect firms to pursue proportionate alternatives when primary delivery is at risk.
The silo between fraud and financial crime compliance is no longer defensible
The BOIUK case is framed as a fraud enforcement action. Yet the underlying lesson is about data. Data does not respect organisational silos.
The beneficiary name verification performed by CoP serves the same analytical function as the data requirements imposed by FATF R16 and its domestic implementations: the UK’s Money Laundering Regulations and, in the EU, the Transfer of Funds Regulation. When a payment service provider confirms that the beneficiary name matches the account before a payment is sent, it simultaneously strengthens the data flowing into sanctions screening engines, transaction monitoring systems and suspicious activity reporting. When that verification is absent, every downstream control depending on reliable beneficiary data is compromised.
The FATF’s June 2025 revision of R16 makes this convergence explicit. The updated standard requires beneficiary institutions to verify beneficiary information and to ensure the accuracy of data accompanying each transfer. The explanatory note frames these obligations as mechanisms to build a clearer picture of who is sending and receiving money and to eliminate fraud and error. The Global Legal Entity Identifier Foundation (GLEIF), in its analysis of the revised standard, noted that precise matching using identifiers such as the Legal Entity Identifier (LEI) is being positioned as an alternative to error-prone algorithmic name matching. That is a direct parallel to the verification function CoP performs domestically.
The implication is clear. Institutions that treat CoP as a standalone fraud obligation, managed by a fraud team, governed by fraud metrics, funded from a fraud budget, are missing the broader regulatory trajectory. Payment data accuracy is the thread that connects fraud prevention, AML compliance, sanctions screening and wire transfer regulation. Control effectiveness, not control existence, is what regulators are now measuring. A delay in implementing CoP is not merely a failure of fraud controls. It is a degradation of the data on which the entire financial crime framework depends.
Late notification erodes the supervisory relationship
The penalty does not rest solely on the implementation delay. The PSR also found that BOIUK breached paragraph 3.7 of SD17, which requires directed firms to notify the regulator within 28 days of forming the view that they will be unable to meet the deadline. SD17 was published in October 2022. BOIUK did not inform the PSR of its likely non-compliance until April 2023: six months after the direction came into force.
The bank’s position was that it interpreted the notification requirement as applying only once a detailed explanation and remediation plan were available. The PSR rejected that interpretation. The obligation to notify is triggered by the firm’s own assessment of risk, not by the readiness of a response. Waiting until the plan is complete before raising the alarm defeats the purpose of early notification. The principle is consistent across every supervisory relationship, whether with the PSR, the FCA, the PRA or OFSI: early, candid engagement almost always produces a better outcome than delayed disclosure.
What firms should reassess
The enforcement action carries implications beyond CoP and beyond the PSR’s immediate jurisdiction. First, regulatory compliance deadlines are not subordinate to internal programme timelines. Where a directed obligation cannot be met through the primary delivery route, firms must pursue interim alternatives. The expectation is not perfection. It is active, proportionate risk management.
Second, payment data accuracy must be governed as a cross-cutting control, not as a series of isolated obligations. The data that supports CoP verification is the same data that supports wire transfer regulation compliance, sanctions screening and transaction monitoring. Firms that invest in data accuracy for one purpose and neglect it for another are building frameworks with structural contradictions at their core. The FATF’s revised R16, with its emphasis on structured, verified originator and beneficiary data, reinforces this at the international level. Domestic obligations and international standards are converging on the same principle: the integrity of the payment system depends on the integrity of the data within it.
Third, the enforcement landscape is tightening. The PSR’s penalty should be read alongside its introduction, in October 2024, of mandatory reimbursement rules for APP fraud victims. Those rules shifted the financial burden of fraud losses directly onto payment service providers. Firms that treat anti-fraud and anti-money laundering controls as secondary to commercial priorities will find the cost of that choice is rising.
The price of silence is paid in intelligence that never existed
The PSR’s penalty against BOIUK is, in financial terms, measured. In regulatory terms, it is a declaration of intent. The direction was clear. The deadline was generous. Every other Group 1 firm managed to comply.
Yet the deeper lesson is not about one institution or one deadline. It is about the persistent tendency within financial services to treat fraud, AML and sanctions as separate compliance verticals when they are, in practice, different expressions of the same foundational requirement: accurate, verified, transparent payment data.
CoP verifies the beneficiary at the point of payment initiation. FATF R16 requires that verified beneficiary data accompanies the payment through the chain. Sanctions screening depends on the reliability of that data to produce credible matches. Transaction monitoring depends on it to generate defensible alerts. These are not parallel obligations. They are sequential dependencies. A failure in one weakens all.
If the industry continues to treat payment transparency as three separate problems with three separate budgets and three separate governance structures, the gaps that enforcement actions like this expose will persist. The cost of delay is not measured only in penalties. It is measured in the sanctions matches that were never made, the suspicious patterns that were never visible, and the compliance intelligence that, because the data was never verified, never existed at all.
Do you need to build a unified approach to payment transparency?
At OpusDatum, we work with financial institutions and payment service providers to build compliance frameworks that treat payment data accuracy as the cross-cutting control it is. Our advisory and intelligence services bridge the gap between fraud prevention, AML compliance, sanctions screening and wire transfer regulation, ensuring that obligations are met in practice, not merely in parallel.
Contact us to discuss how we can support your approach to integrated payment data governance.


