Opinion

PSR fines Bank of Ireland (UK) GBP3.8m for delayed implementation of Confirmation of Payee

The Payment Systems Regulator (PSR) has fined the Bank of Ireland (UK) plc (BOIUK) GBP3.8m for failing to implement Confirmation of Payee (CoP) send functionality within the regulatory deadline. This decision highlights that regulators expect firms to manage dependencies proactively within regulatory implementation projects, and to notify regulators proactively when a firm thinks it is likely to miss a regulatory deadline.

Background

CoP is an account name-checking functionality that protects customers making electronic payments by verifying that the name on a receiving account matches the intended recipient’s details. It is intended to reduce fraud and mis-directed payments. The PSR published Specific Direction 17 (SD17) in October 2022, requiring “Group 1” payment service providers – the largest and most complex, which included BOIUK – to implement CoP send and respond capability by 31 October 2023. 

BOIUK operates two payment channels relevant to SD17. Banking 365 (B365) is its primary retail channel. Business On Line (BOL) is a business-focused platform with approximately 9,000 users. BOIUK implemented CoP respond functionality ahead of schedule, but failed to implement CoP send functionality on either channel on time. The functionality was not in place on B365 until 10 February 2024 and on BOL until 7 January 2025. BOIUK was the last Group 1 firm to comply with SD17. The failings impacted transactions involving over 1.14 million new payees and GBP6.9 billion.

The root cause of the BOL delay was a dependency on a pre-existing BOL improvement programme, which had been initiated in 2019 to address legacy platform vulnerabilities and vendor support gaps. Prioritisation and funding decisions led to key workstreams being paused in 2021 and, by the time SD17 was published, the improvement programme was still incomplete. BOIUK concluded that CoP could not be safely built on BOL until the enhanced architecture was in place, creating a dependency that delayed implementation. 

The B365 delay arose from a Group-wide mainframe incident in August 2023, which triggered an extended change freeze and delayed BOIUK’s release schedule, including the deployment of CoP send for B365. The PSR accepted that BOIUK was on track to meet the B365 deadline before this incident occurred. 

Findings

The PSR found that BOIUK breached SD17’s regulatory deadline for CoP implementation. It found that this breach was not deliberate or reckless, and noted that BOIUK implemented fraud reimbursement arrangements during the period of non-compliance. 

The PSR made the following key findings:

  • The delays to the completion of the BOL improvement programme were avoidable and resulted from decisions within BOIUK’s own control; earlier and sustained remediation would have avoided the dependency and enabled timely CoP implementation. 
  • More robust preventative measures would likely have prevented the Group-wide mainframe incident and so avoided impacting CoP delivery for B365.
  • BOIUK insufficiently considered implementing interim measures to protect customers before it completed its CoP implementation, for example by engaging a third-party CoP provider or directing BOL customers to use B365’s CoP functionality once available. 
  • BOIUK did not notify the PSR that it was unlikely to meet the BOL deadline until six months after the PSR published SD17. This was despite BOIUK having low confidence in its ability to meet the deadline from the outset. SD17 required notification within 28 days of forming such a view, whereas BOIUK interpreted this as requiring it to formulate a detailed explanation and project plan for remediation before making a notification.

The penalty was calculated by applying 7% to BOIUK’s relevant revenue of GBP77,130,004. This is at the bottom of the 7 – 13% range applied to breaches assessed as “moderate seriousness”.  

However, the PSR emphasised that firms are expected to maintain systems capable of implementing regulatory changes within prescribed timeframes and to manage dependencies proactively. 

Comment

The root cause of the BOL non-compliance illustrates the risks arising from delayed remediation of legacy systems where there are dependencies for regulatory implementation projects. Early identification and management of these dependencies is needed when a new regulatory change programme arises, with acceleration of the remediation if possible to allow regulatory deadlines to be met, including via appropriate resourcing decisions.

Similarly, the PSR’s response to the Group-wide mainframe incident that impacted CoP delivery for B365 shows that firms can expect little sympathy if avoidable weaknesses in their resilience impact their ability to implement a regulatory change programme on time.

The PSR in this decision stresses that firms should take risk mitigation steps if they anticipate not being in a position to complete implementation in time. Tactical mitigations, including possible third-party solutions, should be actively explored to minimise customer harm.

The PSR decided that the notification requirement under SD17 was triggered when BOIUK formed the view that it was unlikely to meet its obligations, not when it had fully diagnosed the cause or developed a remediation plan. Regulators expect early and transparent engagement when compliance with a regulatory deadline is at risk, even if the firm does not yet have all the answers. Regulators value the opportunity to engage constructively at the earliest possible stage.

Sign up to receive alerts from the A&O Shearman on investigations blog.