Bank of Ireland UK fined for late security system implementation

The UK payments regulator has fined the UK arm of the Bank of Ireland for failing to put a system in place to check payee details by the deadline it was given.

The £3.78m fine from the Payments Systems Regulator (PSR) comes after the bank was 14 months late to implement the system, meaning the checks were not applied to 1.14 million new payees and payments worth almost £7m.

Known as Confirmation of Payee (CoP), the service, which is designed to reduce fraud and misdirected payments, compares new payee names against account details. It enables people to check that they send money to the correct account. The bank should have had the CoP system in place in October 2023 under PSR’s rules, but was over a year late to do so.

David Geale, managing director at the PSR, said CoP is a vital tool to combat fraud and misdirected payments. “Bank of Ireland UK had plenty of time to put the system in place, missing the deadline by more than a year put its customers at increased risk of fraud,” he added.

The bank was the last of what are known as Group 1 payment service providers to be compliant. This group includes the UK’s largest banks.

Geale fired a warning to banks. “Where we see firms failing to comply with the CoP requirements and leaving customers without this critical protection, we will use our powers to intervene to make sure this important direction is followed,” he said.  

The Bank of Ireland UK fine would have been set at £5.4m had it not agreed to settle early and received a 30% early settlement discount. A statement from the sanctioned band said it “fully acknowledges and sincerely apologises for the delay in implementing send requests for confirmation of payee”. The system has now been in place for all its customers since January 2025, according to the bank.

“The bank takes its regulatory obligations extremely seriously and regrets that this issue arose. Protecting customers from financial harm is of critical importance to us and we are investing more than ever to do this,” it added. “From enhanced monitoring, the use of AI and strengthening our controls, we are continually improving our systems and processes to stay ahead of emerging threats and ensure customers can bank with confidence.”

The government has announced that it is terminating the PSR to reduce red tape as part of its Plan for Change. PSR activities will be transitioned to the Financial Conduct Authority (FCA), which will provide “one port of call” to payments system providers rather having to deal with multiple regulators.

The government said that this “does not result in any immediate changes to the PSRs remit or ongoing programme of work. The regulator will continue to have access to its statutory powers until legislation is passed by Parliament to enact these changes.”

Speaking to Computer Weekly last year, fintech industry expert and CEO at The Finanser, Chris Skinner, said the PSR was often on a collision course with the FCA and things got confusing. “Therefore, the National Payments Vision determined that the FCA would take precedent on any regulatory matters, which begged the question, ‘Why would you need another regulator with no power?’”