Search
Choose a style
Dark
Light
Time to read: 4 min

Bank of Ireland hit with £3.8m PSR fine

Dublin, Ireland - February 13, 2019: View of the front of a branch of the Bank of Ireland in the historic city centre on a winter day.
Editorial credit: Pierre-Olivier / Shutterstock.com

The regulator found the lender failed to meet Confirmation of Payee deadlines, exposing £6.9bn of transactions to heightened fraud and misdirection risk.

The UK’s Payment Systems Regulator has fined Bank of Ireland (UK) £3.78m ($5.09m) for failing to implement Confirmation of Payee (CoP) send functionality by the October 2023 regulatory deadline, concluding the breach exposed customers to avoidable fraud and payment error risks.

In a Decision Notice published on 19 February, the PSR found that BOIUK failed to comply with Specific Direction 17 (SD17), which requires Group 1 payment service providers to have and use a system capable of both sending and responding to CoP requests by 31 October 2023.

BOIUK did not meet the said deadline on either of its UK domestic payment channels. CoP send was introduced on its B365 platform on 10 February 2024 and on its Business On Line (BOL) channel on 7 January 2025. The Relevant Period of non-compliance therefore ran from 31 October 2023 to 7 January 2025.

During this period, the regulator found that approximately £6.9bn of transactions were sent without the CoP coverage required under SD17, affecting payments to more than 1.14 million new payees. Customers setting up new payees or amending payee details did not benefit from account name-checking safeguards designed to reduce authorised push payment fraud and accidental misdirection.

The PSR stated that BOIUK “failed to put in place and use a CoP system when sending payments for customers by the Group 1 deadline of 31 October 2023” and concluded that the failings undermined the policy objective of reducing fraud risk and strengthening trust in digital payments.

Failure to mitigate and notify

Confirmation of Payee, overseen by Pay.UK, is a core component of the UK’s anti-fraud framework across Faster Payments and CHAPS. SD17 expanded mandatory CoP coverage to hundreds of additional payment service providers, reflecting the regulator’s view that name-checking safeguards are central to reducing APP fraud and improving payment accuracy.

While the root causes of delay predated SD17, the PSR found decisions taken after publication of the direction contributed materially to the breach.

The bank’s CoP send implementation on BOL became dependent on a broader internal improvement programme. The regulator concluded that BOIUK failed to sufficiently assess interim mitigation options while those dependencies were resolved. These included the potential use of a third-party solution to offer CoP send access, or directing eligible customers toward compliant channels once B365 functionality was live.

The PSR also determined that BOIUK breached paragraph 3.7 of SD17 by failing to notify the regulator within 28 days of forming the view that it would miss the deadline. Although SD17 was published in October 2022, BOIUK did not inform the PSR of its likely non-compliance until April 2023.

The bank had interpreted the notification requirement as applying only once a detailed explanation and fully developed remediation plan were available, an interpretation the regulator rejected.

BOIUK cited a major Group-wide mainframe incident in August 2023 and the invocation of Service Protection Periods as contributing factors. However, the PSR stated that more robust preventative measures would likely have avoided disruption to CoP delivery.

The regulator noted that BOIUK was the last Group 1 firm to achieve compliance.

Seriousness and penalty

In assessing seriousness, the PSR classified the breach within the “moderate” range. It cited the volume and value of affected transactions, the prolonged nature of non-compliance and the increased fraud and misdirection risk faced by customers.

However, it concluded that the failings were not deliberate or reckless. Group-level resilience issues and prioritisation decisions contributed to delay, but the regulator stopped short of characterising the breach as intentional misconduct.

Applying its four-step penalty framework, the PSR set an initial figure of £5.4m, reflecting a 7% seriousness factor applied to relevant revenue. It found no material aggravating or mitigating factors warranting adjustment and did not increase the amount for deterrence.

A 30% discount was then applied to reflect early settlement, resulting in a final penalty of £3,779,300. The sum must be paid by 5 March 2026.

The PSR confirmed it will publish details of the compliance failure and the penalty under its statutory powers.

Subscribe to our newsletter