Reeling from a digital crime wave like the rest of the world, first the UK and next the European Union (EU) are opening new fronts in the war on payments cybertheft, rolling out two separate systems to push back against push payment fraud.
It’s all about ensuring that the party receiving payment is the intended person or business.
To combat the UK’s authorised push payment (APP) fraud epidemic and ensure payments integrity, UK PSPs (payment service providers) and financial institutions (FIs) continue working intently to support the UK Payment Systems Regulator (PSR) and its Confirmation of Payee (CoP) initiative.
Following CoP adoption by the six main banks during Phase I in 2020, CoP Phase II aimed to activate hundreds of financial institutions by the PSR’s October 31, 2024, deadline. PSPs UK-wide have now met the PSRs Specific Direction 17, adding 400 new PSPs to the service.
During Phase II, Bottomline, among others, supported banks and businesses migrating existing customers to the CoP name-checking service, and by enrolling new users. With the capacity to onboard at global scale, Bottomline activated the highest number of organisations on the CoP service, according to Pay.UK. They estimate that more than 99% of the UK’s CHAPS & FPS transactions can now be put through CoP identity checks.
Effectiveness over time remains to be seen. According to the British government’s ‘National Payments Vision’ policy paper issued November 14, 2024, while CoP “provides a critical safety net for consumers, it introduces new risks for firms to manage.” For that reason, the PSR “has confirmed it will commission an independent post implementation review of its policy after 12 months of the policy being in force,” per that document.
This effort to protect payments is paying off. On October 31, Kate Fitzgerald, head of policy at the PSR, told Finextra: “Confirmation of Payee has quickly become an essential anti-fraud tool. Since its launch in 2020, more than 2.5 billion checks have been completed."
Erez Nounou, Head of Product for Risk Solutions, Financial Messaging, at Bottomline, called CoP “a gold standard in payments security,” pointing out that across The Channel in the EU there’s a similar effort unfolding with the same essential function.
Verification of Payee (VoP) Secures Eurozone Payments
Within the Single Euro Payments Area (SEPA), CoP’s job is being done by Verification of Payee (VoP), a program operated by the European Payments Council (EPC).
“The scheme allows the PSP of the payer [the Requesting PSP] to instantly send to the PSP of the payee [the Responding PSP], a request to verify the IBAN and the name of the payee as given by the payer [the Requester], and potentially in addition, an unambiguous identification code [for example] Value-Added Tax (VAT) number, a Legal Entity Identifier (LEI, social security code) about that payee,” in the case of SEPA Credit Transfers (SCT) or a SEPA Instant Credit Transfer (SCT Inst), according to the EPC.
Trading in either the UK or the EU will require foreign companies to adhere to the standards as they solidify, and ideally, start creating a noticeable drop in APP fraud. But when?
Being VoP-ready is mandatory, with an October 5, 2025, deadline. While the systems are separate, "We expect to see independent schemes converge and interoperate over the next few years," said Bottomline’s Erez Nounou. And while CoP was gradually rolled out, VOP will be a ‘big bang’ with more than 2000 PSPs mandated to join in October 2025.
On November 15, 2024, the EPC published final API specifications, allowing organisations to begin design and build phases for the 2025 go-live date. However, solutions can’t be ready before the EPC Directory Specification is shared by the EPC early next year, according to recent EPC board minutes.
"We're proud of the contribution we’ve made in the UK with CoP, we’re optimistic that VOP will be as successful, and excited about the future of fraud prevention,” Nounou said. “CoP/VOP are just examples of the innovation that's coming through to protect the whole payment lifecycle.”
