A clear guide to Confirmation of Payee (CoP): what it is, how match responses work, PSR expansion to fintechs, and what it means for APP fraud reimbursement.

Authorised push payment (APP) fraud cost UK consumers and businesses more than £213 million in the first half of 2024 alone. In most cases the victim was tricked into sending money willingly, leaving traditional card-fraud controls useless. Confirmation of Payee (CoP) is the primary line of defence: a name-checking service that runs before a Faster Payment or CHAPS transfer is sent, alerting the payer when the account name does not match the destination account.
CoP is run under the rules and standards set by Pay.UK, the recognised payment systems operator for Faster Payments and Bacs. The service launched in 2020, initially covering the six largest UK banking groups. By the end of October 2024, following a regulatory expansion directed by the Payment Systems Regulator (PSR), more than 300 financial institutions had joined, and over 99 per cent of Faster Payments and CHAPS transactions are now covered. More than 2.5 billion CoP checks have been completed since launch.
For fintech founders and compliance teams, CoP is no longer background infrastructure owned by the large banks. Specific Direction 17 from the PSR has drawn a wide range of payment service providers (PSPs) into the scheme, with binding send and respond obligations. This article explains how CoP works, what the four match responses mean for payers, how the PSR drove the expansion, and what any firm offering UK payment accounts needs to do.
Confirmation of Payee is an account-name verification service for UK domestic payments. When a payer sets up a new payee or amends existing payee details, their bank or payment app queries the destination account holder's name in real time, before the payment instruction is submitted to the payment system. The query goes directly to the receiving PSP via a secure API, with a response typically returned within seconds.
CoP addresses two distinct problems. The first is APP fraud, where a criminal poses as a legitimate payee, such as a solicitor, HMRC or a supplier, and persuades the payer to send money to a fraudulent account. The second is misdirected payments, where the payer enters the wrong sort code or account number, perhaps a single-digit error, and funds reach an unintended recipient. Neither scenario was well-served by legacy payment controls, which only validated the account number format, not the name behind it.
The service covers Faster Payments and CHAPS transfers, as well as new standing orders. Bacs and Direct Debit payments are currently outside the mandatory scope but may be included in future phases. CoP does not apply to cross-border transactions where either the payer or payee account is outside the UK.
Every CoP query returns one of four responses. Each carries a different implication for the payer, and presenting these responses clearly to customers is itself a compliance obligation under the Pay.UK CoP rules and standards.
It is important to understand that CoP returns a name-matching result, not a fraud verdict. A match does not guarantee the payment is safe. A close match or no match does not guarantee fraud is occurring. The response is a signal that prompts further verification, not a block on the payment.
| Response | What it means | Recommended action for the payer |
|---|---|---|
| Match | The name entered matches the name held on the destination account. | Proceed with confidence. The account details are consistent with the intended payee. |
| Close match | The name is similar but not identical, for example 'J Smith' versus 'John Smith', or a company trading name versus its registered name. | Pause and contact the payee through a trusted, independent channel to confirm the correct account name before sending. |
| No match | The name entered does not correspond to the name held on the account. | Do not proceed without speaking directly to the payee. Verify account details through a method not provided in the original message. Treat an unexpected no match as a potential fraud indicator. |
| Unable to check | The system cannot return a result. This can occur due to a timeout, an opt-out by the account holder, the destination PSP not yet participating, or the account not existing. | Treat this similarly to a close match. Verify details with the payee independently before sending. Do not assume the absence of a check confirms the payment is safe. |
CoP is an API-based, peer-to-peer service. There is no central processing hub that validates names. Instead, the sending PSP's system queries the receiving PSP directly, using the Open Banking directory to locate the correct endpoint for the destination sort code. The directory acts as a routing layer, identifying which CoP-enabled institution holds a given sort code.
When a payer enters a payee's sort code, account number and name, the sending PSP constructs a CoP request and sends it to the receiving PSP's API endpoint. The receiving PSP runs the name entered against the name held in its own records, applying fuzzy matching logic to account for common abbreviations, initials and trading-name variations. It then returns one of the four standardised response codes. The end-to-end check typically completes in under two seconds.
PSPs that own their own unique sort code implement CoP directly. Those without a sort code, or with limited technical resource, can join as indirect participants through one of eight Pay.UK-accredited aggregator partners. The aggregator model was introduced specifically to enable the October 2024 expansion, allowing smaller fintechs, e-money institutions and building societies to access the service without building full API infrastructure from scratch.
Under the rules, account holders can opt out of having their name verified, which triggers an 'unable to check' response to the querying PSP. PSPs must allow this opt-out but must also ensure they are not inadvertently encouraging customers to exercise it, as widespread opt-outs would undermine the service's effectiveness.
CoP launched in 2020 under PSR Specific Direction 10, which required the six largest UK banking groups to implement send and respond capability. This initial phase covered approximately 90 per cent of Faster Payments and CHAPS transaction volumes by value, but left a significant gap for smaller firms.
In October 2022, the PSR issued Specific Direction 17, which extended CoP obligations to nearly 400 additional PSPs. The direction divides firms into two implementation groups.
Group 1 named 32 large financial institutions explicitly. They were required to have CoP operational by 31 October 2023.
Group 2 covers any PSP not in Group 1 that meets any of the following criteria: it holds a unique sort code listed on the Extended Industry Sort Code Database (EISCD), it is a building society, or it facilitates CHAPS or Faster Payments for customers with accounts from which they can send and receive payments. Group 2 firms were required to comply by 31 October 2024.
The practical effect is that a wide range of fintech firms, e-money institutions, challenger banks and specialist payment providers are now within scope, provided they meet the sort-code and payment-account criteria. Firms that are indirect PSPs, meaning they send payments via a sponsor bank using that bank's sort code rather than their own, may fall outside the direct scope of SD17 for send obligations, but they should seek their own legal assessment as the rules around secondary reference data are nuanced.
All directed firms must provide both send and respond capability, unless they operate accounts that only receive payments, in which case a respond-only obligation applies. Once a firm has implemented CoP, it must notify the PSR in writing within 28 days.

CoP does not operate in isolation. The PSR's mandatory APP fraud reimbursement requirement took effect on 7 October 2024, just weeks before the Group 2 CoP deadline. Under the reimbursement rules, PSPs participating in Faster Payments are required to reimburse in-scope customers who fall victim to APP fraud in most circumstances, subject to a cap of £85,000 per claim. The Bank of England set a matching cap for CHAPS.
The two regimes are designed to work together. CoP reduces the incidence of APP fraud by giving payers a name-verification prompt at the point of payment. The reimbursement rules create a financial incentive for PSPs to make CoP work well: a PSP that implements CoP poorly, or that presents match responses in a way that does not actually prompt customers to pause and check, may find its fraud losses, and therefore reimbursement liability, remain elevated.
The PSR has been explicit that CoP alone is not sufficient. It forms part of a wider approach that includes reimbursement obligations, improved fraud data sharing between firms, and consumer vulnerability monitoring. But for any firm processing UK push payments, a functioning CoP system is both a regulatory requirement and a practical first control.
If your firm has its own sort code and offers payment accounts from which customers send Faster Payments or CHAPS transfers, you are almost certainly within scope of Specific Direction 17. The starting point is to confirm your classification and, if in Group 2, check whether you have notified the PSR of your implementation as required.
For firms that have not yet implemented CoP, the aggregator route is the most practical path. Eight Pay.UK-accredited technology partners can provide access to the CoP service without requiring you to build a direct API integration from scratch. Implementation timelines for cloud-based solutions have been quoted at approximately six weeks, though scoping, testing and PSR notification add to the total project timeline.
On the customer-facing side, the presentation of CoP responses matters as much as the underlying check. Regulators and consumer bodies have highlighted cases where banks presented match responses in ways that minimised the warning, reducing the chance that customers would pause before sending. Firms should design their CoP journeys so that close-match and no-match responses are genuinely prominent, require an active confirmation from the customer, and direct customers to verify details through an independent channel rather than relying on the contact information that may itself have been provided by a fraudster.
Firms processing batch or bulk payments, for example payroll runs or supplier payment files, should assess whether their batch flows are in scope and whether any of the exemptions, such as payments to loan repayment accounts or to accounts with pre-nominated recipients, apply to specific payment types in their product set.
Confirmation of Payee has moved from a large-bank initiative to a near-universal feature of UK retail and business payments in the space of four years. The combination of PSR Specific Direction 17 and the mandatory APP fraud reimbursement rules that both arrived in late 2024 means that CoP is now a compliance obligation for most UK payment account providers, not an optional enhancement. More than 2.5 billion checks and coverage of over 99 per cent of Faster Payments and CHAPS transactions demonstrate that the infrastructure is mature and working at scale.
For fintech and payment firms, the practical priorities are confirming scope, implementing correctly via either direct or aggregator routes, and getting the customer journey right. A name-check that is technically live but presented in a way that customers ignore does not fulfil the spirit or the letter of the regulatory expectation. Done well, CoP is one of the most direct fraud-prevention controls a payment firm can offer its customers.
It depends on whether your firm holds its own unique sort code listed on the EISCD and offers accounts from which customers send Faster Payments or CHAPS. If it does, Specific Direction 17 almost certainly applies. If you operate via a sponsor bank's sort code without your own, your obligations are more nuanced and you should take a specific legal view on whether the indirect-PSP exemptions apply to your model.
Under the PSR's mandatory APP fraud reimbursement rules, a PSP may be able to argue that the customer proceeded despite a clear warning, which could affect reimbursement. However, the framework requires PSPs to present warnings in a way that genuinely gives customers a meaningful opportunity to stop. Simply displaying a warning banner is unlikely to be sufficient if it can be easily dismissed.
Yes. Account holders can opt out, which means queries about their account return an 'unable to check' response to the sending PSP. PSPs must permit this opt-out but should not encourage it, as doing so would undermine the service and could create regulatory risk.
No. CoP applies to domestic UK payments only. Where either the payer or payee account is outside the UK, the CoP obligation does not apply. The EU's Instant Payments Regulation introduces a separate payee-verification requirement for euro-denominated credit transfers, which is a distinct regime.
The aggregator model allows PSPs to access CoP indirectly through one of eight Pay.UK-accredited technology partners, rather than building a direct API integration. It was introduced specifically to make the October 2024 expansion feasible for smaller firms. It is well-suited to fintechs and challenger firms that meet the SD17 criteria but lack the resources for a full direct integration. Cloud-based aggregator implementations have been quoted at approximately six weeks for the technical build.
Nasara Pay helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.