Confirmation of Payee (CoP)
Confirmation of Payee is a name-checking service that verifies a recipient's identity before a bank transfer is sent.
Key Takeaways
- Confirmation of Payee (CoP) is a real-time name-checking service that verifies whether the account name provided by a sender matches the actual account holder at the receiving bank before a push payment is executed.
- CoP was introduced in the UK to combat authorized push payment (APP) fraud, which costs consumers hundreds of millions of pounds annually. It returns one of four results: match, close match, no match, or unable to check.
- The EU launched its own equivalent, Verification of Payee (VoP), in October 2025 under the Instant Payment Regulation, and Australia followed in mid-2025: a global trend toward payer protection that contrasts sharply with crypto's irreversible transfers.
What Is Confirmation of Payee?
Confirmation of Payee (CoP) is a pre-transaction verification service that checks whether the name a sender enters for a bank transfer matches the name registered to the recipient's account. Operated by Pay.UK in the United Kingdom, CoP applies to payments made via Faster Payments and CHAPS. The goal is simple: catch mistakes and fraud before money leaves the sender's account, not after.
Before CoP, sending a bank transfer required only a sort code and account number. The recipient's name was a label for the sender's convenience: banks never checked it. This meant a single digit error in an account number could route funds to a stranger, and a fraudster posing as a trusted business could collect payments undetected. CoP closes that gap by making the name a verified field rather than a decorative one.
The UK's Payment Systems Regulator (PSR) mandated CoP adoption through Specific Direction 10 in 2019, initially targeting the six largest banking groups. By October 2024, Specific Direction 17 extended the requirement to all payment service providers handling Faster Payments and CHAPS, bringing coverage to approximately 99% of domestic transfers.
How It Works
CoP operates as an API-driven check that runs in real time when a payer sets up a new payee or modifies payment details. The target response time is under one second, with a maximum of three seconds.
- The sender enters the recipient's name, sort code, and account number into their banking app or online banking portal
- The sender's bank (the sending PSP) submits a CoP request to the recipient's bank (the receiving PSP) via the CoP service
- The receiving bank compares the submitted name against the name registered to the account
- The receiving bank returns one of four standardized responses to the sending bank
- The sending bank presents the result to the sender, who decides whether to proceed
The Four Response Types
Every CoP check returns one of these standardized results:
- Match: the name provided aligns with the account holder's name at the receiving bank. The payment can proceed with confidence.
- Close match: the name is similar but not exact (for example, "J Smith" instead of "John Smith"), or the account type does not match. The bank may suggest a correction and ask the sender to verify before continuing.
- No match: the name entered does not correspond to the account holder's name. The sender receives a warning not to proceed without verifying the details independently.
- Unable to check: the receiving bank does not support CoP, the service is temporarily unavailable, the customer has opted out, or the account does not exist. The sender is informed that verification was not possible.
Technical Flow
The CoP request follows a standardized API pattern. Below is a simplified representation of the request and response structure:
    // Sending PSP submits CoP check
    POST /cop/verify
    {
      "sortCode": "040004",
      "accountNumber": "12345678",
      "accountName": "John Smith",
      "accountType": "personal"
    }

    // Receiving PSP responds
    {
      "result": "CLOSE_MATCH",
      "matchedName": "Jonathan Smith",
      "reasonCode": "PARTIAL_NAME_MATCH",
      "accountTypeMatch": true
    }

For joint accounts, only one account holder's name needs to match, and the order does not matter. Business accounts are checked against the registered entity name, which may differ from a company's trading name.
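The receiving-PSP decision described above (four results, joint accounts, account type), as an added sketch that is not Pay.UK's or any bank's matching code. The account book, the 0.80 similarity threshold and the rule that `matchedName` is returned only on a close match are assumptions made for this example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

CLOSE_THRESHOLD = 0.80   # assumed cut-off for this sketch, not a Pay.UK value
RANK = {"NO_MATCH": 0, "CLOSE_MATCH": 1, "MATCH": 2}

# Constructed account book: (sort code, account number) -> registered details.
ACCOUNTS = {
    ("040004", "12345678"): {"holders": ["Jonathan Smith"], "type": "personal", "opted_out": False},
    ("040004", "87654321"): {"holders": ["Priya Patel", "Sam O'Neill"], "type": "personal", "opted_out": False},
}

def normalise(name):
    """Fold case and accents, drop punctuation, return the name as tokens."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    return re.sub(r"[^a-z ]", "", re.sub(r"[.\-]", " ", folded)).split()

def compare(submitted, registered):
    """Classify one submitted name against one registered holder name."""
    a, b = normalise(submitted), normalise(registered)
    if not a or not b:
        return "NO_MATCH"
    if sorted(a) == sorted(b):                      # token order does not matter
        return "MATCH"
    initial = len(a[0]) == 1 or len(b[0]) == 1      # "J Smith" vs "John Smith"
    if initial and a[-1] == b[-1] and a[0][0] == b[0][0]:
        return "CLOSE_MATCH"
    ratio = SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_THRESHOLD else "NO_MATCH"

def cop_check(sort_code, account_number, account_name, account_type):
    """Receiving-PSP side: build the response for one CoP request."""
    record = ACCOUNTS.get((sort_code, account_number))
    if record is None or record["opted_out"]:
        return {"result": "UNABLE_TO_CHECK"}
    # Joint accounts: the best result across holders decides the outcome.
    scored = [(compare(account_name, h), h) for h in record["holders"]]
    result, holder = max(scored, key=lambda pair: RANK[pair[0]])
    type_ok = account_type == record["type"]
    if result == "MATCH" and not type_ok:
        result = "CLOSE_MATCH"                      # right name, wrong account type
    response = {"result": result, "accountTypeMatch": type_ok}
    if result == "CLOSE_MATCH":
        # Assumption: the registered name is returned only on a close match,
        # so a NO_MATCH reply never discloses who holds the account.
        response["matchedName"] = holder
    return response
```

Calling `cop_check("040004", "12345678", "John Smith", "personal")` reproduces the close-match response shown in the Technical Flow, minus the `reasonCode` field.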
Why It Matters
Authorized push payment fraud has been one of the fastest-growing categories of payment fraud in the UK. In 2024, APP fraud losses totaled approximately 450.7 million GBP across the UK banking system, according to UK Finance. Unlike chargebacks on card payments, push payments are initiated by the payer and historically offered no built-in reversal mechanism: once funds were sent, recovery depended entirely on the receiving bank's cooperation.
CoP addresses this by shifting verification upstream. Rather than chasing funds after fraud occurs, the system prevents many fraudulent and misdirected payments from executing in the first place. Lloyds Banking Group reported that CoP reduced bank transfer scams by over 30% within months of its introduction. Since launch, more than 2.5 billion CoP checks have been completed across the UK, with over 2 million checks running daily.
For businesses and fintech developers, CoP represents a broader industry shift toward embedded verification in payment rails. Traditional banking relied on post-transaction dispute resolution; CoP introduces pre-transaction trust checks that reduce friction for legitimate payments and create obstacles for fraud. This pattern is now expanding globally, as detailed in the fraud prevention in digital payments research.
Global Adoption
United Kingdom
The UK pioneered mandatory CoP adoption. The initial rollout in mid-2020 covered the six largest banking groups: Barclays, HSBC, Lloyds Banking Group, Nationwide Building Society, NatWest Group, and Santander. These institutions accounted for roughly 90% of Faster Payments and CHAPS volume.
Specific Direction 17, issued by the PSR in February 2022, expanded the mandate in two phases. Group 1 institutions complied by October 2023, and Group 2 (approximately 400 additional payment service providers) complied by October 2024. The result is near-universal coverage of domestic GBP transfers.
In October 2024, the PSR also introduced mandatory APP fraud reimbursement rules, splitting liability 50/50 between sending and receiving banks. CoP and mandatory reimbursement together create a two-layered defense: prevention at the point of payment and compensation when prevention fails.
European Union
The EU equivalent is called Verification of Payee (VoP), mandated under EU Instant Payment Regulation 2024/886, which entered into force in April 2024. Eurozone payment service providers were required to implement VoP by October 9, 2025. Non-Euro Area EU member states have until July 2027.
VoP applies to SEPA Credit Transfers and SEPA Instant Credit Transfers. Like CoP, it returns match, close match, no match, or unavailable results within a one-to-three-second window. The service must be provided free of charge to end users. The European Central Bank announced in March 2025 that the Eurosystem would offer a VoP service directly to participating PSPs.
Other Jurisdictions
The pattern is spreading. The Netherlands launched an IBAN name-check service in 2017 through Rabobank, achieving an 81% reduction in domestic transfer fraud. Belgium followed in 2022. Australia launched CoP in July 2025 as part of its Scam-Safe Accord, backed by a 100 million AUD industry investment. By March 2026, 82 Australian institutions were live, covering 143 million bank accounts with over 100 million checks completed. New Zealand launched its own service in 2024.
Use Cases
- Preventing misdirected payments: catching account number typos before funds are sent to the wrong recipient, eliminating the need for time-consuming recovery processes
- Stopping APP fraud: alerting senders when the account name does not match the entity they believe they are paying, providing a critical moment for the payer to pause and verify
- Business payment verification: confirming that supplier account details match the company name before executing invoice payments, reducing susceptibility to invoice redirection fraud
- Payroll protection: validating employee account details before salary disbursement to avoid payments landing in incorrect accounts
- Enhanced open banking flows: integrating CoP into payment initiation services alongside strong customer authentication for multi-layered payer protection
- Request to Pay verification: cross-referencing payee details in request-to-pay flows to confirm the requesting party controls the named account
Risks and Considerations
Social Engineering Bypass
CoP verifies name-to-account matching, not the legitimacy of the person or business behind the account. A fraudster who opens an account in the "correct" name (or provides the victim with the actual account holder's name alongside a convincing narrative) will produce a "Match" result. CoP reduces fraud but does not eliminate it: sophisticated social engineering can work around the check.
Business Name Complexity
Business accounts are registered under legal entity names, which often differ from trading names. A company trading as "Quick Plumbing" might have the registered account name "QP Services Ltd." This discrepancy generates false "No Match" results for legitimate payments, creating friction and potentially training users to ignore warnings.
Advisory Nature
CoP is advisory, not blocking. Senders can override "No Match" warnings and proceed with the payment. While warnings create a pause that deters many fraudulent transfers, determined or pressured senders may ignore them. The effectiveness of CoP depends partly on warning design and customer behavior.
Domestic Limitation
UK CoP only covers domestic Faster Payments and CHAPS transactions. Cross-border payments, including SWIFT transfers, fall outside CoP's scope. Fraudsters have begun pivoting toward international payment channels to circumvent CoP protections.
Recurring Payment Gaps
CoP typically checks names when a new payee is set up, not on every subsequent payment. If a fraudster gains access to an existing payee record and alters the account number, the modified payment may bypass CoP. This gap leaves recurring push payments partially exposed.
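One way a sending PSP could close this gap, shown as an added sketch rather than anything the CoP scheme prescribes: bind each stored CoP result to the exact details that were checked, and demand a fresh check when they no longer agree. The record layout, function names and key handling are assumptions for this example.

```python
import hashlib
import hmac
import json

# Assumption: the key lives with the payment service (for example in a KMS),
# not alongside the payee records it protects. Constructed demo value.
SERVICE_KEY = b"constructed-demo-key"

COVERED_FIELDS = ("sortCode", "accountNumber", "accountName", "accountType")

def details_tag(payee):
    """HMAC over the fields the CoP check covered, serialised unambiguously."""
    covered = json.dumps([payee[f] for f in COVERED_FIELDS]).encode()
    return hmac.new(SERVICE_KEY, covered, hashlib.sha256).hexdigest()

def record_cop_result(payee, result):
    """Store the CoP outcome with a tag tying it to the details checked."""
    payee["cop"] = {"result": result, "tag": details_tag(payee)}
    return payee

def needs_recheck(payee):
    """True if there is no CoP result or the details changed after the check."""
    cop = payee.get("cop")
    if cop is None:
        return True
    return not hmac.compare_digest(cop["tag"], details_tag(payee))

def authorise_payment(payee):
    """Gate a payment to a saved payee on a CoP result that still applies."""
    if needs_recheck(payee):
        return "RECHECK_REQUIRED"       # details edited since the last check
    if payee["cop"]["result"] == "MATCH":
        return "PROCEED"
    return "WARN_PAYER"                 # advisory: the payer decides
```

Because the tag is keyed, someone who can only edit the stored payee record cannot recompute it after changing the account number.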
CoP and Cryptocurrency Payments
CoP highlights a fundamental difference between traditional banking and cryptocurrency: the presence of pre-transaction identity verification. In traditional real-time payment systems, the payer at least has the opportunity to verify who they are paying. In cryptocurrency, transactions are addressed to pseudonymous public keys or wallet addresses with no built-in name resolution.
The irreversibility of crypto transfers is both a feature (censorship resistance, payment finality) and a risk (no recourse for mistakes or fraud). As stablecoin payment rails mature and compete with traditional banking for everyday transfers, the question of payer protection becomes pressing. Some stablecoin infrastructure providers are exploring identity verification layers that could offer CoP-like assurance without sacrificing the speed and programmability of blockchain-based settlement.
Protocols building on Bitcoin's layer-2 ecosystem, including Spark, sit at this intersection. While the base protocol preserves pseudonymous transfers, application-layer services can integrate name verification, transaction monitoring, and risk scoring before a payment is broadcast, offering a middle ground between CoP's banking-style protection and crypto's self-custodial flexibility. The stablecoin fraud prevention research explores how these verification patterns may evolve.