Share this post
CoP / VoP
Tick tock, tick tock, rather than being Tick Tock, the croc coming for Captain Hook is the sound of the impending timeline closing in for the implementation of Confirmation of Payee (CoP). The timeline for tranche two of the institutions mandated by the PSR to join the CoP service in the UK is imminent (SD 17 requires that named organisations have implemented solutions by 31st October 2024), with the EU releasing their draft Verification of Payee (VoP) rule book for consultation (which closes 19th May 2024), and is expected to enter publication in September 2024 to take effect by September 2025…
One of the measures that will be used to prevent fraudulent (such as Authorised Push Payment scams / APP) or incorrect payments being made to the wrong account or that of a fraudulent actor. CoP/VoP is a mechanism in the first and last name of an individual or the registered business name (in the case of A2B/B2B) associated to that account along with an account number and sort code (IBAN outside of the UK) is used as a check to make sure the payment is being sent to the correct payee. This works by way of a look-up; once a new payment is initiated, the Payment Service Provider (PSP) that is leveraging CoP / VoP verifies these details against the payee account record and returns an outcome back to the payment initiator.
Four outcomes are expected following the implementation of CoP / VoP (this is true for both the UK and the EU versions of the solution)
Match
- On using the correct name for the account, positive confirmation is provided that all of the details match as expected, and the payment initiator continues
Close match
- If the details are similar to those on the account (think, for example, the different ways to spell Aaron), the initiator will be given the details from the account to allow a manual “four eyes” check, either rekeying the details or able to contact the account holder to discuss
No match
- If the details entered do not match those held on file, the initiator is advised this is the case, and they should contact the individual or organisation for clarity
Unavailable
- For a varying number of reasons, an initiator may receive this: the service has timed out, the account does not exist, or potentially the FI holding this account has not yet enabled the CoP / VoP service/functionality on their side
The key outcomes for an initiator to heed are those for a No Match or Unavailable response, where additional investigation on their part will be required. The aim is that this layer of “double-check” will help to reduce the impact of certain frauds, misdirected payments, or miss-keyed payments. This is timely given the mandate from the PSR for APP fraud reimbursement, which comes into force on 7th October 2024 in the UK and outlines repayment against this type of fraud.
In the UK, there are two methods for an institution to leverage CoP / VoP, either as a direct participant or via an aggregator. To be a direct participant as an institution requires that, at a minimum, the PSP be FCA or NCA regulated & authorised to perform payment service activities, to have customers (either individuals or business(es) that are reachable by sort code and accounts number(s), be part of the named set of organisations that are referenced in the PSR’s SD17 and offer accounts addressable by Secondary Reference Data “SRD” (i.e. not the account number and sort code only) and possesses a unique sort code listed on the Extended Industry Sort Code Database (EISCD). Upon meeting the criteria, an institution can either engage with a third party to leverage their CoP / VoP modules, capability & functionality or develop an in-house solution. The alternate method via an aggregator simplifies the process somewhat by allowing a third party to join and use their certificates to identify with other institutions, streamlining the connection process, the aggregator model will not be made ready until Spring 2024.