CoP / VoP
Tick tock, tick tock, rather than being Tick Tock, the croc coming for Captain Hook is the sound of the impending timeline closing in for the implementation of Confirmation of Payee (CoP). The timeline for tranche two of the institutions mandated by the PSR to join the CoP service in the UK is imminent (SD 17 requires that named organisations have implemented solutions by 31st October 2024), with the EU releasing their draft Verification of Payee (VoP) rule book for consultation (which closes 19th May 2024), and is expected to enter publication in September 2024 to take effect by September 2025…
One of the measures that will be used to prevent fraudulent (such as Authorised Push Payment scams / APP) or incorrect payments being made to the wrong account or that of a fraudulent actor. CoP/VoP is a mechanism in the first and last name of an individual or the registered business name (in the case of A2B/B2B) associated to that account along with an account number and sort code (IBAN outside of the UK) is used as a check to make sure the payment is being sent to the correct payee. This works by way of a look-up; once a new payment is initiated, the Payment Service Provider (PSP) that is leveraging CoP / VoP verifies these details against the payee account record and returns an outcome back to the payment initiator.
Four outcomes are expected following the implementation of CoP / VoP (this is true for both the UK and the EU versions of the solution)
Match
Close match
No match
Unavailable
The key outcomes for an initiator to heed are those for a No Match or Unavailable response, where additional investigation on their part will be required. The aim is that this layer of “double-check” will help to reduce the impact of certain frauds, misdirected payments, or miss-keyed payments. This is timely given the mandate from the PSR for APP fraud reimbursement, which comes into force on 7th October 2024 in the UK and outlines repayment against this type of fraud.
In the UK, there are two methods for an institution to leverage CoP / VoP, either as a direct participant or via an aggregator. To be a direct participant as an institution requires that, at a minimum, the PSP be FCA or NCA regulated & authorised to perform payment service activities, to have customers (either individuals or business(es) that are reachable by sort code and accounts number(s), be part of the named set of organisations that are referenced in the PSR’s SD17 and offer accounts addressable by Secondary Reference Data “SRD” (i.e. not the account number and sort code only) and possesses a unique sort code listed on the Extended Industry Sort Code Database (EISCD). Upon meeting the criteria, an institution can either engage with a third party to leverage their CoP / VoP modules, capability & functionality or develop an in-house solution. The alternate method via an aggregator simplifies the process somewhat by allowing a third party to join and use their certificates to identify with other institutions, streamlining the connection process, the aggregator model will not be made ready until Spring 2024.
Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.
We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.
Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.
Please click the button below which relates to the issue you’re having.
Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association
Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.
For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.
The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.
Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.
Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.
For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.
