top of page
Search

Confirmation of Payee 2.0: The Last Defence Before APP Reimbursement Bites

  • Writer: TrustSphere Network
    TrustSphere Network
  • 4 hours ago
  • 4 min read
Confirmation of Payee 2.0 mobile banking transfer

The UK's mandatory APP-scam reimbursement regime has been in force since October 2024, and the scheme data is finally giving us a clean picture of what works at the point of payment and what does not. The headline finding is straightforward — Confirmation of Payee, in its first-generation form, was a useful but porous control, and the 50/50 reimbursement liability split between sending and receiving PSPs has placed real economic pressure on both sides to do better. Confirmation of Payee 2.0 is the response.


The PSR's 2026 reimbursement-regime review, opened in February and reporting in October, is examining whether the existing CoP design is fit for purpose at the volumes and attack types now seen. Pay.UK and OBL have published technical specifications for an enhanced CoP model that supports legal-entity name resolution, multi-name account matching and richer mismatch metadata returned to the originator's screen. Several PSPs are already in pilot.


The strategic framing for boards is that CoP 2.0 is not a tweak — it is the next defensive line under a reimbursement regime that has materially raised the cost of getting this wrong. Sending PSPs that under-invest will pay it in liability. Receiving PSPs that under-invest will pay it in scheme penalties and de-risking by their counterparties.


Regulatory and Market Context


The PSR's published Q4 2025 scheme statistics show APP fraud losses reimbursed under the mandatory regime running at GBP 480 million annualised — within the model envelope, but with a notable concentration of losses on a small set of receiving PSPs that the regulator has named in its supervisory communication. Several smaller PSPs have already had their participation in Faster Payments restricted or paused.


Internationally, the direction of travel is converging. Singapore's Shared Responsibility Framework, Australia's Scams Prevention Framework and the European Commission's PSD3 / Payment Services Regulation proposal all incorporate elements of mandatory pre-payment beneficiary verification and scheme-level liability sharing. CoP-equivalent obligations are likely to be the global norm by 2028.


What the Data Is Showing


Where CoP 2.0 has been piloted, false-positive name-mismatch rates have fallen by around 35-45%, and end-customer ignore-the-warning rates have fallen meaningfully when the friction is genuinely informative rather than generic. The biggest gains come not from improved name-matching algorithms but from richer return metadata that lets the originating bank surface a context-appropriate warning rather than a binary mismatch.


On the receiving side, the standout finding is the relationship between mule-account enrolment quality and scheme losses. Receiving PSPs with strong onboarding, behavioural enrolment and ongoing-monitoring practices show APP-related reimbursement claims at less than half the per-account rate of weaker peers. The PSR has been explicit in its 2026 work programme that this will become an enforcement priority.


Implications for Financial Institutions


For sending PSPs, CoP 2.0 is the most cost-effective per-pound prevention investment on the table in 2026, and the design choice that matters most is what to surface to the customer in the warning UI. Generic warnings have measurable habituation effects; contextual ones do not. Behavioural and journey-level testing should be a non-negotiable part of the build.


For receiving PSPs, the regulatory focus is moving fast from inbound transaction monitoring to onboarding and mule-detection at enrolment. The next 18 months are likely to see significantly more targeted PSR engagement with PSPs whose mule-account population looks anomalous against their peer group, and a higher-evidence bar for participation in the central scheme.


Conclusion


Confirmation of Payee 2.0 is arriving at the right moment — the reimbursement regime has changed the cost structure of getting APP scams wrong, and the next generation of pre-payment controls finally has a serious commercial reason to exist. The institutions that treat 2.0 as a CX problem as well as a fraud problem are going to land it best.


Suggested Next Steps

  • Confirm your CoP 2.0 implementation roadmap against Pay.UK's technical specification and the PSR 2026 review timeline.

  • Run a behavioural-testing exercise on your mismatch-warning UI to validate it does not exhibit habituation effects.

  • Stress-test your mule-account enrolment and behavioural-monitoring controls against peer-group reimbursement rates.

  • If you are a receiving PSP, prepare a defensible evidence pack on inbound mule controls now — supervisors will ask for it.


Sources: PSR APP Scams Reimbursement Regime Q4 2025 Statistics; Pay.UK Confirmation of Payee 2.0 Technical Specification (2025); PSR 2026 Reimbursement Regime Review (Feb 2026); MAS Shared Responsibility Framework; Australia Scams Prevention Framework; European Commission PSD3 / PSR proposal.


TrustSphere Risk Index — Vendor Spotlight: Bottomline


The TrustSphere Risk Index is a quarterly assessment of 221 financial-crime vendors across 8 categories and 11 capability dimensions including data coverage, real-time performance, network analytics, model-risk transparency and integration depth. The March 2026 index update is now available to TrustSphere clients.


In the Payment Fraud & APP Prevention category, Bottomline scored 55% in the March 2026 index — strong on Faster Payments inline screening, mule-account behavioural detection, and CoP and CoP-equivalent integrations. Bottomline's depth on UK and European payment-rail integration is a particular differentiator for institutions with material exposure to those schemes.


For institutions evaluating providers in this space, Bottomline is one of several credible options — vendor fit depends heavily on existing architecture, deployment model and downstream tooling. Contact TrustSphere for a comprehensive vendor suitability assessment tailored to your institution.


TrustSphere helps financial institutions design and deploy intelligent fraud and financial crime detection solutions. Visit www.trustsphere.ai

Comments

Recommended by TrustSphere

Atfinity


 

Izengard


 

Trefis


 

Noto360



 

Thetaray


 


Regulation Asia


 


FCC Analytics

 

Futurum



 



Darwinium


 

Arkose Labs


 

SumSub



 

FinanceX



 

FullArmor



 

Clari5



 

© 2024 TrustSphere.ai. All Rights Reserved.

hello@trustsphere.ai

  • LinkedIn

AML Watcher


 

Relevance.ai



 

LevelFive



 

Disclaimer for TRUSTSPHERE.AI

The content provided on the TRUSTSPHEREAI website is intended for informational purposes only. While we strive to provide accurate and up-to-date information, the data and insights presented are generated from a contributory network and consolidated largely through artificial intelligence. As such, the information may not be comprehensive, and we do not guarantee the accuracy, reliability, or completeness of any content.  Users are advised that important decisions should not be made based solely on the information provided on this website. We encourage users to seek professional advice and conduct their own research prior to making any significant decisions.  TruststSphere Partners is a consulting business. For a comprehensive review, analysis, or support on Technology Assessment, Strategy, or go-to-market strategies, please contact us to discuss a customized engagement project.   TRUSTSPHERE.AI, its affiliates, and contributors shall not be liable for any loss or damage arising from the use of or reliance on the information provided on this website. By using this site, you acknowledge and accept these terms.   If you have further questions,  require clarifications, or requests for removal or content or changes please feel free to reach out to us directly.  we can be reached at hello@trustsphere.ai

bottom of page