As Australia and New Zealand move forward with Confirmation of Payee (CoP)–style initiatives, the UK stands as the most mature real-world test case of what these schemes actually deliver.
Introduced in 2019, the UK’s CoP mechanisms were designed to reduce payment fraud by checking whether bank account details match the intended recipient before funds are released. Five years on, CoP is now mandatory across most UK payment service providers and widely referenced as a cornerstone of the country’s anti-fraud strategy.
For CFOs in Australia and New Zealand, the question is no longer theoretical: does CoP materially protect businesses, or does it simply shift responsibility while leaving the core risk unresolved?
The UK evidence points clearly to the latter. Here’s why.
What CoP was designed to fix (and what it was never built to solve)
At its core, CoP is a name-matching service. It compares the payee’s name entered by the payer with the name held by the recipient’s bank for a given sort code and account number, returning one of four outcomes according to the Confirmation of Payee guidance on Pay.UK:
- match (green)
- close match (amber)
- no match (red)
- unavailable
In consumer contexts, this control is effective. It introduces friction at the moment funds are about to leave an account, and it has reduced accidental misdirected payments in the UK, according to UK Finance.
But CoP was never designed to validate:
- Intent (why the payment is being made)
- Context (whether details have changed legitimately)
- Authenticity (whether trust has been manipulated upstream)
It performs a narrow data comparison at a single point in time. That limitation is manageable for consumers. For businesses, it’s a fundamental missing piece.
UK fraud hasn’t gone down
Despite CoP being in place for over five years, Authorised Push Payment (APP) fraud has not meaningfully declined in the UK. Instead, its characteristics have evolved.
UK Finance data (Fraud: The Facts 2024) shows that:
- APP fraud volumes remain persistently high
- Losses affecting non-personal (business) customers remain significant
- Invoice and mandate scams continue to represent one of the highest-value fraud categories for businesses
Regulators and industry bodies acknowledge that fraudsters have adapted to CoP by:
- Opening accounts in names likely to return a “green” result
- Grooming victims to override red warnings
- Exploiting ambiguous “amber” outcomes
In other words, CoP has raised friction, but it has not removed the vulnerability.
How business payments expose the limits of bank-level verification
Business payments are not isolated transactions. They move through continuous workflows: supplier onboarding, vendor master maintenance, invoice processing, payment file creation, approval, and release of funds.
Fraud rarely enters at the point of payment. It enters earlier, typically through:
- Compromised supplier email accounts
- Manipulated bank-detail change requests
- Internal access or credential misuse
CoP in its current form operates only at the final step.
By the time a CoP check is triggered, the organisation has already trusted the data. The bank does not assess how the details were introduced, whether they changed recently, or whether communication channels were compromised. It simply compares two strings of text at that moment.
For CFOs, this means CoP is not a preventative control but a late-stage signal. This can be overcome: a few banks have indicated that they will start helping businesses by providing their data at earlier stages of the payment process. But is that going to be effective?
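The questions a CoP response leaves open (how the details entered the vendor master, whether they changed recently, whether anyone independently confirmed them) can be checked by the payer over a batch before release. The sketch below is an added example, not part of the original article; the record fields, the `verified_out_of_band` flag and the 30-day window are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class VendorRecord:               # hypothetical vendor-master row
    account: str                  # sort code + account number on file
    changed_on: Optional[date]    # last bank-detail change, None if never changed
    change_channel: str           # how the change request arrived
    verified_out_of_band: bool    # confirmed via an independently sourced contact

@dataclass
class Payment:                    # hypothetical payment-file row
    vendor_id: str
    account: str
    cop_result: str               # "match", "close_match", "no_match", "unavailable"

def review_batch(payments, master, run_date, window=timedelta(days=30)):
    """Return {batch index: [reasons]} to hold; the 30-day window is an assumed policy."""
    holds = {}
    for i, p in enumerate(payments):
        reasons = []
        v = master.get(p.vendor_id)
        if v is None:
            reasons.append("vendor not in master file")
        else:
            if p.account != v.account:
                reasons.append("payment account differs from vendor master")
            recent = v.changed_on is not None and run_date - v.changed_on <= window
            if recent and not v.verified_out_of_band:
                reasons.append(f"details changed via {v.change_channel}, not independently verified")
        if p.cop_result != "match":
            reasons.append(f"CoP outcome: {p.cop_result}")
        if reasons:
            holds[i] = reasons
    return holds

# Constructed sample data (not from the article).
MASTER = {
    "V001": VendorRecord("00-00-01 00000001", None, "onboarding", True),
    "V002": VendorRecord("00-00-02 00000002", date(2024, 5, 20), "email", False),
    "V003": VendorRecord("00-00-03 00000003", None, "onboarding", True),
}
BATCH = [
    Payment("V001", "00-00-01 00000001", "match"),
    Payment("V002", "00-00-02 00000002", "match"),        # green, but unverified change
    Payment("V003", "00-00-03 00000003", "close_match"),  # amber
]
print(review_batch(BATCH, MASTER, run_date=date(2024, 6, 1)))
```

The second payment is held despite a green CoP result, because the hold is driven by the change history of the record rather than by the name comparison.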
The most dangerous outcome: amber alerts in business payments
One of the clearest, and frankly least discussed, lessons from the UK is the structural risk created by “amber” (close match) outcomes, particularly for business and batch payments.
An amber result provides:
- No explanation of what did not match
- No assistance from the bank in resolving the discrepancy
- No mechanism for the payer to correct or clear the alert
Data protection rules prevent banks from disclosing which part of the name failed to match. Once an amber alert is returned, it cannot be resolved inside the banking system even if the business believes the supplier details are correct.
This becomes especially problematic for batch payments, which are the dominant payment method for B2B transactions.
CoP is not natively designed for batch workflows. As a result:
- Amber outcomes are carried forward into payment runs
- AP teams cannot “fix” them by requesting that an amber alert be changed to green
- The amber alert persists indefinitely in every subsequent payment run
Fraudsters do not need to defeat CoP. They only need to explain the amber alert.
According to UK Finance, victims are increasingly groomed to convince themselves a payment is legitimate, even when warnings are present. A plausible explanation, delivered through compromised email or phone channels, is often enough for teams to proceed.
From an operational perspective, the payment appears controlled. From a governance perspective, nothing has been independently verified.
The deeper issue is corrosive: the vendor master file becomes suspect, yet the bank cannot provide a definitive answer either. CFOs are left unable to obtain a clear “yes” or “no” on payment accuracy, only a record that risk was flagged and transferred.
This is not a process failure. It's a limitation of the CoP design, which is massively helpful for reducing instances of individual consumer fraud but can't address all the needs of B2B payments.
Where responsibility ultimately lands
UK case law and regulation make the accountability clear: once a payment is authorised, banks disclaim liability for payment fraud involving business customers. (See: Philipp v Barclays Bank UK PLC [2022]).
Similar terms of service exist in Australia and New Zealand. Further, fraud reimbursement frameworks in the UK such as the Contingent Reimbursement Model (CRM) overwhelmingly favour personal customers and micro-enterprises. Larger businesses are largely excluded, according to the Lending Standards Board.
Boards, auditors, and insurers don’t assess whether a warning was displayed. Rather, they assess whether controls were reasonably capable of preventing loss.
A control that surfaces risk but can’t resolve ambiguity does not meet that standard.
What Australia and New Zealand should learn from the UK
Australia and New Zealand are rolling out CoP-style schemes on real-time payment rails – NPP in Australia and equivalent systems in New Zealand – that closely resemble Faster Payments in the UK.
If the UK model is followed, the outcome is highly predictable:
- Consumer protection will improve
- Fraud patterns will adapt rather than disappear
- Batch B2B payments will remain weakly protected
- Amber outcomes will shift risk onto businesses
- CFOs will carry responsibility without certainty
The UK experience shows that point-in-time verification can’t fully solve a lifecycle problem.
Unless Australia and New Zealand explicitly address upstream verification, including supplier onboarding, bank-detail changes, and vendor master integrity, and provide services to accommodate “amber” alerts, they should expect the same result: B2B fraud succeeding through ambiguity.
The lesson after five years
CoP improves visibility and detects ambiguity, but it doesn’t create certainty for business payments.
CoP hasn’t failed – on the contrary, it’s a positive step! – but it also hasn’t solved business payment fraud. This isn’t surprising, because fraud is a multi-faceted, ever-evolving threat and it’s unlikely that any single, unilateral solution can solve it forever.
The most dangerous outcome is not a red alert: it’s an amber one that cannot be resolved, cannot be cleared, and cannot be trusted. After five years, the UK has learned these lessons the hard way. Australia and New Zealand now have the opportunity to learn them sooner. But, in the meantime, organisations are exposed and liable to fraud today.
In other words, leaders can’t wait for banks to solve these problems for them.