Banks’ and EMIs’ new information and account direct deduction obligations under UK Public Authorities (Fraud, Error and Recovery) Act 2025 - Government consults on Codes of Practice

Charles Elliott, Virginia Montgomery
Hogan Lovells
Contact
LinkedIn
Facebook
X
Send
Embed

Hogan Lovells

A Department for Work and Pensions (DWP) consultation on draft Codes of Practice (COPs) on the issuing of information notices and direct deduction orders (DDOs), eligibility verification notices (EVNs), and information notices related to fraud investigations was launched shortly after the Public Authorities (Fraud, Error and Recovery) Act 2025 received Royal Assent in early December 2025. The consultation closed on 27 February 2026. Regulations providing further detail on requirements in a number of areas are still pending. Although the DWP has committed to “test and learn” periods for both the DDO and EVN processes once introduced, there is still a lot that in-scope firms will have to be ready for from day one.

Current status of relevant provisions under the Act

With the exception of the provisions on EVNs, which came into force on 2 February 2026, the other relevant provisions under the Act are not yet in force (except to the extent necessary for required regulations to be developed).

However, the government has made it clear that it will begin implementing the measures in the Act this year, once the COPs are published. In the meantime, the DWP and the Cabinet Office will continue to work with industry on implementation, including planned additional guidance.

The DWP will initially test the eligibility verification power with a small number of financial institutions - the ‘Test and Learn’ period - focusing on ensuring that delivery of the measure is ‘workable and effective’. The measure will then be gradually rolled out with all relevant financial institutions.

There will also be a ‘robust period of test and learn activity’ in relation to DDOs, with the aim of helping the DWP to find the most effective way of working with banks on the DDO process.

What are some of the key takeaways from the DWP COPs consultation?

Scope

  • One point worth bearing in mind is that, while the Act’s provisions on EVNs and DDOs currently only apply to authorised deposit takers (banks) and e-money issuers (EMIs), further types of financial institution may be added via future regulations if they are relevant to the exercise of the powers. This includes products or services/accounts that operate by reference to cryptoassets or any similar product/service or asset.

Draft eligibility verification notices COP

  • Following amendments made during the Act’s passage through Parliament, the DWP’s power to issue an EVN is now dependent on it considering such a notice to be ‘necessary and proportionate’. However, the draft COP contains a list of factors that the DWP ‘may consider’ in assessing necessity and proportionality, among which is a “catch-all” provision encompassing ‘any other relevant considerations’. This could reduce the level of comfort for financial institutions on the extent to which the EV power has actually been restricted.
  • An EVN must not request data which is more than one year old ending with the day on which the EVN was sent. This is not as limited as it might first appear, as the EVN may also request the date on which the account(s) first began to meet the eligibility indicator(s) set out in the EVN, even if this date is more than one year after the day on which the EVN was sent. By way of example in the draft COP, a financial institution may be required to provide the date on which an account in receipt of a relevant benefit first held capital in excess of the capital amount specified in the EVN. If, over a period of time, an account (and any linked accounts) fluctuates in its meeting of an eligibility indicator, then the financial institution must share the date on which the account(s) in question most recently began to meet the eligibility indicator. This is therefore likely to be an onerous requirement for financial institutions to fulfil.
  • Penalties can be issued for sharing inaccurate or prohibited information (the latter being transaction information or special category data), as well as for general non-compliance with an EVN. The draft COP emphasises that financial institutions ‘should put in place robust safeguards to mitigate the risk of these types of information being shared.’
  • While information shared solely in response to an EVN should not trigger any financial crime obligations for the bank or financial institution sharing that data, the draft COP makes it clear that if a financial institution identifies or already holds information in the course of its business that, in combination with an EVN return, might indicate fraud, they should consider their existing financial crime obligations (e.g. the Proceeds of Crime Act 2002 (POCA) and the Money Laundering Regulations 2017).

Draft direct deduction orders COP

  • There are a number of circumstances in which a DDO may be varied, including where an individual (and any other account holder) informs DWP at any time during the order that their circumstances have changed. The bank/EMI will need to comply with the varied order, including giving effect to any new deduction amount or applying the DDO to another account held by the debtor (where this was requested by an account holder). While the Act makes provision for the recovery of reasonable costs in complying with the DDO, the fact that existing DDOs can be varied at any point could necessitate substantive systems and process changes by banks/EMIs. The costs that can be recovered are also to be limited by regulations yet to be proposed.
  • There could be further systems and processes complications ahead, as the draft COP contains a note that regulations will clarify what actions a bank must take where one or more other, similar orders are in place in relation to an individual.
  • The draft COP clarifies that if a bank receives a Data Subject Access Request (DSAR), it will not be in breach of the prohibition on notifying the individual or any other account holder(s) that DWP has requested or obtained bank statements or other information by telling the individual they have received a notice. Similarly if, during the period that the bank is prevented from disclosing that DWP has requested information or issued a Pre-Deduction Notice, they are contacted by the account holder(s) as a result, the draft COP provides that they can signpost the individual (and any other account holder) to contact DWP using lines that will be made available to the bank.

Draft fraud investigations COP

  • Banks and other financial institutions are clearly in scope of the new powers to allow DWP officers authorised by the Secretary of State working within criminal investigation teams to require persons or organisations to provide information about suspected fraud, with criminal penalties (fines) for non-compliance.
  • As the draft COP illustrates, however, there may be a number of cases where DWP already has access to the relevant information through existing DWP records and so won’t need to make a request to a bank.

What’s next?

The consultation closed on 27 February 2026, and we are now waiting for a consultation response document to be published.

The Government will begin implementing the measures in the Act this year, once the COPs are published. In the meantime, the DWP and the Cabinet Office will continue to work with industry on implementation, including planned additional guidance.

Under the Public Authorities (Fraud, Error and Recovery) Act 2025 (Commencement No.1) Regulations 2025, the provisions on EVNs came into force on 2 February 2026. However, the final EVN COP must be issued before any EVNs can be given. The DWP will initially test the eligibility verification power with a small number of financial institutions - the ‘Test and Learn’ period - focusing on ensuring that delivery of the measure is ‘workable and effective’. This might involve several different approaches being trialled during the period ‘in cooperation with financial institutions.’ The DWP may adopt a ‘flexible approach to timescales and other aspects of compliance with an EVN, and the associated penalties regime.’ The measure will then be gradually rolled out with all relevant financial institutions.

The draft DDO COP also refers to the fact that notices and orders will initially be given as part of a ‘robust period of test and learn activity’, with the aim of helping the DWP to find the most effective way of working with the banks on the DDO process.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Hogan Lovells

Written by:

Hogan Lovells
Hogan Lovells
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA

  • Increased readership
  • Actionable analytics
  • Ongoing writing guidance

Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide