Navigating the new Verification of Payee Rulebook

Major Changes and Their Impact

The Verification of Payee (VoP) is one of the most challenging requirements within the EU Instant Payments Regulation, defining the mandatory obligation for all payer banks to check the beneficiary’s name before executing a payment. Instant payment systems enhance transaction security and efficiency through mechanisms like VoP. Verifying the international bank account number (IBAN) against the beneficiary’s name is crucial to prevent payment fraud and misdirected transactions. Misdirected payments refer to errors that occur when funds are sent to the wrong account, leading to significant financial losses. VoP helps prevent these by ensuring accurate matching of payee details before a transaction is executed. This can only be achieved by consulting the beneficiary’s bank, which creates a strong need for standardization and interoperability among European banks. To support this interoperability, the EPC has defined an appropriate VoP Scheme.

In February 2024, the EPC launched a public consultation on the initial draft version of the Rulebook for the Verification of Payee (VoP) Scheme. With the deadline in May, the EPC received more than 400 comments and questions from almost 50 contributors. After four months of work, they have now published the first released version of the Verification of Payee (VoP) Scheme Rulebook. The European Payments Council plays a crucial role in guiding the implementation of the VoP measures within the SEPA framework, enhancing payment security and preventing fraud.

This blog outlines the major changes introduced in this new version.

VoP request processing

• The Requester and the requesting PSP can agree that name verification may be fully replaced with an unambiguous additional Identification Code matching (such as a fiscal or VAT number). Consequently, the name of the payee is optional for legal persons (but still mandatory for natural persons), and the supported VoP request types, matching result scenarios (source: new EPC rulebook), and affected attributes and data elements have been adjusted accordingly. It is crucial to verify the payee's account details, including the payee's name, IBAN, and identification code, to ensure accurate transactions.

• An updated flow diagram (source: new EPC rulebook) now includes Routing and Verification Mechanisms (RVMs) and the new EPC Directory Service. This includes the step for the requesting PSP to check the access to the responding PSP using a local copy of the EDS, and for the responding PSP to check the requesting PSP. Furthermore, it is explicitly mentioned that all messages must be processed and sent immediately. The payee's PSP plays a critical role in confirming the payee's account details and responding to the payer's PSP with matches or discrepancies.

• An updated overview of the actors in the VoP model (source: new EPC rulebook). The figure shows both the relationships between the PSPs and the RVMs, as well as the interaction between both and the Directory Service (EDS). The payer's PSP is responsible for verifying the payee's account details to enhance payment security and prevent fraud.

• The maximum request execution time has been extended from 3 to 5 seconds (preferably 1 second or less). Payment service providers play a vital role in the VoP process to ensure accurate payee identification and prevent fraud.
• In the case of multiple account holders, at least the first name and last name of one of the account holders should be provided by the Requester. If the verification results in a CLOSE-MATCH, the responding PSP will only provide the exact name mentioned in the request (this is also related to GDPR).
• The role of Intermediary PSPs has been removed.

EPC Directory Service (EDS)

• The EDS stores all required operational data for reaching participating PSPs, such as identification, URLs, and endpoints. Payment service providers play a crucial role in storing and accessing this data to ensure accurate payee identification. All participants must store their data in the directory.
• The directory will be used by requesting PSPs to obtain the necessary routing information for the responding PSP and verify its participation in the scheme. The VoP service ensures the recipient's name matches the bank account number during transactions, thereby reducing the risk of Authorized Push Payment fraud. Responding PSPs must also declare in the EDS their support for additional Identification Codes, allowing requesting PSPs to determine whether it is useful to include them in the request. The directory will be used by responding PSPs to check whether the requesting PSP is a participant in the scheme.
• As part of the Routing and Verification Mechanism (RVM), providers need to regularly access the EDS to import updated data into their local directories, which will be used for request routing

Payment Security Standards and API Specification

• The VoP Scheme Inter-PSP API Specifications set out the rules for implementing the Verification of Payee request and the Verification of Payee response. The SCT Inst scheme and its compliance with the VoP scheme are crucial for ensuring regulatory adherence and interoperability.
• The publication of the API specification is still scheduled for October 2024. The Single Euro Payments Area (SEPA) requires PSPs to verify payment details to enhance security and reduce fraud.
• The API Security Framework constitutes binding supplements to the rulebook.

Recommendations for the Name Matching

• Support for Commercial Names in addition to the legal name for the responding PSP. It is up to the responding PSP to collect reliable information and use it in the verification process. The VoP scheme evolution calendar highlights key deadlines for integrating the VoP system, with a final implementation date by early October 2025.
• The extension of the MATCH scenario for legal persons: A MATCH will also be accepted if the commercial name is provided and entirely correct.
• Responding PSPs are strongly recommended to advise payees to communicate their exact and complete official names to payers in order to reduce unnecessary NO-MATCH responses and friction during payment initiation.
• The scenarios for CLOSE-MATCH have been separated for natural and legal persons, and some patterns have been added.
• For Identification Codes, CLOSE-MATCH is not possible, only MATCH or NO-MATCH.
• The recommended data clean-up for Identification Codes has been removed.

This new version of the VoP Rulebook introduces important details that help advance the deployment of the new European service in line with the established timeline. But two key milestones remain: the publication of the detailed API specifications and later, details for the EPC Directory Service (including API, data, and processes). The regulatory timeline mandates that VoP be available for all customer payment methods by October 2025, and it should be offered at no extra cost to prevent payment fraud.

If you have further questions, please contact us. We can assist you with our knowledge as well as with our Worldline Verification of Payee product.