Verification of Payee: A new era in instant payment security

The European Instant Payments Regulation (IPR) has introduced a new framework to secure the use of instant SEPA credit transfers to speed up their adoption. The Verification of Payee (VOP), to be introduced in October 2025, is a European scheme applicable to payment service providers for instant SEPA credit transfers but also for traditional SEPA credit transfers in order to harmonize practices within the European Union to limit the exposure of our clients to transfers to bad payees

This new system comes in addition to existing security tools, but will it be sufficient and what impact will the implementation of this new system have on companies’ payment processes?

An article written by Vincent Lefebvre and Laurence Mary.

Payment security: the main challenge of wider use of instant SEPA transfers?

Since its launch at the end of 2017 by the European Payments Council, the SEPA Instant Credit Transfer Scheme (SCT Inst) has continued to accelerate, now guaranteeing that funds reach beneficiaries in 10 seconds, 24 hours a day, 7 days a week in 35 countries in the SEPA zone.

While the rollout of SCT Inst may be an opportunity for companies, its immediacy naturally makes it more susceptible to fraud. According to the 2024 figures from FPAD - EBA clearing, instant SCTs are 9 times more likely to be fraudulent than the traditional SCT.

To strengthen the security of this payment instrument, the European Commission has introduced a control mechanism to verify the correspondence between the name and the bank account of the beneficiary provided by the payer before the payment is executed. This payment security feature, called Verification of Payee (VoP), is at the heart of this new Instant Payment Regulation (IPR¹) and will go into force on 9 October 2025 for the Eurozone countries. Its objective is to detect potential errors or fraud by analysing inconsistencies between the information provided by the payer and that recorded in the repository of the beneficiary's bank.

Varied configurations and impacts according to companies

Depending on the size of the company, the volume of flows processed, the communication channel used or the number of beneficiaries involved, the impact of the implementation of VoP for companies will not be the same.

Companies using unit payments with a less complex beneficiary base will be less affected. For example, unit payments made from a web banking platform will have a VoP device activated systematically and all the elements necessary for informed decision-making will be presented to the client throughout his journey.

For companies with a more complex beneficiary base, making bulk payments via signed “host-to-host” channels, the choice of whether or not to activate the VoP will be more concrete. They will need to be able to assess the reliability of their existing base in order to make their decision and balance accountability with operational effectiveness. With a potential risk of delay in issuing the payment, the company will therefore have the choice of activating the VoP control - “Opt in” - or not - “Opt out”.

If the company decides to activate the VoP device (“Opt in”), the payer’s bank will perform a real-time verification, and the “non-compliant” payments will be left to the payer’s decision. The VoP statutes are as follows:

• "Match": There is an exact match between the name and IBAN provided by the payer.
• "Close match": A partial match (e.g. a typo) is detected and the correct name is communicated, but this may also indicate a need to better identify the company actually involved.
• "No match": No match between the data provided, indicating potential risk.
• "Cannot Verify": The verification cannot be performed due to missing or incorrect data provided, or due to a technical problem.

Companies that have already initiated work to validate their beneficiary databases and that make bulk payments will likely choose not to activate this VoP option. For those wishing to enable it, they will need to adapt their internal processes to support VoP results, correct data, conduct check and possibly re-issue a stream.

The Limitations and Challenges of VoP

For companies, this regulation raises questions and potential barriers. Its deployment is likely to slow down payment processes, especially for companies that process mass files with a large number of beneficiaries. It would be challenging to automate the individual verification of each recipient, as required by law.

Another obstacle is the reconciliation of company names. It is possible to match a unique identifier (such as SIREN or LEI) to an IBAN. However, this solution is not widespread, and the unique identifier is very often replaced in favour of the company name. Some companies frequently use abbreviations, acronyms, or brand names, making it difficult to match their official names. Likewise, organisational changes may occur within a group (the company you want to pay for has just changed its name) while the KYS (Know Your Supplier) was initially validated, resulting in a VOP close match result.

Finally, beyond a simple validation of correspondence (acronym to full name or typo, name inversion...), it may be necessary to revalidate the identity of the beneficiary and its RIB with the suppliers to obtain a pair of valid data within a constrained time. For these cases, the Vop will not provide answers, and banks, while complying with data protection obligations, will not be able to directly correct the erroneous information or communicate sensitive details, which may slow down the resolution of the detected anomalies.

The need for companies to ensure the reliability of their beneficiary bases up front

The VoP is therefore a final control that forms part of an end-to-end payment security framework. Companies must now analyse the integration of these new VoP controls into their processes for ensuring the reliability of their beneficiary bases in order to be able to interpret their results and put in place a process of continuous improvement as soon as a new beneficiary account is created (strictly respecting the name defined on the Bank account details) and set up periodic reviews to ensure optimal data quality.

Conclusion

The implementation of the VoP will mark an important step in accelerating the adoption of instant SEPA credit transfers and securing them, by addressing a major fraud scenario based on the counterfeit bank account details.

However, it is difficult to see the VoP device alone resolving all the challenges around payment security. It will not address all cases of fraud, particularly social engineering fraud (such as CEO fraud) or internal fraud.

Companies therefore need to analyse and verify the relevance of their entire security system and ensure that they have implemented solutions tailored to their organisation (such as a rigorous approval process prior to payment, or raising awareness among their employees about potential risks, etc.)

To this end, Societe Generale’s teams provide their expertise to support companies in identifying and implementing a comprehensive security system tailored to the specific needs of their business and organisation. They may also engage specialised partners to address specific needs, such as ensuring the reliability of beneficiary databases required by this new VoP regulation.

With the 9 October 2025 deadline fast approaching, companies must anticipate the reliability of their databases now to secure their payments and reduce the risk of errors. It is important to leverage this regulation as a lever to enhance operational efficiency and prepare their organisation for the challenges and the use of the services of tomorrow. 

¹Instant Payment Regulation