VoP Around the Clock

Preparing for the Next Stage of the Payment Processing Revolution

The European Instant Payments Regulation (IPR) has introduced a new framework to secure the use of instant SEPA credit transfers (SCT Inst) to speed up their adoption. Verification of Payee (VoP), to be introduced in October 2025, is a European scheme applicable to SCT Inst payment service providers. It will also apply to traditional SEPA credit transfers in order to harmonise practices within the European Union to limit companies’ exposure to bad payees. Societe Generale’s Laurence Mary, Payment Product Manager, and Vincent Lefebvre, Head of Security and Fraud, examine the changes ahead.

VoP will be implemented in addition to existing security tools, but will it be sufficient, and what impact will its execution have on organisations’ payment processes?

Since its launch at the end of 2017 by the European Payments Council, SCT Inst has continued to accelerate, now guaranteeing that funds reach beneficiaries in 10 seconds, 24 hours a day, 7 days a week in 35 countries in the SEPA zone.

While the roll-out of SCT Inst may be an opportunity for companies, its immediacy naturally makes its users more susceptible to fraud. According to the 2024 figures from Fraud Pattern and Anomaly Detection (FPAD) and EBA Clearing, instant SCTs are nine times more likely to be fraudulent than traditional SCTs.

To strengthen the security of this payment instrument, the European Commission (EC) has introduced a control mechanism to verify the correspondence between the name and the bank account of the beneficiary provided by the payer before the payment is executed.

VoP is at the heart of IPR and will come into force on 9 October 2025 for the Eurozone countries. Its objective is to detect potential errors or fraud by analysing inconsistencies between the information provided by the payer and that recorded in the repository of the beneficiary’s bank.

Understanding varied configurations and impacts

Depending on the size of the company, the volume of flows processed, the communication channel used, or the number of beneficiaries involved, the impact of the implementation of VoP for companies will vary.

Those using unit payments with a less complex beneficiary base will be less affected. For example, unit payments made from a web banking platform will have a VoP device activated systematically, and all the elements necessary for informed decision-making will be presented to the clients throughout that payment’s journey.

For companies with a more complex beneficiary base, making bulk payments via signed host-to-host channels, the choice of whether or not to activate VoP will be more straightforward. They will need to be able to assess the reliability of their existing base in order to make their decision and balance accountability with operational effectiveness. With a potential risk of delay in issuing the payment, the company will therefore have the choice of activating the VoP control to opt in or opt out.

If the company decides to activate the VoP opt-in device, the payer’s bank will perform a real-time verification, and ‘non-compliant’ payments will be left to the payer’s decision. VoP statuses are as follows:

• Match: there is an exact match between the name and IBAN provided by the payer.
• Close match: a partial match (e.g. a typo) is detected and the correct name is communicated, but this may also indicate a need to better identify the company involved.
• No match: no match between the data provided, indicating potential risk.
• Cannot verify: the verification cannot be performed due to missing or incorrect data provided or a technical issue.

Companies that have already initiated work to validate their beneficiary databases, and that make bulk payments, will likely choose not to activate this VoP option. For those wishing to enable it, they will have to adapt their internal processes to support VoP results, correct their data, conduct checks, and possibly redevelop payments flows.

Limitations and challenges of VoP

IPR raises questions and potential barriers. Its deployment is likely to slow down payment processes, especially for companies that process mass files with a large number of beneficiaries. It would be challenging to automate the individual verification of each recipient, as required by law.

Another obstacle is the reconciliation of company names. It is possible to match a unique identifier, such as SIREN, the nine-digit identifier assigned to every registered business in France, or legal entity identifier (LEI), to an international bank account number (IBAN). However, this solution is not widespread and the unique identifier is often replaced in favour of the company name.

Some companies frequently use abbreviations, acronyms, or brand names, making it difficult to match their official names. Likewise, organisational changes may occur within a group (perhaps the company you want to pay has just changed its name), so while the KYS (know your supplier) was initially validated, it will now result in a VoP close match result, upon which a judgement must now be made.

Finally, beyond a simple validation of correspondence, it may be necessary to revalidate the identity of the beneficiary, and its bank identity information, with the suppliers to obtain a pair of valid data within a constrained time. For these cases, VoP will not provide answers, and banks, while complying with data protection obligations, will not be able to directly correct the erroneous information or communicate sensitive details, which may slow down the resolution of the detected anomalies.

Control, respect, review

VoP is a final control that forms part of an end-to-end payment security framework. Companies must now analyse the integration of these new controls into their processes to ensure the reliability of their beneficiary bases. This is essential in order to be able to interpret results and put in place a process of continuous improvement as soon as a new beneficiary account is created. This involves strictly respecting the name defined on the bank account details, and setting up periodic reviews to ensure optimal data quality.

Poised for tomorrow

The implementation of VoP will mark an important milestone in accelerating the adoption of SCT Inst. It will also help to secure these transfers as it will address a potential major fraud scenario based on counterfeit bank account details.

However, it is difficult to see VoP alone resolving all the challenges around payment security. It will not eliminate all cases of deception, particularly social engineering cases such as CEO fraud or internal fraud.

Businesses therefore have to analyse and verify the relevance of their entire security system, and ensure that they have implemented solutions tailored to their organisation, including a rigorous approval process prior to payment, and are raising awareness among their employees about potential risks.

To this end, Societe Generale’s teams support companies in identifying and implementing comprehensive security systems tailored to their specific needs. Specialised partners may also be engaged to address specific needs, such as ensuring the reliability of beneficiary databases required by the new VoP regulation.

With the 9 October deadline fast approaching, companies must review the reliability of their databases to secure their payments and reduce the risk of errors. It is important to leverage this regulation to enhance operational efficiency, prepare for the challenges ahead – and to be ready to embrace the new services that are on the horizon.