
Verification of Payee (VoP) services are essential, but they will not be easy to implement

Written by Kjeld Herreman | 5 August 2024

 

  • The EU’s SEPA Instant Payments Regulation will soon make Verification of Payee (VoP) mandatory for all Euro credit transfers, helping to combat eye-watering levels of fraud across Europe.
  • Implementation will not be easy. The deadlines are tight and questions remain about unitary payments.
  • Kjeld Herreman, Head of Strategy Advisory at RedCompass Labs, explains what this means for banks on the continent.

 

Verification of Payee (VoP) is more than just a name check; it’s a powerful weapon in the fight against authorised push payment fraud.

 

With VoP, a payer can confirm the identity of the person or business they are sending money to before making a transaction. If there is a difference, say, in the payee’s name, the payee’s bank will notify the payer’s bank, which helps the payer decide whether they would like to continue with the transaction.

 

These solutions have existed for some time in several European countries including The Netherlands, the UK, France and Italy. But all EU banks will soon be legally required to introduce one as part of the new SEPA Instant Regulations.

 

In this article, we explore why ubiquity is needed for VoP to be truly effective, the challenges banks face in implementing VoP services, and how they can overcome them.

In Verification of Payee (VoP), 99% coverage is not good enough

Though European data is hard to come by, the UK's payments ecosystem has had to deal with eye-watering levels of authorised push payment (APP) scams. Close to half a billion pounds were lost to APP fraud in 2022, which overtook card fraud for the first time a year earlier. In a recent high-profile case, a finance worker was duped by deepfakes of their colleagues into sending $25 million to scammers.

 

Verification of Payee services are springing up all over Europe to combat it, with notable success. SurePay’s VoP service helped Dutch banks to reduce invoice fraud by 81%. A remarkable achievement. 

 

But ubiquity is essential for VoP to be truly effective. Fraudsters responded by using money mules across the borders of Belgium, Luxembourg and Germany, according to SurePay's CEO, David Jan Jansen. The scammers began exploiting the banks that did not use Verification of Payee to work around the system. Cross-border invoice fraud shot up. 

 

So despite its effectiveness, 99% coverage is not enough. Fraudsters will simply migrate to the 1% of banks that do not have a VoP service in place.

 

The good news is that the EU is making VoP mandatory as part of the SEPA Instant Payment Regulation, to ensure banks are 100% covered for Euro credit transfers between European countries. 

 

It’s an exciting development. But it will be incredibly challenging to implement from a technical perspective, and there are a couple of reasons for that. 

Time is tight

The first is timing. Within eighteen months, banks need to have a Verification of Payee solution that is readily available as per the SEPA Instant Regulations. But to have an interoperable VoP scheme, you need a rulebook to ensure banks have a standardized way of communicating VoP messages. 

 

The payer’s bank must send the details the payer has entered (name and account number) to the payee’s bank, which compares them against its client database. For example, the bank will see that the payer is trying to make a payment to John Smith, but that the account details they’ve been provided belong to Joe Bloggs. If the details do not match, the payee’s bank will flag the mismatch to the payer’s bank, which notifies the customer. This matching process must be standardized so banks can communicate effectively.

 

Now, the European Payments Council is in the process of developing a rulebook for VoP. But the rulebook doesn’t go into a great deal of detail regarding how banks are going to communicate. It talks a lot about data, and what data elements need to be in there, but not over which network these messages will be sent, nor how they will be sent. Will it be an API or something else? The rulebook also fails to mention an economic remuneration model.  

 

So, there are still a ton of unknowns regarding this rulebook, even though VoP is a service that banks need to be developing today. How do we make VoP interoperable without a rulebook in such a short time frame? That’s a big challenge.

 

There are questions around unitary payments 

The second complication relates to unitary payments: payments that happen one by one. Verification of Payee has not been used for file-based payments in the past. The new SEPA Instant Regulation says that you now must perform VoP between the time the beneficiary data is entered and the time the client authorizes the payment.

That’s all well and good for digital channels. To make a payment, you input a bank account number and name, and before you hit authorize or sign with facial ID, fingerprint or whatever it is, the system verifies the payee. But it becomes more complicated for business payments.

In business payments, the payment channel is often authorized, rather than an individual payment. For example, if a corporation sends its SWI connectivity payment instructions to its bank, the bank doesn’t ask the corporation to sign the individual transactions. It just says “Okay, the corporate was able to send me that payment over a ‘secure-corporate channel,’ I can trust it and execute this payment.” In that sense, the time limit between receiving the data and authorizing does not exist. The payment transaction comes in pre-authorized (if you will).  

This is an exception allowed under the PSD2 strong customer authentication guidelines, meaning there’s a hole in the SEPA Instant legislation. The SEPA Instant legislation says, “You have to do it in between these two time periods”, while PSD2 says “Well, you don’t need to do it for certain channels”.  

Then consider that corporates do not use online banking channels when initiating a file-based payment. They’re just sending a file; they’re sending an API call. How do we return that matching VoP status to the corporate? Is it file-based? Or do we redirect the corporate? Do we send them an email that says they need to check on their online banking and validate the payment? 

 

And what happens if a corporation schedules 200 payments to go out at a single time? In theory, they could receive 200 verification of payee notifications at once, all of which need validating before the payment can be authorized. It’s another big hurdle for banks. 
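As an added illustration (not code from the article, RedCompass Labs or the EPC rulebook), the sketch below runs the name check described under "Time is tight" over a payment file and returns one consolidated exception report instead of one notification per payment. The outcome labels, the normalisation rules, the record layout and the placeholder account numbers are all assumptions made for this example.

```python
import unicodedata
from collections import Counter

# Constructed directory standing in for the payee bank's client database.
# The account numbers are placeholders, not valid IBANs.
ACCOUNTS = {
    "NL00EXAM0000000001": "John Smith",
    "NL00EXAM0000000002": "Joe Bloggs",
    "NL00EXAM0000000003": "Zoë Müller-Jansen",
}


def normalise(name):
    """Reduce a name to comparable tokens (assumed rules: ignore case,
    diacritics, punctuation and token order)."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return tuple(sorted(cleaned.split()))


def verify_payee(iban, name, accounts=ACCOUNTS):
    """Payee-bank side: compare the supplied name with the account holder."""
    holder = accounts.get(iban.replace(" ", "").upper())
    if holder is None:
        return "NOT_POSSIBLE"  # account unknown to this bank
    return "MATCH" if normalise(name) == normalise(holder) else "NO_MATCH"


def verify_batch(instructions, accounts=ACCOUNTS):
    """Check every instruction in a file; report only those needing review."""
    results = [
        (index, verify_payee(p["iban"], p["name"], accounts))
        for index, p in enumerate(instructions)
    ]
    return {
        "counts": dict(Counter(outcome for _, outcome in results)),
        "exceptions": [(i, o) for i, o in results if o != "MATCH"],
    }


if __name__ == "__main__":
    # Constructed payment file: the second line reproduces the article's
    # John Smith / Joe Bloggs mismatch.
    batch = [
        {"iban": "NL00EXAM0000000001", "name": "John Smith"},
        {"iban": "NL00EXAM0000000002", "name": "John Smith"},
        {"iban": "NL00EXAM0000000099", "name": "Acme BV"},
    ]
    print(verify_batch(batch))
```

The comparison is exact after normalisation; any tolerance for near-miss spellings would be a scheme-level decision that the article does not specify.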

 

How can banks overcome VoP issues?  

There’s a lot of complexity associated with Verification of Payee, particularly around file-based instant payments. As an industry, we need to figure out how to solve these problems. We do not want every bank to implement VoP in their own way. We want to standardize the process so multi-bank corporates have a consistent way of working with their banks. 

And this extends beyond Europe. It’s reasonable to think that fraudsters will migrate to countries that do not have a VoP-style solution, just as we saw in the Netherlands. The global financial community must collaborate to overcome challenges and establish seamless cross-border interoperability, ensure the widespread effectiveness of VoP in safeguarding transactions, and strengthen the integrity of the financial ecosystem.

 

Verification of Payee is essential, but it will not be easy to implement.

At RedCompass Labs, we’ve helped some of the biggest banks embrace the future of payments. If you’re worried about meeting the SEPA instant regulations, reach out to the team today.