Why VoP is not enough: the real risks Treasurers will face starting Oct 9th

On October 9th, a quiet revolution begins in European payments. The Verification of Payee (VoP) regulation will come into force, requiring over 3,000 Payment Service Providers (PSPs) across the Eurozone to verify the match between a beneficiary’s name and their bank account before executing SEPA payments.

If you’re a corporate treasurer, this should raise a critical question: Is your master data ready?

Because if it’s not — or if your beneficiary’s bank relies on outdated or incorrect information — you may soon face payment delays, operational disruptions, and a flood of false fraud alerts. But VoP is more than a compliance requirement in my view. It’s a strategic opportunity to strengthen your payment security ecosystem. And it’s also a risk — if you rely on it blindly.

What is VoP and why it matters

VoP is designed to reduce fraud and errors by verifying the pairing between a beneficiary’s name and their IBAN before a payment is executed. For SEPA single payments (pre-authorised or not), and for any payment made from a banking platform, this verification will be mandatory. For pre-authorised SEPA bulk payments, corporates can choose to opt in or out.

The regulation introduces four possible outcomes for each verification:

• Match: Name and IBAN pair correctly.
• Close match: Partial match, requiring review.
• No match: Mismatch, payment on hold.
• Match not possible: Verification failed due to missing data.

This approach is not entirely new. The UK has already implemented a similar system known as Confirmation of Payee (CoP) several years ago, which has proven effective in reducing payment fraud. VoP builds on this model, aiming to bring similar protections to the Eurozone, though with some differences in scope and implementation.

While this sounds straightforward, the operational implications are significant. A single mismatch in a bulk payment file could block the entire batch, depending on your bank’s processing logic.

The Risks of Inaction

Treasurers who fail to prepare for VoP may face:

• Payment delays due to verification failures.
• False fraud alerts triggered by minor name discrepancies.
• Operational disruption as banks hold payments for review.
• Reputational damage if vendors or employees are not paid on time.

And perhaps most critically: VoP does not protect you from fraud that has already infiltrated your systems.

VoP’s Limitations: Why it’s not enough

While VoP is a step forward, it is not bullet proof. Key limitations include:

1. Post-initiation checks: VoP only activates after the payment is sent to the bank. Fraudulent bank accounts may already be embedded in your ERP or TMS.
2. No PSP liability: Even if a match is returned, <u>the PSP is not responsible for fraud</u>.
3. Limited scope: VoP applies only to SEPA payments. Expansion to the EEA is expected in 2027. But what about the hundred other countries not covered?
4. Simple matching logic: Fraudsters can exploit homonyms or register companies with similar names.
5. No ID verification: VoP checks only name and IBAN, not national identifiers.
6. Batch payment risk: A single mismatch can block an entire file, depending on the bank.
7. Unreliable data sources: Not all beneficiary banks use trusted registries for name verification.

Strengthening your defenses beyond VoP

To truly secure your payments, treasurers must go beyond VoP and implement robust internal controls. This starts with strictly followed procedures to independently validate a beneficiary bank account, complemented by a comprehensive & ongoing audit and clean-up of your ERP and TMS master data.

Third-party bank account validation platforms offer a powerful complement to VoP. These platforms:

• Use national IDs, VAT numbers, and tax IDs to retrieve the exact registered name & addresses of beneficiaries (reminding us not to forget about the upcoming ISO20022 in November, where structured address will need to be part of your payment files to avoid rejections)
• Provide advanced fraud detection, including:
  • Alerts for high-risk banks or jurisdictions,
  • Detection of suspicious email addresses or recently created domains,
  • Identification of falsified documents,
  • Flagging of newly opened or blacklisted bank accounts, on top of pairing issues.

These platforms can integrate seamlessly with your ERP and TMS, creating a secure and automated payment ecosystem that minimizes manual intervention and maximizes fraud prevention.

Recommendations for Treasurers

To prepare for VoP and enhance your fraud defences:

• Have clear and auditable means to independently validate a new or changed beneficiary bank account details
• Speak openly about fraud in your company. Do not let fear make employees hide anything that smells
• Engage with your banks to activate the opt-out option for bulk payments if needed (recommended before you have cleared your master data),
• Deploy a third-party validation platform across your entire P2P process,
• Clean your supplier and beneficiary data to reduce validation issues,
• Educate your teams on VoP mechanics and fraud prevention overall,
• Develop internal workflows to manage VoP alerts and exceptions efficiently.

To conclude, VoP is not just a regulatory hurdle — it’s a catalyst for better controls, cleaner data, and stronger fraud prevention. Treasurers who act now will not only avoid disruption but also elevate their organization’s financial security maturity.

In a world where fraud is increasingly sophisticated, proactive validation and layered controls are no longer optional. They are essential.