0
39

Bringing Control Back: How the VOP Scheme Secures Instant Payments

Instant payments removed the buffer of time—and with it, the bank’s last chance to catch a mistake or stop fraud. The European Payments Council (EPC)’s Verification of Payee (VOP) Scheme now introduces a secure, API-driven layer to euro payments that helps verify a payee’s identity before a transfer is executed. By aligning with new regulatory requirements under the Instant Payments Regulation, the VOP Scheme protects consumers from fraud, reduces misdirected payments, and clarifies liability rules for payment service providers (PSPs). This article explains how VOP works, who must comply, and what PSPs need to do to get ready.
In response to new EU rules on instant payments, the EPC introduced the VOP Scheme to strengthen trust in SEPA Credit Transfers (SCT) and SEPA Instant Credit Transfers (SCT Inst). Payee verification is no longer optional—it’s becoming a requirement across the European Economic Area (EEA), with compliance deadlines beginning in October 2025.
The VOP Scheme is part of a larger push for speed, security, and clarity. As instant payments become the norm, consumers and businesses expect protection from fraud without delays. By enabling real-time verification of a recipient’s name and account details, VOP offers just that—protecting users while preserving efficiency. What seems like a small technical step may well carry far-reaching consequences for how responsibility and trust are structured across Europe’s financial networks. But what, ultimately, is motivating this shift—not just on paper, but in the underlying dynamics between banks, users, and regulators? First, let's see how the VOP scheme works.

Verification of Payee scheme in a nutshell
When a payer initiates a payment, their PSP (called the Requesting PSP) sends a verification request to the payee’s PSP (Responding PSP). The request includes:
  • The IBAN of the payee
  • The payee’s name (as provided by the payer)
  • Optionally, an identifier such as a VAT number, Legal Entity Identifier (LEI), or social security number.

The Responding PSP checks the provided details against its records and instantly responds with:
  • Match – The information corresponds exactly
  • Close Match – Minor differences exist; the correct name is provided
  • No Match – The data does not align
  • Verification Not Possible – The check cannot be completed

The result is relayed to the payer, who can then decide to proceed or cancel the payment. This entire process is designed to be completed in under 5 seconds, providing quick but meaningful protection against fraud and mistakes.
Note: VOP is a verification service, not a payment method or identity confirmation tool.

Behind the Mandate: What VOP Is Really Solving
Now, let’s talk about the elephant in the room. Instant payments may thrill users with their speed, but they’ve long made banks uneasy. With no delay between authorization and execution, banks lose their final window to detect fraud or fix errors—turning every transaction into a potential liability minefield.
The rise of instant payments has forced a difficult question: who takes responsibility when things go wrong? The Verification of Payee (VOP) Scheme doesn’t just protect users—it introduces a framework that reshapes liability, compliance, and trust across PSPs in the euro payment ecosystem.

Legal and Liability Shifts—or Winning the Blame Game
The addition of the VOP scheme in the Instant Payments Regulation has changed how liability is distributed when payment errors occur:
  • Incorrect Execution due to Incorrect Unique Identifier: PSPs aren’t liable for payments sent to a wrong IBAN—if VOP was offered and the payer ignored a mismatch alert.
  • Failure to Perform Payee Verification (Payer's PSP): If the check isn’t done and funds are misdirected, the payer’s PSP must refund the full amount.
  • Failure by a PISP: If a PISP submits wrong payee data, the payer’s PSP refunds the client and seeks redress from the PISP.
  • Failure by the Payee's PSP: If the payee’s PSP provides incorrect info or fails to respond, it must compensate the payer’s PSP.
  • Payment Service User (PSU) Ignores a Warning: If the payer receives a mismatch or 'close match' alert and still authorises the payment, the PSP is not liable—assuming it fulfilled its verification obligations.
  • Verification Not Possible: If the payee’s PSP is in a non-euro EU country not yet obliged to comply with the VOP requirement, neither PSP is liable for not completing the check.
  • Technical Failures: If technical issues prevent the VOP check, liability falls on the party responsible for the malfunction.
  • Sanctions Screening: PSPs must perform periodic screening of their customers against financial sanctions lists. This is separate from VOP but still mandatory. Failure to comply can lead to penalties or compensation claims from other PSPs.

This framework allows PSPs to limit their liability only if they comply with the VOP process.

Who Benefits from VOP scheme—And Why
Banks and PSPs (Primary Beneficiaries)
  • Reduce exposure to refunds and claims by performing VOP correctly.
  • Shift liability downstream if another PSP fails to comply.
  • Benefit from a clear legal structure that protects them in fast, irreversible payment environments.
  • Standardise procedures across SEPA to reduce risk.

Consumers and Users (Secondary Beneficiaries)
  • Gain fraud protection and clarity about mismatches.
  • Are informed but still responsible if they override a mismatch warning.

Regulators
  • Enable safe instant payment adoption.
  • Ensure cross-border liability harmonisation. but still responsible if they override a mismatch warning.
  • Support compliance without imposing transaction-level sanctions screening.

In summary, the VOP Scheme is as much about protecting banks from losses and uncertainty as it is about helping users avoid mistakes. Its greatest value lies in clarifying who is responsible when things go wrong—and ensuring everyone plays their part.

How VOP Works Technically: API, Directory, and Certification
The VOP Scheme is built on a RESTful API using JSON and ISO 20022 data standards. It leverages the PSD2 Open Banking infrastructure, including EU-trusted digital certificates.
To support secure and scalable implementation across SEPA, the EPC introduced the EPC Directory Service (EDS)—a centralized lookup system where PSPs can publish their endpoints (URIs) to facilitate VOP message exchange. PSPs may manage integration directly or use third-party Routing and/or Verification Mechanisms (RVMs).
VOP is one of several EPC schemes based on APIs. These include:
  • Verification of Payee (VOP)
  • SEPA Payment Account Access (SPAA)
  • SEPA Request-to-Pay (SRTP)

All these schemes require the use of APIs. For VOP and SRTP, the EPC develops the technical specifications directly. For SPAA, market actors build APIs based on EPC rulebooks.
Certification and Interoperability
To ensure compliance and technical interoperability before going live, the EPC requires the use of the API Reference Toolbox (ART) for scheme participants.
  • All Routing and/or Verification Mechanisms (RVMs) must be qualified by the EPC and comply with the technical, operational, and security standards defined in the VOP Scheme Rulebook.
  • RVMs are required to complete self-certification using the ART platform.
  • PSPs that exchange VOP messages directly (i.e. without relying on an RVM) are strongly encouraged to complete self-certification via ART as well.

  • For PSPs using one or more RVMs, interoperability is ensured by the RVM(s), and separate certification by the PSP is not required.


Key Deadlines and Onboarding Waves for the VOP Scheme
The EPC has structured the rollout of the VOP scheme into a clear timeline supported by three waves of adherence. This approach is designed to help PSPs plan their onboarding while ensuring operational readiness and timely inclusion in the EPC Directory Service (EDS).
Wave 1 (Before 15 May 2025)
  • PSPs and groupings that submitted complete and signed adherence documents and paid VOP/EDS fees by 15 May 2025
  • Target registration into EDS by 15 August 2025 (worst-case)
  • PSPs not using RVMs in this wave are prioritised for self-certification if they opt to perform it
Wave 2 (16 May – 30 June 2025)
  • PSPs submitting documents and paying fees between 16 May and 30 June 2025
  • Target registration into EDS by 10 September 2025
Wave 3 (After 30 June 2025)
  • For PSPs submitting documents after 30 June 2025
  • Registration into EDS by the 4 October 2025 is not guaranteed
  • Processing will follow a best effort, first-come-first-served basis


Who Must Join the VOP Scheme—and Pay for It
All SCT and SCT Inst participants impacted by the amended SEPA Regulation must adhere to the VOP Scheme and fund the EPC Directory Service (EDS) for three years starting October 2025. This ensures cross-border interoperability and full regulatory alignment.
Obligations and Deadlines
  • All SCT/SCT Inst participants must join the VOP Scheme and EDS
  • The opt-out deadline (31 January 2025) has passed
  • PSPs that did not submit a formal opt-out are now:
    • Considered VOP Scheme participants
    • Obliged to pay the 2025 VOP Scheme participation fee and the EDS setup fee
    • Included (or about to be included) in the Register of VOP Scheme Participants and in the EDS
  • Fees are invoiced in full regardless of onboarding date
  • PSPs that plan to exit the SCT or SCT Inst schemes in 2025 are still liable for fees covering their participation period

Adherence Limits for PSPs Outside SEPA or the EU
The VOP Scheme is open to PSPs in all SEPA countries. However, participation for PSPs based in non-EU SEPA countries—such as the UK or Switzerland—depends on legal alignment:
  • In EEA countries (e.g., Iceland, Liechtenstein, Norway), adherence depends on the Instant Payments Regulation being incorporated into national law.
  • In non-EEA SEPA countries (e.g., the UK), equivalent legal provisions must be adopted, particularly those that support VOP API usage.

Some UK-based companies already act as RVMs under the scheme, indicating operational readiness despite legal alignment still being in progress.
Importantly, PSPs not incorporated and licensed in a SEPA country or territory cannot join the scheme, as clarified in Section 4.4 of the VOP Scheme Rulebook.

Closing Reflections
The EPC’s Verification of Payee Scheme is more than a technical fix or a checkbox for regulatory compliance. It is a structural rebalancing of trust in a payments ecosystem where speed and irreversibility have outpaced traditional safeguards. By assigning clear responsibilities, standardising practices, and embedding real-time verification into the fabric of SEPA transactions, VOP empowers PSPs to act with confidence and protects users from preventable losses. But beyond compliance, the real achievement of the VOP Scheme is cultural: it aligns incentives, reduces ambiguity, and invites every actor in the payments value chain to play their part in restoring control where it matters most—right before the money moves.
Get in touch with us to learn how we can help you with aplonHUB

Comments are closed.