API call
Your system calls our REST API with the payee’s name (or identifier) and IBAN.
If you’ve been following payment industry news, you may have already heard of Confirmation of Payee (CoP), the UK equivalent of VoP. They are cousins: same fundamental purpose but different regulatory frameworks.
Confirmation of Payee (CoP) was introduced in the UK starting in 2020, under the Payment Systems Regulator (PSR). It covers payments through Faster Payments and CHAPS. The UK has been a pioneer in this space, and the results have been measurable: participating banks reported significant reductions in APP fraud in the years following implementation.
Verification of Payee (VoP) is the European version, governed by the European Payments Council (EPC) under its VoP Rulebook. It covers SEPA Credit Transfers (SCT) and SEPA Instant Credit Transfers (SCT Inst), and became mandatory across the eurozone in October 2025.
Beyond these two, SWIFT also operates pre-validation services for cross-border payments but VoP’s scope within SEPA is distinct and regulation-driven.
The broader lesson is clear: across the globe, regulators are moving in the same direction. Account name verification before payment execution is becoming a universal expectation.
Regulation (EU) 2024/886, commonly referred to as the Instant Payments Regulation (IPR), requires all Payment Service Providers (PSPs) operating in the EU to provide Verification of Payee for both SEPA Credit Transfers and SEPA Instant Credit Transfers.
This means:
The EPC has published the technical VoP Rulebook that defines the scheme rules, the supported data formats, the accepted match results and the obligations of each participant. Compliance with the EPC scheme is what gives a VoP implementation its legal and technical validity.
The rollout happens in two waves, based on currency.
Austria, Belgium, Cyprus, Germany, Estonia, Spain, Finland, France, Greece, Croatia, Ireland, Italy, Lithuania, Luxembourg, Latvia, Malta, Netherlands, Portugal, Slovenia, Slovakia.
Bulgaria, Czech Republic, Denmark, Hungary, Poland, Romania, Sweden.
Countries like the United Kingdom, Switzerland, Norway, Iceland and Liechtenstein are within the EPC VoP scheme’s scope but are not bound by the EU regulation’s deadlines. Their adoption depends on local legislation and whether their PSPs adhere voluntarily to the EPC VoP Rulebook.
In practical terms: if your business, your customers or your software users touch any payment going to or from a eurozone account, VoP is already live and mandatory.
If you build software that touches payments, bank accounts or supplier data, VoP is not someone else’s problem: it’s yours.
Think about where IBANs enter your system:
Every one of these is a moment where a wrong IBAN (fraudulent or accidental) can enter the system. And every one of these is a moment where a VoP check can prevent it.
Your users (finance teams, accountants, treasury managers) are not expecting to manually verify IBANs. They are trusting your software to help them work securely. Integrating VoP means your product does what they need it to do, at the right moment, without adding friction.
The value proposition for software editors is threefold:
What types of software are directly in scope?
Any software that collects, stores or processes IBANs in a payment context is relevant.
The most common categories are:
If your product has a field that says “IBAN”, VoP has a use case.
My software doesn’t initiate payments directly. Does VoP still apply?
Yes, and this is an important point to understand. VoP’s value isn’t only at the moment of payment execution. It’s equally valuable when an IBAN first enters your system.
If your software stores a supplier IBAN, an employee’s bank account or a customer’s mandate details, you are the first line of defense. By the time a payment is initiated (whether by your software or by an external bank), the IBAN is already in the system, often trusted implicitly.
Integrating VoP at the onboarding and data-capture stage means you are catching fraudulent or incorrect IBANs before they become problems, not after.
What data is needed to make a VoP request?
A VoP request requires two pieces of information:
1. The payee’s IBAN
The bank account number that will receive the payment.
2. A verification reference
Either:
Name-based verification is the most widely supported and recommended approach. Identifier-based verification can be useful when the exact name is uncertain (for example, when onboarding a new B2B supplier using their VAT number as the primary reference).
What does the API response look like in practice?
Here is a simplified example of what a VoP API call and response look like with Digiteal’s API:
Request:
```bash
POST /api/v1/ibanAccountHolderVerification
{
"iban": "BE03130000000184",
"name": "Digiteal SA"
}
```
Response — Match:
```json
{
"vopMatchResult": { "result": "MATCH" },
"bankAccountHolder": { "name": "Digiteal SA" },
"bank": { "bic": "DIGEBEB2", "name": "DIGITEAL SA" }
}
```
Response — Close match (name provided: "Digiteal", missing the "SA" suffix):
```json
{
"vopMatchResult": { "result": "CLOSE_MATCH" },
"bankAccountHolder": { "name": "Digiteal SA" },
"bank": { "bic": "DIGEBEB2", "name": "DIGITEAL SA" }
}
```
Response — No match (name provided: "John Doe"):
```json
{
"vopMatchResult": { "result": "NO_MATCH" },
"bank": { "bic": "DIGEBEB2", "name": "DIGITEAL SA" }
}
```
Each response also includes a timestamp and a unique ‘request-id’ in the response headers for audit trail purposes.
How should we handle each response in our UX?
The recommended approach balances security with usability. VoP is designed to inform, not to automatically block.
| Result | Recommended UX pattern |
|---|---|
| MATCH | Proceed automatically: no friction needed. |
| CLOSE_MATCH | Display a warning with the discrepancy. Ask the user to confirm or review before proceeding. |
| NO_MATCH | Block the action or require mandatory manual review, and clearly explain why. |
| NO_AP | Note that verification was not possible for this account. Apply alternative verification methods if available. |
A critical design principle: never block silently and never scare unnecessarily. A close match on a company name (because a user typed “Acme Corp” instead of “Acme Corporation”) is not a fraud signal. It’s an invitation to review. Your UX should make that distinction clear.
Equally important: always log the VoP result, even when the payment proceeds. This creates an audit trail that demonstrates due diligence, which becomes critical in the event of a dispute or investigation.
How does VoP handle approximate names, abbreviations and special characters?
This is where the intelligence of a good VoP implementation shows.
The matching algorithm at the issuing bank’s side handles a range of common variations:
When such a variation is detected, the response is `CLOSE_MATCH` rather than `MATCH`, allowing your system to surface the discrepancy to a human reviewer rather than blocking outright.
A practical note: the quality of your outbound data matters. If your supplier master data is poorly maintained (truncated names, old trade names, missing legal suffixe…), you will see more close matches than necessary. VoP integration is also an opportunity to review and clean your reference data.
Can we verify an entire supplier database in bulk?
Yes. Bulk verification is one of the most powerful use cases for software editors.
The typical scenario: a company has thousands of IBANs stored in their ERP or accounts payable platform. They have never been systematically verified. Integrating a VoP API allows you to offer a one-time (or periodic) bulk check of the entire database, flagging suspect records before they ever reach a payment run.
Practical considerations for bulk verification:
This is a particularly compelling feature for ERP vendors and accounts payable platforms, where a “clean your supplier bank data” workflow can be a premium offering in its own right.
What is the geographic coverage? What about IBANs outside the eurozone?
As of October 2025, VoP is operational for eurozone IBANs (the 20 EU member states whose currency is the euro). This covers the vast majority of SEPA payment volume.
For IBANs from non-euro EU member states (Poland, Denmark, Czech Republic, etc.), mandatory compliance comes in July 2027, but some banks in these countries may already support VoP.
For IBANs from non-EU SEPA countries (UK, Switzerland, Norway, etc.), availability depends on the individual bank’s participation in the EPC VoP scheme.
When a VoP check is requested for an IBAN whose issuing bank is not yet connected to the scheme, the response will be ‘NO_AP’ (not applicable). Your system should handle this gracefully (it doesn’t mean the payment is suspect, it means verification is currently unavailable for that account).
How long does integration take? What’s the real technical effort?
The short answer: a few days maximum.
Digiteal’s VoP API is a simple REST/JSON interface with Basic Authentication. The core integration (a single POST endpoint) can be implemented in any modern development stack.
SDKs are available for Java, .NET, Python, and PHP, among others.
What makes VoP complex to build from scratch is not the API call itself. It’s everything around it: registering with the EPC scheme and the EDS Directory Service, implementing the RVM routing logic to find the right bank for any given IBAN, staying compliant with the EPC VoP Rulebook as it evolves, submitting quarterly statistical reports to the EPC, managing the certification and conformance testing process…
By integrating Digiteal’s API, you get all of that handled for you. Your engineering team writes the API call and the UX logic. We handle the regulatory plumbing.
A sandbox environment is available from day one for integration testing. The path to production is straightforward, with dedicated developer support.
What’s the business model? Can we monetize this for our own clients?
VoP integration can be structured in several ways depending on your product model:
The ROI calculation is straightforward: a single prevented fraudulent transfer (typically worth tens of thousands of euros) covers years of VoP API costs. When you frame it that way in a conversation with a CFO, the question stops being “is this worth it?” and starts being “why haven’t we done this already?”
Digiteal is a payment institution certified by the National Bank of Belgium and ISO/IEC 27001:2022 certified for information security management.
Our VoP service is compliant with the European Payments Council (EPC) VoP Rulebook and operates on a live production environment with an SLA-backed uptime guarantee.
Contact our team via the contact form on our website to request access to the sandbox environment, receive your API credentials, and discuss your integration requirements.