VoP checks names. Fraudsters exploit everything it doesn't check: ownership, entity legitimacy, account status, and cross-border gaps. Here's where VoP fails — and how to close the blind spots before your next payment goes out.


VoP Is Live. Fraud Hasn't Stopped. Why?

Since October 2025, Verification of Payee has been mandatory for every Payment Service Provider in the Eurozone. The regulation requires banks to check that a payee's name matches their IBAN before executing SEPA credit transfers.

It was supposed to be the kill shot against payment fraud.

It wasn't.

| Fraud Metric | Value |
| --- | --- |
| Projected APP fraud losses (US, UK, India) by 2026 | $5.25 billion |
| Estimated global APP fraud losses by 2027 (LSEG) | $331 billion |
| Consumer losses to APP fraud and scams, 2025 worldwide | $442 billion |
| US estimated fraud losses in a single year (FTC) | $196 billion |

Sources: ACI Worldwide & GlobalData, LSEG Risk Intelligence, Global Anti-Scam Alliance, FTC (2024–2025)

VoP has not slowed this down in any meaningful way. The reason is structural.

VoP was designed to solve one specific problem: catching typos and obvious name mismatches before payments execute. It does that well. But modern payment fraud doesn't rely on mismatched names. It relies on deception that VoP was never designed to detect.

The result: finance teams now have a compliance checkbox. They do not have fraud prevention.

What Verification of Payee Actually Checks (And What It Doesn't)

VoP performs a single function. It compares the name entered by the payer against the name registered on the payee's account at the receiving bank.

That's it.

The system returns one of four results: Match, Close Match, No Match, or Unable to Verify. The payer then decides whether to proceed.

Here's what VoP does not check:

| Verification Layer | VoP | MonitorPay |
| --- | --- | --- |
| Name ↔ IBAN matching | | |
| Account ownership verification | | ✅ Registry-sourced |
| Entity legitimacy (active / dissolved / suspended) | | ✅ 200+ gov registries |
| Account status (active / dormant / frozen) | | |
| Beneficial ownership / UBO | | |
| Cross-border coverage (beyond SEPA) | | ✅ 150+ countries |
| Continuous monitoring | | |

VoP protects against fat-finger errors and obvious impersonation. It does not protect against sophisticated fraud — which is exactly what's increasing.

Five Ways Payment Fraud Bypasses VoP

1. Stolen Identity, Legitimate Account

If a fraudster opens a bank account using stolen identity documents, the account is legitimately registered in that name. When a VoP check runs, it returns "Match." The fraud is invisible to VoP because, from the bank's perspective, the account holder and the name align perfectly.

This is the single biggest blind spot in the system. AI-powered identity fraud now makes it cheaper and faster than ever to create convincing synthetic identities at scale.

Why this matters: A "Match" response from VoP creates a false sense of security. It tells you the name is correct — not that the entity is legitimate. MonitorPay's account ownership verification cross-references the account against government registry records to confirm the actual legal owner.

2. Invoice Interception with Mule Accounts

In a classic Business Email Compromise attack, a fraudster intercepts a legitimate invoice and swaps in new bank details. The new account belongs to a mule — a real person whose name is on the account. VoP checks the mule's name against the IBAN. It matches. The payment goes through.

BEC has cost businesses an estimated $55 billion over the past decade. VoP doesn't touch this attack vector. The name is "correct." The account is real. The money is gone.

3. Shell Companies and Dormant Entities

Fraudsters register shell companies or acquire dormant entities. These entities have valid bank accounts with matching names. VoP sees no mismatch. But the entity has no real operations, no employees, no legitimate business activity.

VoP cannot distinguish between a legitimate operating company and a freshly registered shell. It doesn't check company status, registration details, or trading history. All it sees is: name matches IBAN. Green light.

4. Payments Outside SEPA

VoP only applies to SEPA credit transfers. Any payment routed outside the Eurozone — to the UK, US, Asia, Africa, the Middle East — operates with zero VoP coverage.

For companies with global supply chains, this is a massive gap. Fraudsters know it. They route attacks through jurisdictions where no pre-payment verification exists. Non-Euro EU countries don't even need to comply until July 2027. That's 18 months of additional exposure.

5. Social Engineering That Coaches the Victim

In APP scams, fraudsters coach victims to enter the exact registered name on the receiving account. They tell you the name. You type it in. VoP returns "Match."

The fraud succeeds precisely because VoP does what it's supposed to do — and nothing more.

Every one of these attack vectors returns a VoP "Match" result. The system is working as designed. That's the problem.

The Real-World Cost of the VoP Blind Spot

These aren't theoretical risks. The numbers tell the story.

| Metric | Value |
| --- | --- |
| Organizations experiencing payment fraud (2024) | 79% |
| Organizations recovering 75%+ of fraud losses | 22% (down from 41%) |
| Average cost per failed B2B payment | $12.10 |
| Estimated American fraud losses in one year (FTC) | $196 billion |
| Revenue lost to fraud by surveyed business leaders (2025) | 7.7% of annual revenue |

Sources: AFP, FTC, TransUnion (2024–2025)

Recovery rates are collapsing. Once instant payments clear, the money is usually gone. For companies processing thousands of payments monthly, these errors compound into six-figure annual losses.

For enterprise finance teams, the math is brutal: VoP creates a false sense of security while the actual attack surface remains wide open.

Why Name Matching Is Not Ownership Verification

This is the critical distinction most companies miss.

Name matching asks: does the name I entered match the name on this bank account?

Ownership verification asks: does the entity behind this bank account legally own and operate the business I intend to pay?

These are fundamentally different questions. Name matching is a string comparison. Ownership verification is an intelligence function that requires:

  • Cross-referencing the account holder against official government business registries
  • Confirming the company's legal status (active, dissolved, suspended)
  • Validating registration details: incorporation date, registered address, company number
  • Checking beneficial ownership and group structure
  • Monitoring for changes over time — new directors, address changes, status changes

VoP answers the first question. It doesn't even attempt the second.

Providers that verify ownership against aggregated or scraped data are better than VoP alone. But they inherit the accuracy problems of their sources. Providers that connect directly to government registries — the legal source of truth for entity existence, ownership, and status — deliver fundamentally higher confidence.

MonitorPay connects directly to 200+ official government registries and banking partners across 150+ countries. Each verification returns the verified account holder name, company details, registration number, VAT status, and enriched firmographics including beneficial ownership and group structure.

What Full Payment Verification Actually Looks Like

Treating VoP as your primary fraud defense is like locking the front door and leaving every window open. Full payment verification requires multiple layers working together.

| Layer | What It Does | What It Stops |
| --- | --- | --- |
| 1. IBAN Validation | Confirms the account number is structurally valid and associated with a real bank | Data entry errors, formatting mistakes |
| 2. Name Matching (VoP) | Confirms payee name matches the account holder at the receiving bank | Typos, obvious impersonation |
| 3. Account Status | Confirms the account is active, open, and able to receive payments | Payments to dormant, frozen, or closed accounts |
| 4. Account Ownership | Confirms the legal owner of the bank account matches the entity you intend to pay | Shell companies, mule accounts, identity fraud |
| 5. Entity Legitimacy | Confirms the company is real, active, and legally registered | Dissolved entities, fake companies, dormant shells |
| 6. Continuous Monitoring | Ongoing alerts when verified accounts change bank details, ownership, or status | Delayed fraud, compromised vendors, entity changes |

No single layer stops all fraud. The combination does.
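To make the difference between name matching and the layered checks concrete, here is an added example (not MonitorPay's code or API) of a pre-payment gate covering layers 1 to 5. The function names, the 0.85 similarity cut-off, the shape of the `bank` and `registry` records, and the company name and registration numbers are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

def iban_valid(iban):
    """Layer 1: structural check, ISO 13616 mod-97 remainder must be 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])  # A=10 ... Z=35
    return int(digits) % 97 == 1

def name_match(entered, on_account):
    """Layer 2: VoP-style result. The 0.85 cut-off is an assumption."""
    if on_account is None:
        return "Unable to Verify"
    norm = lambda n: re.sub(r"[^a-z0-9]+", " ", n.lower()).strip()
    ratio = SequenceMatcher(None, norm(entered), norm(on_account)).ratio()
    return "Match" if ratio == 1.0 else "Close Match" if ratio >= 0.85 else "No Match"

def payment_gate(payee, expected_reg_no, iban, bank, registry):
    """Layers 1-5. `bank` and `registry` are hypothetical lookup results."""
    findings = []
    if not iban_valid(iban):
        findings.append("iban_invalid")
    vop = name_match(payee, bank.get("holder_name"))
    if vop != "Match":
        findings.append("name_" + vop.lower().replace(" ", "_"))
    if bank.get("status") != "active":
        findings.append("account_" + str(bank.get("status")))
    if registry is None:
        findings.append("owner_not_in_registry")
    else:
        if registry["status"] != "active":
            findings.append("entity_" + registry["status"])
        if registry["reg_no"] != expected_reg_no:
            findings.append("owner_is_not_expected_entity")
    return ("hold" if findings else "release"), vop, findings

# Constructed case: a dissolved shell reusing the vendor's trading name.
IBAN = "DE89 3704 0044 0532 0130 00"  # widely published example IBAN
BANK = {"holder_name": "Nordwind Logistik GmbH", "status": "active"}
SHELL = {"reg_no": "HRB 000002", "status": "dissolved"}

if __name__ == "__main__":
    print(payment_gate("Nordwind Logistik GmbH", "HRB 000001", IBAN, BANK, SHELL))
```

In the constructed case the name check alone returns "Match", and the payment is held only because the registry record behind the account is dissolved and carries a different registration number than the vendor on file.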

MonitorPay's API delivers all six layers through a single integration — from IBAN validation to continuous monitoring — sourced from government registries and banking partners across 150+ countries.

How to Close the Gap: A Practical Checklist for Finance Teams

If you're relying on VoP as your primary payment security measure, here's what needs to change.

Immediate Actions

  • Audit your current payment verification process. Map exactly which checks happen before money moves. Identify the gaps.
  • Add account ownership verification before every first payment to a new vendor and every bank detail change for existing vendors.
  • Require entity legitimacy checks sourced from government registries — not self-reported data from the vendor.

Process Changes

  • Treat any change of bank details as a high-risk event. Require independent verification through a separate channel before updating payment records.
  • Implement dual authorization for payments above your risk threshold.
  • Build verification into vendor onboarding — not as an afterthought, but as a gate that blocks account creation until checks complete.

Technology Requirements

  • Deploy an API-driven verification platform that validates IBAN structure, account ownership, entity status, and beneficial ownership in a single workflow.
  • Ensure coverage beyond SEPA. If you pay vendors globally, your verification must work globally.
  • Require sub-second response times. Verification that slows down payment processing won't get adopted.
  • Choose providers that source data directly from government registries and banking partners — not aggregators.

VoP Is a Floor, Not a Ceiling

VoP was a necessary regulation. It catches a real category of errors and prevents a subset of impersonation attacks. No reasonable person argues against it.

But the mistake — the dangerous, expensive mistake — is treating VoP as a fraud prevention strategy.

It's not.

VoP is a compliance requirement. It checks one thing: does this name match this IBAN? Fraudsters have already mapped every way around that single check. Stolen identities. Shell companies. Mule accounts. Cross-border routing. Social engineering that hands you the "right" name on a silver platter.

The companies that will avoid the next wave of payment fraud are the ones that verify deeper: ownership, entity legitimacy, account status, and beneficial control — sourced from the legal record of truth.

Name matching tells you the door is labelled correctly. Ownership verification tells you who's behind it. One protects you from typos. The other protects your treasury.

Frequently Asked Questions

Verification of Payee is a mandatory EU regulation that requires banks to check whether a payee's name matches their IBAN before executing SEPA credit transfers. The system returns one of four results — Match, Close Match, No Match, or Unable to Verify — and the payer then decides whether to proceed. It became mandatory for Eurozone PSPs in October 2025 under the EU Instant Payments Regulation. Non-Euro EU countries must comply by July 2027.
Yes. VoP only checks name-to-IBAN matching. Fraudsters bypass it in at least five documented ways: using stolen identities to open legitimate accounts, deploying mule accounts with matching names in BEC attacks, registering shell companies with valid bank accounts, routing payments outside the SEPA zone where VoP doesn't apply, and coaching victims to enter the exact registered account name during social engineering attacks. In each scenario, VoP returns "Match" while the fraud proceeds undetected.
VoP checks if the name you entered matches the name on a bank account — a simple string comparison. Account ownership verification confirms whether the legal owner of that bank account is the entity you actually intend to pay, by cross-referencing against government registries, checking company status, and validating beneficial ownership. MonitorPay provides registry-verified ownership verification across 150+ countries, using data from 200+ official government registries.
No. VoP only covers SEPA credit transfers within the Eurozone. Payments to the UK, US, Asia, Africa, and other regions outside SEPA have zero VoP coverage. Non-Euro EU countries don't need to comply until July 2027. For companies with global supply chains, this creates a significant fraud gap. MonitorPay provides account verification and ownership checks across 150+ countries to cover what VoP cannot.
Global losses are massive and growing. APP fraud losses are projected to reach $5.25 billion across the US, UK, and India by 2026 (ACI Worldwide & GlobalData). LSEG estimates global APP fraud could hit $331 billion by 2027. Deloitte projects US losses alone could reach nearly $15 billion by 2028. The Global Anti-Scam Alliance estimated consumers lost $442 billion to APP fraud and scams worldwide in 2025. Recovery rates are falling — in 2024, only 22% of organizations recovered 75% or more of funds lost to payment fraud.
No. VoP does not verify entity legitimacy in any way. It cannot distinguish between an active operating company and a dissolved shell entity. It doesn't check company status, incorporation details, VAT registration, beneficial ownership, or trading history. A shell company with a valid bank account and matching name passes VoP every time. MonitorPay fills this gap by verifying entities against 200+ official government registries worldwide, confirming company status, registration details, and ownership structure.
Finance teams should take three immediate actions: add account ownership verification for every new vendor and every bank detail change, require entity legitimacy checks sourced from government registries (not self-reported vendor data), and implement continuous monitoring that alerts when verified accounts change status. Process changes should include treating any bank detail change as a high-risk event, requiring dual authorization for high-value payments, and building verification into vendor onboarding as a mandatory gate before the first payment is released.
The most reliable method is registry-verified ownership verification. This cross-references bank account details against official government business registries to confirm the legal owner of the account matches the entity you intend to pay. MonitorPay's API connects directly to 200+ government registries and banking partners across 150+ countries to deliver real-time ownership verification. Each check returns the verified account holder name, company details, registration number, VAT status, and enriched firmographics including beneficial ownership and group structure.
Not effectively. In BEC attacks, fraudsters intercept legitimate invoices and substitute bank details belonging to a mule account — a real person whose name matches the IBAN. VoP checks the name, returns "Match," and the payment proceeds to the fraudulent account. BEC has cost businesses an estimated $55 billion over the past decade. Stopping BEC requires ownership verification that confirms the bank account belongs to the actual vendor entity — checking against government registry records, not just matching a name to an IBAN.
MonitorPay provides multiple verification layers beyond what VoP offers: IBAN structural validation, payee name matching with fuzzy logic and confidence scoring, account ownership verification sourced directly from government registries and banking partners, entity legitimacy checks (company status, VAT registration, directors, beneficial ownership, group structure), account status verification (active, dormant, closed), and continuous monitoring that alerts you when verified accounts change. Coverage spans 150+ countries — far beyond the SEPA zone. The API returns results in sub-second response times and integrates into existing payment workflows, onboarding processes, and ERP systems.