Skip links

How to Verify Chinese Supplier Bank Accounts

How to Verify Spanish Supplier Bank Accounts: VoP, IBAN, and the Registro Mercantil

Verification of Payee went live across the eurozone on 9 October 2025. In Spain, that gives you a green “match” before you pay — but a match only confirms a name fits an IBAN. It says nothing about whether the company behind it is real, active, or controlled by who you think.

If you pay suppliers in Spain, the rules just changed in your favour — and not as much as you’d think. Since 9 October 2025, every payment service provider in the eurozone must offer Verification of Payee (VoP) on SEPA credit transfers, Spain included. Before you authorise a transfer, your bank now tells you whether the beneficiary name matches the IBAN: match, close match, no match, or other.

That’s a real improvement. It’s also the exact point where Spanish AP and compliance teams get comfortable too early. VoP verifies one relationship — name to account number — at the bank layer. It does not verify the entity layer: whether Distribuciones Ibéricas S.L. is a registered, active company, who its directors and ultimate owners are, or whether the legal name on your contract is the same entity that just asked you to wire €80,000 to a new IBAN.

In Spain that entity layer is unusually hard to check yourself. The company register is decentralised and pay-per-document. The beneficial-ownership register exists but is, in practice, close to inaccessible. This guide breaks down what VoP confirms in Spain, what it leaves open, and how to close the gap — for one supplier or for ten thousand.

The verification gap, in numbers · Banco de España & ECB/EBA, 2024–2025
€318M
Payment fraud reported in Spain, 2024
7.6% of the €4.2bn lost across the EEA
€153M
Lost to fraudulent credit transfers in Spain
The exact rail VoP is meant to protect
85%
Share of EEA transfer-fraud losses borne by users who were manipulated into paying
Scams a name-match check doesn’t catch
+42%
Rise in the average fraudulent transfer in Spain, H1 2025
€2,347 per fraudulent order, and climbing

One figure deserves a second look. Across the EEA, roughly 85% of credit-transfer fraud losses fall on users who were tricked into authorising the payment themselves — invoice redirection, impersonated suppliers, “urgent” bank-detail changes. Those payments pass every authentication check because the real customer approves them. Banco de España makes the point bluntly in its 2025 supervision report: fraud incidence on electronically-initiated transfers that used strong customer authentication is actually higher, because attackers have moved on from breaking security to manipulating people. VoP doesn’t stop that. Verifying the company behind the account does.

Section 01What VoP actually checks in Spain

Spain is in the eurozone, so Spanish PSPs fell under the VoP obligation on the first deadline, 9 October 2025, set by the EU’s Instant Payments Regulation. (PSPs in non-euro EU states have until 9 July 2027.) The mechanics are pan-European and run through the European Payments Council’s VoP scheme: the payer’s bank submits the payee’s name and IBAN, the payee’s bank checks them against its records, and a result comes back — typically within a second.

Here’s the limit. VoP answers a single question: does the name you typed match the registered holder of this IBAN? It is a fraud check against typos and mismatched beneficiaries. It is not a know-your-business check. A “match” confirms the account holder’s name lines up — it does not confirm that holder is a legitimate, registered Spanish company, that it’s still trading, or that it’s the counterparty in your contract. A fraudster operating a real account under a deceptively similar company name can still return a clean or “close match” result.

We’ve written the full mechanics elsewhere — see our complete guide to Verification of Payee and the deeper look at how fraud still bypasses VoP. The short version for Spain: treat the VoP result as the first of two checks, never the only one.

Figure 1 · The two questions
A VoP “match” answers the top question. Your risk lives in the bottom one.
✓ Bank layer — what VoP confirms
The IBAN is valid and reachable
The name matches the account holder on record
Result returned in <1 second: match / close / no match
— Entity layer — what it doesn’t
?Is this a registered, active Spanish company?
?Who are the directors and the ultimate owners (UBO)?
?Is this the same legal entity named in your contract?
?Has its status, name, or ownership changed since onboarding?
A clean match tells you the money will arrive at the named account. It doesn’t tell you the account belongs to the supplier you meant to pay.
Why Spanish suppliers trigger “close match” so often. Spanish companies routinely trade under a nombre comercial (a brand name, e.g. “Sol Fitness”) that differs from the denominación social — the full legal name the bank account is held in, e.g. “Costa Health Ventures S.L.” If your records carry the brand and the account carries the legal entity, VoP comes back close match rather than a clean match. It’s a routine naming gap, not a red flag — but it trains teams to wave “close match” through, which is exactly the habit fraudsters rely on. Resolving the legal name from registry data is what tells you whether a close match is harmless or hostile.

Section 02The Spanish IBAN, decoded

A Spanish IBAN is always 24 characters. Validating its structure is the cheapest fraud filter you have — a malformed IBAN, a bad check digit, or a bank code that doesn’t exist should never reach a payment run. The 24 characters are ES, two IBAN check digits, then the legacy 20-digit Código Cuenta Cliente (CCC): a 4-digit bank code, a 4-digit branch code, two national control digits, and a 10-digit account number.

Figure 2 · IBAN anatomy
ES91 2100 0418 45 0200 0513 32 — every segment is checkable before you pay
ES
Country
91
Check
2100
Bank · entidad
0418
Branch · oficina
45
Control
0200 0513 32
Account · cuenta
The 4-digit entidad code maps to a real bank (e.g. Santander 0049, BBVA 0182, CaixaBank 2100, Sabadell 0081). The two control digits validate the CCC; the IBAN check digits validate the whole string via ISO 7064 MOD-97. Example IBAN shown for illustration only.

Structure validation catches mechanical errors and obvious junk — but a perfectly-formed IBAN can still belong to the wrong party. For the rules across markets, see IBAN formats by country, or the developer view in our IBAN validation API guide. Format is necessary. It is nowhere near sufficient.

Section 03The entity layer: the Registro Mercantil and the NIF

Spain’s company register is the Registro Mercantil — decentralised, with a provincial registry in each province coordinated by the Registro Mercantil Central (RMC) in Madrid. Every commercial entity must register: corporate name, registration number, registered office, legal form, share capital, directors, and annual accounts. Two entity types cover almost all suppliers you’ll meet:

  • S.L. (Sociedad de Responsabilidad Limitada) — the private limited company, by far the most common SME form, with minimum capital as low as €1.
  • S.A. (Sociedad Anónima) — the public limited company, used by larger businesses.

The tax identifier is the NIF (Número de Identificación Fiscal): one letter plus eight digits, where the leading letter encodes the entity type — A for an S.A., B for an S.L. If a supplier’s old paperwork says “CIF”, that’s the same number under its pre-2008 name; the CIF was renamed the NIF under Royal Decree 1065/2007 and the digits never changed. The intra-EU VAT number is simply ES + the NIF (e.g. ESB12345678), checkable in the EU’s VIES system.

A VIES trap worth knowing. A legitimate Spanish company that trades only domestically will have a valid NIF but return “not found” in VIES, because VIES only lists businesses registered for intra-EU trade (the ROI). A blank VIES result is not proof a supplier is fake — it’s a prompt to check the Registro Mercantil instead.

So far, so verifiable — if you have the time. The catch is access. RMC searches return basic identity data, but anything useful for compliance (a nota informativa with directors, capital, and status) is a paid, per-document request, and the portal caps results and varies by province. It works for checking one supplier. It does not work for verifying a vendor master file of thousands, on a schedule, with an audit trail.

Section 04The UBO problem: a register that exists but won’t let you in

Knowing the directors isn’t the same as knowing who controls a company. For ultimate beneficial ownership, Spain has the Registro Central de Titularidades Reales (RETIR) — a central UBO register holding the individuals who own or control 25% or more of a company. On paper, it’s exactly what a compliance team needs. In practice, getting data out of it is the hardest part of verifying a Spanish supplier.

Since the EU Court of Justice struck down general public access to UBO registers in late 2022, Spain’s register operates on a legitimate-interest basis. Reaching the data means a Spanish digital ID, correspondence in Spanish, and a registrar’s assessment of your interest. When KYB specialists tested access in early 2026, they described it as “virtually impossible” — and noted that even Transparency International’s Spanish arm took six months to be granted access, after which the records still excluded the nature of the ownership. Shareholder data elsewhere in the register is thin; the only reliably public ownership snapshot is the original incorporation deed.

Figure 3 · Spain’s registry access reality
Mandatory to file. Built to be public. In practice, a wall.
● Reachable
Registro Mercantil (company identity)
Name, NIF, status, directors, accounts — but per-document and pay-per-search.
  • Basic search free; useful extracts cost per request
  • Decentralised across provinces
  • No bulk, no monitoring, no audit trail
▲ Locked
Registro Central de Titularidades Reales (UBO)
Holds the people who actually control the company — and rarely opens.
  • Legitimate-interest only since the 2022 CJEU ruling
  • Spanish ID and Spanish-language process required
  • Access measured in months, not minutes
The information you most need to stop shell-company and impersonation fraud is the information Spain makes hardest to reach. Registry-sourced data closes that gap without the queue.

If you assemble this picture yourself, here’s where each piece lives — and why no single Spanish source gives you the whole supplier:

Reference · Spanish verification sources
Four sources, four partial views of one supplier
SourceWhat it confirmsAccessThe catch
EU VIESIntra-EU VAT (NIF-IVA) valid & the registered nameFreeDomestic-only firms aren’t listed — a blank result isn’t proof of fraud
Agencia TributariaThe NIF exists and is activeFreeExistence only — no directors, ownership, or status detail
Registro MercantilLegal name, reg number, status, directors, accountsPay per docDecentralised by province; per-document; no bulk, no monitoring
Reg. Central de Titularidades RealesUltimate beneficial owners (25%+)RestrictedLegitimate-interest only, Spanish ID required, access in months

Stitching four sources together — three slow or paywalled, one effectively closed — is the manual reality of verifying a single Spanish supplier. It’s the reason most teams stop at the VoP result and hope. The alternative is to pull all four layers from registry data in one call.

How MonitorPay closes the gap

One API call. The bank account and the company behind it — verified together.

MonitorPay runs both layers in a single request. First it confirms the payment side: the IBAN is valid and the payee name matches the legal account holder. Then, for the same Spanish supplier, it returns the entity behind the account from registry-sourced data — so a green result also tells you the company is real, active, and controlled by who you expect.

IBAN validation & payee-name match Account ownership Legal name, NIF, status, incorporation Directors & officers Shareholders & UBO Ultimate parent & group structure
See it on a Spanish supplier

Section 05Why a “match” still loses money

Return to the data. Spain lost €153M to fraudulent credit transfers in 2024, and the dominant pattern isn’t broken bank security — it’s manipulation. Banco de España identifies the two leading transfer frauds as the fraudster manipulating the payer (social engineering) and the fraudster issuing payment orders directly. Both produce payments the legitimate user authorises. Both sail past authentication. And the average fraudulent transfer in Spain jumped 42% in the first half of 2025, to €2,347 — the losses aren’t just frequent, they’re getting larger.

Anatomy of the attack · illustrative
How a clean VoP “match” still pays the fraudster
1
You’ve paid Distribuciones Ibéricas S.L. for two years. The relationship is real and the supplier is legitimate.
2
An email lands from the supplier’s “finance team”: updated bank details, a new IBAN, please use it for the next invoice. The domain looks right and the tone is routine.
3
The fraudster controls an account opened in a name that’s close enough — or has compromised a lookalike entity. You run the payment and VoP returns match or close match, because the name does line up with that account’s holder.
4
€48,000 leaves instantly and irreversibly. Every control passed: you authorised it, the name matched the IBAN, the bank cleared it. Nothing checked the one thing that mattered — whether that account belonged to the supplier you’ve been paying for two years.

This is the structural reason VoP alone won’t move Spain’s fraud line much.

The fraud that costs the most isn’t a name-IBAN mismatch a green light would have caught — it’s a payment to the “right” name at an account that was never really your supplier’s. The defence is verifying the business: confirming the entity is registered and active, that ownership hasn’t quietly changed, and that a sudden bank-detail change is coming from the company you actually contracted with. For why that protection has to be continuous rather than a one-time onboarding check, see why one-time verification fails.

Figure 4 · The trend behind the rules
EEA payment fraud, total reported losses (€bn)
€3.4bn 2022 €3.5bn 2023 €4.2bn 2024 +20%
Reported payment fraud across the EEA rose ~20% in 2024, with credit transfers the single largest loss category. Source: ECB / EBA joint payment fraud report, December 2025.

Section 06A practical verification stack for Spanish suppliers

Put together, here’s what robust verification of a Spanish supplier looks like — at onboarding and on every bank-detail change:

  • Validate the IBAN structure. 24 characters, valid check digits, a real entidad code. Reject malformed accounts before they reach a payment run.
  • Run VoP / payee-name match. Confirm the name matches the account holder. Treat “close match” and “no match” as stop-and-check, not proceed-at-risk.
  • Confirm account ownership. Tie the IBAN to the legal account holder, not just a name string.
  • Verify the entity. Legal name, NIF, registration number, status (active / struck-off), incorporation date, and registered office from registry data.
  • Check control. Directors, shareholders, UBO, ultimate parent and group structure — the layer the Spanish UBO register makes hardest to reach.
  • Monitor continuously. Alert on status changes, ownership changes, and bank-detail changes after onboarding — fraud lands on the change, not the first payment.

The first three are the payment layer. The last three are the business layer that VoP was never designed to cover. Doing both is what separates a confirmation that money will arrive from a confirmation you’re paying the right company. For the wider argument, see VoP vs full account verification. The same two-layer logic carries across borders — if you pay beyond Spain, see our guides for the Netherlands and France, or the pillar on paying suppliers in 50+ countries.

Section 07What’s coming next: the 2026–2027 horizon

Spain’s verification landscape isn’t settled. Four shifts will matter for anyone paying Spanish — and European — suppliers over the next 18 months:

  • VoP goes pan-European (July 2027). The 9 July 2027 deadline brings non-euro EU PSPs into the VoP scheme, extending name-matching to the rest of the single market. Expands coverage — same entity-layer blind spot.
  • The EU AML package bites. The new Anti-Money-Laundering Regulation and the EU’s AML Authority (AMLA) tighten UBO obligations and registry interconnection from 2027. Expect pressure on registers to standardise — but the practical access friction in Spain won’t vanish overnight.
  • Instant payments scale up. Spain is already a European leader in instant transfers (via Iberpay and Bizum). Faster, irreversible payments raise the cost of paying the wrong account — there’s no clawback window to fall back on.
  • Manipulation-led fraud keeps rising. With the average fraudulent transfer up 42% and attackers targeting authenticated, user-approved payments, the controls that move the needle are the ones that verify the counterparty, not just the credential.
Get this data your way

Verify one Spanish supplier — or your entire vendor master file.

Bank account and company verification for Spain through a single integration. Use it however your team works:

API One REST call, results in <1s, webhook alerts on change Bulk Thousands of suppliers in one file upload Platform Online dashboard with exportable audit logs
Book a 30-minute walkthrough

Frequently asked questions

Is Verification of Payee (VoP) mandatory in Spain?
Yes. Because Spain is in the eurozone, Spanish payment service providers were required to offer VoP from 9 October 2025 under the EU’s Instant Payments Regulation. Before authorising a SEPA credit transfer, your bank checks whether the payee name matches the IBAN and returns a result — match, close match, no match, or other. PSPs in non-euro EU states must comply by 9 July 2027.
Does a VoP “match” mean a Spanish company is legitimate?
No. VoP only confirms that the name you entered matches the registered holder of that IBAN. It does not confirm the holder is a registered, active Spanish company, who owns or controls it, or that it’s the entity in your contract. A VoP match is a payment-layer check; verifying the business requires registry-sourced entity and ownership data on top.
How do I verify a Spanish company’s registration and NIF?
There are three official routes. The Registro Mercantil Central (sede.registradores.org) lets you search by company name or NIF and buy extracts with directors, capital, and status. The Agencia Tributaria confirms a NIF exists and is active. For intra-EU VAT, VIES verifies the NIF with the ES prefix. For a vendor master file rather than a single lookup, an API that returns this data at scale is far more practical than per-document portal searches.
What’s the difference between a CIF and a NIF in Spain?
They’re the same identifier. The CIF (Código de Identificación Fiscal) was the tax ID for Spanish legal entities until it was renamed the NIF under Royal Decree 1065/2007 in 2008. The number itself never changed — a company whose CIF was B12345678 now has the NIF B12345678. The leading letter shows the entity type: A for an S.A., B for an S.L.
How long is a Spanish IBAN and what do the parts mean?
A Spanish IBAN is exactly 24 characters: ES + 2 IBAN check digits + the 20-digit legacy CCC. The CCC breaks down into a 4-digit bank code (entidad), a 4-digit branch code (oficina), 2 national control digits, and a 10-digit account number. The bank code maps to a real institution (e.g. Santander 0049, BBVA 0182, CaixaBank 2100), and the check digits let you validate the whole string before paying.
Can I find out who really owns a Spanish company (the UBO)?
In theory, yes — via the Registro Central de Titularidades Reales, which holds individuals controlling 25% or more. In practice, access is difficult: since the 2022 EU Court of Justice ruling it runs on a legitimate-interest basis, requires a Spanish digital ID and Spanish-language process, and can take months to obtain. Registry-sourced verification services are usually the practical way to get UBO, director, and group-structure data on a Spanish supplier.
Why does my Spanish supplier’s VAT number fail on VIES?
A “not found” on VIES doesn’t mean the company is fake. VIES only lists Spanish businesses registered for intra-EU trade (the ROI). A legitimate company trading only inside Spain has a valid NIF but won’t appear in VIES. Check the Registro Mercantil to confirm it’s a real, registered entity, and verify the intra-community NIF-IVA before issuing a zero-rated invoice.
What’s the difference between an S.L. and an S.A. in Spain?
An S.L. (Sociedad de Responsabilidad Limitada) is the private limited company — the most common SME form, with minimum capital as low as €1. An S.A. (Sociedad Anónima) is the public limited company used by larger businesses. Both must register with the Registro Mercantil; the NIF’s leading letter (B for S.L., A for S.A.) tells you which you’re dealing with.
How much payment fraud does Spain actually see?
Spain reported over €318M in payment fraud in 2024 — about 7.6% of the €4.2bn lost across the EEA — with €153M of that on credit transfers, according to the ECB/EBA joint report. The dominant pattern is manipulation: across the EEA, roughly 85% of transfer-fraud losses fall on users tricked into authorising the payment. Banco de España also reported the average fraudulent transfer in Spain rose 42% in the first half of 2025.
How can I verify Spanish supplier bank accounts at scale?
Manual portal checks don’t scale to a vendor master file. MonitorPay verifies the IBAN, matches the payee name, confirms account ownership, and returns the registry-sourced entity behind it — legal name, NIF, status, directors, shareholders, UBO, and group structure — in one API call. You can run it as an API, a bulk file of thousands of suppliers, or through an online dashboard with exportable audit logs, with continuous monitoring for status, ownership, and bank-detail changes.