How to Verify Chinese Supplier Bank Accounts
How to Verify Spanish Supplier Bank Accounts: VoP, IBAN, and the Registro Mercantil
Verification of Payee went live across the eurozone on 9 October 2025. In Spain, that gives you a green “match” before you pay — but a match only confirms a name fits an IBAN. It says nothing about whether the company behind it is real, active, or controlled by who you think.
If you pay suppliers in Spain, the rules just changed in your favour — and not as much as you’d think. Since 9 October 2025, every payment service provider in the eurozone must offer Verification of Payee (VoP) on SEPA credit transfers, Spain included. Before you authorise a transfer, your bank now tells you whether the beneficiary name matches the IBAN: match, close match, no match, or other.
That’s a real improvement. It’s also the exact point where Spanish AP and compliance teams get comfortable too early. VoP verifies one relationship — name to account number — at the bank layer. It does not verify the entity layer: whether Distribuciones Ibéricas S.L. is a registered, active company, who its directors and ultimate owners are, or whether the legal name on your contract is the same entity that just asked you to wire €80,000 to a new IBAN.
In Spain that entity layer is unusually hard to check yourself. The company register is decentralised and pay-per-document. The beneficial-ownership register exists but is, in practice, close to inaccessible. This guide breaks down what VoP confirms in Spain, what it leaves open, and how to close the gap — for one supplier or for ten thousand.
One figure deserves a second look. Across the EEA, roughly 85% of credit-transfer fraud losses fall on users who were tricked into authorising the payment themselves — invoice redirection, impersonated suppliers, “urgent” bank-detail changes. Those payments pass every authentication check because the real customer approves them. Banco de España makes the point bluntly in its 2025 supervision report: fraud incidence on electronically-initiated transfers that used strong customer authentication is actually higher, because attackers have moved on from breaking security to manipulating people. VoP doesn’t stop that. Verifying the company behind the account does.
Section 01What VoP actually checks in Spain
Spain is in the eurozone, so Spanish PSPs fell under the VoP obligation on the first deadline, 9 October 2025, set by the EU’s Instant Payments Regulation. (PSPs in non-euro EU states have until 9 July 2027.) The mechanics are pan-European and run through the European Payments Council’s VoP scheme: the payer’s bank submits the payee’s name and IBAN, the payee’s bank checks them against its records, and a result comes back — typically within a second.
Here’s the limit. VoP answers a single question: does the name you typed match the registered holder of this IBAN? It is a fraud check against typos and mismatched beneficiaries. It is not a know-your-business check. A “match” confirms the account holder’s name lines up — it does not confirm that holder is a legitimate, registered Spanish company, that it’s still trading, or that it’s the counterparty in your contract. A fraudster operating a real account under a deceptively similar company name can still return a clean or “close match” result.
We’ve written the full mechanics elsewhere — see our complete guide to Verification of Payee and the deeper look at how fraud still bypasses VoP. The short version for Spain: treat the VoP result as the first of two checks, never the only one.
Section 02The Spanish IBAN, decoded
A Spanish IBAN is always 24 characters. Validating its structure is the cheapest fraud filter you have — a malformed IBAN, a bad check digit, or a bank code that doesn’t exist should never reach a payment run. The 24 characters are ES, two IBAN check digits, then the legacy 20-digit Código Cuenta Cliente (CCC): a 4-digit bank code, a 4-digit branch code, two national control digits, and a 10-digit account number.
Structure validation catches mechanical errors and obvious junk — but a perfectly-formed IBAN can still belong to the wrong party. For the rules across markets, see IBAN formats by country, or the developer view in our IBAN validation API guide. Format is necessary. It is nowhere near sufficient.
Section 03The entity layer: the Registro Mercantil and the NIF
Spain’s company register is the Registro Mercantil — decentralised, with a provincial registry in each province coordinated by the Registro Mercantil Central (RMC) in Madrid. Every commercial entity must register: corporate name, registration number, registered office, legal form, share capital, directors, and annual accounts. Two entity types cover almost all suppliers you’ll meet:
- S.L. (Sociedad de Responsabilidad Limitada) — the private limited company, by far the most common SME form, with minimum capital as low as €1.
- S.A. (Sociedad Anónima) — the public limited company, used by larger businesses.
The tax identifier is the NIF (Número de Identificación Fiscal): one letter plus eight digits, where the leading letter encodes the entity type — A for an S.A., B for an S.L. If a supplier’s old paperwork says “CIF”, that’s the same number under its pre-2008 name; the CIF was renamed the NIF under Royal Decree 1065/2007 and the digits never changed. The intra-EU VAT number is simply ES + the NIF (e.g. ESB12345678), checkable in the EU’s VIES system.
So far, so verifiable — if you have the time. The catch is access. RMC searches return basic identity data, but anything useful for compliance (a nota informativa with directors, capital, and status) is a paid, per-document request, and the portal caps results and varies by province. It works for checking one supplier. It does not work for verifying a vendor master file of thousands, on a schedule, with an audit trail.
Section 04The UBO problem: a register that exists but won’t let you in
Knowing the directors isn’t the same as knowing who controls a company. For ultimate beneficial ownership, Spain has the Registro Central de Titularidades Reales (RETIR) — a central UBO register holding the individuals who own or control 25% or more of a company. On paper, it’s exactly what a compliance team needs. In practice, getting data out of it is the hardest part of verifying a Spanish supplier.
Since the EU Court of Justice struck down general public access to UBO registers in late 2022, Spain’s register operates on a legitimate-interest basis. Reaching the data means a Spanish digital ID, correspondence in Spanish, and a registrar’s assessment of your interest. When KYB specialists tested access in early 2026, they described it as “virtually impossible” — and noted that even Transparency International’s Spanish arm took six months to be granted access, after which the records still excluded the nature of the ownership. Shareholder data elsewhere in the register is thin; the only reliably public ownership snapshot is the original incorporation deed.
- Basic search free; useful extracts cost per request
- Decentralised across provinces
- No bulk, no monitoring, no audit trail
- Legitimate-interest only since the 2022 CJEU ruling
- Spanish ID and Spanish-language process required
- Access measured in months, not minutes
If you assemble this picture yourself, here’s where each piece lives — and why no single Spanish source gives you the whole supplier:
| Source | What it confirms | Access | The catch |
|---|---|---|---|
| EU VIES | Intra-EU VAT (NIF-IVA) valid & the registered name | Free | Domestic-only firms aren’t listed — a blank result isn’t proof of fraud |
| Agencia Tributaria | The NIF exists and is active | Free | Existence only — no directors, ownership, or status detail |
| Registro Mercantil | Legal name, reg number, status, directors, accounts | Pay per doc | Decentralised by province; per-document; no bulk, no monitoring |
| Reg. Central de Titularidades Reales | Ultimate beneficial owners (25%+) | Restricted | Legitimate-interest only, Spanish ID required, access in months |
Stitching four sources together — three slow or paywalled, one effectively closed — is the manual reality of verifying a single Spanish supplier. It’s the reason most teams stop at the VoP result and hope. The alternative is to pull all four layers from registry data in one call.
One API call. The bank account and the company behind it — verified together.
MonitorPay runs both layers in a single request. First it confirms the payment side: the IBAN is valid and the payee name matches the legal account holder. Then, for the same Spanish supplier, it returns the entity behind the account from registry-sourced data — so a green result also tells you the company is real, active, and controlled by who you expect.
Section 05Why a “match” still loses money
Return to the data. Spain lost €153M to fraudulent credit transfers in 2024, and the dominant pattern isn’t broken bank security — it’s manipulation. Banco de España identifies the two leading transfer frauds as the fraudster manipulating the payer (social engineering) and the fraudster issuing payment orders directly. Both produce payments the legitimate user authorises. Both sail past authentication. And the average fraudulent transfer in Spain jumped 42% in the first half of 2025, to €2,347 — the losses aren’t just frequent, they’re getting larger.
This is the structural reason VoP alone won’t move Spain’s fraud line much.
The fraud that costs the most isn’t a name-IBAN mismatch a green light would have caught — it’s a payment to the “right” name at an account that was never really your supplier’s. The defence is verifying the business: confirming the entity is registered and active, that ownership hasn’t quietly changed, and that a sudden bank-detail change is coming from the company you actually contracted with. For why that protection has to be continuous rather than a one-time onboarding check, see why one-time verification fails.
Section 06A practical verification stack for Spanish suppliers
Put together, here’s what robust verification of a Spanish supplier looks like — at onboarding and on every bank-detail change:
- Validate the IBAN structure. 24 characters, valid check digits, a real entidad code. Reject malformed accounts before they reach a payment run.
- Run VoP / payee-name match. Confirm the name matches the account holder. Treat “close match” and “no match” as stop-and-check, not proceed-at-risk.
- Confirm account ownership. Tie the IBAN to the legal account holder, not just a name string.
- Verify the entity. Legal name, NIF, registration number, status (active / struck-off), incorporation date, and registered office from registry data.
- Check control. Directors, shareholders, UBO, ultimate parent and group structure — the layer the Spanish UBO register makes hardest to reach.
- Monitor continuously. Alert on status changes, ownership changes, and bank-detail changes after onboarding — fraud lands on the change, not the first payment.
The first three are the payment layer. The last three are the business layer that VoP was never designed to cover. Doing both is what separates a confirmation that money will arrive from a confirmation you’re paying the right company. For the wider argument, see VoP vs full account verification. The same two-layer logic carries across borders — if you pay beyond Spain, see our guides for the Netherlands and France, or the pillar on paying suppliers in 50+ countries.
Section 07What’s coming next: the 2026–2027 horizon
Spain’s verification landscape isn’t settled. Four shifts will matter for anyone paying Spanish — and European — suppliers over the next 18 months:
- VoP goes pan-European (July 2027). The 9 July 2027 deadline brings non-euro EU PSPs into the VoP scheme, extending name-matching to the rest of the single market. Expands coverage — same entity-layer blind spot.
- The EU AML package bites. The new Anti-Money-Laundering Regulation and the EU’s AML Authority (AMLA) tighten UBO obligations and registry interconnection from 2027. Expect pressure on registers to standardise — but the practical access friction in Spain won’t vanish overnight.
- Instant payments scale up. Spain is already a European leader in instant transfers (via Iberpay and Bizum). Faster, irreversible payments raise the cost of paying the wrong account — there’s no clawback window to fall back on.
- Manipulation-led fraud keeps rising. With the average fraudulent transfer up 42% and attackers targeting authenticated, user-approved payments, the controls that move the needle are the ones that verify the counterparty, not just the credential.
Verify one Spanish supplier — or your entire vendor master file.
Bank account and company verification for Spain through a single integration. Use it however your team works:
Frequently asked questions
Is Verification of Payee (VoP) mandatory in Spain?
Does a VoP “match” mean a Spanish company is legitimate?
How do I verify a Spanish company’s registration and NIF?
ES prefix. For a vendor master file rather than a single lookup, an API that returns this data at scale is far more practical than per-document portal searches.What’s the difference between a CIF and a NIF in Spain?
B12345678 now has the NIF B12345678. The leading letter shows the entity type: A for an S.A., B for an S.L.How long is a Spanish IBAN and what do the parts mean?
ES + 2 IBAN check digits + the 20-digit legacy CCC. The CCC breaks down into a 4-digit bank code (entidad), a 4-digit branch code (oficina), 2 national control digits, and a 10-digit account number. The bank code maps to a real institution (e.g. Santander 0049, BBVA 0182, CaixaBank 2100), and the check digits let you validate the whole string before paying.Can I find out who really owns a Spanish company (the UBO)?
Why does my Spanish supplier’s VAT number fail on VIES?
What’s the difference between an S.L. and an S.A. in Spain?
B for S.L., A for S.A.) tells you which you’re dealing with.