How to Verify Dutch Supplier Bank Accounts: VoP, IBAN-Name Check, and KVK

The Netherlands invented account-name verification — the IBAN-Name Check launched here in 2017, a world first. As of October 2025, the EU made it mandatory across the eurozone under Verification of Payee. But for businesses paying Dutch suppliers, VoP is only the account layer. The KVK registry, the restricted UBO register, and Wwft obligations sit on top — and the operational question is how they fit together.

The Netherlands has the most mature bank-account-verification infrastructure in Europe. The IBAN-Name Check — built into nearly every Dutch bank since 2017 — verifies whether the name entered on a payment matches the account holder registered at the receiving bank. It became the model for the UK's Confirmation of Payee and, ultimately, for the EU-wide Verification of Payee scheme that became mandatory across the eurozone on 9 October 2025.

That maturity is a double-edged sword. Dutch businesses and the citizens who pay them have grown to trust the green "name matches" checkmark — which is exactly what makes the gaps dangerous. The Netherlands faces some of the heaviest payment-fraud losses in Europe: figures from the Global Anti-Scam Alliance put scam losses at €2.6 billion over the past year, with 50% of stolen funds sent via bank or wire transfer — double the EU average of 25%. Account-name verification catches some of that. It misses the rest.

The European picture explains why. The EBA-ECB Joint Report on Payment Fraud, published in December 2025, put total EU/EEA payment fraud at €4.2 billion in 2024 — up from €3.5 billion in 2023, a 17% rise in a single year. Credit transfers were the single largest category by value at €2.2 billion, growing 16% year-on-year. The most important figure for any business making payments is who absorbs the loss: payment service users — not banks — bore roughly 85% of credit-transfer fraud losses in 2024, because the fraud increasingly works by manipulating the payer into authorising the transfer themselves. When you authorise the payment, you own the loss. That is the structural reason verification has to happen before the money moves.

This article explains how Dutch bank account verification actually works in 2026 — VoP and the IBAN-Name Check at the account layer, KVK and the UBO register at the entity layer — and what businesses paying Dutch suppliers should put in place beyond the name check. The framing is practical: not a regulatory primer, but the workflow a finance or compliance team needs to run when onboarding and paying Dutch counterparties.

The Dutch verification landscape: what changed in October 2025

Three things define bank account verification in the Netherlands today: the long-established IBAN-Name Check, the new EU-mandated VoP, and the KVK-based KYB layer required under Dutch AML law (Wwft). A brief refresh on each.

• VoP became mandatory on 9 October 2025. Under the EU Instant Payments Regulation (Regulation (EU) 2024/886), all payment service providers in the eurozone — including banks, payment institutions, and e-money institutions — must offer a free Verification of Payee service before executing SEPA Credit Transfers and SEPA Instant Credit Transfers. The Netherlands, as a euro-area member, was in the first wave.
• VoP returns four outcomes. The payee's PSP verifies whether the name and IBAN match the registered account holder and returns one of: Match, Close Match, No Match, or Other (unable to verify). The European Payments Council's VoP Rulebook governs how this works across SEPA.
• The IBAN-Name Check predates the mandate by eight years. The Dutch IBAN-Naam Check launched in 2017 and has been integrated into nearly every Dutch bank since. It now covers an estimated 99%+ of Dutch online payments and generates roughly 100,000 mismatch warnings every day. For Dutch payments specifically, VoP and the IBAN-Name Check are functionally the same check — the EU mandate formalised what the Netherlands had already been doing voluntarily for years.
• Daily sanctions screening is also mandatory. Under Article 5d of the IPR, PSPs must screen their payment service users against sanctions lists at least daily, with the rejection rate reported separately for domestic and cross-border payments to De Nederlandsche Bank (DNB).
• Wwft governs KYB and UBO obligations. The Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft) — Dutch AML law — requires regulated institutions to identify and verify the businesses they onboard and the ultimate beneficial owners behind them. This is the entity-layer obligation that sits above the account-layer VoP check.

The practical takeaway: in the Netherlands, the account-name check is solved infrastructure. Every Dutch bank does it; the EU now mandates it; coverage is near-universal. That means the verification questions that actually differentiate a robust supplier-payment workflow from a weak one are no longer "does the name match the account" — they're at the entity layer: is this a real, legitimate business, who owns it, and is the business behind the account what it claims to be.

VoP and the IBAN-Name Check: what they actually do

For Dutch payments, Verification of Payee and the IBAN-Name Check are the same kind of check. You enter a payee's name and IBAN; the receiving bank confirms whether the name matches the registered account holder; you get one of four responses before the payment goes out.

The evidence that this works is strong, and it comes from the Dutch market's eight-year head start. After the IBAN-Name Check was introduced, the Netherlands saw an 81% drop in reported fraud and 67% fewer payments sent to incorrect account numbers. The earliest figures, from the 2017 Rabobank rollout, showed a 70% reduction in invoice fraud and 50% fewer misdirected transfers within nine months. Across the Dutch banking network, the check now generates well over 100,000 mismatch warnings every single day — each one a payment the payer was about to send to the wrong account. The account-name check is not a marginal control; it is one of the most effective single fraud interventions deployed in European payments.

The four VoP outcomes and what each means operationally:

• Match — the name you entered matches the registered account holder. Safe to proceed.
• Close Match — the name is similar but not exact (e.g. a trading name vs the legal entity name, or "B.V." vs "BV"). The actual registered name is typically returned so you can decide whether to proceed.
• No Match — the name does not match the account holder. The full registered name is not disclosed (GDPR protection). Contact the supplier directly through an independent channel before proceeding.
• Other / unable to verify — the receiving PSP can't perform the check (account type unsupported, technical issue, or foreign account outside the scheme). Proceed with additional caution.

The crucial design point — same as in the UK and across SEPA — is that VoP returns information, it does not block the payment. A No Match is a warning, not a hard stop. The payer decides whether to proceed. That makes VoP a powerful fraud-prevention overlay, but it leaves the decision (and the liability) with the business making the payment.

Natural person vs organisation

When checking a Dutch account, you indicate whether the account holder is a natural person (natuurlijk persoon) or an organisation (organisatie). The receiving bank uses this to return the correct response. For B2B payments, you generally check against the organisation's registered name. Getting the account-type flag wrong can produce a misleading No Match even when the details are correct — so confirm whether your supplier banks as a sole trader (eenmanszaak, often personal banking) or as a registered company (BV, NV) before running the check.

The company-number and VAT extension

The Dutch IBAN-Name Check ecosystem has extended beyond name matching. Some implementations now also check whether a supplied company registration number (KVK number) or VAT number matches the entity behind the account — helping businesses confirm that the registered company and the bank account are genuinely linked, as part of AML and Know Your Supplier requirements. This is a useful bridge between the account layer and the entity layer, but it's not a substitute for full KVK-based KYB, which we cover below.

Where VoP falls short for Dutch B2B payments

VoP is excellent at what it does — confirming the account-name match. But three gaps matter for businesses paying Dutch suppliers, and all three sit at the entity layer that VoP doesn't reach.

1. A "Match" doesn't tell you the business is legitimate

VoP confirms the account belongs to whoever registered it. It doesn't tell you whether that entity is a real, trading business or a shell company created to receive fraudulent payments. Registering a Dutch BV is fast and inexpensive; a fraudster who incorporates "Amstel Cloud Solutions B.V.," opens a business account in that name, and submits an invoice will pass VoP cleanly. The account is registered correctly to the entity that exists — but the entity itself is the fraud. Closing that gap requires KVK-based KYB, not a name check. See KYB verification for marketplaces for how entity verification complements account verification.

2. VoP can't reliably identify the legal or natural person behind the account

This is explicit in the regulatory guidance: VoP facilitates verification of payee data, but it cannot be used to reliably identify a private or legal person. The name on the account matches — but VoP doesn't confirm who controls the entity. For Wwft compliance, you need the ultimate beneficial owner, the directors, and the corporate structure. None of that comes from a VoP check; it comes from the KVK register and UBO data.

3. VoP doesn't catch supplier-side compromise

The highest-frequency attack against Dutch businesses isn't a fake company — it's a real supplier whose email has been compromised, sending a convincing request to change payment details to a new account. The supplier is real, their KVK record is clean, and the new account passes VoP (because it's registered correctly to a money mule). The fraud lives in the change request, not the account details. This is exactly the risk SurePay flagged around the Belastingdienst's 2026 bank switch: when an organisation changes its account details legitimately, fraudsters exploit the moment to slip in fraudulent change requests that recipients are primed to accept. For the operational picture on this attack pattern, see vendor email compromise vs business email compromise.

A concrete scenario: VEC against VoP

A composite, anonymised Dutch scenario showing how the supplier-compromise gap plays out.

The setup. "Zuid Tech B.V." is a Dutch software company that has been paying "Amstel Logistics B.V." — a Dutch logistics supplier — for two years. Monthly invoices of around €15,000. Payment details have never changed. Amstel banks with ING; the registered account name matches Amstel's KVK record exactly. Every payment has cleared cleanly through the IBAN-Name Check.

The attack. On a Monday, Zuid Tech's finance team receives an email from their regular Amstel contact — the address they recognise. The message says Amstel has switched banks and asks Zuid Tech to update the payment details to a new account at a different Dutch bank for this month's invoice. It references the correct invoice number and reads exactly like the contact's normal style.

What the process catches — and misses. Zuid Tech runs a VoP check on the new account, entering "Amstel Logistics B.V." as the account name. The response: Match. The receiving bank confirms the account is registered to Amstel Logistics B.V. The finance analyst updates the master file and processes the €15,000 payment.

What actually happened. The Amstel contact's email was compromised weeks earlier. The "new account" was opened in Amstel's legal name using fraudulent documentation that passed the receiving bank's onboarding. The VoP Match was technically correct — the registered name on the account really did read "Amstel Logistics B.V." The fraud lived in the change request, not the account details. This is precisely the window SurePay warned about around the Belastingdienst bank switch: when a legitimate account change is plausible, fraudsters slip their request into the same moment.

What would have caught it. A callback to Amstel on a number from Zuid Tech's records or the KVK registry — not the email signature — would have exposed the fraud in under a minute. So would a continuous-monitoring webhook flagging the destination account as recently opened. Both are mature, available controls. Neither is part of a "VoP-first" policy, because VoP secures the name match, not the change-request channel.

The KVK layer: entity verification for Dutch suppliers

The Kamer van Koophandel (KVK) — the Dutch Chamber of Commerce — maintains the Handelsregister, the central business register. Every registered Dutch business has a unique 8-digit KVK number, and the register is the authoritative source for whether a company exists, is active, and who runs it. This is the entity layer that VoP doesn't reach.

What the KVK gives you

The standard KYB document is the Uittreksel Handelsregister (business register extract). It provides the KVK number, RSIN, legal form (BV, NV, eenmanszaak, etc.), share capital, registration dates, SBI activity codes, current directors with their authority levels (independent or joint signing power), the main shareholder, and address history. A certified digital copy carries an electronic seal confirming it came from the KVK — useful when you need formal proof for compliance.

Dutch BVs must also file annual accounts with the KVK within 12 months of their financial year-end, with disclosure depth scaling by company size. This filing history is a useful signal: a trading company that files minimal or late accounts warrants closer scrutiny.

The holding-BV trap

Here's the single most common mistake in Dutch KYB: the main shareholder shown in the Uittreksel is almost always a holding BV, not a natural person. A Dutch corporate structure typically nests an operating BV beneath one or more holding BVs, with the actual beneficial owner at the top. Treating the KVK's listed shareholder as the beneficial owner produces a fundamentally incomplete KYB record. Every Dutch entity KYB workflow needs at minimum a second lookup on the holding BV — and often several more — to trace ownership to the natural persons who actually control the company. This is precisely the kind of corporate-structure mapping that registry-aggregating verification platforms automate. For the deeper case on tracing ownership chains, see beneficial ownership verification in B2B payments.

The UBO register: real, but restricted

The Netherlands introduced a UBO register years ago, requiring companies to register their ultimate beneficial owners (defined as those holding 25%+ ownership or control) within one week of incorporation or any change. But after the 2022 European Court of Justice ruling that ended broad public access to EU UBO registers, the Dutch UBO register became a restricted source. As of 2026, recognised institutions covered by the Wwft and the Sanctions Act can access UBO data through the KVK for statutory tasks — but the register is not a general public resource. For businesses that aren't Wwft-regulated, this means UBO data must often come from the corporate-structure chain (holding BV lookups) rather than direct register access.

The full Dutch supplier verification workflow

What a working bank account verification workflow looks like for a business paying Dutch suppliers in 2026 — across onboarding, before each material payment, and continuously thereafter.

At supplier onboarding

• Verify the entity in the KVK Handelsregister. Confirm the supplier exists, is active (not ontbonden / dissolved), the registered name and address match what they supplied, and check the directors and their signing authority. Pull the KVK number and confirm it's an 8-digit valid identifier.
• Run a VoP / IBAN-Name Check on the supplied account. A Match, or a Close Match with an explainable trading-name reason, is acceptable. A No Match requires direct contact with the supplier through an independent channel.
• Trace the ownership chain past the holding BV. Don't stop at the main shareholder in the Uittreksel. Follow the holding-BV chain to the natural-person UBOs, or pull UBO data if you're a Wwft-regulated institution with register access.
• Screen the entity and its UBOs against sanctions and PEP lists. Required under the Wwft for regulated firms; strongly advisable for any business paying higher-risk suppliers.
• Document the verification with timestamps and source attribution. Under the Wwft, regulated institutions must keep records. The dev-community consensus on Dutch KYB is clear: store the raw registry response with a timestamp, because regulators expect clear provenance for every check and screenshots of portals are no longer sufficient for high-volume automated onboarding.

Before each bank-detail change

This is the highest-risk workflow event — the same as in every market. Bank-detail change requests are where supplier-payment fraud concentrates.

• Treat every change request as suspicious by default. The threshold isn't "does this look like fraud" — it's "have we verified this through an independent channel."
• Verify by callback to a known number. Not the number in the email requesting the change — a number from your existing supplier records or the KVK-registered contact details.
• Run VoP on the new account before saving it. Verify first, update the master file second — never the other way around.
• Confirm the new account's registered name matches the existing supplier's legal entity name. A supplier registered as "Amstel Logistics B.V." should not suddenly have an account registered under a different entity without explanation.

Continuous monitoring between payments

Dutch companies change continuously — UBO transfers (which must be filed within a week), director changes, restructurings, dissolutions. The point of continuous monitoring is to catch these before the next payment cycle.

• Monitor KVK status changes. Dissolution, director changes, registered-address changes, and late filings are early warning signs.
• Monitor UBO changes specifically. Because Dutch UBO data must be updated within a week of any change, UBO drift is detectable — but only if you're watching. A supplier that cleared screening at onboarding can quietly come under sanctioned or high-risk ownership without any obvious operational signal.
• Re-screen against sanctions and PEP lists on a defined cadence. Sanctions designations change frequently; a supplier clean at onboarding may have been designated since.

For the full case on why one-time verification isn't enough — and why continuous monitoring is now the operational standard — see why one-time verification fails.

How Dutch verification methods compare

Businesses paying Dutch suppliers have several verification options. They differ in what they confirm and where they fit in the workflow.

The pattern: no single method is sufficient for Dutch B2B verification. VoP is the right first-line account check, but it works alongside KVK-based KYB at onboarding, holding-BV chain tracing for ownership, callback verification for changes, and continuous monitoring between payments. For how these methods interact with their non-Dutch equivalents, see our 7 verification methods compared article.

Paying Dutch suppliers from outside the Netherlands

If you're paying Dutch suppliers from another country, VoP coverage depends on where your PSP sits. Since 9 October 2025, all eurozone PSPs must offer VoP, so payments from euro-area countries to Dutch accounts get the name check. Non-euro EU countries (Sweden, Poland, Denmark, and others) have until 9 July 2027 to comply. Outside the EU — the UK, US, and beyond — there's no automatic VoP coverage, though cross-border VoP corridors are emerging (the first was launched between France and the Netherlands).

For businesses paying Dutch suppliers from outside the eurozone, the practical answer is a verification provider that covers the VoP scheme directly plus the KVK registry, rather than relying on your domestic banking rails to reach into the Dutch system. See cross-border bank account verification for the country-by-country picture.

Why account changes are fraud windows: the Belastingdienst example

A concrete, current Dutch example of why bank-detail changes deserve special caution. In 2026, the Belastingdienst — the Dutch tax authority — is moving its house bank to Rabobank, away from its previous banking arrangement. This is a legitimate, publicly announced change. But it creates exactly the conditions fraudsters exploit.

The fraud specialist SurePay flagged the risk directly: when a large, trusted organisation changes its payment details, citizens and businesses are primed to accept new account numbers without the usual scepticism. A fraudster who sends a convincing message during the transition — "the tax authority has changed its account, please pay to this new IBAN" — is far more likely to succeed than they would in a normal period, because the recipient already expects a change to be coming. The risk is particularly acute for Authorised Push Payment fraud, where the victim is persuaded to transfer the money themselves.

The lesson generalises well beyond the tax authority. Any time a counterparty legitimately changes its bank details, a window opens. Suppliers switch banks. Companies restructure. Organisations consolidate accounts. Each genuine change normalises the idea that "the account is different now" — which is exactly the cover a fraudster needs. The operational response isn't to distrust every change; it's to verify every change through an independent channel before acting on it, regardless of how plausible the request looks or how trusted the source appears.

For the Belastingdienst transition specifically, the verification answer is simple: confirm any new tax-authority IBAN against the official published account, not against details supplied in an inbound message. For supplier payments generally, it's the callback-and-verify workflow described above — applied to every change, every time.

There's a harder reason prevention matters more in the Netherlands than in some other markets: recovery is rare. According to Statistics Netherlands (CBS), of the Dutch fraud victims who lost money in 2024, only 1% recovered or were reimbursed. Unlike the UK — where the Payment Systems Regulator's mandatory reimbursement regime now refunds most APP-fraud victims — the Netherlands has no equivalent blanket reimbursement scheme, which means a payment sent to a fraudster is, in the overwhelming majority of cases, simply gone. That asymmetry changes the economics of verification entirely. In a reimbursement market, weak verification is expensive but partly insured; in the Dutch market, weak verification is effectively uninsured. The money you fail to verify before sending is money you are unlikely to ever see again.

What's coming next: the 2026-2027 horizon

The October 2025 VoP mandate was the first major step in EU-wide payee verification. Three near-term changes will reshape the Dutch verification landscape further.

Non-euro SEPA countries join by July 2027

VoP is mandatory for eurozone PSPs now, but non-euro EU Member States — Sweden, Poland, Denmark, the Czech Republic, Hungary, Romania, Bulgaria — have until 9 July 2027 to comply. For Dutch businesses paying suppliers in those countries, or receiving payments from them, full VoP coverage across the EU is still 18 months out. Until then, the verification picture for non-euro-EU corridors remains uneven.

Cross-border VoP corridors expand

The first cross-border VoP corridor launched between France and the Netherlands, linking more than 30 Dutch banks and over 100 French banks. As more corridors come online, businesses paying across EU borders will increasingly get the same account-name check they're used to domestically. But these corridors roll out piecemeal — a verification provider that covers the full VoP scheme directly avoids the dependency on which corridors happen to be live.

The entity layer stays fragmented — and matters more

VoP standardises the account-name check across the EU. But there is no equivalent EU-wide standard for entity verification. The KVK is Dutch; the Handelsregister is German; the RCS is French; each registry has its own access rules, data depth, and UBO restrictions. As the account layer becomes commoditised and uniform, the entity layer — KYB, UBO, corporate structure — is where verification depth actually differentiates. For businesses operating across the EU, the practical implication is that registry-aggregating verification matters more, not less, as VoP coverage completes.

Frequently Asked Questions