How to Verify German Supplier Bank Accounts: VoP and the Handelsregister

Germany did two things at once in 2025: it made instant SEPA payments universal and it made Verification of Payee mandatory. The first widened the fraud surface — irrevocable money, moving in seconds. The second is the control meant to contain it. But VoP only checks the name on the account. For businesses paying German suppliers, the harder verification questions sit in the Handelsregister and the Transparenzregister — and Germany's entity layer is the most fragmented in Europe.

On 9 October 2025, Verification of Payee became mandatory for every payment service provider in the eurozone under the EU Instant Payments Regulation. Germany — the largest economy in the EU and one of the heaviest users of SEPA credit transfers — implemented it alongside the broader instant-payments rollout. The two changes are linked: instant payments settle irrevocably within seconds, which removes the recall window that used to give banks and businesses time to claw back a misdirected transfer. VoP is the compensating control: check the payee before the money moves, because once it has moved, it is gone.

German banking-fraud leaders are openly uneasy about the combination. In a survey of German fraud, AML, and compliance team leads, more than half said they believe fraud risk increased following the mandatory rollout of real-time SEPA payments in 2025. Fraud-prevention firms observed instant-payment fraud spiking sharply across their European customers as the rails went live. The faster the payment, the more the verification has to happen up front — which is exactly what VoP is designed to do.

The stakes are sharpened by how German law handles fraud losses. German banks are generally only obliged to reimburse victims of unauthorised fraud — phishing or account takeover where the customer never approved the transfer — and even then the victim typically has to prove they weren't negligent. Authorised push payments, where the payer is tricked into sending the money themselves, sit largely outside that protection. The result is low reimbursement rates compared with much of Europe. Unlike the UK's mandatory APP-reimbursement regime, a German business that authorises a payment to a fraudster has little statutory backstop. On instant rails, that combination is unforgiving: the money is gone in seconds, and it is unlikely to come back. Verification before the payment is not just good practice — it is the loss-prevention mechanism.

But VoP is only the account layer. It confirms that the name you entered matches the account holder. It does not tell you whether the German company behind that account is real, who controls it, or whether the supplier emailing you a new IBAN has been compromised. Those questions live in Germany's company registers — and that is where German verification gets genuinely hard. This article covers both layers: VoP at the account level, the Handelsregister and Transparenzregister at the entity level, and the workflow a business paying German suppliers needs to run in 2026.

The German verification landscape in 2026

Three pillars define bank account verification for German suppliers: the EU-mandated VoP at the account layer, the Handelsregister/Unternehmensregister for entity verification, and the Transparenzregister for beneficial ownership. A brief refresh on each.

• VoP became mandatory on 9 October 2025. Under the EU Instant Payments Regulation (Regulation (EU) 2024/886), all PSPs in the eurozone must offer a free Verification of Payee service before a credit transfer is authorised. It applies to both standard SEPA Credit Transfers (SCT) and SEPA Instant Credit Transfers (SCT Inst) — not only instant payments.
• Non-consumers can opt out — but shouldn't. Under the IPR, business payers (non-consumers) may waive the VoP service, and can opt back in. For any business serious about fraud prevention, waiving the check removes the single most effective pre-payment control. The opt-out exists for high-volume automated flows that run their own verification; it is not a reason to skip verification.
• The check runs in seconds, on every channel. German banks had to implement VoP so the check completes within a few seconds, across online banking, mobile, telephone, and in-branch. BaFin — Germany's financial regulator — was among the first EU national authorities to publish a VoP FAQ.
• If you proceed past a warning, you own the loss. Where a payer authorises a transfer after being warned of a no-match or close-match, the payer is liable for sending money to an unintended recipient. This is the core liability mechanic of VoP across the EU.
• The Handelsregister is the entity-verification backbone. Germany's commercial register records legally binding corporate details — formation, legal form, share capital, legal representatives. It's the German equivalent of the UK's Companies House or the Dutch KVK, but structurally more fragmented (more on this below).
• The Transparenzregister holds UBO data under the GwG. Germany's Money Laundering Act (Geldwäschegesetz, GwG) requires beneficial owners to be registered. Access has been restricted since the 2022 European Court of Justice ruling — more on the access problem below.

The practical takeaway: in Germany, the account-name check is now solved infrastructure, mandated and universal. What differentiates a robust supplier-payment workflow from a weak one is the entity layer — and Germany's entity layer is harder to navigate than almost anywhere else in Europe.

VoP: what it does and how it reads

Verification of Payee compares the payee name you enter against the name registered to the destination IBAN at the receiving bank. You get a result before the payment is authorised. The check applies to all SEPA credit transfers within the EU/EEA in euro — both standard and instant.

The possible outcomes:

• Match — the name matches the registered account holder. Safe to proceed.
• Close match — similar but not identical (for example, a legal-form difference like "GmbH" vs the full registered name). The registered name is typically returned so you can decide.
• No match — the name does not match. The full name isn't disclosed, for data-protection reasons. Contact the supplier through an independent channel before proceeding.
• No check possible — the receiving bank isn't yet part of the VoP scheme, the account isn't a payment account (loan, fixed-term deposit, savings), or the destination is outside the covered area. Proceed with additional caution.

Two design points matter. First, VoP doesn't block payments — it informs. A no-match is a warning; the payer decides whether to proceed, and bears the liability if they push past it. Second, the regulatory text deliberately left "close match" loosely defined — there's no single prescribed way to calculate how close is close enough, which means different banks may return close-match results slightly differently. For German businesses, that means a close match warrants a human look, not an automatic proceed.

What VoP does NOT cover

VoP covers euro-denominated SEPA credit transfers. It does not verify payments to non-payment accounts (loan accounts, fixed-term deposits, savings accounts), payments routed to banks outside the EU/EEA, or payments in non-euro currencies. For a German business paying a supplier in Switzerland, the UK, or the US, VoP provides no coverage — a separate verification method is needed for each of those corridors.

Where VoP falls short for German B2B payments

VoP is the right first-line check. But three gaps matter for businesses paying German suppliers — and all three sit at the entity layer.

1. A "Match" doesn't tell you the company is real

VoP confirms the account belongs to whoever registered it. It does not tell you whether "Rheinland Logistik GmbH" is a genuine trading business or a shell created to receive a fraudulent payment. Forming a GmbH and opening a business account is routine; a fraudster who does both and submits an invoice will pass VoP cleanly. The fraud is in the entity, not the account name. Closing that gap requires Handelsregister-based KYB, not a name check. See KYB verification for marketplaces for how entity verification complements account verification.

2. VoP tells you nothing about who controls the company

The name on the account can match perfectly while the people behind the company remain completely opaque. German corporate structures frequently nest a trading GmbH beneath holding companies, sometimes layered across jurisdictions. For AML compliance under the GwG, you need the ultimate beneficial owner — the natural person who ultimately controls the entity. That comes from the Transparenzregister and the shareholder list (Gesellschafterliste), not from a VoP check.

3. VoP doesn't catch a compromised supplier

The most common attack on German businesses isn't a fake company — it's a real supplier whose email has been hijacked, sending a plausible request to change payment details to a new account. The supplier is real, their Handelsregister entry is clean, and the new account passes VoP because it's registered correctly to a money mule. The fraud lives in the change request, not the account details. Phishing dominates the German threat landscape — around 67% of German consumers report receiving phishing messages impersonating their bank — and business email compromise is a global multi-billion-euro problem. For the operational picture, see vendor email compromise vs business email compromise.

A concrete scenario: VEC meets instant payments

A composite, anonymised German scenario showing why the instant-payments shift raises the stakes.

The setup. “Münchner Software GmbH” has paid “Rheinland Logistik GmbH” monthly for two years — around €18,000 per invoice. Rheinland banks with a German Sparkasse; the registered account name matches its Handelsregister entry. Every payment has cleared cleanly.

The attack. On a Thursday, Münchner’s finance team gets an email from their regular Rheinland contact — the familiar address. It explains Rheinland has changed banks and asks them to update the payment details for this month’s invoice. It references the correct invoice number and reads exactly like the contact’s normal style.

What the process catches — and misses. Münchner runs a VoP check on the new account, entering “Rheinland Logistik GmbH.” The response: Match. The receiving bank confirms the account is registered to Rheinland Logistik GmbH. The analyst updates the record and sends the €18,000 — as an instant payment, because that is now the default. It settles in under ten seconds.

What actually happened. The Rheinland contact’s email was compromised weeks earlier. The “new account” was opened in Rheinland’s legal name using fraudulent documentation that passed the receiving bank’s onboarding. The VoP Match was technically correct — the registered name really did read “Rheinland Logistik GmbH.” The fraud lived in the change request, not the account details. And because the payment was instant, there was no recall window: by the time anyone noticed, the money had settled irrevocably and moved on through mule accounts.

What would have caught it. A callback to Rheinland on a number from Münchner’s records or its Handelsregister-filed contact details — not the email signature — would have exposed the fraud in under a minute. So would a continuous-monitoring check flagging the destination account as recently opened. Both are mature, available controls. Neither is part of a “VoP-first” policy, because VoP secures the name match, not the change-request channel — and on instant rails, the name match is the only thing standing between the payment and an irreversible loss.

The entity layer: Germany's three registers

Germany doesn't have one company register. It has three — and they overlap inconsistently. This is the single biggest difference between German KYB and the cleaner single-register models in the UK (Companies House) or the Netherlands (KVK). For businesses verifying German suppliers, understanding which register holds what is half the battle.

The Handelsregister (commercial register)

The Handelsregister is the legally authoritative source for corporate details: formation documents, legal form, share capital, and registered legal representatives (Geschäftsführer for a GmbH). It's where you confirm a company exists and is validly registered. The catch: the Handelsregister is administered across roughly 150 separate local court registrars (Amtsgerichte), not as one central database. Filings are frequently unstructured PDF scans — some are images — and there's no consistent structured API across the system. Basic search is free; individual documents cost roughly €4.50 to €12.50. For one-off checks this is workable; at any scale, manual retrieval across 150 registrars is not.

The Unternehmensregister (company register)

The Unternehmensregister is the central access point that aggregates company information — financial statements, register extracts, status updates — and is often more complete and up to date than navigating the Handelsregister directly. Financial filings published here (via the Bundesanzeiger) let you assess a supplier's financial health: balance sheets, and for larger companies, profit-and-loss data. A trading company filing minimal or overdue accounts is a signal worth noting.

The Transparenzregister (transparency register)

The Transparenzregister is Germany's UBO register, holding beneficial-ownership data under §23 of the GwG. It's maintained by Bundesanzeiger Verlag under the supervision of the Federal Office of Administration (Bundesverwaltungsamt). Under §3 GwG, a beneficial owner (wirtschaftlich Berechtigter) is any natural person who directly or indirectly holds more than 25% of capital shares, controls more than 25% of voting rights, or exercises equivalent control. UBO registration is mandatory for nearly all German legal entities, with serious penalties for non-compliance — fines up to €150,000 for intentional violations, and up to €5 million or 10% of annual turnover for serious, repeated, or systematic breaches.

The access problem — and the legitimate-interest barrier

Here's where German KYB gets genuinely difficult. Following the November 2022 European Court of Justice ruling that ended unrestricted public access to EU beneficial-ownership registers, the Transparenzregister was closed to the general public. Access is now granted on a "legitimate interest" (berechtigtes Interesse) basis. German authorities and obliged entities (banks, lawyers, notaries) have broader access; everyone else — including foreign compliance teams — must formally apply and justify their interest, and the review is manual and slow.

The cross-border situation is worse. As of September 2025, the European Commission opened infringement proceedings against Germany for failing to transpose the latest EU AML directive's access requirements — Germany is among several member states facing Commission action. For a foreign business trying to verify a German supplier's beneficial ownership, the practical reality in 2026 is a fragmented, manual, access-restricted environment. Where direct register access isn't available, the workaround is the shareholder list (Gesellschafterliste) filed with the Handelsregister, combined with corporate-structure tracing — exactly the kind of multi-source ownership mapping that registry-aggregating verification platforms automate.

The full German supplier verification workflow

What a working verification workflow looks like for a business paying German suppliers in 2026 — across onboarding, before each material payment, and continuously thereafter.

At supplier onboarding

• Verify the entity in the Handelsregister. Confirm the supplier exists, the legal form and registered name match, and identify the legal representatives (Geschäftsführer). Confirm the company isn't in insolvency (Insolvenzverfahren) or dissolution.
• Pull financials from the Unternehmensregister. Check the most recent filed accounts for financial-health signals and confirm filings are current.
• Run a VoP / IBAN-name check on the supplied account. A Match, or a Close Match with an explainable legal-form reason, is acceptable. A No Match requires independent contact with the supplier.
• Establish beneficial ownership. Pull Transparenzregister data if you have access; otherwise use the Gesellschafterliste plus corporate-structure tracing to identify the natural-person UBOs at 25%+ control.
• Screen the entity and UBOs against sanctions and PEP lists. Required under the GwG for obliged entities; advisable for any business paying higher-risk suppliers.
• Document everything with timestamps and source attribution. German registry data is fragmented and filings change; a timestamped record of what each register showed at the moment of onboarding is your audit defence.

Before each bank-detail change

The highest-risk event in the entire workflow. Bank-detail change requests are where supplier-payment fraud concentrates — and instant payments make a successful one irreversible in seconds.

• Treat every change request as suspicious by default. The question isn't "does this look like fraud" — it's "have we verified this through an independent channel."
• Call back on a known number. Not the number in the email requesting the change — a number from your existing records or the Handelsregister-filed contact details.
• Run VoP on the new account before saving it. Verify first, update the master record second.
• Confirm the new account's registered name matches the supplier's legal entity name. A supplier registered as "Rheinland Logistik GmbH" should not suddenly bank under a different entity without a documented explanation.

Continuous monitoring between payments

German companies change constantly — Geschäftsführer changes, share transfers, insolvencies, restructurings. Continuous monitoring catches these before the next payment cycle.

• Monitor Handelsregister status changes. Insolvency proceedings, changes of legal representative, and dissolution are all early warning signs.
• Monitor UBO changes. A supplier that cleared screening at onboarding can come under sanctioned or high-risk ownership through a share transfer that never triggers an obvious operational signal.
• Re-screen against sanctions and PEP lists on a defined cadence. Designations change frequently; a supplier clean at onboarding may have been designated since.

For the full case on why one-time verification isn't enough — and why continuous monitoring is now the operational standard — see why one-time verification fails.

How German verification methods compare

Businesses paying German suppliers have several verification options. They differ in what they confirm and where they fit.

The pattern: no single method is sufficient for German B2B verification. VoP is the right first-line account check, but it works alongside Handelsregister KYB at onboarding, Transparenzregister or Gesellschafterliste-based UBO tracing, callback verification for changes, and continuous monitoring between payments. For how these methods interact with their non-German equivalents, see our 7 verification methods compared article.

Paying German suppliers from outside Germany

If you pay German suppliers from another country, VoP coverage depends on where your PSP sits. Since 9 October 2025, all eurozone PSPs must offer VoP, so payments from euro-area countries to German accounts get the name check. Non-euro EU countries have until 9 July 2027 to comply. Outside the EU — the UK, US, Switzerland — there's no automatic VoP coverage.

The entity layer is the harder cross-border problem. As noted above, Transparenzregister access for foreign obliged entities remains restricted and is the subject of active EU infringement proceedings against Germany. For a business outside Germany verifying German suppliers at any scale, the practical answer is a verification provider that covers the VoP scheme directly and aggregates the Handelsregister and beneficial-ownership data — rather than attempting to navigate 150 local registrars and a legitimate-interest application process manually. See cross-border bank account verification for the country-by-country picture.

What's coming next: the 2026-2027 horizon

The October 2025 VoP mandate was the first major step. Three near-term changes will reshape German verification further — and the entity layer, in particular, is on the verge of a structural shift.

The Transparenzregister access fight comes to a head

Germany's restricted UBO access isn't a settled state — it's an active dispute. The European Commission opened infringement proceedings against Germany in September 2025 for failing to provide adequate access to beneficial-ownership data, particularly for cross-border obliged entities. As of early 2026 the situation remains unresolved, with Germany among several member states under Commission action. For businesses depending on Transparenzregister data, the access environment is in flux, and the direction of travel is toward wider, not narrower, access.

The EU AML Regulation (AMLR) overrides fragmentation from 2027

The bigger shift is the EU Anti-Money Laundering Regulation, which becomes directly applicable from 2027. Unlike a directive — which each member state transposes in its own way, producing exactly the fragmentation that makes German KYB hard — a regulation applies uniformly across the EU. AMLR is expected to harmonise UBO-register access and standardise beneficial-ownership requirements, which over time should reduce the gap between Germany's three-register maze and the cleaner single-register models elsewhere. Businesses building German verification workflows now should design for an entity layer that is about to become more accessible and more standardised, not less.

DTAZV is phased out in November 2026

On the payments side, the legacy DTAZV format used for German foreign (non-SEPA) payment orders is being retired in November 2026. Corporates and SAP-based treasury teams that still rely on DTAZV for cross-border instructions need to migrate to ISO 20022-based formats. The migration is operationally significant for any business making non-SEPA payments out of Germany, and it dovetails with the broader move to real-time, verification-first payment infrastructure.

Non-euro SEPA countries join VoP by July 2027

VoP is mandatory for eurozone PSPs now, but non-euro EU members — Sweden, Poland, Denmark, the Czech Republic, Hungary, Romania, Bulgaria — have until 9 July 2027 to comply. For German businesses paying suppliers in or receiving payments from those countries, full VoP coverage across the EU is still some way off. Until then, the verification picture for German payments into non-euro corridors remains uneven, and a verification provider that covers those corridors directly fills the gap.

Frequently Asked Questions