Why VoP Won’t Stop Supplier Fraud: The Hidden Limits of EU Payee Verification
The EU's Verification of Payee mandate went live on 9 October 2025. Around 2,700 banks and payment service providers across the Eurozone now check the payee's name against the IBAN before every SEPA credit transfer settles.
Compliance teams are exhausted. Press releases are loud. The implication, from regulators and vendors alike, is that the supplier-payment fraud problem has finally been solved.
It hasn't.
VoP catches some fraud. It misses the patterns growing fastest. This article walks through the three hidden limits of the EU's payee verification mandate — what VoP actually checks, what it misses, the implementation issues already documented six months in, and what corporates need to add on top to stop the fraud still draining billions from B2B payments globally.
If you are paying suppliers in the Eurozone, your money is safer than it was in September 2025. If you are paying suppliers outside the Eurozone, almost nothing has changed.
1. What Verification of Payee Actually Does
Verification of Payee is a regulatory requirement under the EU Instant Payments Regulation (Regulation (EU) 2024/886). Before a SEPA credit transfer — standard or instant — is authorised, the payer's PSP must check whether the beneficiary name on the payment matches the IBAN registered at the payee's bank.
The system returns one of four standardised responses:
| Response | What it means |
|---|---|
| Match | The submitted name and IBAN agree. Payment can proceed. |
| Close Match | The name is similar but not identical. The system may suggest a corrected version. |
| No Match | The name does not match the IBAN. The payer is warned but can still proceed. |
| NOAP | "No Answer Possible." The check could not be completed. No detail on why. |
The core architecture is decentralised. The European Payments Council (EPC) publishes a rulebook and a security framework, but the actual verification happens directly between PSPs through Routing and Verification Mechanisms (RVMs). As of the October 2025 go-live, the EPC's register of participants included 2,673 PSPs and 55 RVMs.
Figure 1
VoP returns one of four outcomes — and only one of them is unambiguous.
Three of the four outcomes leave the finance team with operational ambiguity. Only "Match" is clean — and even Match doesn't tell you who actually owns the account.
VoP applies to all SEPA credit transfers — including standard SCT, not just instant payments. Many corporates assume it only affects instant transfers. It does not.
The non-Eurozone EEA states (Iceland, Liechtenstein, Norway, plus EU member states outside the euro) have until 9 July 2027 to implement VoP for SEPA credit transfers in euros. Non-SEPA countries are not in scope.
2. The First Limitation: Name vs. IBAN, Not Identity
Read the EPC's own description of the scheme carefully and the limitation is explicit. VoP "facilitates the verification of data about a payee, but it cannot be used to reliably identify a private or legal person."
This is the single most important sentence in the regulatory record. VoP confirms that the IBAN you are about to pay belongs to an account in the name you provided. It does not confirm that the named entity is the entity you intend to do business with.
A registered shell company with a real bank account in a real legal name will pass VoP every time. A compromised account where a fraudster has gained control of a legitimate supplier's banking will pass VoP every time. An account opened with stolen identity documents that match the name on the invoice will pass VoP every time.
Trustpair's analysis puts it directly: VoP "only checks whether the beneficiary name matches the account holder's name. Today, most fraudsters rely on identity theft, something VoP cannot detect. For instance, a bank may confirm that the account name matches, without realising the account itself has been compromised by criminals."
This is the gap that vendor imposter fraud exploits. The Association for Financial Professionals' 2025 survey found that vendor imposter fraud — where attackers pose as a real supplier and request a change of bank details — rose to 45 per cent of business email compromise incidents in 2024, up 11 percentage points year-on-year. It was the largest single-year increase of any BEC subcategory.
VoP answers "does this name match this IBAN?" It does not answer "is this entity real?", "who owns this entity?", or "is this entity the one I have an invoice from?" Three of the most common B2B fraud patterns exploit exactly that gap.
3. The Second Limitation: SEPA-Only Coverage
VoP applies to credit transfers within the Single Euro Payments Area. Payments outside SEPA — to suppliers in the United States, the United Kingdom, Brazil, India, Vietnam, Nigeria, the UAE, or any of the 49+ markets where most multinational corporates source goods and services — are entirely outside the scheme's reach.
The data already shows fraudsters have noticed.
UK Finance reported that international payments accounted for 11 per cent of authorised push payment fraud losses in 2024, up from 6 per cent in 2023 — almost doubling in a single year. Their analysis is direct: criminals are "likely trying to get people to send money outside of the UK" because mandatory reimbursement rules do not cover international payments.
Figure 2
International payments as a share of UK APP fraud losses — almost doubled in one year.
UK Finance's annual fraud report shows fraudsters pivoting to corridors where mandatory reimbursement rules don't apply. The same logic applies to corporate supplier payments.
The same logic applies to corporate payments. If fraudsters can route an attack through a country where neither VoP, Confirmation of Payee, nor Nacha applies, they will. Cross-border B2B payments now sit in a regulatory blind spot.
| Region | Regulator-mandated payee verification? | In scope of VoP? |
|---|---|---|
| Eurozone (20 EU states) | Yes — VoP from 9 October 2025 | ✅ |
| Non-Eurozone EEA (IS, LI, NO) | By 9 July 2027 | ❌ until 2027 |
| United Kingdom | Yes — Confirmation of Payee since 2020 | ❌ separate UK scheme |
| Switzerland | No regulatory mandate | ❌ |
| United States | Indirect — Nacha account validation | ❌ |
| Latin America (Brazil, Mexico) | No | ❌ |
| MENA (UAE, Saudi Arabia) | No | ❌ |
| South & South-East Asia | No | ❌ |
For a UK corporate paying a German supplier, VoP applies on the receiving end (post-July 2027 for the UK side; CoP works on the UK side now). For a German corporate paying a US supplier, VoP applies on the German side — but the US side has no equivalent mandate, and the verification stops at the SEPA boundary. For a Spanish corporate paying a Brazilian supplier, neither end is covered.
4. The Third Limitation: Implementation Issues Already Documented
Within a month of the October 2025 go-live, SurePay — one of the largest VoP RVMs in Europe — published a CTO-level review of operational issues. The list is sobering for any corporate that assumed the scheme would work cleanly out of the box.
Diacritics break matching
SurePay reports two distinct issues: some PSPs return a Close Match suggesting a name with diacritics (e.g. requested name "Rene Muller" returns suggested "René Müller") — but if the requesting bank's UI does not allow diacritic input, the user can never achieve a full Match. Other PSPs return outright errors when names contain diacritics, with no separate reason code, leaving the end user with a generic "could not match" message.
Match rates are inconsistent across Europe
SurePay reports that match rates in the mature Netherlands market reach approximately 80 per cent, "whereas the results across Europe are way lower." Anything below 80 per cent means routine warnings on legitimate payments — and a routine warning that fires on legitimate payments is a warning that gets ignored.
Name-matching limits vary by country and bank
SurePay's CTO documents the operational variation:
- Some banks restrict name fields to 70 or even 40 characters, even though the VoP scheme allows 140
- Some countries use full names; others use initials by default
- Joint accounts, double-barreled names, and business trading names all create matching ambiguity
- Some markets use Greek or Cyrillic alphabets, requiring transliteration
The NOAP code is structurally vague
SurePay describes NOAP as "somewhat vaguely described as a valid reason code in case a match could not be performed for whatever reason." When a corporate submits a payment and the response is NOAP, there is no standard mechanism to learn whether the failure was technical, regulatory, or a genuine name mismatch.
Bulk corporate payments are partially outside the scheme
While banks must offer VoP for bulk files, the VoP scheme itself "does not provide any standard or guideline for VoP bulk checks." SurePay reports many corporates are simply opting out of VoP for their bulk payment files because of the operational complexity. The scheme's biggest theoretical beneficiaries — corporates running thousands of vendor payments per file — are using it least.
VoP is technically working, but operational issues mean a meaningful share of legitimate payments produce ambiguous responses. When operational pain meets a payment deadline, finance teams override warnings. The control degrades.
5. What VoP Tells You vs. What You Actually Need to Know
Below is the gap as it sits today, written from the perspective of a finance team about to send a six-figure payment to a new supplier. The first column is what VoP returns. The second is what verification needs to answer to actually make a confident payment decision.
| What VoP returns | What you actually need to know |
|---|---|
| The IBAN is correctly formatted | ✅ VoP confirms this |
| The IBAN belongs to a real bank account | ✅ VoP confirms this |
| The name on the IBAN matches the name we provided | ✅ VoP confirms this (within SEPA, with caveats) |
| The named entity is a real, registered legal entity | ❌ VoP does not check |
| The entity is currently active and not dissolved | ❌ VoP does not check |
| The entity has been operating long enough to be plausibly legitimate | ❌ VoP does not check |
| The entity's directors and shareholders are who we expect | ❌ VoP does not check |
| The entity's ultimate beneficial owner has not changed | ❌ VoP does not check |
| The entity is part of the group structure on our supplier record | ❌ VoP does not check |
| The supplier's bank details have not changed since onboarding | ❌ VoP does not check |
| The payment is in scope of regulator-mandated verification | ❌ Only inside SEPA |
A finance team with only VoP can answer the first three questions. The next eight are the ones that actually distinguish a legitimate supplier from a sophisticated fraudster — and they are the ones VoP was never designed to address.
Figure 3
Of the 11 questions a finance team needs to answer before sending a supplier payment, VoP answers three.
VoP confirms format, bank, and name. Everything else — legal entity verification, ultimate beneficial owners, account ownership confirmation, continuous monitoring, cross-border coverage — sits outside the scheme.
6. Why "Just Add More Manual Checks" Doesn't Work
The default response to limitations of VoP, in many corporates, has been to add manual processes on top. A callback to the supplier on a known phone number. A second-pair-of-eyes review by treasury. A finance director sign-off above a certain threshold.
Manual controls fail on three fronts.
They fail under speed
Trustpair's January 2026 survey of 250 senior US finance executives found that 48 per cent still rely on manual checks like callbacks or email confirmations to validate vendor bank details. In the same study, 71 per cent reported an increase in AI-powered fraud attempts over the prior 12 months. Manual controls were designed for an era when a fraudulent invoice took a fraudster days to produce. AI tools now produce convincing fake supplier emails, voice calls, and supporting documents in minutes.
They fail under volume
Lee-Ann Perkins, Head of Global Treasury at Ankura Consulting, summarised the failure mode in a Trustpair-published interview: "End-of-month pressure, urgent payments, year-end activity, and high vendor turnover — these are exactly the conditions fraudsters exploit. Humans are most vulnerable when we're rushed or overloaded."
They fail under continuity
A supplier verified manually at onboarding is not verified six months later when their bank details "change." Only 32 per cent of US finance leaders continuously validate vendor bank account details, according to Trustpair's 2026 data. The remaining 68 per cent verify periodically or only at onboarding — which is exactly the gap vendor imposter fraud exploits.
Figure 4
How US finance leaders validate vendor bank details — and where the gap sits.
Trustpair's January 2026 survey of 250 senior US finance executives. The fastest-growing fraud pattern is the one continuous validation is designed to catch — and most companies don't have it.
The manual-control posture made sense when fraud was slow, low-volume, and human. It does not make sense in a world where attackers automate, AI-generate, and target dozens of suppliers in parallel.
7. What the Layer Above VoP Looks Like
If VoP is the floor, the question for finance and compliance leaders is what sits on top of it. Three controls do the heavy lifting on the questions VoP cannot answer.
Legal entity verification
Confirms the supplier is a real, registered company with a current registration status, an active tax ID, and a valid address. Sourced from official government registries — Companies House in the UK, Receita Federal in Brazil, the IRS for EINs in the US, and equivalents in 200+ countries. This catches shell companies and dissolved entities VoP would happily verify.
Account ownership confirmation
Confirms that the bank account is owned by the named legal entity, not by a third party using the entity's name. This is the layer that catches compromised accounts where a fraudster has gained banking control of a legitimate supplier — VoP's biggest blind spot.
Continuous monitoring
Tracks the supplier's bank details, registration status, and corporate structure over time. Alerts when something changes. This is what catches the change-of-bank-details attack between two point-in-time verifications, and it is the control most corporates do not have.
VoP answers "is this account real and named correctly?" The verification layer above answers "is this entity real, current, and the one I expect — and is anything about them changing?"
8. How MonitorPay Closes the Gap
MonitorPay was built around the assumption that VoP, CoP, and Nacha account validation cover what they cover, and nothing else. Our role is everything VoP does not check.
In a single API call, MonitorPay returns:
| Layer | What it confirms | Beyond VoP? |
|---|---|---|
| IBAN structure validation | Format, length, check digits, country code | VoP does this |
| Bank lookup | Bank name, BIC/SWIFT, branch, SEPA capability | VoP does this within SEPA |
| Payee name matching | Fuzzy match with confidence scoring, transliteration support | VoP does this within SEPA |
| Legal entity verification | Confirmed registration, tax ID, EIN, LEI, status, incorporation date, industry | ✅ Beyond VoP |
| Officers and directors | Named directors, appointment dates, current status | ✅ Beyond VoP |
| Shareholders and UBO | Named shareholders, UBO status, ownership percentages | ✅ Beyond VoP |
| Group structure | Parent companies, subsidiaries, ultimate parent | ✅ Beyond VoP |
| Account ownership confirmation | Confirms the account belongs to the named legal entity | ✅ Beyond VoP |
| Continuous monitoring | Webhook alerts on any change to the verified data | ✅ Beyond VoP |
Coverage extends across 49+ countries with direct bank verification and 200+ government registries for entity intelligence. Sub-second response. Single endpoint. The same API call that handles a SEPA payment to Munich also handles a wire to Mumbai, Brasília, or Lagos.
See VoP and beyond, in one API call.
MonitorPay covers everything VoP cannot: legal entity verification, UBO, account ownership, and continuous monitoring across 49+ countries.
Request a Demo →9. What This Means in Practice
Three changes to make in your supplier verification posture in 2026:
Stop treating VoP as the answer
It is one layer. It catches one class of error. Plan and budget for the layers above it as separate controls, not bolt-ons.
Verify continuously, not at onboarding
A point-in-time check at onboarding tells you what was true on that day. Vendor imposter fraud is built on the premise that something changes between onboarding and the next payment. Continuous monitoring is the only control that catches the change.
Extend coverage past the SEPA border
UK Finance's data showing international APP fraud nearly doubled in a year is the leading indicator. If your supplier base is global, your verification posture has to be global. VoP, CoP, and Nacha will not get you there.
The rule of thumb that works: every payment, every supplier, every country, every time. Anything less is a hole the fraud is already moving into.
Frequently Asked Questions
What is Verification of Payee (VoP)?
VoP is a regulatory requirement under the EU Instant Payments Regulation. Before a SEPA credit transfer is authorised, the payer's PSP must check whether the beneficiary name matches the IBAN registered at the payee's bank. The scheme went live on 9 October 2025 across the Eurozone, with non-Eurozone EEA states required to comply by 9 July 2027.
Is VoP the same as Confirmation of Payee?
They are similar in purpose but are separate schemes. Confirmation of Payee is the UK service operated by Pay.UK, live since 2020. VoP is the EU equivalent operated by the European Payments Council, live since October 2025. They use compatible concepts (name-vs-account checking) but they do not interoperate directly, and a UK CoP check does not satisfy an EU VoP requirement.
Does VoP only apply to instant payments?
No — and this is one of the most common misconceptions. VoP applies to all SEPA credit transfers, both standard SCT and SCT Inst. Many corporates assume it is only relevant to instant payment rails; in fact, the requirement covers every euro credit transfer originated by an in-scope PSP.
What does VoP not check?
VoP confirms the name on the IBAN matches the name you submitted. It does not confirm the named entity is a real, active legal company; it does not verify directors, shareholders, or beneficial owners; it does not detect compromised accounts where a fraudster has taken over a legitimate supplier's banking; and it does not extend beyond the SEPA zone.
Can VoP detect business email compromise (BEC) fraud?
Partially. VoP catches BEC scenarios where the fraudster supplies an IBAN that doesn't match the supplier's name. It does not catch BEC scenarios where the fraudster has registered an account in a name similar to the supplier, or where the supplier's actual account has been compromised. The Association for Financial Professionals' 2025 survey found vendor imposter fraud rose to 45 per cent of BEC cases — and most of those scenarios are outside what VoP can catch.
What happens if I get a "No Match" or "Close Match" response?
The payer is warned but can usually still proceed. Under the EU Instant Payments Regulation, if the payer authorises the payment after a warning of an incorrect identifier, the payer is liable for any loss to an unintended recipient. In practice, finance teams often face an operational decision: investigate the warning (which delays the payment) or proceed and accept the liability shift.
Why are some legitimate payments returning "No Match" or "Close Match"?
Several documented reasons. Diacritics — for example, the system may suggest "René Müller" when the user typed "Rene Muller" but cannot input the accented version through their bank's interface. Name-field length limits (some banks restrict to 40 or 70 characters when the scheme allows 140). Use of trading names versus registered legal names. Joint accounts. Match rate variability across Europe — SurePay reports the mature Netherlands market reaches around 80 per cent match rates while results elsewhere in Europe are "way lower."
Does VoP cover payments to suppliers outside the EU?
No. VoP applies only to SEPA credit transfers within the Single Euro Payments Area. Payments to suppliers in the United States, United Kingdom (which has its own CoP scheme), Switzerland, Brazil, India, Vietnam, Nigeria, the UAE, and other non-SEPA countries are outside the scheme. UK Finance has reported that international payments rose from 6 per cent to 11 per cent of APP fraud losses in 2024, suggesting fraudsters are already routing around regulator-protected rails.
Is VoP enough on its own to prevent supplier payment fraud?
For payments inside SEPA, VoP is a useful first layer that catches name/IBAN mismatches and many lower-sophistication frauds. It is not sufficient on its own. Sophisticated fraud — vendor impersonation, compromised supplier accounts, shell company onboarding, identity theft — passes VoP because the underlying account is technically real and correctly named. Best practice is to layer entity-level verification, account ownership confirmation, and continuous monitoring above VoP.
How does MonitorPay differ from VoP-only providers?
MonitorPay covers the layer above VoP. Where VoP confirms name and IBAN, MonitorPay also confirms legal entity registration, directors, shareholders and ultimate beneficial owners, group structure, financial history, and account ownership — all sourced from 200+ government registries across 200+ countries, with direct bank verification in 49+ markets. The same API works inside the SEPA zone (where VoP applies) and outside it (where VoP does not). Continuous monitoring tracks all of this over time and alerts on changes.
