Verification of Payee and the evolution of trust in payments: An inside view from a European EMI

In October 2025, the European Union will mandate the implementation of Verification of Payee (VoP) — a mechanism requiring payment providers to check whether the account name entered by the sender matches the IBAN of the recipient, in real time.

While this may appear to be a simple additional security step, the implications are far more structural.

At Papaya Ltd, we see this not only as a way to reduce fraud, but as a shift in how trust is engineered within the payments ecosystem.

Why VoP became a priority  

APP fraud — Authorised Push Payment scams — are not technical flaws, but social engineering attacks. Victims are manipulated into sending money to criminals posing as a bank, supplier, or even a family member. 

According to the European Banking Authority (EBA) and the European Central Bank, EU citizens lost over €1 billion in APP fraud in just six months — accounting for more than half of all fraud losses during that period. 

VoP aims to prevent this by alerting users when the name entered for a payment does not match the registered account name. 

International context: what other countries have learned 

Some countries have already implemented similar systems:

Netherlands (IBAN-Name Check)

Launched by banks as a market-driven initiative. According to SurePay, this reduced P2P APP fraud by 81%.

However, the system is limited to domestic transfers and lacks B2B standardisation.

United Kingdom (Confirmation of Payee)

A mandatory system since 2020 for major banks. UK Finance reports a 60% drop in APP fraud incidents.

Yet implementation was gradual, didn’t cover all PSPs initially, and faced some user friction due to payment delays

These examples prove that name-checking mechanisms can significantly reduce fraud — but they also highlight key challenges in implementation, especially at scale.

Specific implementation challenges across the EU

1. Infrastructure fragmentation

The EU lacks a centralised registry of IBAN-name associations. The EPC’s VoP framework must be integrated with local infrastructures, such as national central banks and payment system operators — adding complexity, especially for cross-border payments.

2. Naming conventions and linguistic diversity

The EU’s multilingual environment creates challenges in matching names. Variants like "John Smith" vs. "J. Smith" or corporate abbreviations make binary logic ineffective. Soft matching, fuzzy logic, and typo tolerance are essential.

3. UX vs. security trade-offs

False negatives can confuse users. For example, in B2B scenarios, a legal entity may be registered under a full name, while invoices use a shortened version. Balancing clarity and caution is a UX challenge.

4. Responsibility and SLAs

If a mismatch warning is ignored by the user, who is liable? How quickly must a VoP response arrive? These questions remain open and may vary by jurisdiction and implementation model.

How we’re building VoP at Papaya Ltd 

As a regulated EMI serving both individuals and businesses, we view VoP not just as a compliance milestone, but as an opportunity to strengthen the way trust is built into digital payments.

We’re already working on key elements of our implementation. This includes adapting VoP to the specific realities of cross-border payments, preparing our internal systems for smooth integration, and ensuring that users — experience VoP not as a disruption, but as intelligent guidance during a transaction.

We’re also exploring how VoP can contribute to fraud detection more broadly, combining it with other signals such as user behavior and device identity to support more context-aware decision-making.

More importantly, VoP signals a shift in EU regulation — from static controls to intelligent, layered defenses