Verification of Payee: the new cornerstone of the Instant Payment Regulation and the strategic role of QWACs

The European payments ecosystem is constantly evolving, and the Instant Payment Regulation (IPR) represents an important milestone in this process.
With this Regulation, which came into force on April 8, 2024, the European Union aims to make payments faster, safer, more accessible, and more convenient for all EU citizens and businesses.

To achieve this, several obligations have been introduced for Payment Service Providers (PSPs), such as banks, payment institutions (PIs), and electronic money institutions (EMIs). One of these obligations requires the provision of a Verification of Payee (VoP) service, which checks the match between the payee’s name and the IBAN provided by the payer, thus reducing the risk of errors and fraud. The deadline for this service is fast approaching: it must be available for all operations carried out by euro-area PSPs starting October 9, 2025.

Key new features

The IPR introduces four main innovations:

1. Instant credit transfers in euro are no longer optional. All institutions offering standard euro credit transfers must also provide instant transfers. This means real-time payments become the standard, accessible to all customers.

2. Cost alignment: banks and PSPs can no longer charge higher fees for instant transfers than for standard ones. One of the main barriers to adoption has been the higher cost of instant transfers. The new Regulation eliminates this disparity.

3. Processing time: instant transfers must be executed in less than 10 seconds, 24/7/365, with no interruptions for weekends or holidays.

4. Verification of Payee (VoP): as mentioned, this service ensures that the payee’s name and IBAN provided by the user match the actual account details held by the payee’s bank.

IBAN consistency check (Verification of Payee – VoP)

VoP is one of the most innovative elements of the IPR. It is not just a technical measure but a true safeguard against fraud and human error.

How does it work?
The customer (Requester) provides the beneficiary’s details to their payment service provider (Requesting PSP), which sends them via secure APIs to the beneficiary’s provider (Responding PSP). As required by the Rulebook adopted by the European Payment Council (EPC), the Requesting PSP must authenticate using a PSD2 Qualified Website Authentication Certificate (QWAC) to ensure secure and trustworthy data exchange. The Responding PSP then compares the data with its records and returns a result: Match, Close Match, No Match, or Verification check not possible.

The role of PSD2 QWACs in VoP

Behind VoP lies a technical infrastructure that must guarantee maximum levels of security and reliability. This is where QWACs come into play, a tool provided under the eIDAS Regulation and already widely used within PSD2.

The QWAC serves to authenticate and protect communications between PSPs exchanging verification requests and responses. Its role is twofold:

1. Authentication: the PSD2 QWAC allows the Requesting PSP to authenticate with the VoP service of the Responding PSP, ensuring secure and reliable application-to-application communication.

2. Qualified organizational identification: the PSD2 QWAC provides a legally recognized and trustworthy identity of the service provider. This ensures that when the Responding PSP receives a request, it knows the sender has been validated by a Qualified Trust Service Provider (QTSP) accredited at the European level.

Thus, a PSD2 QWAC is indispensable for the Requesting PSP. On the Responding PSP side, both a PSD2 QWAC or an Extended Validation (EV) TLS/SSL certificate can be used, depending on the desired level of qualification and security.

Deadlines to remember

The Regulation sets a clear and phased timeline, distinguishing between euro-area PSPs, non-euro-area PSPs, and PIs/EMIs.

• Euro-area PSPs:

  • From January 9, 2025: obligation to receive instant payments and align fees with standard transfers.

  • From October 9, 2025: obligation to send instant payments and implement VoP.

• Non-euro-area PSPs:

  • From January 9, 2027: obligation to receive instant payments and align fees.

  • From July 9, 2027: obligation to send instant payments and implement VoP.

• Payment Institutions (PIs) and Electronic Money Institutions (EMIs):

  • From April 9, 2027: euro-area PIs/EMIs must support both sending and receiving instant payments.

  • From July 9, 2027: non-euro-area PIs/EMIs must at least support sending instant payments.

Time is running out – but we can help!

If you are a euro-area PSP, you have until October 9, 2025 to obtain a PSD2 QWAC and implement the VoP procedure.

Even if a PSP already has a PSD2 QWAC, obtaining a certificate dedicated exclusively to the VoP process is a strategic choice. A separate QWAC makes it possible to clearly distinguish its purpose, reducing the risk of misuse in unintended contexts. This advantage becomes even more relevant when a PSP relies on external providers or Routing & Verification Mechanisms (RVMs): in such cases, a dedicated VoP QWAC helps minimize vulnerabilities, avoid operational conflicts, and limit shared liabilities. In other words, investing in a VoP-dedicated certificate is a concrete step towards greater security, control, and governance.

👉 Learn more on our website or contact us!