A commentary by Dirk Mayer, Head of Anti-Fraud Consultants at RISK IDENT

The introduction of Verification of Payee (VoP) as part of the EU Instant Payments Regulation is a welcome and long-overdue step towards greater payment security in the SEPA area. Comparing the payee’s IBAN with the name provided corrects the mistake of abolishing the name verification that was mandatory in Germany before SEPA.

However, experience from pioneering countries such as the United Kingdom and the Netherlands shows that VoP cannot be relied upon as the only solution. Impressive results have been achieved there – for example, an 81% reduction in invoice fraud in the Netherlands. However, these successes are always in the context of a more comprehensive strategy and in conjunction with other prevention systems.

Why VoP alone is not enough

Practice shows that VoP has its limitations as a stand-alone tool:

Adaptability of fraudsters: Criminals are dynamic. With the widespread introduction of VoP, it is to be expected that they will shift their attacks to fraud patterns that are not covered by VoP or adapt their methods within the payment processing system. An increase in other types of fraud is to be feared, e.g. in direct debits or BNPL.

The human factor in ‘close matches’: The system delivers results such as “match”, ‘no match’ or ‘close match’. Especially in the case of a close match, payment service providers must provide clear instructions for action. The protective effect is undermined if customers ignore warnings and approve the payment anyway.

Fraud scenarios without VoP protection: VoP is ineffective against many common forms of fraud. These include account takeovers, direct debit fraud (where VoP is currently not effective), credit fraud, and social engineering attacks in which victims are manipulated into transferring money to money mule accounts with correct names.

Growing importance of money mules: Recipient verification will make the misuse of third-party accounts (money mules) play an even greater role. Opening corporate accounts in particular will become more attractive to fraudsters, which will increase the liability risk for the account-holding institutions.

What financial service providers and companies should do now

The introduction of VoP is the right opportunity to holistically review and strengthen your own anti-fraud strategy. Instead of focusing solely on compliance with regulatory requirements, companies and payment service providers should now take proactive action. For effective and sustainable protection, it is essential to embed VoP in a comprehensive security concept. This requires intelligent combination with other technologies such as device fingerprinting for device recognition, systems for preventing account opening fraud and robust real-time transaction monitoring. Only a multi-layered approach can build a protective wall that also works where pure recipient verification reaches its limits.