We are living in an era where digital transactions are the norm. For the most part, there is little need to visit a physical Payment Service Provider (PSP) to make a financial transaction, as PSPs are now available twenty-four hours a day. Through banking apps, users can send and receive money or make payments at the click of a button. With this surge in use, ensuring the security and trustworthiness of transactions has never been more critical.
One key measure in safeguarding payments is Verification of Payee (VoP), or Confirmation of Payee (CoP), which verifies the identity of the recipient, ensuring that payments are directed to the correct receiver. Updates to VoP requirements and the role of Qualified Website Authentication Certificates (QWACs) are reshaping the regulatory landscape.
In this blog we explore VoP requirements, the significance of QWACs, and the role of the Payment Services Directive 2 (PSD2) in shaping payment security across different regions.
Understanding Confirmation of Payee (CoP), Which Led to VoP
The UK was one of the first countries to launch the Confirmation of Payee (CoP) initiative in 2020. Spearheaded by Pay.UK, the primary objective of CoP regulations is to prevent misdirected and fraudulent payments. It essentially verifies that the name and account details of the payee match the account details provided by the payer before the payment is completed. If the details do not match, it will alert the sender that something is possibly amiss.
The initiative has been deemed to be a huge success with over 2.5 billion CoP checks completed, leading to a significant reduction in fraud cases.
The European Payments Council (EPC) followed suit and introduced the Verification of Payee scheme in October 2024. The EPC has now directed that all PSPs offering instant payments or credit transfers within the Single Euro Payments Area (SEPA) must implement VoP by October 2025.
CoP vs VoP – What’s The Difference?
Both CoP and VoP schemes share the same fundamental principles of reducing payment fraud and misdirected payments. However, they have different verification requirements. For CoP, payee identity is verified using a personal or business name, banking sort code and account number. For VoP transactions, by contrast, identity is verified using either the account name or an unambiguous account identifier, such as a Legal Entity Identifier (LEI) or a tax code.
The Role of Qualified Website Authentication Certificates (QWACs) with VoP and CoP Transactions
So where do QWACs come in? A QWAC is a Qualified Website Authentication Certificate and is a mandatory requirement that PSPs need to implement under the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA), and Common and Secure Communication (CSC).
A QWAC is a qualified digital certificate that provides strong authentication, encryption, and integrity protection for data exchanged between financial institutions. QWACs are used to secure communication between banks, PSPs, and APIs. They help meet regulatory and security requirements, particularly under PSD2 and Open Banking frameworks.
QWACs play a crucial role in securing VoP and CoP transactions:
- They ensure mutual authentication by verifying the identities of banks, PSPs, and third-party providers (TPPs).
- They encrypt confidential data and prevent man-in-the-middle attacks and data breaches.
- They comply with PSD2 requirements for secure API communication between banks and fintech providers.
PSD2 Influence
The Payment Services Directive 2 (PSD2) is an EU regulation created to strengthen security, promote competition, and protect consumers in digital transactions. Key to PSD2 is Strong Customer Authentication (SCA), which ensures that payment protocols are verified and secure.
PSD2 has substantial influence on VoP. It mandates that banks and PSPs must ensure secure communication when processing transactions. This can be done through mTLS authentication using QWACs (as mTLS certificates provide mutual authentication of both endpoints). It also requires that the PSP's identity be verified using QWACs when communicating with open banking API integrations, so that payee details can be verified before transactions are authorized and payments stay secure.
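As an added illustration of the identity check behind the mTLS step described above (not code from this blog or from any PSP): once the TLS layer has validated the caller's QWAC, the API reads the PSP's authorisation number from the certificate subject and checks it against a participant list. The `organizationIdentifier` layout follows ETSI TS 119 495; the attribute key as reported by Python's `ssl` module, the sample certificate and the participant directory are assumptions constructed for the example.

```python
import re

# organizationIdentifier layout for PSD2 certificates (ETSI TS 119 495):
# "PSD" + country of the NCA + "-" + NCA id (2-8 capitals) + "-" + PSP id
PSD2_ORG_ID = re.compile(r"PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<psp_id>.+)")


def subject_attr(peercert, name):
    """Return every value of one attribute from a getpeercert()-style subject."""
    return [value
            for rdn in peercert.get("subject", ())
            for key, value in rdn
            if key == name]


def psp_identity(peercert):
    """Extract the PSD2 authorisation number from a verified client certificate.

    getpeercert() is empty unless the handshake validated the certificate, so
    a missing, repeated or malformed attribute raises instead of guessing.
    """
    values = subject_attr(peercert, "organizationIdentifier")  # key name: assumption
    if len(values) != 1:
        raise ValueError("expected exactly one organizationIdentifier")
    match = PSD2_ORG_ID.fullmatch(values[0])
    if match is None:
        raise ValueError("organizationIdentifier is not a PSD2 identifier")
    return match.groupdict()


def authorise_caller(peercert, participants):
    """Return the caller identity only if it is a known participant, else None."""
    try:
        ident = psp_identity(peercert)
    except ValueError:
        return None
    key = (ident["country"], ident["nca"], ident["psp_id"])
    return ident if key in participants else None


# Constructed sample data (no real PSP), shaped like ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subject": (
    (("countryName", "XX"),),
    (("organizationName", "Example Bank"),),
    (("organizationIdentifier", "PSDXX-EXNCA-0000123"),),
    (("commonName", "vop.example-bank.test"),),
)}
PARTICIPANTS = {("XX", "EXNCA", "0000123")}  # hypothetical scheme directory

if __name__ == "__main__":
    print(authorise_caller(SAMPLE_CERT, PARTICIPANTS))
```

Chain validation to a qualified trust service provider and revocation checking remain the job of the TLS layer; this check only decides which PSP the already-authenticated peer is.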
You can read more on PSD2 in our blog or eBook.
What is the RTS SCA/CSC for PSD2?
The Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) and Common and Secure Open Standards of Communication (CSC) detail the specific security measures and implementation requirements that financial institutions and TPPs must meet to comply with PSD2.
A core principle of the RTS is common and secure communication between all parties involved. All transactions between payment service providers and financial institutions must take place over secured channels and ensure authenticity and integrity of the data.
Global Adoption of VoP Schemes
There is a global need to avoid misdirected domestic and cross-border payments, while maintaining the speed of payments processing.
Various countries are exploring and implementing VoP schemes to combat fraud and ensure secure transactions. In August 2024, the Australian Banking Association (ABA) completed the design phase for their CoP service, to be rolled out in 2025.
Other regions, including Asia Pacific, Middle East and Africa, and Latin America, are increasingly exploring Verification of Payee (VoP) schemes and fostering collaborations between PSPs and fintech firms to bolster payment security and efficiency. Tailored VoP systems aligned with regional payment infrastructures are key to addressing unique market needs and supporting secure transaction processes.
With mandates like PSD2 instrumental in shaping the global payment landscape, VoP schemes and QWAC certificates are essential to a future of secure and trustworthy payment transactions. It is important to stay informed about the regulatory updates and implement the necessary security measures.