For many years, the bank transfer system has presented a flaw widely exploited by fraudsters. The absence of systematic verification of the beneficiary’s identity has facilitated the proliferation of diversions, particularly fraudulent IBAN substitutions. In this context, a new regulatory obligation, the “Verification of Payee” (VoP), is set to redefine the liability of Payment Service Providers (PSPs).
This development is objectively considered a major step for transfer security, its importance being compared to that of 3-D Secure for online card payments in its time. This reform, which aims to reduce cases of IBAN substitution, identity theft and input errors, requires Payment Service Providers (PSPs) to urgently review their internal processes.
Verifications for Transfer Orders Before European Regulation No. 2024/886 of 13 March 2024
Until 9 October 2025, the state of the law granted extensive protection to PSPs in the event of transfer errors. Indeed, they were not legally required to verify that the beneficiary’s name provided in the transfer order corresponded to the IBAN number of the receiving account.
It should be recalled that Article L. 133-21 of the Monetary and Financial Code provides that if the identifier provided by the payment service user is inaccurate, “the PSP is not liable for the improper execution or non-execution of the payment transaction.” In other words, an error by the payer regarding the transmitted IBAN allows both his PSP and the beneficiary’s PSP to escape any liability. This solution has been confirmed numerous times by Court of Cassation case law (Cass. com., 24 Jan. 2018, No. 16-22.336: JurisData No. 2018-000782. – Cass. com., 23 May 2024, No. 22-18.098).
The New “Verification of Payee” (VoP) System
A new era of verification is now in place, requiring financial institutions to exercise active vigilance. Indeed, Article 5 quater of Regulation 2024/886 of 13 March 2024 (amending EU Regulations Nos. 260/2012 and 2021/1230 and Directives Nos. 98/26/EC and 2015/2366 regarding instant credit transfers in euros: OJEU L 2024/886, 19 March 2024) provides that PSPs are required to offer the payer a “Verification of Payee” (VoP) service.
When the payer enters the payment account identifier and the beneficiary’s name in the transfer order, a precise matching process is implemented. The payer’s PSP contacts the beneficiary’s PSP to verify the adequacy between the name provided and the IBAN of the receiving account. To this end, PSPs must implement robust internal procedures to ensure the reliability of data concerning beneficiaries. This obligation applies to both instant transfers and regular euro transfers.
To avoid undue blocking or delay in transaction processing, the payer’s PSP must perform this service immediately “after the payer has provided the relevant information on the beneficiary and before the payer is offered the possibility of authorizing the transfer.”
Thus, the PSP is required to carry out the verification in three different situations:
- Partial match: the beneficiary’s name is close to the one associated with the IBAN, but it is not identical.
- No match: the name provided does not correspond to the indicated IBAN.
- Account cannot be identified: the account does not exist.
In all cases, the user retains freedom of action. Thus, even in the event of non-matching, the user may confirm the payment order, doing so “in full knowledge of the facts.” Consequently, the payer fully assumes the risk related to the transaction, and the PSP, having fulfilled its verification obligation, will not have its liability engaged.
Furthermore, it should be noted that only payment service users who are not consumers have the option of waiving this service. However, PSPs must ensure that those who have chosen to waive retain the possibility of reactivating the verification service at any time.
This matching verification is expected by 9 October 2025 at the latest for PSPs located in a Member State whose currency is the euro, and by 9 October 2027 for those whose currency is different.
Consequences of Non-Compliance with VoP by the Bank
Compliance with VoP is not optional. It now constitutes the essential condition for the PSP (the Bank) to benefit from an exemption from liability. Thus, the PSP will not be able to escape liability for the execution of a transfer to the wrong beneficiary, based on an inaccurate unique identifier within the meaning of Article L. 133-21 of the Monetary and Financial Code, unless it proves that it has fully “satisfied the requirements” of VoP.
If it has not complied with these requirements, the following penalties apply:
- If the payer’s PSP is responsible for the breaches, it must promptly refund the user the amount transferred and, where applicable, restore the debited account to the situation that would have prevailed if the transaction had never taken place.
- If the fault is attributable to the beneficiary’s PSP, the latter must compensate the payer’s PSP for the financial loss suffered as a result of non-compliance with the obligations.
Furthermore, any other financial loss caused to the payer may be compensated in accordance with the law applicable to the contract concluded between the payer and the relevant PSP.
In conclusion, this development should reduce cases of IBAN substitution, identity theft, as well as input errors. Furthermore, a recent legislative proposal aims, for example, to create a national file of suspicious IBANs, centralized at the Banque de France, accessible and maintained by PSPs, which would enable the rapid identification and blocking of fraudulent transactions. Other measures are expected under the future Payment Services Directive (PSD3) and the future Payment Services Regulation (PSR), still under negotiation in Brussels.
Frequently Asked Questions
Is my bank required to inform me if there is an error in the IBAN entry?
Yes, since 9 October 2025, the bank is subject to a “Verification of Payee” service. Thus, it must verify the correspondence between the beneficiary’s name entered by the payer and the IBAN of the receiving account.
At what point must my bank inform me of a matching problem between the name provided and the IBAN?
The bank must perform the verification immediately after the client has provided the beneficiary’s name and IBAN.
This verification must obligatorily take place before the client can confirm or validate the transfer.
What must the bank do if the name and IBAN do not match?
In the event of non-matching (partial or no correspondence) between the name provided and the IBAN:
- The bank must immediately inform the payer of the situation.
- The bank must also warn the payer that authorizing the transfer could lead to the transfer of funds to an account not held by the indicated beneficiary.
- If the correspondence is “nearly equivalent” (name close but not identical), the bank must indicate to the payer the exact name of the beneficiary associated with the provided IBAN.
Even in the event of non-matching, the client retains the freedom to execute the transfer, but does so in full knowledge of the facts.
Is my bank required to reimburse if the name provided does not match the IBAN of the receiving account?
Yes, under certain conditions. If the bank fails to comply with its verification obligation and this breach leads to an improperly executed transaction, it must promptly refund the payer the amount transferred.
Furthermore, the bank is not held liable if it has complied with all verification requirements but the payer chose to ignore the non-matching warning.
From when does this new IBAN verification obligation apply for the bank?
The application timeline depends on the currency of the Member State in which the bank is located:
- For a bank located in a Member State whose currency is the euro: by 9 October 2025 at the latest.
- For a bank located in a Member State whose currency is not the euro: by 9 July 2027 at the latest.
