In June 2023, the European Commission published its legislative proposal to amend and modernise the current version of the Payment Services Directive, PSD2. The new version, PSD3, introduces new guidelines on how IBAN verification is applied and implemented.
In this article, we break down what IBAN verification is, what was previously in the law, and what PSD3 is changing.
IBAN verification, also known as Confirmation of Payee in the UK, is the process by which a payer can confirm the name of a payee before sending a payment to a specific account number, or IBAN.
Concretely, let’s say that John Payer would like to send a payment to Jane Doe.
John Payer would enter Jane Doe’s IBAN into their bank’s mobile app. But Jane Doe happened to copy-paste the wrong IBAN before sharing it with John Payer. It’s actually Richard Roe’s IBAN.
“Jane Doe” doesn’t match “Richard Roe”, so John Payer’s bank mobile app would have to inform them that a payment sent to this IBAN will go to Richard Roe, not Jane Doe.
The European Commission first introduced the concept of mandatory IBAN verification in its legislative proposal on instant payments published in October 2022.
Article 5c of this proposal, titled “Discrepancies between the name and payment account identifier of a payee in case of instant credit transfers”, stated that PSPs (banks, payment institutions, and electronic money institutions participating in SEPA) would have to “verify whether the payment account identifier (i.e., the IBAN) and the name of the payee provided by the payer match”, and inform the payer if not.
The payer should be informed “immediately” after entering the counterparty’s IBAN and name into their PSP’s website or mobile app, and before they can actually send the payment. This service should be accessible no matter the interface the payer uses to send an instant payment.
The European Commission motivated this part of the proposal by the goal of increasing the adoption of instant payments by making them safer. Indeed, unlike regular payments, instant payments are, in most cases, irrevocable.
Also, instant payments leave no time for PSPs’ compliance teams to review payments before they are accepted, and they let fraudsters instantly move money from account to account to cover their tracks. IBAN verification prevents some of this payment fraud.
In this legislative proposal, PSPs were given 12 months after the proposal’s adoption to comply. But the EU did not share any details as to how PSPs were supposed to implement IBAN verification.
The combination of both raised a lot of concerns in the industry, as expressed in the feedback on the instant payments legislative proposal.
Accessing the data
There is no single database of all IBANs and linked account holders' names across SEPA. Each SEPA participant has this information for its accounts, but the data isn’t generally shared.
Some country-specific initiatives and service providers have this data on the scale of one or a few countries or a portion of all European accounts, but no 100% comprehensive pan-European database.
Matching the names
If such a comprehensive database of all European IBANs and their corresponding account holder names existed, the next step would be to match the name entered by the payer against the name in the database.
Here, many things can go wrong:
The payee and payer might use different alphabets for the same name, leading to no match. For instance, someone in Spain might want to send an instant payment to someone in Greece, using their name written in the Latin alphabet, while it’s stored using the Greek alphabet in the database.
The payer might use the payee’s middle or maiden names while they are not stored in the database, and vice versa.
The payer might make simple typos in the payee name (e.g. “Mathieu” instead of “Matthieu”).
A simple match-no-match system would most likely return too many no-matches. The challenge is building a system that can natively handle most of the nuances above and, when necessary, show payers the discrepancies between the entered beneficiary name and the name linked to the IBAN in the database.
All that without showing too much so as to prevent reverse engineering of the database.
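The matching rules described above, as an added example (not from the original article or from any PSP's or scheme's implementation): names are normalised, then compared word by word so that typos and extra middle or maiden names yield a close match instead of a flat no-match, and the stored name is disclosed only on a close match. The function name `verify_payee`, the three verdict strings, the 0.85 similarity threshold and the two-word minimum are assumptions; cross-alphabet transliteration is not handled, so a Latin/Greek pair still returns a no-match.

```python
import re
import unicodedata
from difflib import SequenceMatcher

MATCH, CLOSE_MATCH, NO_MATCH = "match", "close_match", "no_match"

def normalise(name):
    """Casefold, strip diacritics, drop punctuation/digits; return word tokens."""
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    letters = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.findall(r"[^\W\d_]+", letters)

def similar(a, b, threshold=0.85):
    """True for identical tokens or small typos (threshold is an assumption)."""
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold

def verify_payee(entered, stored):
    """Compare the payer-entered name with the account holder name.

    Returns (verdict, suggestion). The stored name is disclosed only on a
    close match, so a wrong guess never reveals who owns the IBAN.
    """
    e, s = normalise(entered), normalise(stored)
    if e and sorted(e) == sorted(s):
        return MATCH, None                  # same words, any order
    shorter, longer = (e, s) if len(e) <= len(s) else (s, e)
    if len(shorter) < 2:
        return NO_MATCH, None               # one word alone is too easy to guess
    remaining = list(longer)
    for token in shorter:
        hit = next((t for t in remaining if similar(token, t)), None)
        if hit is None:
            return NO_MATCH, None
        remaining.remove(hit)
    return CLOSE_MATCH, stored              # typo or extra middle/maiden name

if __name__ == "__main__":
    # Constructed sample pairs: (name typed by payer, name held by payee's PSP)
    samples = [
        ("Jane Doe", "Richard Roe"),
        ("Mathieu Dupont", "Matthieu Dupont"),
        ("Jane Doe", "Jane Mary Doe"),
        ("DOE, José", "Jose Doe"),
        ("Jane", "Jane Doe"),
    ]
    for entered, stored in samples:
        print(f"{entered!r} vs {stored!r} -> {verify_payee(entered, stored)}")
```

The two-word minimum is what keeps the close-match path from becoming a lookup oracle: submitting only a common first name against an IBAN never returns the holder's full name.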
Doing it quickly
The instant payments legislative proposal says that this verification should be done “immediately” after the payer enters the IBAN and account holder name information into the PSP’s systems. While “immediately” is, as of today, not clearly defined, it makes sense that you don’t want users to wait more than a few seconds before they can send a payment. It would otherwise create a bad user experience.
It would mean searching for an IBAN among a few hundred million records, returning the name corresponding to this IBAN, and checking it against the name entered by the sender in less than a few seconds, and doing so millions of times a day. It is not impossible, but not trivial.
Another option would be for the sending and receiving banks to exchange the payee’s account holder information before the payment, which would require new interbank messaging capabilities.
Equivalent solutions already exist, though they are not at the scale of SEPA.
Pay.UK, the operator of UK interbank payment systems, launched its equivalent to IBAN verification, Confirmation of Payee, in 2020. It created the rules and standards for the system and operates it. It has been optional for most banks and other PSPs to implement it since its launch in 2020. Today, volumes of Confirmation of Payee requests are averaging more than one million per day.
In some countries, banks have launched joint initiatives to share bank account holders’ details for various use cases, such as SEPAm@il with its DIAMOND solution in France.
DIAMOND isn’t based on a joint IBAN-name database but on a local interbank messaging system.
Some fintech companies specialise in account holder information verification in Europe, such as Surepay in the Netherlands or Trustpair in France.
These companies offer their services via APIs that are relatively simple to integrate compared to local interbank messaging solutions, making them good candidates for PSPs to implement quickly.
However, they do not offer a 100% comprehensive pan-European data source, limiting their reach.
The European Payments Council (EPC) defines the SEPA payment schemes, which are the sets of rules PSPs have agreed upon to execute transactions through SEPA payment methods.
The EPC writes the rulebooks containing the business rules, obligations and technical standards to execute SEPA payments, implementation guidelines and management rules.
Interestingly, the EPC also develops pure interbank messaging schemes that do not involve payments, such as Request-to-Pay. The EPC could develop a scheme similar to France’s SEPAm@il DIAMOND, but at a European level, driving further adoption.
Part of the “Combat and mitigate payment fraud” proposals in the PSD3 legislation is the extension of mandatory IBAN verification to all SEPA credit transfers, rather than only SEPA instant credit transfers as introduced in the EU legislative proposal on instant payments, which is planned to be enforced in the next 24 months.
Contrary to the fuzziness caused by the lack of technical implementation guidelines from the instant payments legislative proposal, PSD3 includes this:
“The PSP of the payee will be required, at the request of the PSP of the payer, to verify whether the unique identifier (IBAN number) and the name of the payee as provided by the payer match.”
In other words, the receiving bank will need to provide the information to the sending bank before the sender can confirm its payment.
This is quite similar to how the UK’s Confirmation of Payee or the French interbank initiative SEPAm@il’s DIAMOND works, with one major unknown left: will the final legislation require IBAN verification for every single payment, or only when a new beneficiary is registered in the payer’s PSP system?
The answer to this question is crucial. Indeed, the technical implementation described in the proposal at first glance disqualifies database-based solutions described above. A centralised, purpose-built system could easily (relatively speaking) withstand the volumes required to check the IBAN<>name match for every single SEPA credit transfer.
But the proposal seems to mandate:
1. Each PSP to have its own IBAN<>name table. They all have one in their systems of record, but these are not necessarily built to be queried at high volumes with instant answers expected.
2. A standardised inter-PSP communication channel to share this information for every payment or every time a payer adds a beneficiary to their account.
Some versions of 2. already exist at a similar European scale. It is the system banks rely on for interbank payments (and now Request-to-Pay), whether classic or instant. The EPC defines the rules, and entities like EBA Clearing provide the infrastructure. It’s robust, trusted, and proven. And again, with SEPAm@il’s DIAMOND, such systems already exist and work at a local scale.
So no doubt it can be done even if the checks have to be done for each payment.
But 1. will be trickier, especially for traditional banks relying on legacy systems. While extremely robust for all the use cases they cover as of today, they haven’t been designed with the ability to answer high volumes of IBAN<>name queries instantly. PSPs relying on legacy systems will most likely have to build (or buy) additional systems mirroring their core systems’ IBAN<>name data capable of supporting such throughput.
The PSD3 legislation is expected to be passed by June 2024, with full enforcement likely in 2025. On the instant payments side specifically, the European Commission’s legislative proposal is expected to be enforced by Q4 2024 for the reception of instant payments and Q3 2025 for the obligation to be able to send instant payments.
This timeline gives European PSPs a bit more than a year to support IBAN verification, which is, as described above, ambitious. Moreover, players that started to develop solutions based on the instant payments legislative proposal and its lack of implementation guidelines, such as EBA Clearing, might have to go back to the drawing board.
Members of the banking and payments industry will most likely ask for further details and extended timelines on mandatory IBAN verification implementation.
But whatever the final form and date of enforcement, PSPs should start preparing their payment infrastructure for straight-through processing, including automated real-time checks on these payments today.