The European Union's mandate for Verification of Payee (VoP) by October 2025 is poised to change payments as we know them. While the goal is simple—to reduce fraud and misdirected payments by verifying a payee's name against their account number—the execution is anything but.
The real challenge lies in the "matching" process. How does a system reliably recognise that "Jon Doe" and "Jonathan Doe" are likely the same person, or distinguish a common trading name from a legal entity name?
This isn't just about string comparison, but about building systems that understand the nuances of human identity, from cultural naming conventions to the simple reality of a typo. The stakes are high as overly strict algorithms risk rejecting legitimate payments, creating friction and frustrating customers, and lenient ones could inadvertently expose customer data, breach GDPR, or worse, fail to stop the very fraud they were designed to prevent.
How does VoP work?
At its core, the VoP process involves a real-time dialogue between two payment service providers (PSPs). When a payer initiates a transfer, their PSP (the "Requesting PSP") sends a request containing the payee's name and IBAN to the recipient's PSP (the "Responding PSP"). The Responding PSP then checks these details against its records.
The result of this check isn't a simple "yes" or "no." It falls into one of several categories: "match," "no match," or "close match". This feedback is then relayed to the payer, who can make an informed decision about whether to proceed with the treatment. The entire exchange is designed to happen in seconds, ideally in under one second, though the maximum time allowed has been extended to five seconds.
To facilitate this across Europe, the European Payments Council (EPC) has established a VoP scheme rulebook and is collaborating with SWIFT to create a directory service. This directory will help PSPs locate the correct API endpoint for the Responding PSP, creating the interoperable framework necessary for the system to function across the SEPA zone.
What is the underlying challenge of name matching?
Name matching is far more complicated than it appears because names are not unique identifiers like a Social Security number or a legal entity identifier (LEI). They are subject to immense variation:
- Nicknames and abbreviations: "Bill" for "William" or "Ltd." for "Limited."
- Spelling variations and typos: "Sophia" vs. "Sofia" or a simple keyboard error.
- Transliteration: When names are converted from one script to another, such as from Cyrillic or Han scripts to Latin, multiple valid spellings can emerge. For example, the common Chinese name Wu can be transliterated as "W-U" or "W-O-O".
- Cultural differences: Naming conventions, the use of middle names, and the order of first and last names vary significantly across the globe. Some languages also lack certain sounds, leading to predictable transliteration substitutions, like "L" for "R" in Cantonese.
- Business names: Companies often use trading names that are different from their legally registered names.
These linguistic and cultural nuances mean that a simple, direct comparison of text strings would result in an unacceptably high rate of false negatives, where legitimate payees are flagged as "no match".
Which technologies can help solve for these challenges?
To overcome the complexities of name variation, VoP systems rely on sophisticated algorithms, often referred to as "fuzzy name matching". These algorithms go beyond exact matches to find names that are similar but not identical.
Several techniques are used, often in combination:
Phonetic Algorithms: These methods, such as Soundex or Metaphone, reduce names to a phonetic key based on their English pronunciation. This allows the system to match names that sound similar even if they are spelt differently, like "Smith" and "Smythe."
Edit Distance Algorithms: Algorithms like Levenshtein distance measure the number of edits (insertions, deletions, or substitutions) required to change one name into another. This is effective for catching typos.
AI and Machine Learning: The most advanced solutions now incorporate AI and machine learning. Companies like iPiD, in collaboration with Microsoft, are using large language models (LLMs) to power their matching engines. As Ivan Chong, CTO of iPiD, notes, "With AI, we can bridge the gap between technical precision and contextual nuance". These AI-driven systems can be trained on vast datasets to understand context, cultural variations, and the statistical likelihood of different name variations, significantly improving accuracy.
Babel Street employs a patented "two-pass" hybrid method, first utilising phonetic transliteration to generate a list of likely matches and then applying statistical analysis to refine the results.
These technologies allow a PSP to set its risk tolerance, creating rules that can, for instance, accept a close match if the variation is a known nickname or a standard transliteration, while flagging more ambiguous cases for review.
How does this affect financial institutions?
For PSPs, implementing VoP is a significant technical undertaking. They must not only build or integrate a system capable of both sending and responding to verification requests, but also fine-tune their matching algorithms to strike a balance between security and customer experience.
The challenge is more than technical; it’s also operational. Financial institutions must navigate data privacy regulations, such as the GDPR, which impose strict limits on how personal data can be shared. When a "close match" occurs, the system must provide sufficient information for the payer to decide without revealing sensitive data about a third party unnecessarily. For example, if a payment is sent to a joint account, the responding PSP will only confirm the name provided in the request, even if other account holders exist.
Furthermore, as fraud tactics constantly evolve, these systems cannot remain static. They require ongoing monitoring and adjustment. The introduction of VoP has already proven effective in markets like the Netherlands, where it reduced authorised push payment (APP) fraud by 81% and misdirected payments by 67%. As this mandate rolls out across Europe, it will compel all financial players to invest in the sophisticated technology necessary to comprehend identity in a truly globalised, digital world.
The road to VoP compliance is paved with significant technical and operational hurdles. For financial institutions navigating this new landscape, the right technical partner is not just a vendor but a crucial guide.
How can Ximedes help?
The road to VoP compliance is paved with significant technical and operational hurdles. After the October 9, 2025, deadline, all banks and Payment Service Providers (PSPs) in the SEPA zone must have a functioning Verification of Payee solution for all credit transfers.
Ximedes offers a robust, dedicated solution designed to help institutions meet this mandate efficiently and effectively. While banks possess the necessary data, implementing the scheme rules correctly is a significant challenge. Placing these services directly on top of core banking platforms is often not feasible.
To address this, Ximedes has developed a specialised component that functions as a backbone for VoP requests. This solution is engineered to provide near-instant responses without placing any additional load on existing legacy systems.
Key features of the Ximedes VoP solution include:
- Directory Service Design: Ximedes proposes a design utilising a central directory service that maps a payee's BIC code to a specific URL endpoint for the verification request. This creates a streamlined and interoperable framework for communication between PSPs.
- Advanced Name Matching: The system incorporates sophisticated name-matching logic to handle the complexities of real-world data. Before comparison, names are normalised by converting them to uppercase, removing diacritics, and stripping titles. The matching engine can identify "close matches" resulting from typos, switched letters, reversed first and last names, the use of initials, and common nicknames.
- Efficient Architecture: The design includes caching and optimised data importing to ensure the system can respond to verification requests in under one second, well within the mandated timeframe.
Ximedes provides a clear implementation path that includes analysis, development, data importation, and testing.
Would you like to speak in person about how Ximedes can help your business navigate this change? We will be at Sibos Frankfurt from the 29th of September to the 2nd or October 2025, ready to answer any questions you may have.
Learn more and book a meeting with us here: https://ximedes.com/ximedes-at-sibos
