Skip to content

VOP Process Flow

This page provides visual representations of the Verification of Payee (VOP) process flow based on the EPC VOP scheme specifications, including request/response sequences and scheme participant interactions.

Complete VOP Request/Response Process Flow

Section titled “Complete VOP Request/Response Process Flow”
sequenceDiagram participant Payer as Payer (PSU) participant RPSP as Requesting PSP participant RVM as RVM (Optional) participant EDS as EDS participant VPSP as Responding PSP participant Payee as Payee Account Note over Payer,Payee: SEPA Credit Transfer Initiation Context Payer->>RPSP: Initiates SCT/SCT Inst with:<br/>• Payee name<br/>• IBAN<br/>• Optional: LEI/BIC/ID rect rgb(240, 245, 255) Note over RPSP,EDS: EDS Directory Service Lookup alt Direct PSP Connection RPSP->>EDS: Query Responding PSP details<br/>API endpoint + certificates EDS-->>RPSP: Return PSP connection info else Via RVM RPSP->>RVM: Forward VOP request RVM->>EDS: Query Responding PSP details EDS-->>RVM: Return PSP connection info end end rect rgb(245, 240, 255) Note over RPSP,VPSP: VOP API Request Processing (HTTPS/TLS) alt Direct Connection RPSP->>VPSP: POST /vop/verify<br/>Content: JSON ISO 20022 elements<br/>Headers: X-Request-ID, Content-Type else Via RVM RVM->>VPSP: POST /vop/verify<br/>Content: JSON ISO 20022 elements end activate VPSP VPSP->>VPSP: 1. Validate request format VPSP->>VPSP: 2. Authenticate client certificate VPSP->>VPSP: 3. Validate IBAN format VPSP->>VPSP: 4. Check account existence alt Name-based Verification VPSP->>VPSP: Perform name matching:<br/>• Exact match<br/>• Fuzzy matching<br/>• Phonetic matching<br/>• Token analysis else BIC-based Verification VPSP->>VPSP: Match BIC against<br/>account holder BIC else LEI-based Verification VPSP->>VPSP: Match LEI against<br/>account holder LEI else ID-based Verification VPSP->>VPSP: Match ID (VAT, etc.) against<br/>account holder identification end VPSP->>VPSP: Generate match result:<br/>• MTCH (Match)<br/>• NMTC (No Match)<br/>• CMTC (Close Match)<br/>• NOAP (Not Applicable) alt Direct Connection VPSP-->>RPSP: VOP Response<br/>Status: 200 OK<br/>Body: partyNameMatch MTCH else Via RVM VPSP-->>RVM: VOP Response RVM-->>RPSP: Forward VOP Response end deactivate VPSP end rect rgb(255, 245, 240) Note over RPSP,Payer: Response Processing & User Notification alt MTCH - Exact Match RPSP->>Payer: ✅ Payee verified<br/>Payment can proceed else CMTC - Close Match RPSP->>Payer: ⚠️ Close match found<br/>Matched name: actual name<br/>Confirm to proceed? else NMTC - No Match RPSP->>Payer: ❌ Payee verification failed<br/>Check payee details else NOAP - Not Applicable RPSP->>Payer: ℹ️ Verification not available<br/>for this account else Error Response RPSP->>Payer: ⚠️ Technical error<br/>Try again later end end Note over Payer,Payee: Payment Processing Continues Based on VOP Result
graph TB subgraph "Payment Service Users PSUs" Payer[Payer<br/>Payment Initiator] Payee[Payee<br/>Account Holder] end subgraph "Payment Service Providers PSPs" RPSP[Requesting PSP<br/>Payers Bank] VPSP[Responding PSP<br/>Payees Bank] end subgraph "Optional Intermediaries" RVM[RVM<br/>Routing & Verification<br/>Mechanism] end subgraph "EPC Scheme Infrastructure" EDS[EDS<br/>European Directory Service<br/>PSP Registry & Routing] SR[VOP Scheme Rulebook<br/>Rules & Standards] EPC[EPC<br/>Scheme Management<br/>Governance & Oversight] end subgraph "Technical Infrastructure" API[VOP API<br/>HTTPS/TLS<br/>ISO 20022 JSON] PKI[PKI Infrastructure<br/>Client Certificates<br/>Mutual TLS] end %% User interactions Payer -->|1. Initiates SCT/SCT Inst<br/>with payee details| RPSP Payee -->|Account relationship| VPSP %% PSP interactions RPSP -->|2. VOP Request<br/>direct or via RVM| VPSP RPSP -.->|Alternative: Via RVM| RVM RVM -.->|Forward request| VPSP %% Directory service RPSP -->|Query PSP details| EDS RVM -->|Query PSP details| EDS VPSP -->|Registered| EDS %% Scheme compliance RPSP -->|Adheres to| SR VPSP -->|Adheres to| SR RVM -.->|Adheres to| SR %% Technical layer RPSP -->|Uses| API VPSP -->|Implements| API RVM -.->|Uses| API API -->|Secured by| PKI %% Governance EPC -->|Manages| SR EPC -->|Oversees| EDS EPC -->|Governs| API %% Response flow VPSP -->|3. VOP Response<br/>MTCH/NMTC/CMTC/NOAP| RPSP RVM -.->|Forward response| RPSP RPSP -->|4. Verification result<br/>& payment decision| Payer classDef psu fill:#e8f4fd,color:#1f2937,stroke:#3b82f6,stroke-width:2px classDef psp fill:#0066cc,color:white,stroke:#004499,stroke-width:2px classDef infrastructure fill:#003366,color:white,stroke:#001a33,stroke-width:2px classDef optional fill:#f3f4f6,color:#374151,stroke:#6b7280,stroke-width:1px,stroke-dasharray: 5 5 classDef technical fill:#065f46,color:white,stroke:#047857,stroke-width:2px class Payer,Payee psu class RPSP,VPSP psp class EDS,SR,EPC infrastructure class RVM optional class API,PKI technical
  • Payer (PSU) initiates a SEPA Credit Transfer (SCT) or SEPA Instant Credit Transfer (SCT Inst)
  • Provides payee details: name, IBAN, and optionally LEI, BIC, or identification code
  • Requesting PSP receives payment instruction and determines VOP verification is required
  • Compliance with EU Instant Payments Regulation (IPR) requirements
  • Requesting PSP or RVM queries the European Directory Service (EDS)
  • EDS returns Responding PSP’s API endpoint and certificate information
  • Enables secure peer-to-peer communication between PSPs
  • Supports both direct PSP connections and RVM-mediated routing
  • HTTPS/TLS connection established using mutual certificate authentication
  • POST request to /vop/verify endpoint with ISO 20022 JSON elements
  • Request validation: format, authentication, IBAN syntax
  • Account verification: existence check against IBAN
  • Matching algorithms applied based on verification type:
    • Name-based: Exact, fuzzy, phonetic, and token-based matching
    • BIC-based: Business Identifier Code verification
    • LEI-based: Legal Entity Identifier verification
    • ID-based: VAT number, social security, or other identification codes
  • MTCH (Match): Exact match found, payment can proceed
  • CMTC (Close Match): Similar match found, includes actual name for confirmation
  • NMTC (No Match): No matching data found
  • NOAP (Not Applicable): Verification not possible for this account type
  • Processing time tracking and audit logging for compliance

5. Response Processing & User Notification

Section titled “5. Response Processing & User Notification”
  • Requesting PSP processes VOP response and notifies payer
  • User decision based on match result (proceed, confirm, or abort payment)
  • Payment processing continues based on VOP outcome and user choice
  • Compliance reporting for regulatory requirements
  • Payer: Initiates SEPA payments and receives VOP verification results
  • Payee: Account holder whose details are being verified
  • Requesting PSP: Payer’s bank that sends VOP requests
  • Responding PSP: Payee’s bank that processes verification requests
  • Mandatory EDS registration and scheme compliance
  • RVM (Routing and/or Verification Mechanisms):
    • Optional service providers that facilitate VOP requests
    • Can aggregate multiple PSP connections
    • Must comply with scheme rules and technical standards
  • EDS (European Directory Service):
    • Central registry of participating PSPs
    • Provides routing information and certificates
    • Managed by EPC with operational oversight
  • VOP Scheme Rulebook:
    • Defines rules, practices, and standards
    • Technical specifications and compliance requirements
    • Regular updates and governance procedures
  • EPC Governance:
    • Scheme management and oversight
    • Rule development and enforcement
    • Participant onboarding and certification
  • VOP API: RESTful HTTPS endpoints using ISO 20022 JSON elements
  • PKI Infrastructure: X.509 certificates for mutual TLS authentication
  • Security Standards: EPC164-22 compliant cipher suites and protocols
  • Monitoring & Reporting: Transaction logging and regulatory reporting
  • SLA Requirements: Response time limits and availability standards
  • EU IPR Compliance: Mandatory for instant payments from October 2025
  • Data Protection: GDPR compliance for personal data processing
  • Security Standards: Regular security assessments and incident reporting
  • Testing & Certification: EPC139-25 test case compliance
  • Business Continuity: Disaster recovery and operational resilience