The impacts of PSD3 on IBAN verification: the EU is getting its version of confirmation of payee
In June 2023, the European Commission published its legislative proposal to amend and modernise the current version of the Payment Services Directive, PSD2. The new version, PSD3, introduces new guidelines regarding IBAN verification application and implementation.
In this article, we break down what IBAN verification is, what was previously in the law, and what PSD3 is changing.
Introducing IBAN verification
IBAN verification, also known as Confirmation of Payee in the UK, is the process by which a payer can confirm the name of a payee before sending a payment to a specific account number, or IBAN.
Concretely, let’s say that John Payer would like to send a payment to Jane Doe.
John Payer would enter Jane Doe’s IBAN into their bank’s mobile app. But it happened that Jane Doe incorrectly copy-pasted her IBAN before sharing it with John Payer. It’s actually Richard Roe’s IBAN.
“Jane Doe” doesn’t match “Richard Roe”, so John Payer’s bank mobile app would have to inform them that if they send a payment to this IBAN, they won’t send the payment to Jane Doe but Richard Roe.
IBAN verification in the law before PSD3
The European Commission first introduced the concept of mandatory IBAN verification in its legislative proposal on instant payments published in October 2022.
In this proposal, Article 5c titled “Discrepancies between the name and payment account identifier of a payee in case of instant credit transfers”, described that PSPs (banks, payment institutions, and electronic money institutions participating in SEPA) would have to “verify whether the payment account identifier (i.e., the IBAN) and the name of the payee provided by the payer match”, and inform the payer if not.
The payer should be informed “immediately” after they enter their counterparty IBAN and name into their PSP’s websites or mobile apps and before being able actually to send the payment. This service should be accessible no matter the interface the payer uses to send an instant payment.
The European Commission motivated this part of the proposition by the goal of increasing the adoption of instant payments by making them safer. Indeed, unlike regular payments, instant payments are, in most cases, irrevocable.
Also, instant payments mean no time for PSPs’ compliance teams to review payments before they are accepted and the ability for fraudsters to move money from account to account to blur tracks instantly. IBAN verification prevents part of such payment frauds.
In this legislative proposal, PSPs were given 12 months after the proposal adoption to comply. But the EU did not share any details as to how PSPs were supposed to implement IBAN verification.
The combination of both raised a lot of concerns in the industry, as expressed in the feedback on the instant payments legislative proposal.
Why is IBAN verification difficult?
Accessing the data There is no single database of all IBANs and linked account holders’ names across SEPA. Each SEPA participant has this information for its accounts, but the data isn’t generally shared.
Some country-specific initiatives and service providers have this data on the scale of one or a few countries or a portion of all European accounts, but no 100% comprehensive pan-European database.
Matching the names In the case such a comprehensive database of all European IBANs and their corresponding account holder names existed, the next step would be to match the name entered by the payer and the name in the database.
Here, many things can go wrong:
The payee and payer might use different alphabets for the same name, leading to no match. For instance, someone in Spain might want to send an instant payment to someone in Greece, using their name written in the Latin alphabet, while it’s stored using the Greek alphabet in the database.
The payer might use the payee’s middle or maiden names while they are not stored in the database, and vice versa
The payer might make simple typos in the payee name (e.g. “Mathieu” instead of Matthieu”)
A simple match-no-match system would most likely return too many no-matches. The challenge is building a system that can natively handle most of the nuances above and, when necessary, show payers the discrepancies between the entered beneficiary name and the name linked to the IBAN in the database.
All that without showing too much so as to prevent reverse engineering of the database.
Doing it quickly The instant payments legislative proposal says that this verification should be done “immediately” after the payer enters the IBAN and account holder name information into the PSPs systems. While “immediately” is, as of today, not clearly defined, it makes sense that you don’t want users to wait more than a few seconds before they can send a payment. It would otherwise create a bad user experience.
It would mean searching for an IBAN among a few hundred million records, returning the name corresponding to this IBAN, and checking it against the name entered by the sender in less than a few seconds, and doing so millions of times a day. It is not impossible, but not trivial.
Another option would be for the sending and receiving banks to exchange the payee’s account holder information before the payment, which would require new interbank messaging capabilities.
Existing IBAN verification systems in Europe
Equivalent solutions already exist, though they are not at the scale of SEPA.
Keep reading with a 7-day free trial
Subscribe to Payments:Unpacked to keep reading this post and get 7 days of free access to the full post archives.