EU fraud liability VoP: Protect Your Revenue from APP Scams

The New Frontier of Financial Risk: The Tectonic Shift in European Payments

The payment industry relied heavily on the Revised Payment Services Directive (PSD2) to secure transactions. While PSD2’s Strong Customer Authentication (SCA) successfully curbed unauthorized card fraud, it proved ineffective against the current threat: Authorized Push Payment (APP) fraud. Consequently, financial crime evolved.

APP fraud, the apex of financial crime, operates by manipulating people, not systems. A customer is socially engineered – often through sophisticated impersonation of a supplier – into authorizing a transfer to a fraudster’s account. This intentional authorization made traditional recourse difficult, often leaving the loss with the customer or necessitating complex disputes for merchants. Therefore, the European Union’s regulatory response is a revolutionary step.

The EU’s framework, driven by the Payment Services Regulation (PSR) and the Instant Payments Regulation (IPR), directly addresses this systemic weakness. It mandates preventive checks and, crucially, redefines who absorbs the loss. This initiative to solidify EU fraud liability VoP (Verification of Payee) is not a minor update. It represents a fundamental re-engineering of the European payment trust system, demanding strategic attention from every finance director.

The Core Mechanism: Addressing EU Fraud Liability with VoP

The centerpiece of the EU’s defensive strategy is the mandatory implementation of the Verification of Payee (VoP) service for all euro-denominated SEPA Credit Transfers (SCT), including the new instant variety.

The Anatomy of the Pre-Execution Check

VoP fundamentally changes the liability paradigm. It shifts the focus from transaction authentication to payee identity verification. The PSP on the sending side is now obligated to perform an instantaneous, real-time check before execution:

1. Data Reconciliation: When a payer initiates a transfer, the system cross-references the Recipient Name entered by the payer against the name legally registered to the Recipient IBAN (your merchant account).

2. Immediate Risk Assessment: The system immediately returns a standardized response to the payer: a ‘Match,’ a ‘Close Match’ (allowing the payer to proceed after a warning), or a definitive ‘No Match’ (a strong fraud indicator). Consequently, the customer receives immediate feedback.

3. Frictionless Defense: This mechanism introduces a mandatory, real-time “stop” sign for potentially high-risk payments. The vast majority of fraudulent transfers, which rely on the account name being different from the legitimate party being impersonated, will be flagged and halted at the source .

For Novalnet merchants, this translates into a systemic reduction in the receipt of money derived from APP fraud. It ensures that the funds reaching your settlement accounts are inherently cleaner and more reliable.

Source: Review the key obligations and timelines for the IPR.

The Commercial Imperative: From Compliance to Competitive Advantage

The implementation of EU fraud liability VoP is not a cost of doing business. It is an investment in system integrity that delivers tangible commercial benefits.

Strategic Liability Allocation

The PSR clarifies that a PSP will be financially liable for reimbursing the customer’s loss resulting from APP fraud if the PSP failed to apply the mandatory VoP check or ignored the ‘No Match’ warning. This action places the onus for upfront fraud prevention squarely on the financial infrastructure, relieving the customer and the merchant of undue risk.

• Financial Impact: Eliminating fraudulent deposits and correcting erroneous transfers before execution saves your finance team significant time. Therefore, time spent on investigation, manual reconciliation, and dealing with financial uncertainty is drastically reduced – a direct boost to operational efficiency.

• Trust and Conversion: As A2A payments become faster, safer, and cheaper than card schemes due to these enhanced security features, consumer and B2B adoption will rise. Offering instant, trusted payment methods consequently becomes a competitive differentiator.

The DORA Nexus: Resilient Payments

The success of VoP and Instant Payments is underpinned by the Digital Operational Resilience Act (DORA), applicable since January 2025. DORA requires financial entities and their critical service providers to maintain robust cyber resilience.

The synergy is clear: the instantaneous, trusted verification required by VoP necessitates a 24/7/365, failure-proof infrastructure. DORA ensures that the PSP ecosystem is legally bound to meet this high standard. Ultimately, this translates to guaranteed payment continuity and data integrity for your critical processing.

Source: Read the comprehensive analysis on PSD3 and PSR from Flagright.

Compliance Deadlines and Key Implementation Dates

For merchants, knowing the mandated deadlines is essential for technical roadmap planning and partner evaluation.

• October 2025: This is the critical implementation deadline for the Verification of Payee (VoP) service under the IPR. All PSPs must offer VoP checks for all SEPA Credit Transfers.

• January 2025: The DORA regulation entered into force, meaning PSPs and their critical third-party providers must comply with strict rules on ICT risk management, incident reporting, and operational testing.

• The Mandate: PSPs must offer VoP on all channels where customers can initiate payments: online, mobile, over the phone, or in person. Merchants must ensure their payment partners adhere to this full-channel availability.

The Limitations of VoP: What Doesn’t it Stop?

VoP is highly effective against impersonation scams (APP fraud). But it has limitations that require merchants to maintain holistic fraud defenses. It is important to remember:

• Identity Theft: VoP only checks if the name matches the account number. If a fraudster has successfully taken over a customer’s legitimate account (an Account Takeover or ATO) and the account name remains the same, VoP will return a ‘Match.’

• Transactions Outside SEPA: VoP applies only to transactions within the SEPA zone. Cross-border payments outside of SEPA remain subject to different verification and liability rules.

Therefore, VoP is a foundational security layer, but it does not eliminate the need for layered fraud tools that analyze behavioral biometrics and velocity checks.

The Rise of A2A Payments: Challenging the Card Networks

The simultaneous mandates for Instant Payments and EU fraud liability VoP create a powerful economic incentive for the growth of Account-to-Account (A2A) payments.

A2A payments, which facilitate instant, direct transfers between bank accounts, possess inherent advantages over card transactions:

• Lower Acceptance Costs: A2A payments bypass expensive card scheme interchange fees, dramatically reducing costs for high-volume merchants.

• Immediate Settlement: Instant Payments provide cash liquidity in seconds, eliminating the 1-3 day settlement lag common with card schemes.

• Enhanced Security: VoP, coupled with the security of Open Banking APIs, offers a superior, fraud-mitigated payment experience that card schemes cannot natively match for fraud that originates outside their network.

Industry experts predict A2A payments will offset 15-25% of future card transaction growth in Europe. Merchants who integrate instant A2A solutions now are strategically positioning themselves to benefit from lower fees and faster cash cycles in the dominant payment rail of the future.

The Strategic Call to Action: Mastering the New Regulatory Architecture

For enterprises targeting high efficiency and scalable growth in the EU, adapting to this new architecture requires strategic foresight, not just technical deployment.

How to Future-Proof Your Payment Stack

1. Validate End-to-End Compliance: Go beyond checking a simple compliance box. Ensure your PSP’s VoP implementation is robustly integrated with their fraud and risk management layers to maximize protection against evolving APP techniques.

2. Re-engineer Fulfillment: With settlement confirmed in seconds, not days, your logistics, inventory, and fulfillment systems must be ready to capitalize on instant cash liquidity. In essence, the acceleration of payment velocity should trigger a corresponding acceleration in operational delivery.

3. Embed Resilience: Ask your partners about their DORA compliance readiness. A critical, system-wide failure at a non-compliant PSP can translate into severe, unnecessary business disruption for your enterprise. Furthermore, choosing a DORA-ready partner like Novalnet is a proactive risk mitigation strategy.

The EU fraud liability VoP mandate is not merely a European security layer. It is an international benchmark for payment trust. Therefore, by partnering with a fully compliant PSP, you secure your revenue, streamline your operations, and gain a competitive edge in the high-speed European digital market.

Connect with Our Payment Experts

If your organization is navigating the complex requirements of the PSR, IPR, and DORA – or if you simply want to understand how a fully compliant and secure payment ecosystem can enable scalable, frictionless growth – our experts are ready to assist. A confidential consultation can illuminate strategic risks, clarify architectural needs, and outline a path toward the level of resilience the future will demand.

You can contact them directly on our dedicated page: Contact Novalnet Experts.

Alexander Burba

Alexander Burba is a Performance Marketing Specialist at Novalnet AG in Munich, where he leads digital acquisition and brand initiatives. With over 7 years of experience in B2B SaaS, FinTech, and IT marketing, Alexander has supported international teams in Germany and Ukraine, serving clients across the EU, US, and global markets. He combines data-driven strategy with cross-functional collaboration to deliver measurable growth for Novalnet and its partners.