
05. VoP - Verification of Payee

Introduction

Verification of Payee (VoP) is generally supported by the XS2A server. Whether VoP is actually available, however, depends on the individual Bank’s configuration.

There is no obligation on a Bank to offer the VoP via their PSD2 interfaces, as clarified by the EU Commission in their Q&As on IPR implementation.

Each Bank should have a note on their PSD2 website actively indicating their VoP support (or lack thereof).

VoP is active on the Sandbox to enable testing.

Variants of VoP

VoP exists as a “standalone” variant, or it can be used during the payment authorisation by setting the header TPP-VOP-Requested = true.

To see the standalone variant, you can use this API documentation and switch between standalone and the regular XS2A API.

Support of VoP with Standalone Endpoints

Please check on the Bank’s PSD2 website whether the Bank supports this flow!

If the Bank supports the standalone endpoints, the TPP can call the POST /v1/party-verifications (see API documentation under the product “finAPI xs2a VOP”) endpoint.

In this case, the relevant party data has to be submitted (partyAccount and party.name).

Support of VoP during the Payment Authorisation Flow

Please check on the Bank’s PSD2 website whether the Bank supports this flow!

Start the Authorisation

If the payment authorisation should execute the VoP directly, the header TPP-VOP-Requested = true must be set.

If the header is not set or is set to false, the VoP can be skipped (opt-out by default). In this case, the TPP indicates to the Bank that the VoP was already done or is not required.
When the VoP has already been executed, it is recommended to also set the TPP-VOP-ID header with the corresponding VoP ID of the verification, if available.

Result of the VoP

At this point, there is a difference between the redirect flow and the decoupled/embedded flow.

The redirect flow returns the vopResultList in the response to the start of the authorisation, while the other flows return it after the PSU has been successfully authenticated.

If the match is not MTCH, a confirmation by the PSU is required. For that, the _links list includes a link to the related confirmation API endpoint under the key creditorNameConfirmation.

Confirmation of Creditor Name

When the result of the VoP is not MTCH, the XS2A server expects confirmation of the creditor name from the PSU in order to proceed with the payment and accept the mismatch.

This happens with the PUT /v1/{payment-service}/{payment-product}/{paymentId}/creditor-confirmation endpoint.

After this endpoint has been called successfully, the flow can continue as usual.
In case of the redirect flow, the scaRedirect element is then available in the _links list.
For embedded/decoupled, the link element selectAuthenticationMethod is set.
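
The header choice and the result handling described above, sketched as client-side logic. This is an added example, not code from the XS2A server or its API documentation. It shows a TPP building the start-authorisation headers and refusing to move on to SCA until the PSU has accepted any non-MTCH result. Assumptions: the field name vopResult inside each vopResultList entry is hypothetical, each _links value is taken to be either a URL string or an object with href, and the sample responses are constructed.

```python
# Added example. Assumptions: each vopResultList entry carries its result in a
# field named "vopResult" (hypothetical), and each _links value is either a URL
# string or an object with "href".
MATCH = "MTCH"

def start_headers(run_vop, prior_vop_id=None):
    """Headers for starting the payment authorisation."""
    headers = {"TPP-VOP-Requested": "true" if run_vop else "false"}
    # VoP already executed elsewhere: reference it, as the page recommends.
    if not run_vop and prior_vop_id:
        headers["TPP-VOP-ID"] = prior_vop_id
    return headers

def _href(links, key):
    link = links.get(key)
    return link.get("href") if isinstance(link, dict) else link

def next_step(response, psu_accepted_mismatch=False):
    """Return (action, href) for one authorisation response."""
    links = response.get("_links") or {}
    results = response.get("vopResultList") or []
    # Anything other than MTCH, including a missing field, counts as a mismatch.
    mismatch = any(r.get("vopResult") != MATCH for r in results)
    confirm = _href(links, "creditorNameConfirmation")
    if mismatch or confirm:
        if not confirm:
            return ("stop", None)          # mismatch without a way to confirm
        if not psu_accepted_mismatch:
            return ("ask_psu", confirm)    # never confirm on the PSU's behalf
        return ("put_creditor_confirmation", confirm)
    for key in ("scaRedirect", "selectAuthenticationMethod"):
        if _href(links, key):
            return (key, _href(links, key))
    return ("wait", None)  # e.g. decoupled/embedded before PSU authentication

# Constructed sample responses (not captured from a real bank).
SAMPLE_MATCH = {
    "vopResultList": [{"vopResult": "MTCH"}],
    "_links": {"scaRedirect": {"href": "https://bank.example/sca"}},
}
CONFIRM_URL = "/v1/payments/sepa-credit-transfers/constructed-id/creditor-confirmation"
SAMPLE_MISMATCH = {
    "vopResultList": [{"vopResult": "CONSTRUCTED_NON_MATCH"}],
    "_links": {"creditorNameConfirmation": {"href": CONFIRM_URL}},
}
```

The "ask_psu" step is where the TPP shows the VoP result to the PSU; only an explicit acceptance should lead to the PUT on the creditor-confirmation endpoint.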
