05. VoP - Verification of Payee
Introduction
Verification of Payee (VoP) is generally supported by the XS2A server. However, whether VoP is actually available depends on the individual Bank’s configuration.
There is no obligation on a Bank to offer the VoP via their PSD2 interfaces, as clarified by the EU Commission in their Q&As on IPR implementation.
Each Bank should have a note on their PSD2 website actively indicating their VoP support (or lack thereof).
VoP is active on the Sandbox to enable testing.
Variants of VoP
VoP exists as a “standalone” variant, or it can be used during the payment authorisation by setting the header TPP-VOP-Requested = true.
To see the standalone variant, you can use this API documentation and switch between standalone and the regular XS2A API.
Support of VoP with Standalone Endpoints
Please check on the Bank’s PSD2 website whether the Bank supports this flow!
If the Bank supports the standalone endpoints, the TPP can call the POST /v1/party-verifications endpoint (see API documentation under the product “finAPI xs2a VOP”).
In this case, the relevant party data has to be submitted (partyAccount and party.name).
Support of VoP during the Payment Authorisation Flow
Please check on the Bank’s PSD2 website whether the Bank supports this flow!
Start the Authorisation
If the payment authorisation should execute the VoP directly, the header TPP-VOP-Requested = true must be set.
If the header is not set or is set to false, the VoP can be skipped (opt-out by default). In this case, the TPP indicates to the Bank that the VoP was already done or is not required.
When the VoP has already been executed, it is recommended to also set the TPP-VOP-ID header with the corresponding VoP ID of the verification, if available.
Result of the VoP
At this point, there is a difference between the redirect flow and the decoupled/embedded flow.
The redirect flow will return the vopResultList in the response of the start of the authorisation, while the other flows will return it after the PSU was successfully authenticated.
If the match is not MTCH, a confirmation by the PSU is required. For that, the _links list includes a link to the related confirmation API endpoint under the key creditorNameConfirmation.
Confirmation of Creditor Name
When the result of the VoP is not MTCH, the XS2A server expects confirmation of the creditor name from the PSU in order to proceed with the payment and accept the mismatch.
This happens with the PUT /v1/{payment-service}/{payment-product}/{paymentId}/creditor-confirmation endpoint.
After this endpoint has been called successfully, the flow can continue as usual.
In case of the redirect flow, the scaRedirect element is then available in the _links list.
For embedded/decoupled, the link element selectAuthenticationMethod is set.
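The header choice and result handling described above, as an added example of TPP-side logic (not code from finAPI or any Bank). The per-entry field name matchResult, the {"href": ...} link shape, and all sample values are assumptions; the header names, vopResultList, MTCH and the link keys are taken from this page.

```python
# Added example. Names not on the page are assumptions and marked as such.
MATCH = "MTCH"
RESULT_FIELD = "matchResult"  # assumed field name inside each vopResultList entry


def vop_headers(run_vop, prior_vop_id=None):
    """Headers for the start of the authorisation."""
    headers = {"TPP-VOP-Requested": "true" if run_vop else "false"}
    # When VoP was already executed elsewhere, pass its ID along if available.
    if not run_vop and prior_vop_id:
        headers["TPP-VOP-ID"] = prior_vop_id
    return headers


def next_step(response, psu_confirmed=False):
    """Return (link key, href) to follow for a parsed authorisation response."""
    links = response.get("_links", {})
    results = response.get("vopResultList") or []
    # Fail closed: an entry with a missing or unknown result is not a match.
    mismatch = any(entry.get(RESULT_FIELD) != MATCH for entry in results)
    if mismatch and not psu_confirmed:
        link = links.get("creditorNameConfirmation")
        if link is None:
            raise ValueError("VoP mismatch but no creditorNameConfirmation link")
        return ("creditorNameConfirmation", link["href"])
    for key in ("scaRedirect", "selectAuthenticationMethod"):
        if key in links:
            return (key, links[key]["href"])
    return ("none", None)


# Constructed sample responses (IDs, paths and values are made up).
BASE = "/v1/payments/sepa-credit-transfers/constructed-payment-id"
REDIRECT_MISMATCH = {
    "vopResultList": [{RESULT_FIELD: "CONSTRUCTED_NON_MATCH"}],
    "_links": {"creditorNameConfirmation": {"href": BASE + "/creditor-confirmation"}},
}
REDIRECT_MATCH = {
    "vopResultList": [{RESULT_FIELD: "MTCH"}],
    "_links": {"scaRedirect": {"href": "https://bank.example/sca"}},
}
AFTER_CONFIRMATION = {
    "_links": {"selectAuthenticationMethod": {"href": BASE + "/authorisations/constructed-auth-id"}},
}

if __name__ == "__main__":
    print(vop_headers(False, "constructed-vop-id"))
    for resp in (REDIRECT_MISMATCH, REDIRECT_MATCH, AFTER_CONFIRMATION):
        print(next_step(resp))
```

The psu_confirmed flag is caller-side state: set it only after the PSU has actually seen the VoP result and accepted the mismatch, and the creditor-confirmation call has succeeded.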