As the initiator of IBAN-Name Check, SurePay welcomes the initiative of the European Commission to include the IBAN-Name Check in every Instant Payment via Online Banking. Since 2017 we have seen a large positive and instant impact on the prevention of APP scams and misdirected payments. Based on our experience in the EU and the UK, we have some recommendations to optimise the effect and improve the implementation.
- Trust: The objective is to increase trust when you make an instant payment. Next to alerting customers in case of discrepancies (Close Match and No Match) there should therefore be a Match result, providing feedback to the payer that the entered details are correct and it’s safe to proceed with the payment.
- New payment methods: Payment initiations are increasingly originated via (PSD2) PISPs before being processed by the bank. We recommend extending the scope of IBAN-Name Check with initiation via PSP (Bank) and PISP, but also a confirmation of the account holder when initiating via a Request to Pay for example.
- Online Feedback: The most important aspect of the IBAN-Name Check is that the user gets direct feedback and can act when needed. We suggest mandating the IBAN-Name Check for online channels and leave it at the discretion of individual PSPs to also check payment initiations through other channels.
- Batch: packaging multiple payment orders and checking for discrepancies in the Name and the IBAN only makes sense if customer interaction exists in these processes.
- Payer Opt-out: PSPs should not be obliged to offer an opt-out possibility for IBAN-Name Check when it’s offered free of charge. Payer Opt-out is only relevant when IBAN-Name Check is offered as a paid feature.
- Speed of the response: In order to not have a negative impact on the User Experience (at the Payer bank), we suggest keeping the response of an IBAN-Name Check below 1 second (by the Payee bank).
- First mover countries: Existing or planned IBAN-Name Check solutions/schemes where PSPs act as a first mover, should be respected and not be forced to refactor their solution. They should however adapt for cross-border checks to any EU solution/scheme.