The European Payments Council (EPC) is establishing a set of guidelines for API use under the Verification of Payee (VOP) scheme, in line with version 1.0 of the VOP scheme rulebook. These specifications are slated to take effect on 5 October 2025. The newly published guidelines focus on the standards for VOP-related communications, specifically governing VOP Requests and Responses exchanged between Payment Service Providers (PSPs). The specifications are part of an effort to create uniformity within inter-PSP communications across the European market.
A key feature of the new framework is its API security requirements, which draw from established European and international standards. These requirements set a minimum threshold for security practices applicable not only to participants in the VOP scheme but also to those involved in the SEPA Request-to-Pay (SRTP) and SEPA Payment Account Access (SPAA) schemes. This uniform framework applies across different API specifications, including those not developed by the EPC.
The VOP, SPAA, and SRTP schemes all employ APIs to facilitate communications among their participants, sharing enough operational similarities to allow for a common security structure. However, distinctions between the schemes are noted in an annex to the rulebook, which provides additional guidance specific to each.
This security framework will be mandatory for VOP, SRTP, and SPAA scheme participants using APIs, with enforcement beginning on 5 October 2025.
The European Payments Council (EPC) announced the launch of the first version of the Verification of Payee (VOP) scheme rulebook in October 2024. This version was developed to support payment service providers (PSPs) in the Single Euro Payments Area (SEPA) that need to comply with legal requirements on the verification of a payee in the case of credit transfers, as included in the proposed EU Instant Payments Regulation (IPR) revising the SEPA law.