Europe spent two years and enormous industry effort standing up Verification of Payee (VoP). Since 9 October 2025, every payment service provider in the euro area has had to check a payee's name against their account number before a credit transfer goes through. It is a real step forward, but it has not reduced fraud.
That was the message from Erwin Kulk, Head of Service Development and Management at EBA Clearing, speaking to FinextraTV at EBAday in Copenhagen. Kulk called VoP "a huge project for the whole industry" and credited it as a strong start. He was equally clear about its limits, describing it as something that "would not be a silver bullet" against fraud. "If verification of payee is the sprint, we now have to move on to the marathon," he said.
His evidence is uncomfortable for anyone who assumed a new control would move the numbers. EBA Clearing's own fraud statistics show VoP has not significantly reduced fraud across the ecosystem. It continues to increase, and it keeps getting more sophisticated, more organised, and harder to tackle in isolation.
Why this matters well beyond Europe
Australian finance teams don't fall under VoP or the incoming EU Payment Services Regulation (PSR), but the lesson travels. The PSR, which reached provisional political agreement in November 2025, will require PSPs to run behaviour-based transaction monitoring and to share fraud data with each other through structured arrangements. That is the marathon Kulk describes: layered, network-level detection rather than a single name-check at the point of payment.
Regulators keep raising the bar because the losses keep climbing. As you'll see in our Payment Fraud Index, payment redirection fraud cost Australian businesses A$166.8 million in 2025, up 9.3% on the year before, drawing on ACCC National Anti-Scam Centre data. INTERPOL's 2026 assessment, cited in the same index, found that 77% of business leaders saw fraud rise over the past year and that AI-enabled fraud is roughly 4.5 times more profitable than traditional methods. New compliance regimes are a response to that trend, not a cure for it.
Meeting the obligation is not the same as closing the gap
A control can satisfy a regulator and still leave your money exposed. VoP confirms that a name matches an account. It does nothing to tell you whether that account is the one your genuine vendor wants paid, or whether the request to change those details came from a criminal who has compromised the vendor's email.
Kulk's point is that fraud now operates at a level a single check can't see. "If you really want to fight fraud," he said, "then you will need to build more sophisticated solutions that can look at a network view, that can digest additional information elements." Transaction monitoring, in his description, means using a view of the network to spot patterns of fraud that no individual payment reveals on its own.
Australian businesses already face the same structural problem. External defences keep getting stronger, yet the gap that remains sits inside the accounts payable function. A bank can only act on what it can see. If your team approves a payment to a vendor whose email has been taken over, the transaction looks legitimate from every external vantage point, including a name-match check.
The human conditions that let this succeed are well documented. Eftsure's 2026 AU Payment Security Survey found that only 25% of Australian employees feel comfortable questioning a suspicious payment request from a senior executive, and 32% feel pressured to process payments quickly. Add the 90% who believe AI-generated scams are now harder to detect, and a plausible payment instruction is far more likely to be actioned than challenged.
Build the layer closest to the payment
The practical response is not to wait for the next regulation. It is to add the control that sits nearest to the money leaving your account.
Treat every vendor bank detail change as a high-risk event, no matter how routine it looks. Verify it independently, using contact details you already hold on file rather than the phone number or email in the request itself. Make sure no single person, inbox, or approval can move funds without a second, independent check. And build these steps so they run at scale, without slowing legitimate payments to a crawl.
That is the same principle the PSR is reaching for at the network level: confirmation from more than one source before money moves. Finance teams don't need to wait for a directive to apply it inside their own approval process.
Compliance confirms you met the standard on the day money left the account. Whether it reached the right vendor is a separate question, and it is the one your own controls have to answer. Eftsure helps finance teams independently verify who they're paying before funds leave the business, closing the gap that a name-match check and a compliance tick both leave open.
How Eftsure can help
Eftsure gives finance teams the independent verification layer that sits closest to the payment. It confirms who you're paying before funds leave the business, cross-checking vendor bank details against multiple authoritative sources so a name-match check and a compliance tick aren't the only things standing between you and a redirected payment.
See how it works in a demo.