Verification of Payee (Standard)
EPC-compliant verification of payee (VoP), delivered through a single, easy-to-integrate API.
This API is organised around REST. The API has predictable resource-oriented URLs, accepts JSON-encoded request bodies, returns JSON-encoded responses, and uses standard HTTP response codes, authentication, and verbs. Make all API requests over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
API Metadata
- OpenAPI version: 3.0.3
- API version: 1.0.0
External Documentation
Servers
| URL | Description |
|---|---|
https://test-api.apicunia.com | Test/Sandbox |
https://api.apicunia.com | Production |
Authentication
Authentication for this API is via (mTLS) Mutual TLS. Requesting client must provide a valid Qualified Website Authentication Certificate (QWAC) PSD2. The corresponding PSD2 NAN of requesting Payment Service Provider must be embedded within a valid QWAC PSD2, as this will be checked against the EPC Directory Service (EDS) that holds valid VOP Scheme Participants. For additional information on this method of API authentication see Mutual TLS.
Verification of Payee
/vop/v1/payee-verifications
Summary
Verification of Payee detail endpoint.
Returns a Regulated EPC VOP Response indicating whether the supplied Payee details are a match or otherwise.
As Requestor:
The endpoint validates and routes an incoming VOP request to the applicable responding PSP/RVM and relays the VOP response back to the calling application.
Request
Request Headers
| Name | Type | Format | Required | Description |
|---|---|---|---|---|
X-Request-ID | string | uuid | Yes | The Requesting PSP's reference ID of the VOP Request |
X-Request-Timestamp | string | date-time | Yes | Timestamp of the VOP Request in ISO 8601 UTC format (YYYY-MM-DDThh:mm:ss.sssZ) |
Request Body
Content Type: application/json
Schema: VerificationOfPayeeRequest
{
"party": {
"name": "string (optional if identification present)",
"identification": {
"organisationId": {
"lei": "string (Code LEI (Legal Entity Identifier) ISO 17442)",
"anyBIC": "string (A BIC11 Business Identifier Code, used to identify a specific branch of a bank or financial institution)",
"others": [
{
"identification": "string",
"schemeNameCode": "BANK | CBID | CHID | CINC | COID | CUST | DUNS | EMPL | GS1G | SREN | SRET | TXID | BDID | BOID",
"schemeNameProprietary": "string",
"issuer": "string"
}
]
}
}
},
"partyAccount": {
"iban": "string (International Bank Account Number upt 34 characters depending on the country)"
},
"partyAgent": {
"financialInstitutionId": {
"bicfi": "string (A BIC11 Business Identifier Code, used to identify a specific branch of a bank or financial institution)"
}
},
"unstructuredRemittanceInformation": []
"requestingAgent": {
"financialInstitutionId": {
"bicfi": "string (A BIC11 Business Identifier Code, used to identify a specific branch of a bank or financial institution)"
}
}
}
Examples
- IBAN and Party Name
- IBAN and LEI
- IBAN and TXID
- IBAN and BIC
{
"party": {
"name": "Lukas Klein"
},
"partyAccount": {
"iban": "DE33500105175746121394"
},
"partyAgent": {
"financialInstitutionId": {
"bicfi": "INGDDEFFXXX"
}
},
"unstructuredRemittanceInformation": [],
"requestingAgent": {
"financialInstitutionId": {
"bicfi": "AGRIFRPP888"
}
}
}
{
"party": {
"identification": {
"organisationId": {
"lei": "529900F6BNUR3RJ2WH29"
}
}
},
"partyAccount": {
"iban": "NL93INGB1200042867"
},
"partyAgent": {
"financialInstitutionId": {
"bicfi": "INGBNL2AXXX"
}
},
"unstructuredRemittanceInformation": [],
"requestingAgent": {
"financialInstitutionId": {
"bicfi": "AGRIFRPP888"
}
}
}
{
"party": {
"identification": {
"organisationId": {
"others": [
{
"identification": "NL638757010B01",
"schemeNameCode": "TXID"
}
]
}
}
},
"partyAccount": {
"iban": "NL73ABNA6631699223"
},
"partyAgent": {
"financialInstitutionId": {
"bicfi": "ABNANL2AXXX"
}
},
"unstructuredRemittanceInformation": [],
"requestingAgent": {
"financialInstitutionId": {
"bicfi": "AGRIFRPP888"
}
}
}
{
"party": {
"identification": {
"organisationId": {
"anyBIC": "FOTNLULLXXX"
}
}
},
"partyAccount": {
"iban": "LU250109945629814341"
},
"partyAgent": {
"financialInstitutionId": {
"bicfi": "FOTNLULLXXX"
}
},
"unstructuredRemittanceInformation": [],
"requestingAgent": {
"financialInstitutionId": {
"bicfi": "AGRIFRPP888"
}
}
}
Response
Response Headers
| Name | Type | Format | Required | Description |
|---|---|---|---|---|
X-Request-ID | string | uuid | Yes | The Requesting PSP's reference ID of the VOP Request |
X-Response-Timestamp | string | date-time | Yes | Timestamp of the VOP Response in ISO 8601 UTC format |
Response Body
Content type: application/json
Schema: VerificationOfPayeeResponse
{
"partyNameMatch": "MTCH | CMTC | NMTC | NOAP",
"partyIdMatch": "MTCH | NMTC | NOAP",
"matchedName": "string (If the result of partyNameMatch is CMTC, then matchedName is mandatory and can only be used in this case)"
}
200 OK Response
Regulated EPC VOP response codes (HTTP Status Code 200)
| Code | Meaning | Note |
|---|---|---|
MTCH | Match | Account is Valid and the Name Matches exactly |
CMTC | Close Match (matched name is also included in the response) | Account is Valid and the Name is a partial Match |
NMTC | No Match | Account is Valid but the Name does not match |
NOAP | Not Applicable | Account matching is not possible |
NOTE: There are some legitimate reasons for a NOAP but the specific reason is not disclosed by the responding PSP/RVM. The account IBAN supplied may well be valid at the responding PSP/RVM but;
- Not eligible for VOP (none accepting payment account)
- Account is confidential/protected and reason cannot legally be disclosed
- Issue with Name data at the PSP so cannot perform a VOP
- Explicitly excluded from VOP by the PSP and again reason cannot be disclosed
Party Name Examples (200 OK Status Code)
- Match
- No Match
- Close Match
- Not Applicable
{
"partyNameMatch": "MTCH"
}
{
"partyNameMatch": "NMTC"
}
{
"partyNameMatch": "CMTC",
"matchedName": "Lukas Klein"
}
{
"partyNameMatch": "NOAP"
}
Party ID Examples (200 OK Status Code)
- Match
- No Match
- Not Applicable
{
"partyIdMatch": "MTCH"
}
{
"partyIdMatch": "NMTC"
}
{
"partyIdMatch": "NOAP"
}
400 Status Code
Bad/Malformed VOP Request. The request body is malformed. See Problem Details for additional information about API errors.
Bad Request Examples (400 Status Code)
- FORMAT_ERROR 1
- FORMAT_ERROR 2
- FORMAT_ERROR 3
- TIMESTAMP_INVALID
{
"type": "https://example.com/probs/FORMAT_ERROR",
"code": "FORMAT_ERROR",
"title": "Validation of VOP Request failed. See Detail",
"status": 400,
"detail": "At least one of 'name' or 'identification' must be provided.",
"instance": "/vop/v1/payee-verifications"
}
{
"type": "https://example.com/probs/FORMAT_ERROR",
"code": "FORMAT_ERROR",
"title": "Validation of VOP Request failed. See Detail",
"status": 400,
"detail": "Invalid IBAN format",
"instance": "/vop/v1/payee-verifications"
}
{
"type": "https://example.com/probs/FORMAT_ERROR",
"code": "FORMAT_ERROR",
"title": "Validation of VOP Request failed. See Detail",
"status": 400,
"detail": "Invalid IBAN format Both 'name' and 'identification' present – mutually exclusive fields",
"instance": "/vop/v1/payee-verifications"
}
{
"type": "https://example.com/probs/TIMESTAMP_INVALID",
"code": "TIMESTAMP_INVALID",
"title": "Invalid timestamp format: X-Request-Timestamp",
"status": 400,
"detail": "Invalid timestamp format: X-Request-Timestamp",
"instance": "/vop/v1/payee-verifications"
}
401 Status Code
Invalid Request. The Requestor is not authorised to perform the request. See Problem Details for additional information about API errors.
Unauthorised Examples (401 Status Code)
- CLIENT_INVALID 1
- CLIENT_INVALID 2
- CLIENT_INCONSISTENT 2
{
"type": "https://example.com/probs/CLIENT_INVALID",
"code": "CLIENT_INVALID",
"title": "Validating the client failed. See Detail",
"status": 401,
"detail": "Invalid Client, no permission to access resource.",
"instance": "/vop/v1/payee-verifications"
}
{
"type": "https://example.com/probs/CLIENT_INVALID",
"code": "CLIENT_INVALID",
"title": "Unknown Requestor/Responder. See Detail",
"status": 401,
"detail": "One or both of the Responding/Requesting Party Agent is not recognised or not currently adherent to the VOP Scheme.",
"instance": "/vop/v1/payee-verifications"
}
{
"type": "https://example.com/probs/CLIENT_INCONSISTENT",
"code": "CLIENT_INCONSISTENT",
"title": "Validating the client certificate failed. See Detail",
"status": 401,
"detail": "PSD2 NAN from client certificate does not match Requesting Agent BIC in the EDS directory.",
"instance": "/vop/v1/payee-verifications"
}
500 Status Code
Internal Server Error. This code is used whenever a technical problem occurred in the application code or application server that prevented the execution of the request. See Problem Details for additional information about API errors.
Internal Server Error Examples (500 Status Code)
- SERVER_ERROR
{
"type": "https://example.com/probs/SERVER_ERROR",
"code": "SERVER_ERROR",
"title": "Encountered an unexpected error/condition",
"status": 500,
"detail": "Encountered an unexpected error/condition.",
"instance": "/vop/v1/payee-verifications"
}
502 Status Code
Bad Gateway Error. This code is used whenever a technical problem occurred and the server acted as a gateway or proxy and received an invalid response from an upstream server. See Problem Details for additional information about API errors.
Bad Gateway Examples (502 Status Code)
- SSL_ERROR
{
"type": "https://example.com/probs/SSL_ERROR",
"code": "SSL_ERROR",
"title": "SSL/TLS handshake failed",
"status": 502,
"detail": "SSL/TLS handshake failed.",
"instance": "/vop/v1/payee-verifications"
}