Frequently asked questions about "Verification Of Payee scheme"
Major browsers will no longer accept public TLS certificates with the client authentication option. What is the impact for the use of QWAC PSD2 certificates in the authentication of the VOP Requesting PSP?
The security model of the EPC VOP API is built on mutual authentication using a Qualified Web Authentication Certificate (QWAC) issued for use in the PSD2 Open Banking on client side (VoP Requesting PSP) a
How should the VOP Responder validate the QWAC PSD2 certificate of the VOP Requester?
The security model of the EPC VOP API is built on mutual authentication using a Qualified Web Authentication Certificate (QWAC) issued for use in the PSD2 Open Banking on client side (VoP Requesting PSP) a
How can the validity of the Extended Validation Transport Layer Security (EV-TLS) certificate be validated by the VoP Requesting PSP or RVM? Which Certificate Authority of EV-TLS needs to be trusted?
The security model of the EPC VOP API is built on mutual authentication, using a Qualified Web Authentication Certificate (QWAC) issued for use in the PSD2 Open Banking on client side (VoP Requesting PSP)
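The three answers above all rest on the same mechanism: the Requesting PSP (or its RVM) presents its QWAC PSD2 certificate as the TLS client certificate, and the Responding PSP serves an EV-TLS certificate that the Requester verifies against the CAs it trusts. The following is an added example in Python, not EPC code and not taken from any VOP implementation, of the minimum TLS configuration on each side that makes that mutual authentication actually happen. Every file path is a placeholder; the QWAC, the EV-TLS certificate and the CA bundles are not on this page, and which subject attribute of the QWAC the Responder compares with the Requesting PSP's BIC / NAN is likewise not stated here, so `subject_attributes` only flattens the subject and leaves the comparison to the caller. Python's `ssl` module does not check certificate revocation on its own; that remains a deployment concern outside this snippet.

```python
import ssl

# Added example, not EPC code. Paths are placeholders: the QWAC PSD2 and EV-TLS
# certificates and the CA bundles are not part of the FAQ.


def requester_context(qwac_cert=None, qwac_key=None, ev_tls_ca_bundle=None):
    """Client side (VOP Requesting PSP, or the RVM acting for it).

    Presents the QWAC PSD2 certificate as the TLS client certificate and verifies
    the Responder's EV-TLS server certificate against the CA bundle the Requesting
    PSP chooses to trust (the system store when no bundle is given), including the
    hostname taken from the EDS URI.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ev_tls_ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if qwac_cert:  # placeholder path; skipped here so the example runs without files
        ctx.load_cert_chain(certfile=qwac_cert, keyfile=qwac_key)
    return ctx


def responder_context(ev_tls_cert=None, ev_tls_key=None, qtsp_ca_bundle=None):
    """Server side (VOP Responding PSP, or its RVM).

    Serves the EV-TLS certificate and *requires* a client certificate chaining to
    one of the QTSP CAs in the bundle. With no bundle loaded, no issuer is trusted
    and every client is rejected during the handshake: the context fails closed.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=qtsp_ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # no QWAC presented, no VOP request accepted
    if ev_tls_cert:  # placeholder path; skipped here so the example runs without files
        ctx.load_cert_chain(certfile=ev_tls_cert, keyfile=ev_tls_key)
    return ctx


def subject_attributes(peer_cert):
    """Flatten the 'subject' of an ssl getpeercert() dict into {attribute: value}.

    After the handshake the Responder compares the organisation identified in the
    QWAC with the Requesting PSP named in the request (the BIC / NAN check the FAQ
    refers to). Which attribute carries that identifier is not stated on this page,
    so the caller decides what to compare.
    """
    return {name: value
            for rdn in peer_cert.get("subject", ())
            for name, value in rdn}


# Constructed sample of what ssl.SSLSocket.getpeercert() returns (subject only);
# the values are invented for this example.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "XX"),),
                (("organizationName", "Example Requesting PSP"),),
                (("commonName", "vop.requester.example"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(subject_attributes(SAMPLE_PEER_CERT))
```

The two contexts are deliberately asymmetric: the client verifies the hostname because it dialled an EDS URI, while the server has no hostname to check and instead relies on `CERT_REQUIRED` plus the QTSP bundle to reject any peer that does not hold a QWAC from a trusted issuer.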
Regarding the schemeNameCode enumeration values listed under ExternalOrganisationIdentification1Code: while format validations are provided for SREN and SRET, we could not find format details for the other codes, such as BANK, CBID, CHID, CINC, COID, CUST, DUNS, EMPL, GS1G, TXID, BDID and BOID. Could you please confirm whether any format validations or constraints are available for these remaining codes, and provide them to us if possible?
For the codes such as BANK, CBID, CHID, CINC, COID, CUST, DUNS, EMPL, GS1G, TXID, BDID and BOID, ISO 20022 does not provide explicit format validations.
Multiple URIs in the EDS: when more than one URI is indicated by a VOP participant in the EDS, which URI should be used by the Requesting PSP? Which policy should be used to select the URI?
Priority 1 URI should always be used by the Requesting PSP as the “default” URI.
URI(s) with lower priorities may be used, e.g. as alternative backup reachability endpoints, in case the Priority 1 URI is not reachable.
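The selection policy in the two answers above is small enough to write down exactly. The following is an added Python example, not EPC code: it orders a participant's EDS entries by priority, always starts with Priority 1, and only moves to a lower-priority URI when the higher one is not reachable. The EDS entries are constructed for the example, and the reachability probe is left to the caller; in my reading of the answer "not reachable" means a transport-level failure (connection refused, TLS handshake failure, timeout), not an HTTP error from an endpoint that did answer, so a 4xx or 5xx should not trigger the fallback.

```python
from typing import Callable, Iterable, List, Optional

# Constructed sample of one participant's URIs as they might be published in the
# EDS (the hostnames are invented; the path is the one quoted elsewhere in the FAQ).
EDS_ENTRIES = [
    {"priority": 2, "uri": "https://vop-backup.example-bank.test/vop/v1/payee-verifications"},
    {"priority": 1, "uri": "https://vop.example-bank.test/vop/v1/payee-verifications"},
    {"priority": 3, "uri": "https://vop-dr.example-bank.test/vop/v1/payee-verifications"},
]


def ordered_uris(entries: Iterable[dict]) -> List[str]:
    """URIs ordered by priority, lowest number (Priority 1) first.

    sorted() is stable, so two entries with the same priority keep their
    published order instead of being reordered arbitrarily.
    """
    return [e["uri"] for e in sorted(entries, key=lambda e: e["priority"])]


def select_uri(entries: Iterable[dict],
               reachable: Callable[[str], bool]) -> Optional[str]:
    """Priority 1 is the default endpoint; lower priorities are tried only when
    every higher-priority URI failed the reachability probe.

    Returns None when no published URI is reachable, so the caller can treat the
    Responding PSP as unavailable instead of silently retrying forever.
    """
    for uri in ordered_uris(entries):
        if reachable(uri):
            return uri
    return None


if __name__ == "__main__":
    # Constructed outage: the Priority 1 host is down, so Priority 2 is chosen.
    down = {"https://vop.example-bank.test/vop/v1/payee-verifications"}
    print(select_uri(EDS_ENTRIES, reachable=lambda u: u not in down))
```

Because Priority 1 is the default rather than one option among equals, a Requesting PSP should not spread its traffic across the published URIs; it should probe them in priority order and return to Priority 1 once that endpoint is reachable again.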
How is the execution time technically calculated? The rulebook says that the execution time is the subtraction between the requested date-time and the responding date-time. There is no rule about the synchronization of the clocks. Can the execution time be accurate?
• The rulebook does not say that the calculation requires a subtraction between the requested date-time and the responding date-time.
What do I need to consider when requesting a QWAC PSD2 certificate from a QTSP?
As described in detail in the VOP API specifications and the
In case both the Requesting and Responding PSPs use the same RVM, is it mandatory to use the published VOP APIs?
All VOP scheme participants must at least support the inter-PSP API specifications set by the EPC. This ensures SEPA wide reachability and interoperability.
Is it possible for a group-head PSP (acting as RVM, or partnering with a selected third-party RVM) to use its own QWAC PSD2 certificate and NAN number, when acting as Requesting PSP also on behalf of other PSPs of the same community?
This means one QWAC PSD2 certificate (and one NAN) would be shared within a community of VOP scheme participants, and be used to identify, authenticate and authorise all VOP scheme participants of the same community, when acting
Which role should be used in the QWAC PSD2 certificates?
The role is not relevant for the VOP scheme. The Responding PSPs should not check this information.
The OpenAPI specification defines the service URL as "/vop/v1/payee-verifications". Could the "Inter-PSP" VoP services be differentiated from internal (PSU->PSP) VoP services? For example, it would help to assume URL such as "/vop/fi2fi/v1/payee-verificat
The “Verification of Payee” API is dedicated solely to the inter-PSP space.
The Open API specification prescribes the mandatory "code" attribute in VerificationOfPayeeError with a fixed set of codes (FORMAT_ERROR, CLIENT_INVALID, CLIENT_INCONSISTENT, TIMESTAMP_INVALID).
Note that the provided list of error codes does not cover other situations:
Could minLength=1 be used for all string attributes in the OpenAPI specs, except for the cases where it clearly makes sense to differentiate between "not provided" and "empty"?
The string types (such as Max35Text, Max70Text etc.) in the OpenAPI specs differ from the ISO 20022 standard types of the same names, where min length is prescribed to be 1.
Is it correct to treat authorization issues with HTTP 401, while this should typically be done with HTTP 403?
The VOP API WB decided to not include the HTTP 403.
The VoP API specification (Chapter 4.4) prescribes the usage of RFC 7807 Problem Detail structure, but links it with Content-type "application/json".
The standard approach is to use content type of "application/problem+json", which allows the client to clearly inform that the problem detail structure is provided.
The Verification Of Payee API Specifications list some of the identified error cases and provide the corresponding error codes. However, there is no message code in two cases (Certificate items and Internal Server Error).
We believe that this is a mandatory field; consequently, a specific message code should be added. Could you please clarify what code should be used in these cases?
In case of a misdirected request (the IBAN does not belong to the PSP that receives the request), should the PSP return the message ‘Verification Not Possible’?
If the validation of the Requesting PSP (via the BIC / NAN check) is successful, the response should be HTTP 200 – “partyNameMatch”: “NOAP” (Verification Not Possible).
Is it possible to send examples of the response payload in case of error (HTTP 400 and HTTP 500)? For example, what value should be put in the attribute CODE in case of HTTP 500?
The HTTP code is sufficient, the VOP API WB agreed to change the YAML to reflect this.
We would like to have more information about the usage of the party.identification.organisationId.others field. When should it be used and how will it work?
The “Generic Organisation Identification” element must be used when the party is identified using an identification other than the LEI or BIC, e.g. TXID.
In the response payload, we have the field type that should carry a URI reference [RFC3986] identifying the problem type. Will the EPC provide the URI references to be used for each problem?
Alternatively, could the URIs from the Mozilla Developer Network (MDN) be used?
In case of problem with the format of the X-Request-Timestamp attribute, should the RVM send a FORMAT_ERROR or a TIMESTAMP_INVALID code?
Our recommendation is to use TIMESTAMP_INVALID.
Could you please share additional information regarding the ‘Business Identification Code’ (+++AnyBIC mentioned in 4.2.1 of the API Specifications doc.) referred to as an alternative identifier to perform VOP validation? Which type of identifier and/or standard (if any) should be considered for this field?
This attribute can be used when the party (subject of the verification) has a BIC code that can be used to identify it, and such BIC is sent in the VOP request by the requesting PSP. The BIC used
Which reason code should be used in the Response if the account is closed (NMTC or NOAP)?
Our recommendation is to use the code “NOAP”.
In VerificationOfPayeeError, the YAML defines two fields as mandatory: code and type. Specifically, code (MessageCode) should be equal to one of the following ISO codes: [FORMAT_ERROR, CLIENT_INVALID, CLIENT_INCONSISTENT, TIMESTAMP_INVALID], but the examples listed in the API specifications leave that field blank in the following cases: ‘Certificate Items’ and ‘Internal Server Error’. Could you please advise which value should be used in those cases?
In these cases, the response code is sufficient and self-explanatory; there is no need for a detailed error code.
For organisation identification (section 4.2), for organisationId/others/identification, is the Max256Text length necessary? Have specific use-cases been identified where this length is needed rather than the Max140Text used for name? Are there any discussions to shorten this length requirement?
We followed the definition described in ISO 20022, where “identification” has the datatype “Max256Text” (source: ISO20022_MDRPart2_PaymentsInitiation_2023_2024_v1, page 341).
In the event of a ‘NO ANSWER’, should we use the NOAP code or the RVNA code (received Verification Completed Not Applicable)? However, we have not yet identified the correct specification for ‘No Answer’. Could you please send us the correct specification? Also, in the specification, it is mentioned that an error code must be communicated. Could you tell me where I can find a list of these codes?
- The VOP Response will include the NOAP code, with HTTP code 200, in case matching is not possible for the responding application for any reason.
- In case of technical problems, the Responding PSP wil
UnstructuredRemittance
Regarding the Unstructured remittance information field, we have the following questions:
What are the rules for using a VAT code as a counterparty identifier in a VOP Request?
Following the specifications described in the “Verification Of Payee API Specifications” document, the VAT number value must be inserted in the “identification” attribute, and it is mandatory that the value “TXID” be used as the
Should we buy two separate QWAC certificates (one for the test environment, one for production) if we are planning to use the QWAC certificate only for the VOP service?
From the EPC point of view, you only need one certificate, which is for production. However, when it comes to testing VOP, there are different scenarios depending on your choice to work with an RVM or not.
What are best practices to mitigate security risk when sharing a QWAC certificate with an RVM?
PSPs are required to use a QWAC PSD2 certificate when sending a VOP Request for authentication by the Responding PSP.
Does a timestamp in the VOP API that contains trailing zeroes for milliseconds lead to a rejection due to invalid format?
The VOP API specifications include a number of timestamp fields in the headers and body. The format of these timestamps does not allow for trailing zeroes for milliseconds.
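Three answers in this FAQ concern the same piece of responder-side logic: a malformed X-Request-Timestamp should be answered with TIMESTAMP_INVALID rather than FORMAT_ERROR, a timestamp with trailing zeroes in its milliseconds is not an accepted format, and a VerificationOfPayeeError carries one of the four fixed message codes for client errors while a 500 needs no code because the HTTP status is sufficient. The following is an added Python example, not EPC code, tying those rules together. The exact timestamp pattern from the EPC YAML is not reproduced on this page, so the base shape (UTC ISO 8601, optional fractional seconds of up to three digits, `Z` suffix) is an assumption and only the "no trailing zero in the fraction" rule comes from the FAQ; the freshness window of 300 seconds is also my addition, labelled as such, since the page raises clock synchronisation without prescribing a tolerance. The `type` URI defaults to `about:blank`, the RFC 7807 value for a problem that has no dedicated type, because the FAQ leaves open whether the EPC will publish type URIs.

```python
import re
from datetime import datetime, timezone

# The fixed code set quoted in the FAQ for VerificationOfPayeeError.code.
MESSAGE_CODES = {"FORMAT_ERROR", "CLIENT_INVALID", "CLIENT_INCONSISTENT", "TIMESTAMP_INVALID"}

# Assumed base shape of a VOP timestamp (the EPC YAML pattern is not on this page):
# YYYY-MM-DDTHH:MM:SS, optionally .f / .ff / .fff, always a trailing Z.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,3}))?Z$")


def parse_timestamp(value):
    """Return an aware UTC datetime, or None when the value is not an acceptable
    VOP timestamp. Rejects trailing zeroes in the fractional part, as the FAQ
    states the format does not allow them (so '.100' and '.120' fail, '.12' passes).
    """
    m = _TS.match(value or "")
    if not m:
        return None
    base, frac = m.group(1), m.group(2)
    if frac is not None and frac.endswith("0"):
        return None
    try:
        ts = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    except ValueError:  # right shape but not a real date, e.g. month 13
        return None
    if frac:
        ts = ts.replace(microsecond=int(frac.ljust(3, "0")) * 1000)
    return ts


def check_request_timestamp(value, now=None, max_skew_seconds=300):
    """Validate the X-Request-Timestamp header.

    Returns None when acceptable, otherwise the message code to put in the error
    body. Per the FAQ recommendation a format problem yields TIMESTAMP_INVALID,
    not FORMAT_ERROR. The skew check is an assumption added here (the page does
    not fix a tolerance); 'now' may be a datetime or a timestamp string in the
    same format, the latter so the check is reproducible offline.
    """
    ts = parse_timestamp(value)
    if ts is None:
        return "TIMESTAMP_INVALID"
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_timestamp(now)
    if max_skew_seconds is not None and abs((now - ts).total_seconds()) > max_skew_seconds:
        return "TIMESTAMP_INVALID"
    return None


def error_response(status, code=None, detail=None, type_uri="about:blank"):
    """Build (status, headers, body) for a VerificationOfPayeeError.

    4xx: 'code' is mandatory and must be one of MESSAGE_CODES.
    500: per the FAQ the HTTP status is sufficient, so no code is carried.
    The Content-Type follows the API specification (chapter 4.4) quoted in the
    FAQ, "application/json"; "application/problem+json" is the RFC 7807 media
    type the same question proposes instead.
    """
    titles = {400: "Bad Request", 401: "Unauthorized", 500: "Internal Server Error"}
    body = {"type": type_uri, "title": titles.get(status, "Error"), "status": status}
    if status < 500:
        if code not in MESSAGE_CODES:
            raise ValueError(f"{code!r} is not an allowed VOP message code")
        body["code"] = code
    if detail:
        body["detail"] = detail
    return status, {"Content-Type": "application/json"}, body


if __name__ == "__main__":
    # Constructed header value with a trailing zero in the milliseconds.
    code = check_request_timestamp("2025-03-01T10:15:30.100Z", now="2025-03-01T10:15:31Z")
    print(error_response(400, code) if code else "timestamp accepted")
```

Keeping the accepted codes in one set and refusing to build a 4xx body with anything else means a new error path cannot quietly leak an unlisted code onto the wire, and the 500 branch documents in code the FAQ's decision that the status alone is the message.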
What character set should be used in the VOP scheme API specifications and what about the special characters?
As mentioned in the VOP scheme API specifications, only the Latin characters set should be transported in the inter-PSP API messages, through UTF-8. This restriction has been agreed in order to overcome the complexity that