Adobe Stock
The recent
Across the globe, other jurisdictions are also moving more aggressively. The European Union is preparing for its October 2025 mandate requiring Verification of Payee, or VoP, within the Single Euro Payments Area. In the Asia-Pacific region, countries are expanding their Confirmation of Payee, or CoP, regimes. These frameworks ensure that a payee’s name and account number match before a payment is released, offering a vital safeguard against misdirected payments and impersonation fraud.
But while this regulatory effort is welcome, it is also late. Fraud tactics are evolving at a pace that traditional, static verification methods cannot match. Businesses, banks and governments are operating with security infrastructure built for yesterday’s threats while fraudsters exploit the vulnerabilities of today’s real-time, digital payments.
The benefits are tangible. Businesses that adopt VoP or CoP see a drop in invoice scams, improvements in supplier onboarding and greater customer trust. These frameworks help raise the baseline for secure payments and improve compliance with anti-fraud mandates.
However, even these advancements have limits. Most verification models, including VoP and CoP, operate as a single checkpoint before a payment is processed. Once a payee is verified, that trust is often treated as permanent. But in practice, payee information and behavior are fluid. A verified identity today may be compromised tomorrow.
This is the challenge regulators must grapple with. The future of fraud prevention will not be solved through one-time validation. It will require a shift toward a dynamic and comprehensive understanding of the relationship between payer and payee.
Imagine a system that treats each transaction as its own verification event. One that factors in behavioral biometrics, device intelligence and contextual risk signals. Suppose a supplier’s credentials match, but their login location suddenly shifts to a high-risk region. Or a routine payment request arrives at 2 a.m. from a device never seen before. These are the signals that indicate a high probability of compromise. These are also the signals traditional systems are not designed to catch.
U.S. regulators should not only study what has worked in international models but also push the conversation forward. One-time verification methods can block certain forms of fraud, but they are not equipped to keep pace with adaptive attacks that evolve after the first gate is passed. Social engineering, synthetic identities and account takeovers are now common tactics used to exploit weaknesses in verification systems that stop checking after the first interaction.
To reverse the trend in payments fraud, regulators and the private sector must work together to expand how we define verification. It is no longer a static record-matching exercise. It must be a dynamic, intelligence-driven process embedded at every point of the payment journey. And it must evolve alongside the very threats it is trying to prevent.
The recent RFI is a much-needed signal that regulators are paying closer attention. But to be effective, any resulting guidance must support the kind of verification infrastructure that does not just meet compliance thresholds but actively reduces risk in a fast-changing environment.
Payments are only as secure as the systems that verify them. The time to modernize those systems is now.