Virtual IBANs: the EBA’s report on their issuance and regulation

Virtual IBANs (“vIBANs”) are increasingly being used as payment account identifiers across the EU to redirect payments, yet the definition and the appropriate regulatory treatment thereof remains ambiguous.

The EBA has addressed vIBANs from an AML/CFT perspective in its Opinion issued in July 2023 (EBA/Op/2023/08), and thereafter carried out a wider assessment of the practices of payment service providers (“PSPs”) or other entities offering vIBANs, with a particular focus on the market integrity, consumer and payments regulatory implications thereof. As a result of such assessment, the EBA published its report on vIBANs (EBA/Rep/2024/08) on 24 May 2024.

Given the absence of a definition of or common approach to vIBANs, the EBA primarily sets out some standard characteristics that it observed from the results of its assessment, including the fact that a vIBAN has the same format and functionality as a regular IBAN and is linked to a payment account (referred to as the ‘master account’). In turn, such master account has its own IBAN and is generally opened either in the name of the end user of the vIBAN or in the name of another entity which allocates the vIBANs to the end users. The latter scenario involves the opening of the master account (with vIBANs linked to it) with banks in the name of the institution that allocates the vIBANs to its customers (the end users), and also serves as the institution’s safeguarding account.

Despite such similarities, the EBA observed that vIBANs are used to served different purposes and have different functionalities which may enable their users to make and receive payments to or from third parties, or which may be used for a more limited purpose. The EBA sets out six use cases through which PSPs or other entities which partner with a PSP offer vIBANs to their customers.

  1. PSPs having a branch in a host Member State offer to customers vIBANs with the country code of that host Member State, while the master account it held and services from the home Member State;
  2. PSPs partner with another PSP to offer vIBANs that have been issued by the partner PSP and the identifier is that of the partner PSP and the country code is that of the host Member State in which the partner PSP is authorised or has a branch;
  3. PSPs partner with a bank to offer vIBANs that have been issued by the partner bank and the identifier is that of the bank, with the country code being that of the Member state in which both the institution and the partner bank are authorised;
  4. Non-EU institutions offer to their non-EU customers vIBANs that are issued by a partner PSP and the identifier is that of the partner PSP, with the country code being that of the Member State in which the partner PSP is authorised;
  5. Non-EU institutions offer to their customers worldwide vIBANs that are issued by a partner PSP and the identifier is that of the partner PSP, with the country code being that of the Member State in which the partner PSP is authorised;
  6. PSPs offer vIBANs to companies managing payments on behalf of other group companies that allocate the vIBANs to other subsidiaries of the group.

The EBA also identified the main risks and challenges for institutions, competent authorities and end users of vIBANs which arise from the use of vIBANs. Amongst others, such risks include:

  1. Divergent interpretations on the applicable AML/CFT regulatory framework in case of cross-border provision of vIBANs, leading to risks of AML/CFT supervisory gaps;
  2. Unlevel playing field and regulatory arbitrage issues stemming from divergent interpretations across competent authorities on the way in which the SEPA Regulation and the ISO IBAN standard apply to vIBANs;
  3. Risks for end users where they are not the master account holders and issues stemming from divergent interpretation across authorities about the qualification of the relevant payment services in these cases;
  4. Risks of divergent categorisation and reporting of payment transactions by PSPs under PSD2, where the vIBANs and the IBAN of the master account have different country codes;
  5. Unlevel playing field on the application of the service ensuring verification of the payee, introduced by the EU’s Instant Payments Regulation, where the payee using a vIBAN is not the master account holder.

In addressing every risk identified above individually, the EBA suggests measures which PSPs and competent authorities may implement to mitigate such risks, including in respect of the risk set out in c) above by way of example, a recommendation for a clarification of the definition of a ‘payment account’ and whether the uses of vIBANs that are not the holder of the master account are considered to have a payment account within the meaning of PSD2.

The advantages associated with vIBANs may have contributed to their increased use, however, the EBA notes that the divergent interpretations amongst competent authorities undermines the EU Single Market and the lack of legal certainty obscures regulatory oversight of such service and consumer protection implications.

Nevertheless, the EBA’s report may be interpreted as a positive indicator that it is time to recognise and discuss the use of vIBANs, whilst possibly determining its implications from a regulatory point of view.