POST/account/matchingdata

Online Data Provisioning API specifications

Welcome to the Online Data Provisioning API specification. This document provides implementation guidelines for Responding Payment Service Providers (PSPs) to build and configure an API endpoint that enables secure account data sharing for Verification of Payee (VoP) checks. The purpose of this API is to facilitate compliance with EPC VoP requirements by delivering accurate and relevant account information when requested. SurePay will call this endpoint to perform real-time verification, enhancing payment security and reducing fraud risks.

This specification outlines the API structure, data models, and response handling to ensure a seamless and standardized integration. By following this guide, PSPs can confidently implement a robust VoP solution that meets industry standards.

This specification outlines the API structure, data models, and response handling to ensure a seamless and standardized integration. By following this guide, PSPs can confidently implement a robust VoP solution that meets industry standards.

Document History

VersionDateDescription
1.0.015 Jan 2025Original Digital Version. Aligned with PDF V1.3
1.1.003 Feb 2025Validation added to accountId.type.iban, updated mandatory, condition & optional values for startDate, bankAccountType, surname, birthName, language. Added 'nomatchSuggestionAllowed' field in the 'organisationAccountHolder' object. Changed validation format of the fields 'iban' and 'lei'
1.1.119 Feb 2025Changed 'legalNames' to 'legalName', 'language' format from 'ISO 639' to 'ISO 639-1'
2.0.020 Mar 2025Format changes, refer to the detailed changes here.
2.1.015 May 2025Corrected the X-Request-Id example with valid RFC4122 value. Removed usage rule for accountHolderType. Updated usage rules for personalAccountHolders. Updated usage rules for organisationAccountHolder.
2.1.120 May 2025Added reference to RFC6749 for connection (token).
2.1.216 Jun 2025Updated description of EMPL from "employee" to "employer" under schemeNameCode.

Endpoints example

EnvironmentMethodEndpoint URL suggestion (Defined by customer)
AcceptancePOSThttps://api.acc.yourbank.com/account/matchingdata
ProductionPOSThttps://api.yourbank.com/account/matchingdata

Which data is mandatory to deliver?

Depending on the accessibility of your data, we highly recommend delivering at least the mandatory fields, as they are essential to ensure the service functions properly for the end user (the payer initiating the transaction). Optional fields are not required for the basic functionality of the VoP check but can improve the algorithm’s matching quality.

In a response, we always expect the mandatory information for the requested bank account.

What items do we need to establish the connection?

  • The exact endpoints for both production and test environments.
  • The certificates required to connect to the provided endpoints (SurePay's certificates are signed by DigiCert).
  • Client credentials, if needed, to access an Access Token API.
  • The token endpoint to be used with the above client credentials to retrieve the access token. This should be implemented according to the RFC6749 standard, you can find the specification here.
  • A Postman collection (including both the Data Provisioning and Token APIs). If a collection is not possible, a text file containing equivalent "curl" requests.

Request

Request Headers

  • X-Request-IdStringMandatory

    An RFC4122 UUID used as a correlation id.

  • Content-TypeStringMandatory

    Content type and encoding of the request.

    • Example: application/json
  • AuthorizationStringMandatory

    OAuth 2.0 bearer token. You will also need to create an authentication endpoint where we can fetch and refresh this token.

  • AcceptStringOptional

    The media type the client can process in the response. This is always set to application/json.

    • Example: application/json

Example of Request headers

Header nameExample
X-Request-Id550e8400-e29b-41d4-a716-446655440000
Content-Typeapplication/json;charset=utf-8
AuthorizationBearer <a bearer token>
Acceptapplication/json

Request Body

  • accountIdObjectMandatory

    Object used to send the account information in the request.

    • typeEnumMandatory

      Describes the type of account that needs to be retrieved.

      • Possible Values:
        • IBAN: International Bank Account Number. No spaces are allowed.
    • valueStringMandatory

      The identifier of the account details to be retrieved.

      • Format:
        • IBAN: ^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$
        • Format: Max. 34 Characters.
  • unstructuredRemittanceInformationArray of StringsOptional

    Additional information about the account number sent by the Requesting PSP.

    • Format: Max. 140 Characters.

Request

POST
account/matchingdata
    { 
        "accountId": { 
            "type": "IBAN",
            "value": "NL11SRPY1234567890"
        }   
    } 

Response

In case of a successful response, the following headers and parameters are expected to be returned. In case of an unsuccessful response, a meaningful HTTP code and error message is expected, please read Error Handling.

Response Headers

  • X-Request-IdStringMandatory

    Value as sent in the corresponding request header.

  • Content-TypeStringMandatory

    Content type and encoding of the request.

    • Example: application/json

Example of Response Headers

Header nameExample
X-Request-Id123e4567-e89b-12d3-a456-426614174000
Content-Typeapplication/json;charset=utf-8

Response Body

Within the following fields, you will encounter shared attributes applicable to both Natural Persons and Organisations in the ‘Account object’ section. However, each of these entities also possesses distinct attributes, which can be located within the "Person" and "Organisation" objects respectively.

  • accountNameStringConditional

    The name under which the account is registered at the PSP. In case the name of the account holder is longer than the permitted characters, this has to be shortened until it reaches the maximum number of allowed characters. The accountName can be created based on the following combinations:

    • For Natural Persons, the account name can be a combination of: allFirstNames + surname or initials + surname.
    • For Organisations, the account name can be taken from the following field: legalName.
    • Format: Max. 140 Characters.
    • Usage Rule:
      • If the account is found, then Mandatory.
      • If the account is NOT_FOUND, then this field is not returned.
  • accountHolderTypeEnumOptional

    This designates if the account is a personal account or an account owned by an organisation.

    • Possible Values:
      • NP: Natural Person
      • ORG: Organisation
  • bankAccountTypeEnumConditional

    The type of bank account.

    • Possible Values:

      • PAYMENTS: A payments account, also known as a checking account.
      • SAVINGS: A savings account.
      • MORTGAGE: A mortgage account.
      • TRUST: Also known as Escrow account. Used by notary offices, lawyers and bailiffs.
      • COLLECTION: Also known as beheer rekening. Typically owned by a collection agency or a debt buyer, but can also be used by Collecting Payment Service Providers.
      • INVESTMENT: Also known as brokerage account or pension account. An account used for investing.
      • OTHER: Other products.
      • UNKNOWN: Unknown account type.
    • Usage Rule: Mandatory when the customer has enabled the FRI add-on.

  • statusEnumMandatory

    The status of the account.

    • Possible Values:
      • ACTIVE: Account is a valid account and supported for checks.
      • INACTIVE: An account has been marked as 'closed' permanently or temporarily unable to receive payments.
      • NOT_FOUND: The account could not be found by the PSP.
  • startDateStringConditional

    The date when the account was opened and registered by the PSP. Reflects the real start date of the account.

    • Usage Rule: Mandatory when the customer has enabled the FRI add-on.
    • Format: "YYYY-MM-DD".
  • personalAccountHoldersArray of ObjectsConditional

    For Natural Person owned accounts, we expect an object per account holder, as some accounts might have multiple account holders. At least one item is mandatory if the account is a personal account and is not switched, not opted out, and status is Active.

    • Usage Rule: Either personalAccountHolders or organisationAccountHolder is used.
    • allFirstNamesStringConditional

      All first names as registered by the PSP, normally as per Passport/ID records. Separate with spaces. Last names/surnames cannot be added in this field.

      • Usage Rule: Either allFirstNames or initials has to be provided.
      • Format: Max. 70 Characters.
      • Example: "Jane" or "Jane Helena Alexandra".
    • initialsStringConditional

      Abbreviation of all first names. Needs to be separated with periods in between (no whilte spaces in between the characters) and the letters should be capital.

      • Usage Rule: Either allFirstNames or initials has to be provided.
      • Format: Max. 50 Characters.
      • Example: "F.G."
    • surnameStringConditional

      The registered account holder's surname in their Passport. The surname may include prefixes, suffixes and partner name.

      • Usage Rule: Either surname or birthName has to be provided.
      • Format: Max. 100 Characters.
      • Example: "Johnson", "Johnson - Davids Jr.", "van der Sloot - Davids Jr."
    • surnamePrefixStringOptional

      Prepositions and/or articles preceding the surname. Only if applicable.

      • Format: Max. 25 Characters.
      • Example: "Van Der"
    • surnameSuffixStringOptional

      Prepositions and/or articles positioned after the surname. Only if applicable.

      • Format: Max. 25 Characters.
      • Example: "Sr.", "Jr."
    • birthNameStringConditional

      The birth name, as formally registered at the moment of their birth. The birthName may include prefixes & suffixes.

      • Usage Rule: Either surname or birthName has to be provided.
      • Format : Max. 100 Characters.
      • Example: "Johnson", "Johnson - Davids Jr.".
    • birthNamePrefixStringOptional

      Prepositions and/or articles preceding the birth name (surname). Only if applicable. May be included in the birthName field but may also be delivered separately.

      • Format: Max. 25 Characters.
      • Example: "van der".
    • birthNameSuffixStringOptional

      Prepositions and/or articles positioned after the birthname. Only if applicable. May be included in the birthName field but may also be delivered separately.

      • Format: Max. 25 Characters.
      • Example: "Jr."
    • givenNameStringOptional

      The nickname or commonly used first name of a natural person. This name does not necessarily have to be registered in the passport.

      • Format: Max. 35 Characters.
      • Example: "Flo" for "Florence", "Liz" for "Elizabeth", "Andy" for "Andrew".
    • nameQualificationPrefixStringOptional

      The qualifier prefix is added to the account holder to distinguish them by specifying a generational standing, an achievement or honor that the person has attained. Only if applicable.

      • Format: Max. 25 Characters.
      • Example: "Prof."
    • nameQualificationSuffixStringOptional

      The qualifier suffix is added to the account holder to distinguish them by specifying a generational standing, an achievement or honor that the person has attained. Only if applicable.

      • Format: Max. 25 Characters.
      • Example: "MBA", "PhD".
    • nobilitySalutationStringOptional

      Nobility title of the account holder. Only if applicable.

      • Format: Max. 25 Characters.
      • Example: "Lord".
  • organisationAccountHolderObjectConditional

    For Organisation owned accounts, we expect only one object.

    • Usage Rule: Either personalAccountHolders or organisationAccountHolder is used.
    • legalNameArray of ObjectsMandatory

      The official, legal company name. Can be provided in multiple languages.

      • Usage Rule: At least 1 legal name must be provided.
      • languageStringConditional

        The language of the legal name in ISO 639-1 language code.

        • Format: Max. 2 Characters.
        • Example: 'EN' for 'English'.
        • Usage Rule: This field is mandatory in Belgium.
      • nameStringMandatory

        The official name of the organisation as stated in its rules and regulations. This name will be suggested if there is no match found.

        • Format: Max. 200 Characters.
        • Example: "SurePay B.V."
    • nomatchSuggestionAllowedBooleanConditional

      This field designates if the service can return a name suggestion in case of a no match.

      • true: A name suggestion is returned in case of a no match.
      • false: No name suggestion is returned in case of a no match.

      If the field is not present in the record, the default used is true. Due to GDPR regulations concerning self employed people, this field is mandatory in Belgium.

    • commercialNamesArray of StringsOptional

      The commercial or trade names of the organisation. These details are used in addition to legalName to improve the likelihood of a successful match.

      • Format: Max. 140 Characters.
      • Example: [SurePay B.V, Surepay technologies, SurePay Anti-fraud].
    • companyIdArray of ObjectsOptional

      The company identifier for the organisation. Multiple identifiers can be provided.

      • typeEnumMandatory

        The CompanyID type.

        • Find the code list in here.
      • valueStringMandatory

        The value of the CompanyID.

    • legalStructureStringOptional

      The code of the legal form of the organisation as registered at the Chamber of Commerce.

      • Example: "BV", "SARL" or "Ltd".
    • postalAddressObjectOptional

      The postal address of the account holder. The account holder could reside in a different country than where the account is opened.

      • postalCodeStringOptional

        Postal code of the account holder. Added in case the townName is not available.

        • Example: 1097OG
      • countryCodeStringOptional

        The code which identifies the country of the business address defined by ISO 3166-1.

        • Format: ^[A-Z]{2}$
        • Example: "NL", "BE"
      • townNameStringOptional

        The town/city where the organisation is located.

Response

{
    "accountName": "J.R. van der Werff",
    "status": "ACTIVE",
    "personalAccountHolders": [
        {
            "allFirstNames": "John Richard",
            "surname": "van der Werff"
        }
    ]
}

Error Handling

Status and error codes

Errors follow standard HTTP status codes in the 4xx and 5xx ranges. In some cases, it is useful to include a JSON error object in the response body, especially for a 400 Bad Request status. The chosen structure aligns with the error format used in the VoP Gateway API.

HTTP Status CodeDescription
400 - Bad requestRequest has malformed missing or non-compliant JSON body or URL parameters
401 - UnauthorisedAuthorization header missing or invalid token
403 - ForbiddenToken has incorrect scope or a security policy was violated
404 - Not FoundWe were unable to find the requested resource in any of our available data sources
429 - Too many requestsResponse status code indicates the user has sent too many requests in a given amount of time
500 - Internal server errorSomething went wrong on the API gateway or service. In this case the body might contain different details based on the schema that we are connected with

Error Response

Error Response Headers

  • X-Request-IdStringMandatory

    Value as sent in the corresponding request header.

  • Content-TypeStringMandatory

    Content type and encoding of the request.

    • Example: application/json

Example of Error Response Headers

Header nameExample
X-Request-Id123e4567-e89b-12d3-a456-426614174000
Content-Typeapplication/json;charset=utf-8

Error Response Body

  • errorCodeStringMandatory

    The error code that represents the functional error. All the functional errors are described in the Functional Errors table.

  • messageStringOptional

    A description of the error that occurred.

HTTP 400 - Bad Request

    {
        "errorCode": "INVALID_IBAN",
        "message": "Invalid correlation ID in the request headers."
    }

Functional errors

HTTP 400 - Bad Request

If the client's submitted request does not pass the validations, the service will return an Error Response object with the details of the issue. The possible errorCode values are gathered in the following table: Not all codes are mandatory to implement; these are suggestions.

Functional errorDescriptionMessage
INVALID_IBANThe IBAN provided does not pass the MOD97 algorithm check."The IBAN in the request body is invalid."
INVALID_REQUEST_IDA correlation ID is invalid if it does not match the regular expression, if its length is shorter than 1 or its length is longer than 70 characters"Invalid correlation ID in the request headers."
INVALID_UNSTRUCTURED_REMITTANCE_INFORMATIONThe secondary identification is invalid."The unstructured remittance information in the request body is invalid."
INVALID_REQUESTThe provided request’s JSON format does not comply with the expected structure."The request has an invalid JSON format."

List of Enumeration values

companyId

The following table contains a list of enumeration values:

Enumeration valueDescriptionFormatExample
NL_KVKIdentifying number for a registration in the Netherlands Business Register.Format: [0-9]{8}Example: '12345678'
NL_KVK_BRANCHIdentifying number of a branch, providing information about the specific branch.Format: [0-9]{12}Example: '123456789101'
FR_SIRENThe unique French business identification number assigned by INSEE, the French National Institute for Statistics and Economic Studies.Format: [0-9]{9}Example: '123456789'
FR_SIRETNumber providing information about the business location in France. The registration number contains an extra 5 digits (added to the end of the SIREN number to form the full SIRET number).Format: [0-9]{14}Example: '12345678900001'
EU_VATNumber used for sending a VAT number associated with a European company. To accept its value, the user must send the country code (from an EU country) plus the VAT number.Format: Varies by country; typically [A-Z]{2}[0-9]{8,12}Example: 'FR12345678901'
UK_CRNThe unique identifier in the register of the UK's Companies House.Format: (SC|OC|SO|NI|R|NC|RC|LP|SL|NL){1,2}[0-9]{6,7} or [0-9]{8}Example: 'SC123456' or '12345678'
BE_KBOThe unique business identifier in the Belgium Kruispuntbank van Ondernemingen (KBO).Format: [0-9]{10}Example: '1234567890'
ES_CIFThe tax ID (CIF - Certificado de Identificación Fiscal) for Spanish companies.Format: [A-Z]{1}[0-9]{8}Example: 'A12345678'
DE_HRNThe German Handelsregister Number, a unique identifier for limited companies in Germany.Format: (HRA)[0-9]{6} or (HRB)[0-9]{6} or (HRB)[0-9]{6}(B){1}Example: 'HRA123456' or 'HRB123456' or 'HRB123456B'
LEILegal Entity Identifier, an alternate identification for a party. The LEI is a 20-character, alphanumeric code based on the ISO 17442 standard.Format: [A-Z0-9]{18}[0-9]{2}Example: 'XYZEFGHIJ0ABCDEF011'
BANKBank Party Identification request. A unique and unambiguous assignment made by a specific bank or financial institution to identify a relationship between the bank and its client.Format: [CountryCode][BankCode][BranchCode]Example: 'US123BANK001'
CBIDCentral Bank Identification Number request. A unique identification number assigned by a central bank to identify an organisation.Format: (CB)[0-9]{9,12}Example: 'CB123456789'
CHIDClearing Identification Number request. A unique identification number assigned by a clearing house to identify an organisation.Format: [A-Z]{2,4}[0-9]{4,6}Example: 'CHCLRG1234'
CINCCertificate of Incorporation Number request. A unique identification number assigned by a designated authority to a certificate of incorporation, used to identify an organisation.Format: (INC)[0-9]{7,10}Example: 'INC1234567'
COIDCountry Identification Code request. An identification code assigned by the country authority to identify an organisation (e.g., corporate registration number).Format: [A-Z]{2}[0-9]{8,10}Example: 'US123456789'
CUSTCustomer Number request. A number assigned by an issuer to identify a customer or by a party to identify a creditor or debtor relationship.Format: (CUST)[0-9]{6,8}Example: 'CUST789456'
DUNSData Universal Numbering System request. A unique identification number provided by Dun & Bradstreet to identify an organisation.Format: [0-9]{9}Example: '123456789'
EMPLEmployer Identification Number request. Number assigned by a registration authority to an employer.Format: (EMP)[0-9]{6,8}Example: 'EMP123456'
GS1GGS1 GLN (Global Location Number) Identifier request. A non-significant reference number used to identify legal, functional, or physical entities according to GS1 numbering scheme rules.Format: [0-9]{13,14}Example: 'GLN1234567890123'
TXIDTax Identification Number request.Format: (TX)[0-9]{8,12}Example: 'TX123456789'
BDIDBusiness Domain Identifier request. An identifier representing the business domain in which the organisation operates.Format: (BUSDOM)[0-9]{5,10}Example: 'BUSDOM12345'
BOIDBusiness Other Identification request. Other identification for the organisation.Format: Not specifiedExample: Not Applicable