OP and instant credit transfers
Published 17.3.2025
OP has long been a pioneer in real-time payments, including in the European context. It has handled inbound and outbound SEPA instant credit transfers since 2018. For around five years, customer payments have been handled as SEPA instant credit transfers in all OP customer self-service channels, practically whenever possible.
As its approach, OP chose to use the fastest possible route for transfers without requiring customers to make new choices. To ensure that instant credit transfers were as convenient and accessible as possible for our customers, we did not want to add extra fees or introduce technological changes.
In the Web Services channel, customers can continue to use SEPA instant credit transfers with OP’s “fastest route” approach without making any changes. Current payment data and their handling will remain the same.
However, due to the regulation, OP will also introduce a new payment data type in which all payments are handled exclusively as SEPA instant credit transfers. This means that if a payment can't be delivered as a SEPA instant credit transfer, the payment will be cancelled immediately. The processing cycle will be faster for the new payment data type. All customers will receive feedback on payments made, formed within 10 seconds of the last instant credit transfer being handled.
Verification of payee service
Published 17.3.2025
The verification of payee service means that, before approving a payment, the payer must receive verification that they are indeed transferring funds to the intended recipient. Under the Instant Payments Regulation, verification of payee must be offered for all credit transfers in euros made to EU or EEA states, not only for instant credit transfers, and in all payment channels for every payment before the payment’s approval.
After the payer provides the relevant payment data – essentially the name and account number – the payer’s bank requests the payee’s bank to confirm that the name provided by the payer corresponds to the account holder’s name known to the bank. The payer's bank must provide the result of this comparison to the payer.
Verification may result in a match, near match or no match. If the names are a near match, the payee’s real name must be provided to the payer. The payer can approve the payment even if the names do not match. In this case, the payer assumes responsibility should the funds be transferred to an unintended payee.
The development of this service requires us as a bank to build the required capabilities – both making queries in the bank network and responding to such queries concerning OP payment accounts. Moreover, the service must be made available to customers in all payment channels.
According to the regulation, companies submitting multiple payments as a package must be able to opt out of the verification of the payee service for their package. If the customer decides to opt out of the service, they will be held liable if their transfer goes to an unintended recipient. The decision on payee verification is therefore of major importance to the customer. From the customer’s perspective, payee verification may involve changes related to payment processes such as whether to perform verification for every transfer or only for some, how to react to the verification result in the case of a near match or no match, and who makes the ultimate transfer approval decision.
In Finland, the payee verification service for C2B payments will be implemented as a separate “pre-verification service”. This will minimise changes to the creation of actual payment data and to the sensitive payment transaction processing in banks. The method also minimises any unpredictability in the duration of payee verification as part of the payment process, as the customer can submit the payment data to the bank after payee verification within the limits of their normal processes and processing times. In other words, the customer chooses not to use the payee verification service if they do not first submit the payment data to payee verification with a separate data package for verification purposes.
For API payment transactions, opting out of payee verification is not possible under the regulation. This will lead to significant changes in how the OP Corporate Payment API is used, to ensure we can offer the payee verification service for all credit transfers in euros. We are currently planning these changes in consultation with our customers.
We will release customer instructions, interface documentation and testing opportunities during spring 2025.
SHA256 certificate to be adopted
Published 17.3.2025
OP Financial Group will no longer support the SHA1 certificate and digital signature. They will be replaced with the SHA256 certificate to provide increasingly secure services to our customers.
If you use the Web Services channel, contact your software provider to check whether your software is up to date, and whether it needs to be updated.
The old SHA1 service will be closed down on 31 August 2025, after which customers must use the SHA256 algorithm. Content will not be transmitted through the Web Services channel from 1 September 2025 if the bank connection software uses the old certificate/TLS encryption protocol.
Make the required changes to your software application requests (ApplicationRequest) and SOAP requests (SOAPRequest) to enable the SHA256 algorithm.
- SignatureMethod Algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- DigestMethod Algorithm=http://www.w3.org/2001/04/xmlenc#sha256
Correspondingly, response messages are signed using the SHA256 certificate and algorithm.
These changes will not affect the certificate algorithms. The change will not affect the content or terms of corporate payment services or payments in the op.fi service for corporate customers.
More information about the deployment of SHA256 certificates can be found in the Web Services channel user guide.
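A pre-cutover check for the change described above, as an added example that is not part of OP's notice or its Web Services documentation: it scans a signed request for every SignatureMethod and DigestMethod element and reports any that do not use the SHA256 identifiers listed above. The request skeleton and function names are constructed for illustration, and the legacy SHA1 identifiers are the standard XML Signature ones rather than values from the notice.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML Signature namespace
# Algorithm identifiers required by the notice above.
REQUIRED = {
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
}

def audit_signature_algorithms(xml_text):
    """Return (element, algorithm, ok) for each SignatureMethod/DigestMethod."""
    root = ET.fromstring(xml_text)
    results = []
    for name, required in REQUIRED.items():
        # iter() walks the whole tree, so every Reference's digest is checked.
        for el in root.iter(f"{{{DS}}}{name}"):
            alg = el.get("Algorithm", "")
            results.append((name, alg, alg == required))
    return results

def is_sha256_ready(xml_text):
    """True only if the request is signed and all methods use SHA256."""
    results = audit_signature_algorithms(xml_text)
    names = {name for name, _, _ in results}
    return set(REQUIRED) <= names and all(ok for _, _, ok in results)

def sample_request(sig_alg, digest_alg):
    # Constructed skeleton (assumption); digest and signature are placeholders.
    return f"""<ApplicationRequest>
  <Signature xmlns="{DS}">
    <SignedInfo>
      <SignatureMethod Algorithm="{sig_alg}"/>
      <Reference URI="">
        <DigestMethod Algorithm="{digest_alg}"/>
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
</ApplicationRequest>"""

LEGACY = sample_request(DS + "rsa-sha1", DS + "sha1")
MIXED = sample_request(REQUIRED["SignatureMethod"], DS + "sha1")
UPDATED = sample_request(REQUIRED["SignatureMethod"], REQUIRED["DigestMethod"])

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY), ("mixed", MIXED), ("updated", UPDATED)):
        print(label, is_sha256_ready(doc), audit_signature_algorithms(doc))
```

The mixed case is the one to watch for: software that switches the signature algorithm but still digests with SHA1 has not completed the change.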