EN DE
Book a guided demo Get Certified
B2B Account Trust · PKI for IBANs

Bank VoP breaks payment runs.
Vexola doesn't.

Bank-operated Verification of Payee schemes block payments inline, breaking STP and creating thousands of exceptions per run. Vexola moves the check upstream — to a signed certificate, queried by URL, before any payment is initiated.

Bank-operated VoP

Mandated in EU since Oct 2025
Inline check during payment execution
Blocks STP — every match/no-match raises an exception
Different scheme per bank, country and corridor
No certificate; verification expires at payment-time
Many large corporates have opted out for STP reasons

Vexola certificates

Pre-payment, certificate-based, vendor-neutral
Check happens before the payment run starts
STP is preserved — Green resolves silently
Single X.509 standard, every bank, every country
Cert + OCSP gives a fresh, signed status URL
Aggregates across SisID, Surepay, LSEG / Giact
<300ms
Single-cert P95 latency
50
Concurrent requests, DDoS-safe
47d
Cert validity · auto-renewed
100k+
Records in a bulk XLS run
The problem

The new fraud surface is your master data.

Three mechanisms move payments to the wrong account. They look nothing alike, but they share one weakness: the beneficiary IBAN is trusted at face value.

Mechanism 01

Invoice manipulation

An attacker substitutes the IBAN on a real invoice — usually intercepted in transit, sometimes inside an email account. The payment clears like any other. The supplier reports non-payment 30 days later.

Mechanism 02

Business Email Compromise

A spoofed sender, indistinguishable from the CFO, asks AP to update the account on file. The new IBAN passes every internal control because nothing was technically forged. The wire is recovered, on average, never.

Mechanism 03

Insider master-data fraud

A staff member with master-data write access redirects a long-standing beneficiary. The change is logged, the audit trail is intact — only the destination is wrong. Discovered, on average, after the third payment run.

How it works

Four moves. Then every payment is checked at the source.

From IBAN submission to pre-payment URL check. The same certificate model the public web has trusted since 1995 — applied to the beneficiary side of every B2B payment.

Vexola Certificate
Verified
Boehringer Ingelheim GmbH
Ingelheim am Rhein, Germany
IBAN (hashed · sha256-public)
a3f8…7d21
BIC / SWIFT
DEUTDEFFXXX
Confidence
A · Multi-source
Validity
47 days · auto-renew
Status URL
vexola.com/cert/8f3a…d219
01

Register the account

Account holder submits their company, IBAN and BIC. Mod-97 validates in-browser before the first API call.

02

Verify across providers

Vexola queries SisID, Surepay and LSEG / Giact in parallel. Two independent matches are required for a Green certificate.

03

Issue the certificate

An X.509 cert is signed by the Vexola issuing CA. Confidence A/B/C, source providers and identifier hashes are embedded as extensions.

04

Check before paying

Your ERP or TIS pings the handle URL before the payment run. Green resolves to STP. Yellow routes to review. Red blocks.

Try it

A guided walk-through of one verification.

Type an IBAN, see the response your ERP would see. We've prefilled three scenarios so the difference between Green, Yellow and Red is unmissable.

Vexola Status API · Live
Try a scenario
Response · what the ERP sees
Green — verified

Two independent providers (SisID and LSEG/Giact) returned a name match against the IBAN. A 47-day certificate was issued under the Vexola issuing CA. STP continues; no human review required.

sha256-public
Confidence A — multi-source
47 days, auto-renewed
$ GET vexola.com/v1/status/{serial}
{
  "status": " GREEN",
  "confidence": "A",
  "sources": ["SisID", "LSEG"],
  "valid_until": "2026-07-29"
}
Built for three sides of the payment

One platform. Three jobs.

Sponsors fund the verification. Account owners get verified. Partners embed the check at the point of payment.

Treasury, AP, master-data owners

Verify ten thousand suppliers without a single new exception.

Pre-purchase certificate credits, distribute deep-link invitations from your AP system, and let your suppliers self-certify. Quarterly expiry reports keep your master data clean year over year.

Talk to Vexola sales
Voucher model — 100% discount for your suppliers
Bulk XLS check for one-time master-data audit
Quarterly auto-renewal — no work for treasury
Trust & compliance

Built to be audited. Every signature, every hash, every row.

Vexola sits on the same standards the public web has trusted for thirty years — X.509, OCSP, SHA-256 — operated under ISO 27001 readiness from day one. EU data residency is non-negotiable.

ISO 27001 at launch

Audit process started in month 1, not post-launch. Immutable logs cover every verification, status change and certificate issuance.

EU data residency

All Vexola infrastructure runs on GCP europe-west3 (Frankfurt). No data leaves the EU. GDPR Art. 25 informs every storage choice.

Two-tier PKI

Offline root in managed third-party custody; issuing CA in Cloud KMS. Designed for Phase 2 QTSP cross-sign with no leaf reissuance.

Hashed identifiers

IBANs are never stored in plaintext. Public hash by default; per-account salted hash for entities that prefer to disclose counterparty-by-counterparty.

The team

Two founders. Forty years of payment infrastructure.

Vexola GmbH is being built by people who have spent careers inside the systems that move corporate money.

Erol Bozak

Erol Bozak

Co-founder · Product, Technology, Security

Product and platform lead. Owns the certificate model, the secure-development discipline and the GDPR posture.

Jörg Wiemer

Jörg Wiemer

Co-founder · Go-to-market, Finance, Legal

Sales and commercial. Brings the TIS network, the treasury relationships and decades of B2B-payments customer empathy.

Vexola · Book a guided demo

Ready to see one verification end-to-end?

We'll walk you through a Green, a Yellow and a Red certificate, then map the same flow onto your master data.

Book a guided demo Read the architecture overview