Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.217.71

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

PSPs across the EU face a deadline most compliance teams underestimated when the Instant Payments Regulation 2024 passed. From 9 October 2025, any PSP offering euro credit transfers must also send instant payments. These transfers settle in under 10 seconds, run around the clock, and carry the same fee as a standard SCT. The regulation does more than rewire payment rails. It rewrites how PSP AML screening EU-wide must work, how sanctions checks are run, and how Verification of Payee fits into onboarding.

This article covers the AML obligations the IPR places on PSPs, what EU instant payments AML screening looks like in practice, and how SEPA instant payment compliance can hold inside a 10-second window.

When the EU Instant Payments Regulation Takes Effect

Regulation (EU) 2024/886 entered into force on 8 April 2024 with a phased rollout that splits eurozone and non-eurozone PSPs.

Eurozone PSPs had to be able to receive SEPA Instant Credit Transfers by 9 January 2025 and to send them by 9 October 2025. PSPs in non-euro Member States handling euro transactions get longer runways. Receiving applies from 9 January 2027 and sending from 9 July 2027. The European Central Bank confirmed the phased timetable for participants in the SEPA Instant scheme.

Two compliance milestones travel alongside the payment-rail dates. Daily sanctions screening of customers and Verification of Payee both kick in on 9 October 2025 for eurozone PSPs.

AML Screening Obligations the IPR Places on PSPs

The IPR amends the SEPA Regulation (260/2012) and addresses head-on how AML and sanctions controls must work when payments settle in seconds. Two changes drive most of the compliance redesign work.

  • First, Article 5d requires PSPs to screen their payment service users at least once per calendar day against EU restrictive measures lists. The unit of screening is the customer, not the transaction. PSPs check whether any of their PSUs (senders or receivers) appears on the EU consolidated sanctions list, and they do this daily as a sweep over the customer base.
  • Second, the regulation does not replace AML and CFT obligations under the AML directive or the new AML Regulation (EU) 2024/1624. Transaction monitoring, suspicious activity reporting, and customer due diligence still apply to instant payments. The IPR reshapes one specific control (sanctions screening) without touching the rest of the AML framework.

In practice, this changes the operational shape of compliance teams. Daily sanctions screening replaces a transaction-level filter that, for many PSPs, ran inside the same workflow as fraud rules. The new model splits the two and demands a screening cadence reconciled against intraday list updates from the EU Council, with most firms also voluntarily covering OFAC, the UN Security Council, and UK HMT to meet correspondent-bank expectations.

For practical purposes this means PSPs need a daily sanctions screening run that covers the entire PSU base reliably, and a separate real-time monitoring layer that handles fraud and AML typologies inside the payment window.

Sanctions Screening in the 10-Second Payment Window

Banks do not need to screen every instant payment against sanctions at the transaction level under the IPR. The regulation deliberately moved the obligation from per-payment to daily customer screening because per-payment checks could not run reliably inside a 10-second window without producing false-positive rejection rates that would have made SCT Inst commercially unworkable.

This shift narrows the screening obligation but does not narrow transaction monitoring. Real-time AML controls (mule detection, structuring patterns, geographic risk scoring, behavioural anomaly flagging) still apply to instant payments, and they still need to run inside the 10-second envelope. PSPs therefore operate two parallel capabilities. The daily sanctions sweep covers the full PSU base against EU and any voluntary additional lists. The real-time monitoring layer scores transactions in flight and triggers holds, SARs, or reviewer queues based on fraud and typology signals.

The trade-off is clear. Removing per-transaction sanctions screening unlocks the 10-second commitment, but it raises the bar for the daily customer screening to be exhaustive, accurate, and reconciled against any list updates that landed in the previous 24 hours.

List freshness becomes the critical control variable here. The EU Council can publish new restrictive measures at any point during a business day, and a PSP that ran its daily sweep at 03:00 UTC against a list that updated at 09:00 UTC carries a six-hour gap where new listings are not reflected in the customer base. Some firms run two or three sweeps per day to close that gap. The IPR sets a minimum cadence, not a ceiling, and supervisors are likely to view a true once-a-day sweep as the floor of acceptable practice rather than the target.

Verification of Payee Adds a Real-Time Fraud Layer

From 9 October 2025 PSPs must also offer Verification of Payee (VOP) for every credit transfer (instant or standard) within the eurozone. The receiving PSP takes the IBAN and the payee name the sender supplied, matches them against the actual account-holder record, and returns a match, close-match, or no-match flag before the payer authorises the payment.

VOP is a fraud control on its face, but it changes the AML picture too. Authorised push-payment scams produce payments that look clean to traditional AML monitoring (the customer authorised the transfer voluntarily) but originate from social engineering. Catching the name mismatch upstream cuts the volume of suspicious payments hitting the AML reviewer queue and reduces false-positive load on transaction monitoring.

The European Payments Council operates the Verification of Payee scheme that PSPs use to interoperate. Firms that have not procured a VOP capability by the deadline will not be able to execute consumer credit transfers lawfully.

Penalties for Non-Compliance with EU Instant Payments AML Rules

The IPR leans on existing AML and SEPA enforcement provisions rather than creating a new penalty regime. PSPs that fall short on daily sanctions screening, transaction monitoring, or VOP face overlapping consequences.

Administrative fines under national AML law (often calibrated as percentages of annual turnover) come first. Supervisory enforcement actions from the national competent authority follow, and in serious cases authorisations granted under PSD2 can be revoked. Reputational damage and correspondent-bank de-risking add commercial cost on top of the regulatory fine.

The new EU Anti-Money Laundering Authority AMLA takes up direct supervision of selected large cross-border firms from 2025 onwards. AMLA’s involvement raises the practical stakes for PSPs that treat sanctions screening and monitoring as box-checking exercises rather than functioning controls.

How Shufti Supports PSPs on IPR AML Screening

PSPs working through SEPA instant payment compliance generally hit three problems at the same time. The daily sanctions screening run needs to cover a large PSU base accurately and within a tight operational window. Real-time transaction monitoring needs to flag suspicious instant payments without breaking the 10-second settlement target. And onboarding controls need to feed clean, verified customer data into both layers so screening hits reflect real risk rather than dirty records.

Shufti’s AML screening service runs sanctions, PEP, and adverse-media checks against more than 1,700 global watchlists, including EU consolidated sanctions, OFAC, UN, and UK HMT lists, with daily ongoing monitoring built in. The same platform covers KYC verification and KYB onboarding, so the customer records flowing into daily screening carry verified identity and beneficial ownership data from the start. For PSPs procuring VOP capability, the identity layer reduces the noise that name-mismatch false positives can generate downstream.

The outcome is a single compliance stack that covers the IPR’s intersecting obligations and scales to daily PSU sweeps without the false-positive overhead that legacy screening tools produce at instant-payments cadence.

Shufti’s AML screening platform gives PSPs daily sanctions monitoring, PEP and adverse-media coverage, and an integrated KYC onboarding layer built for SEPA instant payment compliance. Speak to a Shufti compliance specialist to scope a deployment ahead of your IPR deadline. Book a demo.

Frequently Asked Questions

What AML screening obligations does EU Instant Payments Regulation place on PSPs?

PSPs must screen all customers against EU restrictive measures lists at least once per day under Article 5d of the Instant Payments Regulation. Per-transaction sanctions screening is replaced by daily customer screening. Transaction monitoring under AMLD and the AML Regulation remains in force.

How must PSPs screen transactions against sanctions within the 10-second payment window?

The regulation removes per-transaction sanctions screening for SCT Inst. PSPs screen their customer base daily, so the 10-second window does not need to accommodate a sanctions check. Real-time fraud and AML transaction monitoring still apply inside the payment window.

Does EU Instant Payments Regulation require PSPs to update existing AML systems?

Most PSPs need to reconfigure sanctions screening from per-transaction to daily customer sweeps and procure Verification of Payee capability by 9 October 2025. Transaction monitoring and SAR reporting obligations under the AML framework remain in force.

What penalties apply for PSP non-compliance with EU Instant Payments AML rules?

The IPR draws on existing AML and SEPA enforcement powers. National competent authorities can impose administrative fines, issue enforcement orders, and in serious cases revoke PSD2 authorisation. AMLA will add direct supervisory pressure on large cross-border PSPs from 2025.

Related Posts

Shufti Blog

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

Explore More

Shufti Blog

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

Explore More

Shufti Blog

Watchlist Screening: What It Means And How It Actually Works

Watchlist Screening: What It Means And How It Actually Works

Explore More

Shufti Blog

Best Fraud Prevention Practices in Australia’s Banking Sector

Best Fraud Prevention Practices in Australia’s Banking Sector

Explore More

Shufti Blog

Enterprise Fraud Prevention: How to Detect, Prevent, and Mitigate Risks

Enterprise Fraud Prevention: How to Detect, Prevent, and Mitigate Risks

Explore More

Shufti Blog

What Is A Front Company? How Criminals Hide Behind Real Businesses

What Is A Front Company? How Criminals Hide Behind Real Businesses

Explore More

Shufti Blog

What Is a Shelf Company? Risks, Red Flags, And KYB Checks

What Is a Shelf Company? Risks, Red Flags, And KYB Checks

Explore More

Shufti Blog

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

Explore More

Shufti Blog

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

Explore More

Shufti Blog

Watchlist Screening: What It Means And How It Actually Works

Watchlist Screening: What It Means And How It Actually Works

Explore More

Shufti Blog

Best Fraud Prevention Practices in Australia’s Banking Sector

Best Fraud Prevention Practices in Australia’s Banking Sector

Explore More

Shufti Blog

Enterprise Fraud Prevention: How to Detect, Prevent, and Mitigate Risks

Enterprise Fraud Prevention: How to Detect, Prevent, and Mitigate Risks

Explore More

Shufti Blog

What Is A Front Company? How Criminals Hide Behind Real Businesses

What Is A Front Company? How Criminals Hide Behind Real Businesses

Explore More

Shufti Blog

What Is a Shelf Company? Risks, Red Flags, And KYB Checks

What Is a Shelf Company? Risks, Red Flags, And KYB Checks

Explore More

Take the next steps to better security.

Contact us

Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

Contact us

Request demo

Get free access to our platform and try our products today.

Get started