Mies ja tietokone

Current information to software suppliers

New instructions to customers for C2B payments

Published on 20 August 2025, updated on 12 September 2025

 

Version 9 of the pain instructions to customers for C2B payments has been published

The instructions include, for example, version change of the SEPA scheme and changes specified in the Instant Payments Regulation. 

OP has published new C2B instructions compliant with pain.001.001.09. The new version will be adopted owing to changes in the SEPA scheme for C2B payments. The instructions also take into account changes to the Instant Payments Regulation and Funds Transfer Regulation, among other things.

Verification of Payee, VoP, is a new part of SEPA payments, and the material used for the service, including a description of the service, is included in the instructions. The instructions include a new section on C2B instant payment payload that may only contain SEPA instant credit transfers. As previously, OP enables a file type that may include a variety of payment types per payload, also SEPA instant credit transfers.

OP has also published sample messages that are compliant with the new format. OP will publish customer material that is compliant with version 09 of the pain instructions on 5 October 2025. OP will also update version 3 of the pain instructions to customers.

Downloadable instructions >

 

This is how OP's Verification of Payee works

OP provides the Verification of Payee service in material complying with versions 9 and 3 of pain. The response is pain.002.001.10 in accordance with version 9 of pain.

When submitting a payload, OP's corporate customers may decide for themselves whether they use Verification of Payee or not. The customer expresses through their action whether they use the Verification of Payee service; no separate agreement is required, because use of the service is already included in the C2B payment agreement.

Sending payload Sending payload

 

How does OP provide SEPA instant credit transfers for payloads?

OP has been providing SEPA instant credit transfers to its customers already since 2019 as part of payroll payment services. It is not necessary to specify payments separately as SEPA instant credit transfers. OP has processed SEPA credit transfers as SEPA instant credit transfers whenever possible.

Indeed, OP has been one of the Europe's biggest providers of SEPA instant credit transfers for years. The way we operate has provided our customers with the fastest possible service, and at the same time delivering payments at least as SEPA credit transfers without being rejected. OP offers the same easy-to-use service also to businesses after the Instant Payments Regulation entered into force.

The instructions to customers describes to type of payload:

1. A regular payload (C2B payload) that may contains regular SEPA credit transfers, payments entered as SEPA instant credit transfers and international payments. Payments are processed under the same schedules as conventional payroll channels on business days from morning to evening. OP will continue to process regular SEPA credit transfers as SEPA instant credit transfers. Payrolls with recurring payments (SALA) are not processed as SEPA instant credit transfers; instead, action is taken as specified in the service description. For regular accounts ledger payments, we recommend the use of C2B payroll format due to its versatile operation.

2. The new C2B instant credit transfer payload may only contain SEPA instant credit transfers. These are processed 24/7/365 in quick cycles. If a SEPA instant credit transfer is not processed in less than 10 seconds, for example due to the payee bank's instant credit transfers being unavailable, the payment is rejected. This is why we recommend that software providers implement C2B instant credit transfer payload for user interfaces and use cases in which it is critical that payment is made immediately, and if payment cannot be made, it must be rejected.

The table below shows how various payloads are processed:

The table C2B The table C2B

The table below gives details about the codes used in C2B payroll and C2B instant credit transfer payload in its different parts. Using the codes, the customer can specify the entire payroll or an individual payment as SEPA instant credit transfer.

The codes The codes

In C2B payment files, SEPA instant credit transfer is identified by the INST value of the Local Instrument or the URGP value of the Proprietary Service Level entered at the PaymentInformation level (B-part) or Credit Transfer Transaction Information (C-part). Regular C2B payroll may also include SEPA instant credit transfers equipped with an INST code or instant credit transfers equipped with an URGP code. The URGP code indicates urgent SEPA credit transfers or international payments.

C2B instant credit transfer payload must include the INST code for any payment at the PaymentInformation (B-part) level or at the Credit Transfer Transaction Information (C-part) level.

Renewal of TLS Certificate for Web Services Channel

Published on 28 May 2025, dates corrected and updated on 2 September and 12 September 2025

 

The new TLS certificate for OP Financial Group’s Web Services Channel wsk.op.fi domain will be implemented in production on September 9, 2025 (wsk.op.fi) and in the customer testing environment (wsk.asiakastesti.op.fi) on June 9, 2025.

Files cannot be sent or received after 9 September 2025 if the customer has not adopted the new root certificate once OP has deployed the new TLS certificate.

To ensure the TLS certificate for wsk.op.fi functions with the customer’s connections, the customer’s system must trust the root certificate authority. The root certificate authority for the new certificates is Sectigo.

Please ensure that your banking connection software trusts not only the root certificates from Entrust but also the root and intermediate certificates from Sectigo. The trust relationship is defined in the TrustStore, where the root certificate authority must be stored. Sectigo’s root certificates (RSA and ECC) should be added to the TrustStore.

Sectigo’s root certificates can be downloaded from the following links:

Root certificate for RSA certificates: Sectigo Public Server Authentication Root R46:

  • http://crt.sectigo.com/SectigoPublicServerAuthenticationRootR46.crt
  • Fingerprint: SHA-256: 7BB647A62AEEAC88BF257AA522D01FFEA395E0AB45C73F93F65654EC38F25A06

Root certificate for ECC certificates: Sectigo Public Server Authentication Root E46:

  • http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.crt
  • Fingerprint: SHA-256: C90F26F0FB1B4018B22227519B5CA2B53E2CA5B3BE5CF18EFE1BEF47380C5383

Please ensure that the old root certificate of Sectigo has been installed. A credit relationship is typically established with this root certificate.

USERTrust RSA Certification Authority:

  • http://crt.sectigo.com/USERTrustRSACertificationAuthority.crt
  • Fingerprint: E793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2

USERTrust ECC Certification Authority:

  • http://crt.sectigo.com/USERTrustECCCertificationAuthority.crt
  • Fingerprint: 4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A

OP and instant credit transfers

Published on 17 March 2025

 

OP has long been a pioneer in real-time payments, including in the European context. It has handled inbound and outbound SEPA instant credit transfers since 2018. For around five years, customer payments have been handled as SEPA instant credit transfers in all OP customer self-service channels, practically whenever possible.

As its approach, OP chose to use the fastest possible route for transfers without requiring customers to make new choices. To ensure that instant credit transfers were as convenient and accessible as possible for our customers, we did not want to add extra fees or introduce technological changes.

In the Web Services channel, customers can continue to use SEPA instant credit transfers with OP’s “fastest route” approach without making any changes. Current payment data and their handling will remain the same.

However, due to the regulation, OP will also introduce a new payment data type with all the payments handled exclusively as SEPA instant credit transfers. This means that if a payment can't be delivered as a SEPA instant credit transfer, the payment will be cancelled immediately. The processing cycle will be faster for the new payment data type. All customers will receive feedback on payments made, formed within 10 seconds of the last instant credit transfer being handled.

Verification of payee service

Published on 17 March 2025

 

The service ensuring payee verification means the payer must receive verification before the payment’s approval that they are indeed transferring funds to the intended recipient. Under the Instant Payments Regulation, verification of payee must be offered for all credit transfers in euros made to EU or EEA states, not only for instant credit transfers, and in all payment channels for every payment before the payment’s approval.

After the payer provides the relevant payment data – essentially the name and account number – the payer’s bank requests the payee’s bank to confirm that the name provided by the payer corresponds to the account holder’s name known to the bank. The payer's bank must provide the result of this comparison to the payer.

Verification may result in a match, near match or no match. If the names are a near match, the payee’s real name must be provided to the payer. The payer can approve the payment even if the names do not match. In this case, the payer assumes responsibility should the funds be transferred to an unintended payee.

The development of this service requires us as a bank to build the required capabilities – both making queries in the bank network and responding to such queries concerning OP payment accounts. Moreover, the service must be made available to customers in all payment channels.

According to the regulation, companies submitting multiple payments as a package must be able to opt out of the verification of the payee service for their package. If the customer decides to opt out of the service, they will be held liable if their transfer goes to an unintended recipient. The decision on payee verification is therefore of major importance to the customer. From the customer’s perspective, payee verification may involve changes related to payment processes such as whether to perform verification for every transfer or only for some, how to react to the verification result in the case of a near match or no match, and who makes the ultimate transfer approval decision.

In Finland, the payee verification service for C2B payments will be implemented as a separate “pre-verification service”. This will minimise changes to the creation of actual payment data and to the sensitive payment transaction processing in banks. The method also minimises any unpredictability in the duration of payee verification as part of the payment process, as the customer can submit the payment data to the bank after payee verification within the limits of their normal processes and processing times. In other words, the customer chooses not to use the payee verification service if they do not first submit the payment data to payee verification with a separate data package for verification purposes.

For API payment transactions, opting out of payee verification is not possible under the regulation. This will lead to significant changes in the OP Corporate Payment API’s use to ensure we can offer the payee verification service for all credit transfers in euros. We are currently planning these changes in consultation with our customers.

We will release customer instructions, interface documentation and testing opportunities during spring 2025.

Deployment of the SHA256 algorithm

Published on 17 March 2025, updated on 4 November 2025

 

OP will no longer support the SHA1 algorithm and digital signature. They will be replaced with the SHA256 algorithm to ensure increasingly safe services to our customers.

If you use the Web Services channel, contact your software provider to check whether your software is up to date, and whether it needs to be updated.

The old SHA1 service will be closed down on 21 November 2025, after which customers must use the SHA256 algorithm. Content will not be transmitted through the Web Services channel from 22 November 2025 if the bank connection software uses the old algorithm/TLS encryption protocol.

Make the required changes to your software application requests (ApplicationRequest) and SOAP requests (SOAPRequest) to enable the SHA256 algorithm.

  • SignatureMethod Algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • DigestMethod Algorithm=http://www.w3.org/2001/04/xmlenc#sha256

Correspondingly, response messages are signed using the SHA256 certificate and algorithm.

These changes will not affect the certificate algorithms. The change will not affect the content or terms of corporate payment services or payments in the op.fi service for corporate customers.

More information about the deployment of SHA256 algorithms can be found in the Web Services channel user guide.

Web Services channel user guide >