Virtual IBANs are widely used across European payment infrastructure, but the mechanics and regulatory implications are frequently misunderstood — sometimes deliberately. A vIBAN is not a bank account. It is a payment identifier that routes incoming funds to a master account held by a payment institution. The entity holding that master account — not the vIBAN holder — bears the regulatory obligations. This explainer covers how vIBANs work, what those obligations are, and why the EBA has identified material risks in how they are commonly deployed.

What a vIBAN is

An International Bank Account Number (IBAN) is the standardised identifier used to route payments across SEPA and international payment schemes. A virtual IBAN (vIBAN) functions as an IBAN — it can receive SEPA Credit Transfers and, in many implementations, SEPA Direct Debit payments — but it does not correspond to a direct account at a credit institution.

Instead, a vIBAN is a routing label. Payments sent to a vIBAN are received at a master account held by a payment institution or electronic money institution (EMI), which then credits the vIBAN holder’s balance in its own internal ledger.

The distinction is material. A standard bank IBAN maps directly to a segregated account at a credit institution, potentially protected by the Deposit Guarantee Scheme (DGS) under Directive 2014/49/EU. A vIBAN is an accounting entry in the books of an intermediary. The funds arrive at the intermediary’s master account — they do not sit in an account in the vIBAN holder’s name at a bank.

How vIBANs work: the mechanics

A vIBAN arrangement typically involves two parties: the sponsor institution (the entity holding the master account) and the vIBAN holder (the business or individual whose payments route through that account).

When a payment is sent to a vIBAN:

  1. The payment routes through the SEPA scheme to the sponsor institution's master account at its settlement bank.
  2. The sponsor identifies the vIBAN from the payment reference or account identifier.
  3. The corresponding balance is credited to the vIBAN holder's sub-account in the sponsor's ledger.
  4. The vIBAN holder accesses their balance through the sponsor's platform — typically via API or dashboard.

The vIBAN holder has no direct relationship with the payment scheme or with the underlying credit institution holding the master account. The sponsor institution provides both the payment connectivity and the account management layer.

In more complex arrangements, the chain extends further — a payment institution may itself be operating on vIBANs issued by a bank, adding a third party between the end business and the settlement account. This is where regulatory complexity increases significantly.

Who uses vIBANs and why

vIBANs are used across European payment infrastructure for three primary purposes.

Named payment collection. Payment institutions and EMIs issue vIBANs to their customers so those customers can receive SEPA transfers into a named, dedicated account identifier — rather than a shared or generic account number with a transaction reference.

Merchant and seller segregation. Platforms and marketplaces use vIBANs to route incoming payments directly to the correct sub-account for each merchant or seller, eliminating manual reconciliation.

Multi-entity treasury management. Businesses managing multiple legal entities or operating accounts use vIBANs to maintain separation between funds flows within a single institutional relationship.

In each case, the commercial value is the same: a stable, named identifier that simplifies collections and reconciliation. The question is what regulatory framework governs the account behind that identifier.

The regulatory picture: who holds the obligations

Under PSD2 (Directive 2015/2366/EU), providing payment accounts and related payment services requires authorisation as a payment institution or EMI. The entity providing a vIBAN service must either hold this authorisation directly or operate as an agent or distributor of an authorised entity.

This matters because the authorised entity — whoever sits at the top of the vIBAN chain — is responsible for:

AML/CFT obligations. The authorised entity must conduct Customer Due Diligence (CDD) on end customers, operate transaction monitoring systems, and file Suspicious Activity Reports. These are obligations of the licensed entity, regardless of how many intermediaries exist between it and the end vIBAN holder.

Safeguarding. Funds received from customers must be safeguarded under Article 10 of EMD2 or the equivalent PSD2 provisions. Safeguarding requires funds to be held in segregated accounts at a credit institution or covered by an insurance policy — protected against the insolvency of the payment institution.

Transparency. End users must be informed of the nature of their account, its regulatory status, and whether DGS protection applies. For vIBAN arrangements, DGS protection typically does not apply — the funds are in the intermediary’s account, not the customer’s own bank account. This must be disclosed.

When a vIBAN chain involves multiple intermediaries, these obligations can become diffuse. Each layer may assume another layer is conducting the relevant checks. The end customer may have no clear understanding of who their regulated counterparty actually is.

The EBA’s assessment of vIBAN risks

In 2024, the European Banking Authority (EBA) published an analysis of vIBAN arrangements across EU member states, identifying ten categories of risk in how they are structured and operated.

10 Categories of risk identified by the EBA EBA analysis of vIBAN arrangements across EU member states, 2024. The Authority did not prohibit vIBAN use — it called for supervisory convergence, greater transparency, and clearer disclosure to end users.

The most significant are:

Regulatory arbitrage. Some vIBAN arrangements are structured to exploit lighter-touch regulatory requirements in certain EU jurisdictions — allowing entities to provide payment services in higher-cost markets while bearing lower compliance obligations. This creates competitive distortion and undermines the intent of the single market in payment services.

AML/CFT gaps. In multi-layer vIBAN arrangements, the entity conducting CDD on the end customer may not be the entity with full visibility over the transaction flow. Where obligations are split across the chain, suspicious activity patterns can be harder to identify and act on.

Consumer transparency. vIBAN holders are frequently unaware that their account identifier is a virtual instrument routing to a master account at an institution they have no direct relationship with. This affects their understanding of their rights and protections.

DGS protection gaps. Balances held in vIBAN arrangements do not benefit from DGS protection under Directive 2014/49/EU. For businesses operating at scale, this is material — particularly in the event of the intermediary’s failure.

Concentration risk. Where large volumes of vIBANs route through a single master account at a single credit institution, operational or financial failure at that institution creates exposure across every vIBAN holder in the chain simultaneously.

The EBA’s analysis did not prohibit vIBAN arrangements. It called for supervisory convergence across member states, greater transparency in how arrangements are structured, and clearer disclosure to end users of the regulatory protections — and limitations — that apply.

What this means for your business

If you receive payments via a vIBAN, the relevant questions are not technical — they concern the regulatory relationship behind the account identifier.

Which entity holds the payment services authorisation for this arrangement? What safeguarding framework applies to your funds? Are you covered if the payment institution fails? Who conducted KYB/AML checks on your account — and who is responsible if those checks were insufficient?

These are not hypothetical concerns. They are the basis on which the EBA has directed supervisory attention across EU member states.

Stable Mint provides vIBANs as part of its Accounts product. As an EMI authorised by a European competent authority, Stable Mint holds the regulatory relationship directly — the authorisation, the AML/CFT obligations, and the safeguarding requirements all sit with Stable Mint, not with a sponsor institution operating in another jurisdiction. If you want to understand how vIBANs work within the Stable Mint infrastructure and what regulatory protections apply, talk to our team.