Jurisdiction in Disguise: What R16 Demands of Virtual Account Numbers

When the International Organisation for Standardisation first codified the International Bank Account Number (IBAN) structure under ISO 13616, the two-letter country prefix served a deceptively simple purpose: it told the world where an account was held. A German account began with DE; a British account began with GB. The prefix was not merely a routing convenience. It was a jurisdictional declaration, a signal to counterparties, intermediaries and regulators that the funds sat within a specific legal and supervisory perimeter. For nearly three decades, that assumption held. Yet as fintech platforms have built layered account architectures designed for speed and flexibility, the relationship between an account number and the jurisdiction it purports to represent has become dangerously unreliable.

The Financial Action Task Force (FATF) recognised this structural vulnerability when it launched its first public consultation on revisions to Recommendation 16 (R16) in February 2024. Two rounds of consultation followed, drawing more than 300 responses from financial institutions, regulators and civil society. The issue of virtual account numbers (VANs) and their capacity to obscure jurisdictional information emerged as one of the most technically consequential topics in the entire revision. In June 2025, the FATF Plenary agreed the revised standard, now rebranded from 'Wire Transfers' to 'Payment Transparency', with an implementation deadline of the end of 2030.

The revised Interpretive Note to R16 (INR.16) includes an explicit expectation: financial institutions should ensure that account numbers are not used to disguise the identification of the country where the financial institution servicing the account resides. That single sentence carries significant operational weight.

The architecture of misdirection

To understand why VANs pose such a distinctive compliance challenge, it is necessary to understand how they function. A virtual IBAN (vIBAN) is an account identifier that carries the same format as a standard IBAN but does not correspond to a standalone bank account. Instead, it acts as a reference number, routing incoming payments to an underlying master account held by a different entity, often in a different jurisdiction.

The European Banking Authority (EBA), in its May 2024 report on virtual IBANs, mapped six distinct use cases for vIBANs across the EU. These ranged from payment service providers partnering with credit institutions in other member states to non-EU financial institutions using EU-based partners to issue vIBANs bearing EU country codes to customers worldwide.

The compliance difficulty is not that vIBANs exist. They serve legitimate commercial purposes: reconciliation, treasury management, payment segregation. The difficulty is that they are, by design, indistinguishable from standard IBANs to third parties. A payment arriving with an IBAN prefixed 'LT' (Lithuania) may appear to be directed to a Lithuanian account when, in fact, the underlying master account is located in an entirely different jurisdiction. The country code becomes a mask.

The EBA report noted that national competent authorities across the EU hold divergent views on whether a vIBAN’s country code must match the jurisdiction of the institution servicing the master account. Some require alignment; others do not. This inconsistency creates precisely the kind of regulatory arbitrage that the FATF’s revised R16 seeks to close.

Jurisdictional opacity is not an edge case

It would be a mistake to treat the vIBAN transparency problem as a niche concern. The underlying issue is structural: modern payment architectures increasingly decouple the apparent geography of a transaction from its actual geography. Correspondent banking chains, nested accounts, on-behalf-of (OBO) payment arrangements and multi-currency wallet structures all create scenarios in which the jurisdictional signal embedded in an account number is misleading.

The consequences for anti-money laundering and counter-terrorist financing (AML/CFT) controls are material. Sanctions screening relies, in part, on jurisdictional indicators to calibrate risk. Transaction monitoring systems use country-level data to flag unusual payment corridors. Suspicious activity reporting assumes that the jurisdiction of the account is the jurisdiction of regulatory oversight. When that assumption fails, each of these controls is degraded.

The FATF acknowledged this directly in its explanatory note accompanying the revised R16. The second public consultation proposed that financial institutions should ensure account numbers are not used for obscuring the country where the originator and beneficiary’s funds are located. The final text, adopted in June 2025, refined this to focus on the country where the financial institution servicing the account resides. The formulation places the obligation squarely on the institution issuing or processing the account number.

R16 draws a line, but enforcement will define it

The revised R16 represents a significant step forward in addressing jurisdictional opacity, but a standard is only as effective as its implementation. The FATF has set the end of 2030 as the target for jurisdictions to transpose the revised requirements into national regulation. That timeline is realistic, given the operational complexity involved, but it also means that for the next five years, the gap between the aspiration of payment transparency and the reality of payment routing will persist.

Several factors will determine whether the revised standard achieves its intended effect. First, national regulators must interpret the requirement with sufficient specificity. The FATF’s language is deliberately principles-based. It does not prescribe a technical mechanism for compliance. Whether jurisdictions require vIBAN country codes to match the jurisdiction of the servicing institution, or permit alternative disclosure methods, will shape the practical impact.

Second, intermediary financial institutions must be equipped to identify when an account number may not reflect the true jurisdiction of the account. This requires investment in data enrichment, counterparty due diligence and payment chain transparency that many institutions have not yet made.

Third, supervisors must be willing to examine vIBAN arrangements in practice, not merely in policy documentation. The EBA’s finding that national competent authorities across the EU lack a uniform view of vIBAN treatment suggests that supervisory convergence remains some distance away.

The integration of the revised R16 with ISO 20022 messaging standards offers a lever for progress. ISO 20022 supports richer, more structured data fields than its predecessors, including the capacity to carry additional party and institution identifiers within the payment message itself. If regulators require that vIBAN-linked payments carry supplementary fields identifying the servicing institution and its jurisdiction, much of the opacity problem can be addressed at the message level. The Consultative Group to Assist the Poor (CGAP) noted that the revised R16 explicitly aligns with the G20 roadmap for enhancing cross-border payments. The question is whether this alignment will translate into coordinated technical mandates or remain at the level of principle.

The compliance response cannot wait for 2030

Firms that process cross-border payments cannot afford to treat the 2030 deadline as a reason to defer action. The risks are present now, and regulators are already scrutinising vIBAN arrangements with increasing intensity. Italy’s Unita di Informazione Finanziaria (UIF) has flagged concerns about vIBAN misuse. The EBA’s report identified money laundering risks arising from vIBAN end users whose identities are unknown to the issuing institution. The EU’s forthcoming Anti-Money Laundering Regulation (AMLR) includes, for the first time, a pan-European definition of virtual IBANs and requires that firms servicing master accounts can obtain information about vIBAN end users, even where those vIBANs are issued by a different entity.

For compliance teams, the implications are threefold. First, product risk assessments must account for the jurisdictional transparency of account structures. Where a firm issues or processes vIBANs, it must demonstrate that its controls can identify the true servicing institution and its regulatory jurisdiction, not merely the country code embedded in the IBAN.

Second, transaction monitoring rules and sanctions screening logic must be calibrated for the possibility that jurisdictional indicators in account numbers are unreliable. This may require supplementary data sources, counterparty registers or enhanced due diligence at the payment level.

Third, firms must engage with the regulatory developments now under way. The FATF has signalled that forthcoming guidance will provide further detail on the treatment of vIBANs. National regulators will be consulting on transposition. Firms that wait until the rules are finalised risk finding themselves operationally unprepared.

Transparency is not a feature; it is a condition of trust

The revised R16 is, at its core, a recognition that the global payment system has outgrown the assumptions on which its transparency architecture was built. When account numbers reliably encoded jurisdiction, the system worked. When they ceased to do so, the conditions for evasion were created not by criminal ingenuity alone, but by structural design. Virtual account numbers are not inherently problematic. They are problematic when they sever the link between a payment’s apparent geography and its actual regulatory reality.

The FATF’s intervention is overdue but welcome. It establishes a principle that should have been self-evident: that the transparency of a payment depends not only on the identity of the parties but on the verifiable geography of the institutions that serve them. If the revised standard is implemented with rigour, it offers a credible basis for closing the jurisdictional gaps that vIBANs have exposed. If it is implemented with the same unevenness that has characterised previous iterations of R16, the geography of evasion will simply adapt. Opacity does not require innovation. It requires only inconsistency.

Is your firm confident that every account number in your payment chain accurately reflects the jurisdiction of the institution that services it?

At OpusDatum, we view the revised R16 as one of the most consequential developments in payment transparency standards in over a decade. Our advisory and compliance support helps firms assess the jurisdictional integrity of their payment architectures, identify gaps in their vIBAN controls and prepare for the operational demands of the revised standard.

Contact us to discuss how we can support your compliance response to the revised R16 and the evolving regulatory landscape for payment transparency.