SEPA Instant Payments and the End of Batch Screening: A Compliance Guide for Payment Processors

The full mandatory rollout of SEPA Instant Payments in October 2025 did more than change how euro transfers are processed. It forced every payment service provider operating within the Single Euro Payments Area to fundamentally rethink its sanctions compliance architecture. The batch screening model that most PSPs had relied on for years, running customer and transaction data against sanctions lists in scheduled overnight or periodic cycles, is structurally incompatible with a payment rail that settles in under 10 seconds, 24 hours a day, 365 days a year. 

Sanctions screening will transform from transaction-based to customer-based, and with that change comes a host of challenges: tight implementation deadlines, system overhauls, lack of guidance, and resource shortages for smaller PSPs. This article explains what the Instant Payments Regulation requires from compliance teams, why legacy batch infrastructure creates material risk, and what the operational steps are for building a sanctions and AML framework that can function inside a 10-second payment window. 

{{snippets-guide}}

What the Instant Payments Regulation Actually Mandates

The EU's Instant Payments Regulation (Regulation (EU) 2024/886, the IPR) entered into force in April 2024 and established a phased mandatory compliance timeline. It requires all payment service providers to receive instant payments as of 9 January 2025, and to send such payments by 9 October 2025. These are not optional capabilities. Every PSP within scope must offer SEPA Instant Credit Transfers to customers at a fee no higher than equivalent standard SEPA transfers. 

The compliance obligations that attach to this mandate are equally non-negotiable. Under Article 5d of the IPR, which applies to all in-scope PSPs, PSPs must verify at least once per calendar day whether any of their payment service users are subject to EU targeted financial restrictive measures. In addition, PSPs must perform an immediate re-check after the entry into force of any new or amended restrictive measures. 

The word "immediately" is not a synonym for "as soon as practicable." As later clarified by the European Commission in its FAQs, the policy intent is to set a stricter expectation regarding the permissible time gap between updates to restrictive measures and the operational execution of sanctions screening, establishing a far higher compliance threshold than terms like "without undue delay" would imply.

Firms are not permitted to perform screening of individual transactions to verify whether the payer or the payee are persons or entities subject to targeted financial restrictive measures, because this would make 10-second execution impractical at scale. If the customer base is screened daily and updated immediately on list changes, the sanctions check has already happened before any given transaction is initiated, and the payment can execute within the required window. The screening burden is front-loaded onto the customer relationship, not embedded in each individual payment instruction. 

This model only works if the daily customer screening is genuinely comprehensive and the update mechanism is genuinely immediate. A PSP that screens its customers overnight in a single batch run, against a list that was last updated 18 hours earlier, is not meeting the IPR's compliance standard, even if it screens every customer every calendar day. The policy intent is continuous coverage, not nominal compliance.

Why Batch Screening Cannot Survive in an Instant Payments Environment

Batch screening dominated sanctions compliance in payments for decades because it was well-suited to the infrastructure and timeline of traditional payment rails. Overnight processing cycles, next-day settlement, and business-hours-only operations all gave compliance systems time to process large volumes of data at intervals. The compliance gap that batch creates, the window between when a transaction occurs and when it is screened, was tolerable when transactions took days to settle. It is not tolerable when they settle in seconds.

Batch lag creates blind spots in compliance operations. Suspicious or prohibited activity may only be identified after funds have moved, making remediation more complex and costly. Legitimate transactions may be delayed retroactively, investigations become time-sensitive, and compliance teams face pressure to resolve issues after the fact rather than preventing them upfront. 

The false positive problem compounds this further. Common transaction monitoring systems generate up to 90% false positives, according to McKinsey. 

When a flagged transaction requires human review, compliance analysts have seconds, not hours, to investigate and clear the alert. No human can review and adjudicate a potential sanctions hit in under 10 seconds, yet payments cannot be delayed. A batch screening model that generates large volumes of alerts for manual review cannot function in a real-time environment. The alert volume is too high, the review window is too short, and the commercial consequences of holding instant payments pending manual investigation are significant enough to create pressure on compliance teams to lower thresholds, which increases false negatives. 

More than half of banks surveyed reported a surge in payment rejections due to sanctions screening under SEPA Instant. Many institutions see 30 to 50 percent more flagged transactions because they are erring on the side of caution when they cannot investigate thoroughly in real time. This is not a stable operational position. It signals that the screening infrastructure has not been calibrated for the new regime and that compliance teams are compensating for poor system design through manual conservatism. 

The IPR's shift to daily customer screening rather than per-transaction screening was specifically designed to break this cycle. But the shift creates its own operational demands that many PSPs have not yet fully addressed.

The New Compliance Architecture: What PSPs Must Build

The compliance architecture required to meet the IPR's obligations is materially different from what most PSPs operated under legacy batch screening models. It has three interlocking components: continuous customer-level sanctions screening, immediate list update processing, and transaction monitoring that can operate within the 10-second settlement window.

Daily Customer Sanctions Screening

The most immediate and pervasive obligation under Article 5d is daily verification of the entire active payment service user base against EU targeted financial restrictive measures. For a PSP with a large customer base, this is a significant data processing operation. It cannot be handled manually, and it cannot be delegated to a scheduling system that runs once at midnight and considers the day's obligation fulfilled at that point.

EU sanctions lists can change daily, sometimes multiple times in a single day. If firms only screen against lists once a day, they risk processing payments with newly sanctioned entities. Without automated solutions, compliance teams may be required to re-screen entire customer bases multiple times a day. The practical solution is a screening infrastructure that monitors EU list updates continuously and triggers re-screening of the affected customer base immediately on publication of any change, rather than waiting for the next scheduled daily run. 

PSPs must also clarify which lists constitute "EU targeted financial restrictive measures" for purposes of the Article 5d obligation. The IPR specifically addresses EU-issued targeted financial sanctions. It does not directly address OFAC designations, UN Security Council listings, UK OFSI measures, or EU sectoral sanctions. National sanctions maintained by individual EU member states, and extraterritorial sanctions applied by countries such as the United States, sit outside the IPR's specific obligation but remain applicable to PSPs under their broader AML and compliance obligations. PSPs are expected to enforce these even in real time, which often conflicts with the operational demands of instant payments. 

For PSPs with cross-border operations or exposure to non-EU customers, limiting daily screening to the EU consolidated list is not sufficient. A comprehensive screening programme must cover, at minimum, the EU consolidated list, the UN Security Council Consolidated List, OFAC's SDN list where US-nexus applies, and the UK OFSI consolidated list where UK activity is present. The IPR created a specific obligation for EU targeted measures; it did not narrow the broader compliance obligation.

Immediate List Update Response

The requirement to re-screen immediately after any new or amended restrictive measure takes effect is the element of Article 5d that many PSPs have found most technically demanding. Sanctions lists do not update on a predictable schedule. The EU can designate new individuals or entities at any time, and the obligation to re-screen after each such change means that the compliance system must have a live feed to the list source, not a polling mechanism that checks for updates at intervals.

Building instant payment capability from scratch, including infrastructure connectivity, verification of payee, 24/7/365 operations, and the Article 5d screening, typically takes 12 to 18 months for an institution that has not previously offered instant payments. Article 5d sanctions screening has been in force for PIs and EMIs since January 2025. If an institution has not implemented daily customer sanctions screening against EU targeted financial restrictive measures, it is out of compliance now, regardless of when its send and receive obligations apply. 

The operational implication is that the compliance system must be integrated with a data provider that delivers list updates in near real time, and that the system's response to a new designation must be automatic rather than requiring human initiation. A compliance officer receiving an email notification that a new designation has been published and manually triggering a re-screening run does not meet the standard implied by "immediately."

AML Transaction Monitoring Within the 10-Second Window

While the IPR's specific sanctions obligation is satisfied through daily customer screening rather than per-transaction checks, the broader AML/CFT obligations that apply to PSPs do not disappear in an instant payments context. Other AML/CFT obligations still apply. AML/CFT rules require freezing funds and reporting suspicious activities to local FIUs, and the EBA has explicitly noted that instant payments present additional challenges for effective transaction monitoring. 

By embedding sanctions and AML controls directly into the payment flow, institutions can screen, assess, and decide before a transaction is released. But in real-time flows, false positives are extra costly because they directly delay payments. Institutions need controls that can stop or escalate true risks without creating unnecessary friction or delays for legitimate transactions. 

This requires transaction monitoring rules that are tight enough to catch genuine risk but calibrated well enough to avoid flooding compliance teams with alerts they cannot process within the execution window. The rule design challenge is compressing what was previously a multi-hour or multi-day review cycle into an automated decision that either clears the transaction for execution or holds it for rapid escalation. Rules that are copied from a batch monitoring environment and applied to real-time payments without recalibration will produce alert volumes that are operationally unmanageable.

The approach that works is risk stratification. Transactions flagged at the highest risk level, those involving counterparties or amounts that match known high-risk patterns, are blocked pending review. Transactions flagged at lower confidence levels are permitted to execute while a post-execution review is triggered. The system design documents what threshold triggers each response, and that documentation forms part of the audit trail that demonstrates the compliance framework operated within the payment window.

{{snippets-case}}

The False Positive Problem and Why It Matters More Now

False positives in sanctions screening have always been expensive. In a batch environment, an analyst reviews a queue of alerts at the start of a shift and works through them over the course of the day. The customer or payment is held until the alert is resolved, which is inconvenient but manageable. In an instant payments environment, a false positive means a payment that should have executed within 10 seconds has not. The customer experience implication is immediate and visible.

Real-time screening deals with false positives one by one, since they arrive continuously, and each requires rapid triage to ensure the compliance team is not blocking legitimate customers or payments. Batch screening generates thousands of alerts after a single run, requiring bulk review tooling, prioritisation logic, and a tiered approach to differentiate high-confidence from lower-confidence matches. Both problems are real; they are just different problems requiring different solutions. 

The solution to false positives in real-time screening is not to lower sensitivity thresholds, which increases false negatives and creates regulatory risk, but to improve matching quality. Fuzzy name-matching algorithms, entity resolution logic that accounts for transliteration variants, and name-normalisation tools that handle special characters and different script systems all reduce the rate at which clean customers are flagged while maintaining sensitivity to genuine matches. The configuration of these tools should be documented, regularly tested, and reviewed when list composition changes materially.

Most modern and mature sanctions compliance programmes need both real-time and batch screening. Real-time screening does the heavy lifting in onboarding and payment processing through API-driven screening calls to block sanctioned parties. Batch screening runs in the background on a daily schedule and handles the ongoing monitoring part of the program.

Operational Steps for PSPs Building SEPA Instant Compliance Infrastructure

The practical work of becoming compliant with the IPR's sanctions and AML requirements has several distinct phases, each of which requires decisions at both the technical and compliance policy level.

1. Confirming Coverage

The first step is confirming coverage. PSPs must map which sanctions regimes they are obligated to screen against across all their operating markets, not just the EU targeted financial restrictive measures addressed by Article 5d. For each regime, the PSP should confirm that it has a data feed that updates in near real time, that the feed is integrated into the screening system, and that the system triggers automatic re-screening of affected customers on each list update.

2. Reviewing Customer Data Quality

The second step is reviewing customer data quality. Daily customer screening is only as accurate as the data held on each customer. PSPs with poor quality customer data, including incomplete name fields, missing date of birth information, or addresses that have not been updated at onboarding, will generate disproportionate false positive volumes and miss genuine matches. Improving customer data quality is not purely a compliance exercise; it is a prerequisite for screening that works.

3. Designing the Response Workflow

The third step is designing the response workflow for screening hits. When a customer is flagged during daily screening, the PSP needs a documented procedure for what happens next: who is notified, what the review timeline is, whether the customer's instant payment access is suspended pending resolution, and how the outcome is documented. This workflow should be tested before it is needed, since discovering it does not function at the moment a genuine sanctions designation lands is not an acceptable outcome.

4. AML Monitoring Calibration

The fourth step is AML monitoring calibration. PSPs should review their transaction monitoring rules in the context of instant payments and assess whether the rules are calibrated for real-time operation. Rules that trigger a manual review requirement are only appropriate where the review can be completed within the execution window or where the consequence of holding the payment is documented and justified. Rules that trigger automatic blocking should be set at confidence levels high enough to avoid routine false positives.

5. Documentation and Audit Readiness

The fifth step is documentation and audit readiness. PSPs should evidence everything, including time-stamped logs of screenings, VoP responses, and confirmations, to demonstrate that controls operated before execution where required. In a regulatory examination or an enforcement inquiry, the question will not only be whether screening occurred but whether the system operated as designed and whether the PSP can demonstrate that. 

An audit trail that shows screening was performed at 23:58 on a Tuesday night against a list that had been updated at 09:00 that morning does not demonstrate the immediate re-screening the IPR requires. 

What This Means for Smaller PSPs

The IPR's compliance requirements do not scale proportionally with institutional size. The obligation to screen customers daily against EU sanctions lists, immediately on list updates, and to process transactions within 10 seconds applies equally to a FinTech with 50,000 customers and a major bank with 10 million. The cost of building this infrastructure in-house, however, does not scale down in the same way.

A survey by RedCompass Labs found that European banks plan to invest between EUR 1 million and EUR 3 million in new technology to meet the standards posed by the IPR. As the resources needed to implement such technology are already taxing for major financial institutions, the burden for smaller PSPs is proportionally heavier. 

The practical response for smaller PSPs is to source the compliance infrastructure from providers whose systems are already built for real-time operation, rather than attempting to retrofit existing batch tools. An API-based sanctions screening service that returns a decision in milliseconds, updates against sanctions lists in near real time, and produces an auditable record of each screening outcome transfers the infrastructure burden to the vendor while preserving the PSP's regulatory accountability for the programme. 

What the PSP must retain internally is the governance around the tool: the documented methodology for how matches are reviewed, what thresholds trigger what responses, and how the system's performance is monitored over time.

Conclusion

The SEPA Instant Payments mandate ended batch screening as the default compliance model for payments in the EU. The IPR's daily customer screening obligation is not a loophole around real-time compliance; it is a more demanding and continuous form of it, requiring live data feeds, automatic re-screening on list changes, and an operational infrastructure that runs without interruption at any hour. PSPs that have not yet completed the transition from periodic batch processing to continuous customer-level monitoring are already out of compliance, and the audit and enforcement exposure that creates is accumulating with every day that passes.

The compliance architecture that the IPR demands is, in structural terms, the same infrastructure that the broader shift to real-time payments across all channels is making necessary. PSPs that invest in it now are not simply meeting a regulatory deadline; they are building the operational foundation that the next decade of payments compliance will require.

sanctions.io is a highly reliable and cost-effective solution for real-time screening. AI-powered and with an enterprise-grade API with 99.99% uptime are reasons why customers globally trust us with their compliance efforts and sanctions screening needs.

To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organisation's compliance program: Book a free Discovery Call.

We also encourage you to take advantage of our free 7-day trial to get started with your sanctions and AML screening (no credit card is required).

‍