Verification of Payee (VoP) Requirements (Part 2): The Norwegian KAR Register
Under current Norwegian law, payment service providers, such as banks, are not required to implement a Verification of Payee (VoP) service for payment transactions. This applies both to euro-denominated credit transfers—as stipulated by Article 5c of the SEPA Regulation—and to transactions denominated in Norwegian kroner (NOK). According to section 4-26 of the Norwegian Financial Contracts Act (Finansavtaleloven), banks and other payment service providers are legally permitted to execute payments solely on the basis of a provided unique account identifier, such as an account number or IBAN.
However, to mitigate the risks associated with relying exclusively on these unique account identifiers, the Norwegian financial sector has voluntarily developed the "Konto- og adresseringsregisteret (KAR)" (Account & Address Register). This centralized register enhances payment security and accuracy by linking bank accounts directly to their rightful owners, thus allowing verification and reducing errors or fraud during transaction processing.
What is KAR?
KAR is a centralized register containing bank account information contributed by all banks in Norway. Created by the Norwegian banking industry to enhance payment system efficiency and accuracy, KAR serves as a comprehensive directory of virtually all active payment accounts nationwide. It includes essential details linking bank accounts to their legitimate owners, enabling verification that a particular account is valid, active, and belongs to the intended person or organization.
In practice, KAR supports daily banking operations by allowing (not mandating) financial institutions and certain authorized users to verify account ownership and validity before executing transactions. Thus, KAR does not impose any legal obligation similar to a VoP requirement on Norwegian banks for NOK-denominated payments, and the use of KAR's information remains entirely at the discretion of each individual bank.
History and Development
The concept of a shared bank account register in Norway emerged from efforts to streamline interbank payments and reduce errors. Prior to KAR, banks maintained separate customer databases, making it cumbersome to verify external account details. As electronic payments grew in volume and speed, the need for a centralized “address book” of accounts became evident. Norwegian banks, through their collaborative bodies, began developing KAR to meet this need in the early 2000s. The KAR system was formally established under the auspices of Finance Norway (Finans Norge, the Norwegian banking sector’s organization) and its subsidiary Bits AS in the 2010s, providing a common infrastructure for account data. By 2017, a unified set of rules for KAR had been adopted, obligating all participating banks to supply up-to-date account information to the central register on an ongoing basis (typically daily updates).
Originally, KAR’s primary function was to maintain a consolidated list of active Norwegian payment accounts and their owners for verification purposes. Over time, its scope expanded in line with new banking services and technologies. Notably, as instant payment solutions were introduced, KAR was updated to support “straksbetalinger” (real-time payments) by incorporating additional data links, such as mapping customers’ mobile phone numbers to their bank accounts. This development allowed mobile-based payments and peer-to-peer transfers to be routed correctly by using phone numbers as proxies for account numbers, enhancing the flexibility of payment addressing. By the late 2010s, KAR had become a cornerstone of Norway’s digital payment infrastructure, evolving from a back-office verification tool into a critical component enabling modern payment innovations. Throughout its development, KAR has been continuously refined to meet new regulatory requirements and user needs, illustrating the banking sector’s adaptive approach to collaborative data solutions.
Legal and Institutional Framework
Ownership and Governance:
The KAR register is managed collectively by the Norwegian banking industry under an agreed framework. Bits AS, the banking sector’s infrastructure company (owned by Finance Norway), administers KAR’s rules and standards on behalf of the banks. Technically, the platform has been operated by a centralized service provider. Historically this role was filled by Nets (formerly Bankenes Betalingssentral), and after industry consolidation, the technical operation is now handled by Mastercard Payment Services (which acquired Nets’ payments division in 2021). Thus, the institutional setup is a public-private hybrid: the data is contributed and used by private banks, coordinated through an industry body, and run on a shared infrastructure overseen by the banking community. KAR is not a government-run database, but it functions under sector governance with some regulatory oversight due to the sensitive data involved.
Participation and Obligations:
Nearly all banks in Norway are participants in KAR. In fact, any bank that operates in an EEA (European Economic Area) jurisdiction and is connected to the Norwegian Interbank Clearing System (NICS) is required to join and abide by KAR’s rules. This means each member bank must submit information on every NOK-denominated payment account it holds and keep that information updated. Data updates occur on a daily cycle; as banks open or close accounts or change customer details, they transmit these changes to the KAR system. By design, this ensures the register remains current and comprehensive. Bits AS’s rules for KAR set out the operational and security requirements for banks, including data formats, update frequency, and query procedures. Compliance with these rules is effectively mandatory for clearing-system participants, integrating KAR’s upkeep into the routine operations of banks.
Data Protection and Privacy:
Because KAR contains personal and confidential financial information, its operation is circumscribed by Norwegian law and privacy regulations. Banks are bound by strict bank secrecy provisions (as set forth in the Financial Institutions Act) which normally prevent disclosure of customer information to external parties. To enable KAR’s collaborative data sharing, banks obtain customer consent through account agreements or rely on specific legal allowances that permit sharing for payment processing purposes. All handling of KAR data must also conform to the requirements of the EU’s General Data Protection Regulation (GDPR) as implemented in Norway. This includes ensuring a legitimate basis for processing personal data (such as fraud prevention or contract fulfilment) and implementing safeguards for data security and access control. Bits AS acts as a data processor/facilitator, and each bank remains responsible for the accuracy and lawful processing of the customer data it contributes.
In summary, the legal framework for KAR is a combination of industry self-regulation and adherence to national laws on financial confidentiality and data protection.
Data Contents and Structure of KAR
Scope of Data:
The KAR register holds a defined set of information for each account. Its focus is on payment accounts (generally deposit accounts usable for transfers in Norwegian kroner). For each such account, the core data elements include:
Account Number: The domestic bank account number (and by extension IBAN for international format) that identifies the account. This is the primary key used for queries.
Account Holder Identification: A unique ID for the customer who owns the account. For personal accounts, this is the individual’s national “fødselsnummer” (Norwegian personal identity number) or D-number (temporary ID for foreigners), and for business accounts, it is the organisation’s “organisasjonsnummer” (business registration number). This links each account to its owner’s identity.
Account Holder Name: The name of the person or organisation holding the account. While the register’s fundamental linkage is via ID numbers, in practice KAR allows verification of the account holder’s name as well. This means that if an account number is looked up, the system can confirm the name associated with that account, providing a human-readable validation of ownership. (The name is typically stored or retrieved from the contributing bank’s records and used for confirming a match with the ID.)
Account Status and Dates: Information indicating whether the account is currently active/valid for use. Banks update KAR when an account is opened or closed, so the register can implicitly tell if an account number is valid (exists and is open) or not. In some cases, metadata like the account opening date may be included, which helps in certain queries (e.g., verifying if an account was opened after a specified date).
Associated Contact Identifiers: An extension of KAR’s role has been to store secondary identifiers linked to accounts for payment routing. Chief among these are mobile phone numbers. If a customer has registered their mobile number with their bank for payment services, KAR records the association of that phone number with the customer’s account (or accounts). This feature supports instant mobile payment systems by allowing the lookup of a phone number to find the corresponding bank account. Other “addressing” identifiers (such as email or national payment alias) could potentially be included as the system evolves, but the primary one in use is the mobile number mapping.
KAR is not a transactional database – it does not contain account balances, transaction histories, or other financial details beyond the static identifying information above. It functions purely as a reference index. By design, the data in KAR is limited to what is necessary for identification and addressing of payments. This limitation serves both privacy and performance: sensitive financial data stays within each bank, and KAR remains a lightweight directory that can be quickly searched to validate accounts.
Coverage:
The register has comprehensive coverage within its defined scope, encompassing all Norwegian bank accounts capable of sending or receiving payments via NICS. This includes personal current accounts & savings accounts, corporate accounts, and other deposit accounts suitable for payment transactions across all licensed banks in Norway. There are only minor exceptions—for instance, accounts held with foreign banks that are not connected to NICS are not included in KAR. To address these gaps, a complementary mechanism called KFR ("Kundeforholdsregisteret") captures customer relationships in financial institutions outside the NICS system. Together, KAR and KFR aim to identify all accounts a person or company holds within Norway's banking sector. KAR, however, remains the primary and substantially larger registry, with participation from nearly every major Norwegian bank. Banks update the data daily by submitting information about new and closed accounts, ensuring that the central registry maintains near-real-time accuracy.
Uses of the KAR Data
1. Payment Verification and Fraud Prevention (Banking Operations):
The original and most widespread use of KAR is to verify payment details in day-to-day banking. When one party initiates a payment to another, particularly in business transactions, there is a risk of errors (typos in account numbers) or fraud (someone invoicing with a bank account that doesn’t belong to the claimed payee). KAR provides a solution: banks and payment service providers can query the register to confirm that a given account number is valid and corresponds to the intended payee. For example, a business making a large transfer to a new supplier can use KAR “pre-validation” services offered by its bank to check that the account number provided is indeed linked to the supplier’s organization number (and not, say, an unrelated account). This pre-validation will indicate whether the account exists and is active, and whether the name/owner matches the expected beneficiary, before the payment is executed.
By catching mismatches or non-existent accounts in advance, KAR helps prevent misdirected payments, billing fraud, and mistakes. Major banks integrate KAR checks into their online banking and accounting systems, allowing clients to verify single accounts or even bulk payment files against the register. The result is a significant reduction in failed payments and an extra line of defense against schemes such as invoice fraud, where criminals attempt to trick companies into paying money to the wrong account.
In summary, KAR is extensively used within the banking sector as a real-time reference to ensure the “account number ↔ account holder” linkage is correct for payment transactions, thereby strengthening trust and accuracy in the payments infrastructure.
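The pre-validation flow described above, as an added example that is not part of the original article and does not reproduce KAR's actual interface: a constructed in-memory register and a check that holds payments whose account is unknown, closed, or linked to a different owner than the one on the invoice. All account numbers, organisation numbers, names and function names are invented for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    MATCH = "match"
    NOT_FOUND = "account not found"
    CLOSED = "account closed"
    OWNER_MISMATCH = "owner ID mismatch"
    NAME_MISMATCH = "name mismatch"


@dataclass(frozen=True)
class RegisterEntry:
    owner_id: str    # organisasjonsnummer or fødselsnummer (placeholder values here)
    owner_name: str
    active: bool


# Constructed register snapshot keyed by account number; not real KAR data.
REGISTER = {
    "00000000001": RegisterEntry("900000001", "Nordlys Supplies AS", True),
    "00000000002": RegisterEntry("900000002", "Fjordbygg AS", False),
}

# Constructed payment file: one clean payment, one invoice naming the wrong
# owner for an existing account, one closed account, one unknown account.
BATCH = [
    {"account": "00000000001", "owner_id": "900000001", "name": "nordlys  supplies as"},
    {"account": "00000000001", "owner_id": "900000003", "name": "Nordlys Supplies AS"},
    {"account": "00000000002", "owner_id": "900000002"},
    {"account": "00000000009"},
]


def normalise(name):
    """Case-fold and collapse whitespace so cosmetic differences do not fail a match."""
    return " ".join(name.casefold().split())


def prevalidate(account, expected_owner_id=None, expected_name=None):
    """Check existence and status first, then the owner ID, then the name."""
    entry = REGISTER.get(account)
    if entry is None:
        return Outcome.NOT_FOUND
    if not entry.active:
        return Outcome.CLOSED
    if expected_owner_id is not None and expected_owner_id != entry.owner_id:
        return Outcome.OWNER_MISMATCH
    if expected_name is not None and normalise(expected_name) != normalise(entry.owner_name):
        return Outcome.NAME_MISMATCH
    return Outcome.MATCH


def screen_payment_file(payments):
    """Split a bulk file into (held, released); held items carry the reason."""
    held, released = [], []
    for p in payments:
        outcome = prevalidate(p["account"], p.get("owner_id"), p.get("name"))
        (released if outcome is Outcome.MATCH else held).append((p, outcome))
    return held, released
```

A query that passes only the account number exercises the existence and status checks alone, which corresponds to the simpler validity lookup the article distinguishes from queries involving an owner ID.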
2. Real-Time Payment Services:
KAR’s data plays a crucial role in supporting instant payment solutions in Norway. Specifically, the inclusion of mobile phone numbers within the KAR register was driven by the rise of modern payment services that enable users to instantly transfer money to contacts using aliases (such as phone numbers) instead of traditional account numbers.
A prime example is Norway’s widely used mobile payment app, Vipps. Initially launched as a standalone application by the bank DNB, Vipps was not originally integrated into the payment infrastructures of other Norwegian banks. Over time, however, the broader Norwegian banking sector recognized the importance of developing interoperable, real-time payment systems. These new systems allowed customers from any bank to seamlessly perform instant transactions with users from other financial institutions.
KAR became essential in enabling this interoperability by providing the infrastructure needed to map phone numbers to specific bank accounts. In practice, KAR serves as an addressing service: when a user initiates a real-time payment using the recipient’s mobile phone number, the payment system queries KAR (or a related directory derived from KAR data) to locate the corresponding bank account. The transaction is then accurately routed through the interbank network.
This approach mirrors the alias-to-account mapping mechanisms adopted by similar instant payment systems in other countries, such as Sweden’s Swish. Through its role as a central addressing register, KAR has become integral to alias-based payment services, significantly enhancing the convenience, accuracy, and efficiency of Norway's modern payment infrastructure.
Additionally, by verifying accounts quickly, KAR also supports instant credit transfers more generally. Banks have confidence to immediately credit funds because they can instantly confirm the receiving account’s validity in KAR.
In effect, KAR has become part of the real-time payments ecosystem in Norway, illustrating how a registry originally meant for overnight batch clearing processes has adapted to serve always-on, instant transaction needs.
3. Government and Regulatory Uses:
Although KAR is an industry-operated register, its data has high value for public sector applications, particularly in financial oversight, law enforcement, and public administration. One important use is in anti-financial crime and investigations. Under a public-private partnership initiative known as DSOP (“Digital Samhandling Offentlig Privat”) – Digital Collaboration between Public and Private sectors – Norwegian authorities gained a more efficient channel to access account information from banks. Rather than sending inquiries separately to each bank, authorized agencies (for example, the police or the tax authorities) can submit a query through a secure API, which leverages KAR to identify which banks a given person or company has accounts with. This dramatically speeds up investigations of financial crime, money laundering, or even locating assets of a missing person.
4. Access for Businesses and the Public:
While banks themselves are the main users of KAR (internally and via integrated services for clients), access to the register’s capabilities has also been extended to other private-sector entities in a controlled fashion. Many Norwegian companies, especially those with large payment volumes, use KAR indirectly through their banking relationships. For example, accounting software can be integrated with KAR via APIs provided by a bank or by Mastercard Payment Services, allowing a company to bulk-verify supplier or customer accounts against KAR. This is typically offered as a value-added service (often called “KAR-web service” or “account validation service”) for corporate customers.
As a result, businesses can avoid costly payment errors and ensure that when they update vendor records, the account numbers correspond to the right legal entity. To use such services involving personal data (like checking an account against a personal ID), the querying entity usually must have a lawful basis (for instance, the company must be allowed to handle personal identification numbers). On the other hand, simpler queries – such as merely checking if an account number is valid (without personal ID) – are generally open to any business user of the service.
For individual members of the public, there is no direct online portal to query KAR, mainly to protect privacy. An individual who wants to verify an account typically does so through existing banking tools – for instance, when setting up a new payee in their internet bank, the bank might silently use KAR to warn if the account number is invalid or the name does not match.
Some banks have also implemented confirmation of payee features leveraging KAR, where the payer can see the registered name of the account holder when they enter the account number, before confirming a transfer. However, these features are at the discretion of each bank’s user interface. The general public cannot freely look up who owns a given bank account without authorization.
This balanced approach ensures KAR’s data is used to increase trust in payments (you can be more confident you’re paying the right person) without turning it into a public directory of bank accounts.
Recent Developments
KAR has seen updates as the banking technology landscape evolves. After Nets, the long-time operator of Norway’s payment clearing, was taken over by Mastercard in 2021, the KAR services were rebranded under Mastercard Payment Services. Banks and businesses using KAR had to adapt to new interfaces (APIs and portals) provided by Mastercard, but the underlying register remained the same. Bits AS periodically issues updated technical specifications for how banks connect to KAR and how queries can be made (as seen in the published web service documentation).
Conclusion
The Norwegian KAR register stands out as a central piece of financial infrastructure that exemplifies successful data sharing within a regulated framework. From its origins in the banking sector’s drive for efficient payment clearing, it has grown into an all-encompassing registry that touches many aspects of financial transactions – from everyday bank transfers to cutting-edge instant payment apps and governmental anti-fraud measures. KAR’s history reflects a proactive collaboration among banks to solve collective challenges, and its ongoing evolution shows adaptability to new requirements.
In academic terms, KAR can be seen as an information commons governed by its contributors (the banks) with oversight aligned to public policy goals (such as combating financial crime). It illustrates how data infrastructure can be co-developed by industry and used for public good without direct state ownership. Of course, this model brings challenges: ensuring all participants comply uniformly, guarding against misuse, and deciding who else should benefit from the data.
In sum, the KAR register has become an essential backbone for Norway’s banking system and beyond – a quietly functioning backbone that most consumers are never aware of, yet one that increases the reliability and security of nearly every payment they make.