
PEPPOL alone will not stop invoice fraud: what e-invoicing mandates leave open

PEPPOL e-invoicing is being treated as a fraud panacea in the trade press. It is not. The standard delivers machine-readable invoices and an audit trail, but it does not verify the supplier, validate bank details, or detect behavioural drift. Here are the gaps to plan into your 2027 to 2030 finance roadmap.


UK e-invoicing mandates have moved from policy to programme. PEPPOL is now the assumed standard, with adoption tracking toward the 2030 horizon. The trade press has framed the mandate as a fraud reduction tool. It is not. PEPPOL standardises the invoice. It does not verify the supplier, validate the bank details on it, or detect a change in behaviour. The fraud surface area inside a fully PEPPOL-compliant operation is narrower than the manual world, but it is not closed.

What PEPPOL does well

The standard delivers three things that legacy invoicing did not. First, a machine-readable format that removes OCR error and the manual re-keying that produces most data-entry fraud opportunities. Second, an audit trail attached to the invoice itself, not to a separate document store. Third, a network of certified access points that gives both parties a verified delivery channel. The wider regulatory picture is laid out in our briefing on UK e-invoicing rules.

Those gains are real. AP teams running on PEPPOL spend less time on data validation and more time on review. The error rate falls. The cycle time falls. The audit posture improves.

What PEPPOL does not do

Three categories of fraud sit outside the standard's scope.

Supplier identity. PEPPOL verifies that an invoice came from a registered access point. It does not verify that the supplier behind that access point is who they claim to be at the moment of payment. Beneficial ownership, sanctions exposure, and entity legitimacy all sit outside the standard. This is the gap that a portable supplier identity is designed to close.

Bank-detail integrity. PEPPOL carries bank details as a payload field. It does not verify them. A compromised supplier or a malicious intermediary can submit a clean PEPPOL invoice with a switched account, and the standard will not flag it.

Behavioural change. The standard treats each invoice as atomic. It does not compare today's invoice against yesterday's pattern. A supplier that has historically invoiced £4,000 a month and suddenly submits a £40,000 PEPPOL invoice against a new account passes the standard's checks without comment.

Three fraud patterns that survive the transition

Bank-detail switching survives directly. The mechanism does not change. The attacker compromises supplier credentials, alters the bank details on the next invoice, and the invoice flows through PEPPOL like any other.

Supplier impersonation survives. PEPPOL registration verifies an access point, not the underlying business. Setting up a credible-looking supplier on a certified access point is harder than spinning up an email domain, but it is not difficult.

Volume-tuned AI invoicing survives. The standard makes high-volume, low-value attacks easier, not harder, because the operational cost of processing each invoice falls. We have written more broadly about this trajectory in why AP fraud will explode in the AI era.

The complementary controls a network layer adds

The controls that close the residual gap operate above the standard, not against it. Three matter.

Continuous identity. The supplier's beneficial ownership, sanctions status and entity verification are refreshed on a schedule, not only at onboarding. Where PSC (persons with significant control) data or its equivalent changes, the supplier's flag is updated.

Behavioural baselining. Each invoice is scored against the supplier's network-level behaviour pattern, with exceptions routed for review. This sits inside the broader thesis that supplier verification and payment behaviour are converging.

Exception sharing. A bank-detail change on one buyer's instance of the supplier is visible to others on the network. A pattern that emerges across multiple buyers becomes a high-confidence fraud signal.
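To make the gap concrete, here is an added example (not code from the article or from any vendor) of the checks a layer above PEPPOL would run on an inbound invoice: it reads the payee account and total from a constructed UBL payload, compares them with the buyer's verified supplier record and recent invoice history, and then asks whether the same bank-detail change has been seen by more than one buyer. The participant ID, IBANs, amounts and the `SUPPLIERS` record are all invented sample data.

```python
import xml.etree.ElementTree as ET
from statistics import median

# UBL 2.1 namespaces used by PEPPOL BIS Billing 3.0 invoices.
NS = {"cbc": "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2",
      "cac": "urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2"}

# Constructed sample: a UBL invoice trimmed to the fields the checks read (illustrative values).
SAMPLE_INVOICE = f"""<Invoice xmlns:cbc="{NS['cbc']}" xmlns:cac="{NS['cac']}">
  <cbc:ID>INV-0419</cbc:ID>
  <cac:AccountingSupplierParty><cac:Party>
    <cbc:EndpointID schemeID="0088">5000000000001</cbc:EndpointID></cac:Party></cac:AccountingSupplierParty>
  <cac:PaymentMeans><cac:PayeeFinancialAccount>
    <cbc:ID>GB00TEST00000099999999</cbc:ID></cac:PayeeFinancialAccount></cac:PaymentMeans>
  <cac:LegalMonetaryTotal><cbc:PayableAmount currencyID="GBP">40000.00</cbc:PayableAmount></cac:LegalMonetaryTotal>
</Invoice>"""

# Constructed supplier master data keyed by PEPPOL participant ID: verified IBAN plus recent monthly totals.
SUPPLIERS = {"0088:5000000000001": {"iban": "GB00TEST00000011111111",
                                    "history_gbp": [3900.0, 4100.0, 4000.0, 4050.0]}}

def extract_fields(xml_text):
    # Supplier endpoint, payee account and payable total; PEPPOL validates the shape, not the values.
    root = ET.fromstring(xml_text)
    ep = root.find("cac:AccountingSupplierParty/cac:Party/cbc:EndpointID", NS)
    acct = root.find("cac:PaymentMeans/cac:PayeeFinancialAccount/cbc:ID", NS)
    total = root.find("cac:LegalMonetaryTotal/cbc:PayableAmount", NS)
    return {"endpoint": f"{ep.get('schemeID')}:{ep.text}",
            "iban": acct.text, "amount": float(total.text)}

def score_invoice(xml_text, suppliers, ratio_threshold=3.0):
    """Return the exception flags a network layer would raise; [] means clean."""
    inv = extract_fields(xml_text)
    rec = suppliers.get(inv["endpoint"])
    if rec is None:                      # access point is registered, supplier is not known
        return ["unknown-supplier"]
    flags = []
    if inv["iban"] != rec["iban"]:       # payload IBAN differs from the verified one
        flags.append("bank-detail-change")
    baseline = median(rec["history_gbp"])
    if baseline and inv["amount"] / baseline >= ratio_threshold:
        flags.append("amount-outlier")   # today's invoice against yesterday's pattern
    return flags

def network_signal(events, endpoint, min_buyers=2):
    """Exception sharing: the same bank-detail change reported by several buyers."""
    buyers = {e["buyer"] for e in events
              if e["endpoint"] == endpoint and "bank-detail-change" in e["flags"]}
    return len(buyers) >= min_buyers
```

The sample invoice trips both checks: its IBAN differs from the verified record and its total is roughly ten times the supplier's median, which is exactly the £4,000 to £40,000 case the standard passes without comment.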

Building this into the 2027 to 2030 roadmap

Finance leaders preparing for mandatory e-invoicing have a choice. Treat PEPPOL as the end state and accept the residual fraud risk, or treat it as a foundation and plan the network layer above it. The cost differential between the two paths is not large. The risk differential is substantial.

The pragmatic build is sequenced over three years. Year one: PEPPOL compliance, with access point selection prioritising vendors that publish their data architecture. Year two: continuous identity and behavioural layering on top. Year three: full exception sharing on the network. The mandate becomes an upgrade, not a tax.
