The number one rule with receiving any weblink is not to trust it if you are not expecting it.  This is doubly important with sensitive data.

We expect that all requests for payment sent to payers using BOPP would be expected (i.e. the payer has bought something from the payee). So the source of the request (the payee) is 'trusted' and the request expected. 

BOPP adds a layer of security for payers in that the payer can be sure that the account information that the payer sees comes directly from the payees bank. We do not let payees manually type in their own bank account information. All payee bank account information is sourced from the payee's bank directly.